From 276a3daea12bce6a2af6c1dee55a99f28d394fff Mon Sep 17 00:00:00 2001 From: Alok Lal Date: Thu, 11 Jun 2015 16:45:21 -0700 Subject: [PATCH 001/202] RANGER-550 Hive plugin: Add support for allowed/denied auditing for metadata commands with filtering support from hive. Signed-off-by: Madhan Neethiraj --- .../authorizer/RangerHiveAccessRequest.java | 2 +- .../authorizer/RangerHiveAuditHandler.java | 32 ---- .../hive/authorizer/RangerHiveAuthorizer.java | 181 +++++++----------- 3 files changed, 71 insertions(+), 144 deletions(-) diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java index 1f7ae4d5668..2ae41490735 100644 --- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java +++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java @@ -81,7 +81,7 @@ public RangerHiveAccessRequest(RangerHiveResource resource, } public RangerHiveAccessRequest(RangerHiveResource resource, String user, Set groups, HiveAuthzContext context, HiveAuthzSessionContext sessionContext) { - this(resource, user, groups, "OTHER", HiveAccessType.USE, context, sessionContext); + this(resource, user, groups, "METADATA OPERATION", HiveAccessType.USE, context, sessionContext); } public HiveAccessType getHiveAccessType() { diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java index 2675a67a495..0f13577b0f9 100644 --- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java +++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java 
@@ -150,38 +150,6 @@ public void processResults(Collection results) { } } - public void logAuditEventForFiltering(RangerAccessResult result, HiveOperationType hiveOpType) { - - if(! result.getIsAudited()) { - return; - } - - RangerHiveAccessRequest request = (RangerHiveAccessRequest)result.getAccessRequest(); - RangerHiveResource resource = (RangerHiveResource)request.getResource(); - String resourcePath = resource.getObjectType().toString(); - String accessType = getAccessTypeForMetaOperation(hiveOpType); - - AuthzAuditEvent auditEvent = createAuditEvent(result, accessType, resourcePath); - - addAuthzAuditEvent(auditEvent); - } - - String getAccessTypeForMetaOperation(HiveOperationType hiveOperationType) { - String result; - switch (hiveOperationType) { - case SHOWDATABASES: - result = "SHOW DATABASES"; - break; - case SHOWTABLES: - result = "SHOW TABLES"; - break; - default: - result = "OTHER METADATA OP"; - break; - } - return result; - } - public void logAuditEventForDfs(String userName, String dfsCommand, boolean accessGranted, int repositoryType, String repositoryName) { AuthzAuditEvent auditEvent = new AuthzAuditEvent(); diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java index 1df1af40559..9075b574f00 100644 --- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java +++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java @@ -26,6 +26,7 @@ import java.util.Map; import java.util.Set; +import org.apache.commons.collections.CollectionUtils; import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; 
@@ -225,7 +226,18 @@ public void checkPrivileges(HiveOperationType hiveOpType, List requests = new ArrayList(); - if(inputHObjs != null) { + if(CollectionUtils.isEmpty(inputHObjs)) { + // this should happen only for SHOWDATABASES + if (hiveOpType == HiveOperationType.SHOWDATABASES) { + RangerHiveResource resource = new RangerHiveResource(HiveObjectType.DATABASE, null); + RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, hiveOpType.name(), HiveAccessType.USE, context, sessionContext); + requests.add(request); + } else { + if (LOG.isDebugEnabled()) { + LOG.debug("RangerHiveAuthorizer.checkPrivileges: Unexpected operation type[" + hiveOpType + "] received with empty input objects list!"); + } + } + } else { for(HivePrivilegeObject hiveObj : inputHObjs) { RangerHiveResource resource = getHiveResource(hiveOpType, hiveObj); 
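Review bot: In the new `CollectionUtils.isEmpty(inputHObjs)` branch, any operation other than SHOWDATABASES that arrives with no input objects is only debug-logged and leaves `requests` empty, so the remainder of checkPrivileges (which continues outside this hunk) has nothing to evaluate and the call completes as if allowed. Because that is an authorization decision falling open on an unexpected input, the message should be visible in normal operation rather than hidden behind `LOG.isDebugEnabled()`; I would emit it unconditionally as `LOG.warn("RangerHiveAuthorizer.checkPrivileges: Unexpected operation type[" + hiveOpType + "] received with empty input objects list!");`. Whether Hive can actually issue such a call is not visible here, so the comment `// this should happen only for SHOWDATABASES` should also state what happens when it does not.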
@@ -283,76 +295,54 @@ public void checkPrivileges(HiveOperationType hiveOpType, } } - if (isMetaDataOperation(hiveOpType)) { - RangerHiveResource resource = getHiveResource(hiveOpType); - RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, context, sessionContext); - RangerAccessResult result = hivePlugin.isAccessAllowed(request); - if (result == null) { - LOG.error("Internal error: null RangerAccessResult object received back from isAccessAllowed()!"); - throw new HiveAccessControlException(String.format("Permission denied: user [%s] does not have [%s] privilege", - user, hiveOpType)); - } else if (!result.getIsAllowed()) { - String path = resource.getAsString(); - throw new HiveAccessControlException(String.format("Permission denied: user [%s] does not have [%s] privilege on [%s]", - user, hiveOpType.name(), path)); - } else { - if (LOG.isDebugEnabled()) { - LOG.debug(String.format("[%s] allowed on resource[%s]: request[%s], result[%s]", hiveOpType, resource, request, result)); + for(RangerHiveAccessRequest request : requests) { + RangerHiveResource resource = (RangerHiveResource)request.getResource(); + RangerAccessResult result = null; + + if(resource.getObjectType() == HiveObjectType.COLUMN && StringUtils.contains(resource.getColumn(), COLUMN_SEP)) { + List colRequests = new ArrayList(); + + String[] columns = StringUtils.split(resource.getColumn(), COLUMN_SEP); + + // in case of multiple columns, original request is not sent to the plugin; hence service-def will not be set + resource.setServiceDef(hivePlugin.getServiceDef()); + + for(String column : columns) { + if (column != null) { + column = column.trim(); + } + if(StringUtils.isBlank(column)) { + continue; + } + + RangerHiveResource colResource = new RangerHiveResource(HiveObjectType.COLUMN, resource.getDatabase(), resource.getTable(), column); + + RangerHiveAccessRequest colRequest = request.copy(); + colRequest.setResource(colResource); + + colRequests.add(colRequest); 
} - if (result.getIsAudited()) { - auditHandler.logAuditEventForFiltering(result, hiveOpType); + + Collection colResults = hivePlugin.isAccessAllowed(colRequests, auditHandler); + + if(colResults != null) { + for(RangerAccessResult colResult : colResults) { + result = colResult; + + if(!result.getIsAllowed()) { + break; + } + } } + } else { + result = hivePlugin.isAccessAllowed(request, auditHandler); } - } else { - for(RangerHiveAccessRequest request : requests) { - RangerHiveResource resource = (RangerHiveResource)request.getResource(); - RangerAccessResult result = null; - - if(resource.getObjectType() == HiveObjectType.COLUMN && StringUtils.contains(resource.getColumn(), COLUMN_SEP)) { - List colRequests = new ArrayList(); - - String[] columns = StringUtils.split(resource.getColumn(), COLUMN_SEP); - // in case of multiple columns, original request is not sent to the plugin; hence service-def will not be set - resource.setServiceDef(hivePlugin.getServiceDef()); - - for(String column : columns) { - if (column != null) { - column = column.trim(); - } - if(StringUtils.isBlank(column)) { - continue; - } - - RangerHiveResource colResource = new RangerHiveResource(HiveObjectType.COLUMN, resource.getDatabase(), resource.getTable(), column); - - RangerHiveAccessRequest colRequest = request.copy(); - colRequest.setResource(colResource); - - colRequests.add(colRequest); - } - - Collection colResults = hivePlugin.isAccessAllowed(colRequests, auditHandler); - - if(colResults != null) { - for(RangerAccessResult colResult : colResults) { - result = colResult; - - if(!result.getIsAllowed()) { - break; - } - } - } - } else { - result = hivePlugin.isAccessAllowed(request, auditHandler); - } - - if(result != null && !result.getIsAllowed()) { - String path = resource.getAsString(); - - throw new HiveAccessControlException(String.format("Permission denied: user [%s] does not have [%s] privilege on [%s]", - user, request.getHiveAccessType().name(), path)); - } + if(result != null && 
!result.getIsAllowed()) { + String path = resource.getAsString(); + + throw new HiveAccessControlException(String.format("Permission denied: user [%s] does not have [%s] privilege on [%s]", + user, request.getHiveAccessType().name(), path)); } } } finally { @@ -360,29 +350,6 @@ public void checkPrivileges(HiveOperationType hiveOpType, } } - boolean isMetaDataOperation(HiveOperationType hiveOpType) { - boolean result; - - switch (hiveOpType) { - /* - * Uncomment this part when hive bug is resolved. - * - case SHOWTABLES: - result = true; - break; - * - */ - case SHOWDATABASES: // we don't want to authorize for show databases either since any call with _any privilages runs into a problem. - case SHOWTABLES: // currently does not work since we don't get the database name in the context to do this check correctly. - case DESCDATABASE: // currently does not work since we don't get the database name in the context to do this check correctly. - default: - result = false; - break; - } - return result; - } - - /** * Check if user has privileges to do this action on these objects * @param objs 
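Review bot: The consolidated loop treats a null result as an allow: in the multi-column branch `result` stays null when `colResults` is null, and the final `if(result != null && !result.getIsAllowed())` then throws nothing, whereas the metadata path removed by this hunk explicitly logged an error and threw on `result == null`. Unless hivePlugin.isAccessAllowed is guaranteed never to return null (not visible here), I would keep that fail-closed handling ahead of the deny check, e.g. `if(result == null) { LOG.error("Internal error: null RangerAccessResult object received back from isAccessAllowed()!"); throw new HiveAccessControlException(String.format("Permission denied: user [%s] does not have [%s] privilege on [%s]", user, request.getHiveAccessType().name(), resource.getAsString())); }`. checkPrivileges begins before this hunk and its finally block continues past it, so I cannot see whether a null result is caught anywhere else.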
@@ -456,38 +423,25 @@ public List filterListCmdObjects(List } else if (!result.getIsAllowed()) { if (!LOG.isDebugEnabled()) { String path = resource.getAsString(); - LOG.debug(String.format("filterListCmdObjects: Permission denied: user [%s] does not have [%s] privilege on [%s]", user, request.getHiveAccessType().name(), path)); + LOG.debug(String.format("filterListCmdObjects: Permission denied: user [%s] does not have [%s] privilege on [%s]. resource[%s], request[%s], result[%s]", + user, request.getHiveAccessType().name(), path, resource, request, result)); } } else { if (LOG.isDebugEnabled()) { - LOG.debug(String.format("filterListCmdObjects: resource[%s]: allowed!: request[%s], result[%s]", resource, request, result)); + LOG.debug(String.format("filterListCmdObjects: access allowed. resource[%s], request[%s], result[%s]", resource, request, result)); } ret.add(privilegeObject); } } } } + if (LOG.isDebugEnabled()) { - LOG.debug(String.format("filterListCmdObjects: number of output objects[%d]", ret == null ? 0: ret.size())); - LOG.debug(String.format("<== filterListCmdObjects(%s, %s): %s", objs, context, ret)); + int count = ret == null ? 0 : ret.size(); + LOG.debug(String.format("<== filterListCmdObjects: count[%d], ret[%s]", count, ret)); } - return ret; } - - RangerHiveResource getHiveResource(HiveOperationType hiveOperationType) { - RangerHiveResource hiveResource; - switch (hiveOperationType) { - case SHOWDATABASES: - case SHOWTABLES: - // any database - hiveResource = new RangerHiveResource(HiveObjectType.DATABASE, null); - break; - default: - hiveResource = null; - } - return hiveResource; - } RangerHiveResource createHiveResource(HivePrivilegeObject privilegeObject) { RangerHiveResource resource = null; 
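Review bot: The reworked denial message sits under the unchanged guard `if (!LOG.isDebugEnabled())`, so the new `LOG.debug(...)` runs only when debug logging is off and is then discarded by the logger — a filtered-out object is never reported. The guard should read `if (LOG.isDebugEnabled()) {`, matching the allowed branch directly below it. The `ret == null ? 0 : ret.size()` in the exit trace suggests `ret` can be null; filterListCmdObjects starts before this hunk, so I cannot confirm whether that is reachable or just defensive.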
@@ -691,6 +645,10 @@ private HiveAccessType getAccessType(HivePrivilegeObject hiveObj, HiveOperationT accessType = HiveAccessType.LOCK; break; + /* + * SELECT access is done for many of these metadata operations since hive does not call back for filtering. + * Overtime these should move to _any/USE access (as hive adds support for filtering). + */ case QUERY: case SHOW_TABLESTATUS: case SHOW_CREATETABLE: @@ -703,8 +661,11 @@ private HiveAccessType getAccessType(HivePrivilegeObject hiveObj, HiveOperationT accessType = HiveAccessType.SELECT; break; + // any access done for metadata access of actions that have support from hive for filtering + case SHOWDATABASES: case SWITCHDATABASE: case DESCDATABASE: + case SHOWTABLES: accessType = HiveAccessType.USE; break; @@ -733,10 +694,8 @@ private HiveAccessType getAccessType(HivePrivilegeObject hiveObj, HiveOperationT case RESET: case SET: case SHOWCONF: - case SHOWDATABASES: case SHOWFUNCTIONS: case SHOWLOCKS: - case SHOWTABLES: case SHOW_COMPACTIONS: case SHOW_GRANT: case SHOW_ROLES: From df753e85e02eedea75421d21942686a03813187c Mon Sep 17 00:00:00 2001 From: Alok Lal Date: Fri, 12 Jun 2015 12:40:04 -0700 Subject: [PATCH 002/202] RANGER-549 updating the tests so it would have failed without the fix that was checked in prior Signed-off-by: Madhan Neethiraj --- .../plugin/model/validation/TestRangerServiceValidator.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerServiceValidator.java b/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerServiceValidator.java index 6c20f0d466d..4b0fdbf5cef 100644 --- a/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerServiceValidator.java +++ b/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerServiceValidator.java 
@@ -196,7 +196,7 @@ public void test_isValid_happyPath() throws Exception { // if name is not null and it points to a service then it should match the id when(service.getId()).thenReturn(7L); RangerService existingService = mock(RangerService.class); - when(existingService.getId()).thenReturn(7L); + when(existingService.getId()).thenReturn(new Long(7L)); when(_store.getService(7L)).thenReturn(existingService); when(_store.getServiceByName("aName")).thenReturn(existingService); assertTrue(_validator.isValid(service, Action.UPDATE, _failures)); From e4877418f5c8f2ea42bdb57c84b2cc70856b6770 Mon Sep 17 00:00:00 2001 From: Alok Lal Date: Fri, 12 Jun 2015 19:09:13 -0700 Subject: [PATCH 003/202] RANGER-553 Default policy creation during service creation should handle service defs with multiple hierarchies, e.g. hive, properly Signed-off-by: Madhan Neethiraj --- .../org/apache/ranger/biz/ServiceDBStore.java | 69 ++++++++++--------- 1 file changed, 38 insertions(+), 31 deletions(-) diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java index d57f0be4843..ff04d3fc1b3 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java @@ -100,6 +100,7 @@ import org.apache.ranger.plugin.model.RangerServiceDef.RangerPolicyConditionDef; import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef; import org.apache.ranger.plugin.model.RangerServiceDef.RangerServiceConfigDef; +import org.apache.ranger.plugin.model.validation.RangerServiceDefHelper; import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil; import org.apache.ranger.plugin.store.ServicePredicateUtil; import org.apache.ranger.plugin.store.ServiceStore; 
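Review bot: `new Long(7L)` is deliberate here — presumably to obtain a Long instance distinct from the cached autoboxed `7L`, so that an identity comparison of ids in the validator would fail — but nothing on the line says so, and a routine cleanup to `Long.valueOf(7L)` would silently restore the cached instance and let the test pass again without the fix. Add a comment such as `// intentionally a fresh Long instance: the validator must compare ids with equals(), not ==` on that line. On JDKs where the boxed-type constructors are deprecated this line will also warn, which the comment should anticipate.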
@@ -1065,7 +1066,7 @@ public RangerService createService(RangerService service) throws Exception { bizUtil.createTrxLog(trxLogList); if (createDefaultPolicy) { - createDefaultPolicy(xCreatedService, vXUser); + createDefaultPolicies(xCreatedService, vXUser); } return createdService; @@ -1669,9 +1670,20 @@ public ServicePolicies getServicePoliciesIfUpdated(String serviceName, Long last return ret; } - private void createDefaultPolicy(XXService createdService, VXUser vXUser) throws Exception { + private void createDefaultPolicies(XXService createdService, VXUser vXUser) throws Exception { + // we need to create one policy for each resource hierarchy + RangerServiceDef serviceDef = getServiceDef(createdService.getType()); + RangerServiceDefHelper serviceDefHelper = new RangerServiceDefHelper(serviceDef); + int i = 1; + for (List aHierarchy : serviceDefHelper.getResourceHierarchies()) { + createDefaultPolicy(createdService, vXUser, aHierarchy, i); + i++; + } + } + + private void createDefaultPolicy(XXService createdService, VXUser vXUser, List resourceHierarchy, int num) throws Exception { RangerPolicy policy = new RangerPolicy(); - String policyName=createdService.getName()+"-"+1+"-"+DateUtil.dateToString(DateUtil.getUTCDate(),"yyyyMMddHHmmss"); + String policyName=createdService.getName()+"-"+num+"-"+DateUtil.dateToString(DateUtil.getUTCDate(),"yyyyMMddHHmmss"); policy.setIsEnabled(true); policy.setVersion(1L); 
@@ -1680,34 +1692,7 @@ private void createDefaultPolicy(XXService createdService, VXUser vXUser) throws policy.setDescription("Default Policy for Service: " + createdService.getName()); policy.setIsAuditEnabled(true); - Map resources = new HashMap(); - List resDefList = daoMgr.getXXResourceDef().findByServiceDefId(createdService.getType()); - - for(XXResourceDef resDef : resDefList) { - // for hive, 2 policies should be created: 1) database/table/column 2) database/udf - // until we support multiple default policies creation - one for each resource hierarchy, - // lets just skip udf in the resoure list - if("udf".equalsIgnoreCase(resDef.getName())) { - continue; - } - - RangerPolicyResource polRes = new RangerPolicyResource(); - polRes.setIsExcludes(false); - polRes.setIsRecursive(false); - - String value = "*"; - if("path".equalsIgnoreCase(resDef.getName())) { - value = "/*"; - } - - if(resDef.getRecursivesupported()) { - polRes.setIsRecursive(Boolean.TRUE); - } - - polRes.setValue(value); - resources.put(resDef.getName(), polRes); - } - policy.setResources(resources); + policy.setResources(createDefaultPolicyResource(resourceHierarchy)); if (vXUser != null) { List policyItems = new ArrayList(); 
@@ -1742,6 +1727,28 @@ private void createDefaultPolicy(XXService createdService, VXUser vXUser) throws policy = createPolicy(policy); } + Map createDefaultPolicyResource(List resourceHierarchy) throws Exception { + Map resourceMap = new HashMap<>(); + + for (RangerResourceDef resourceDef : resourceHierarchy) { + RangerPolicyResource polRes = new RangerPolicyResource(); + polRes.setIsExcludes(false); + polRes.setIsRecursive(false); + + String value = "*"; + if("path".equalsIgnoreCase(resourceDef.getName())) { + value = "/*"; + } + + if(resourceDef.getRecursiveSupported()) { + polRes.setIsRecursive(Boolean.TRUE); + } + + polRes.setValue(value); + resourceMap.put(resourceDef.getName(), polRes); + } + return resourceMap; + } private Map validateRequiredConfigParams(RangerService service, Map configs) { if(LOG.isDebugEnabled()) { From 157f0f8d7e6f2f244a3fe353eced1b9ad8dd5583 Mon Sep 17 00:00:00 2001 From: Velmurugan Periasamy Date: Mon, 15 Jun 2015 19:41:56 -0400 Subject: [PATCH 004/202] RANGER-554: Pagination support in KMS Keys listing page Signed-off-by: sneethiraj --- .../java/org/apache/ranger/biz/KmsKeyMgr.java | 52 +++++++++++++++---- .../java/org/apache/ranger/rest/XKeyREST.java | 3 +- 2 files changed, 42 insertions(+), 13 deletions(-) diff --git a/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java index 7854f4bf869..551ec2eabff 100755 --- a/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java @@ -26,6 +26,7 @@ import java.net.URL; import java.security.PrivilegedAction; import java.util.ArrayList; +import java.util.Collections; import java.util.HashMap; import java.util.List; import java.util.Map; 
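Review bot: `createDefaultPolicyResource` declares `throws Exception` although nothing in its body throws a checked exception, which forces every caller into a broad catch; drop the clause. It also unboxes `resourceDef.getRecursiveSupported()` directly in an `if`, which throws NullPointerException if that getter returns a nullable Boolean (its declared type is not visible here); `if(Boolean.TRUE.equals(resourceDef.getRecursiveSupported())) {` is safe either way. A short Javadoc naming the `"path"` → `"/*"` special case would help, since the reason for it lives nowhere, and a blank line before the following `validateRequiredConfigParams` would match the file's spacing.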
@@ -100,7 +101,7 @@ public class KmsKeyMgr { RangerDaoManagerBase rangerDaoManagerBase; @SuppressWarnings("unchecked") - public VXKmsKeyList searchKeys(String repoName) throws Exception{ + public VXKmsKeyList searchKeys(HttpServletRequest request, String repoName) throws Exception{ String providers[] = null; try { providers = getKMSURL(repoName); @@ -147,6 +148,16 @@ public String run() { Gson gson = new GsonBuilder().create(); logger.debug(" Search Key RESPONSE: [" + response + "]"); keys = gson.fromJson(response, List.class); + Collections.sort(keys); + VXKmsKeyList vxKmsKeyList2 = new VXKmsKeyList(); + List vXKeys2 = new ArrayList(); + for (String name : keys) { + VXKmsKey key = new VXKmsKey(); + key.setName(name); + vXKeys2.add(key); + } + vxKmsKeyList2.setVXKeys(vXKeys2); + vxKmsKeyList = getFilteredKeyList(request, vxKmsKeyList2); break; } catch (Exception e) { if (e instanceof UniformInterfaceException || i == providers.length - 1) 
@@ -155,15 +166,35 @@ public String run() { continue; } } - if (keys != null && keys.size() > 0) { - for (String name : keys) { - VXKmsKey key = getKeyFromUri(connProvider, name, isKerberos, repoName); - vXKeys.add(key); + //details + if (vxKmsKeyList != null && vxKmsKeyList.getVXKeys() != null && vxKmsKeyList.getVXKeys().size() > 0) { + List lstKMSKey = vxKmsKeyList.getVXKeys(); + int startIndex=restErrorUtil.parseInt( + request.getParameter("startIndex"), 0, + "Invalid value for parameter startIndex", + MessageEnums.INVALID_INPUT_DATA, null, "startIndex"); + startIndex = startIndex < 0 ? 0 : startIndex; + + int pageSize=restErrorUtil.parseInt( + request.getParameter("pageSize"), 0, + "Invalid value for parameter pageSize", + MessageEnums.INVALID_INPUT_DATA, null, "pageSize"); + pageSize = pageSize < 0 ? 0 : pageSize; + + vxKmsKeyList.setResultSize(lstKMSKey.size()); + vxKmsKeyList.setTotalCount(lstKMSKey.size()); + if((startIndex+pageSize) <= lstKMSKey.size()){ + lstKMSKey = lstKMSKey.subList(startIndex, (startIndex+pageSize));} + else{ + startIndex = startIndex >= lstKMSKey.size() ? 0 : startIndex; + lstKMSKey = lstKMSKey.subList(startIndex, lstKMSKey.size()); } - vxKmsKeyList.setResultSize(vXKeys.size()); - vxKmsKeyList.setTotalCount(vXKeys.size()); - vxKmsKeyList.setStartIndex(0); - vxKmsKeyList.setPageSize(vXKeys.size()); + for (VXKmsKey kmsKey : lstKMSKey) { + VXKmsKey key = getKeyFromUri(connProvider, kmsKey.getName(), isKerberos, repoName); + vXKeys.add(key); + } + vxKmsKeyList.setStartIndex(startIndex); + vxKmsKeyList.setPageSize(pageSize); } vxKmsKeyList.setVXKeys(vXKeys); return vxKmsKeyList; 
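Review bot: The page arithmetic returns an empty page when `pageSize` resolves to 0: `startIndex+pageSize <= lstKMSKey.size()` is then true and `lstKMSKey.subList(startIndex, startIndex+pageSize)` yields no keys, while resultSize and totalCount still report the full count. If the second argument of `restErrorUtil.parseInt` is the default for a missing parameter, as the call shape suggests, a request that omits pageSize gets nothing back; treating a non-positive size as "all" with `pageSize = pageSize <= 0 ? lstKMSKey.size() : pageSize;` avoids that. `startIndex + pageSize` is also computed from two request-supplied ints without an overflow guard, so clamping pageSize to `lstKMSKey.size()` before the addition (or using `Math.addExact`) keeps the subList bounds sane for hostile values.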
@@ -540,7 +571,7 @@ private synchronized Client getClient() { public VXKmsKeyList getFilteredKeyList(HttpServletRequest request, VXKmsKeyList vXKmsKeyList){ List sortFields = new ArrayList(); sortFields.add(new SortField(KeySearchFilter.KEY_NAME, KeySearchFilter.KEY_NAME)); - + KeySearchFilter filter = getKeySearchFilter(request, sortFields); Predicate pred = getPredicate(filter); @@ -631,7 +662,6 @@ private KeySearchFilter extractCommonCriteriasForFilter(HttpServletRequest reque String sortBy = restErrorUtil.validateString(request.getParameter(KeySearchFilter.SORT_BY), StringUtil.VALIDATION_ALPHA, "Invalid value for parameter sortBy", MessageEnums.INVALID_INPUT_DATA, null, KeySearchFilter.SORT_BY); - boolean sortSet = false; if (!StringUtils.isEmpty(sortBy)) { for (SortField sortField : sortFields) { diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java b/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java index 7845b86c32b..1c0f9fc4a19 100755 --- a/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java @@ -79,8 +79,7 @@ public class XKeyREST { public VXKmsKeyList searchKeys(@Context HttpServletRequest request, @QueryParam("provider") String provider) { VXKmsKeyList vxKmsKeyList = new VXKmsKeyList(); try{ - vxKmsKeyList = keyMgr.searchKeys(provider); - vxKmsKeyList = keyMgr.getFilteredKeyList(request, vxKmsKeyList); + vxKmsKeyList = keyMgr.searchKeys(request, provider); }catch(Exception e){ handleError(e); } From d650c91329c9bbc02f54977920b580320e293490 Mon Sep 17 00:00:00 2001 From: Velmurugan Periasamy Date: Mon, 15 Jun 2015 18:43:14 -0400 Subject: [PATCH 005/202] RANGER-555: Fixed x_data_hist query for Oracle DB Signed-off-by: sneethiraj --- .../org/apache/ranger/db/XXDataHistDao.java | 20 +++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) 
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXDataHistDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXDataHistDao.java index b9f91d4b34f..07db4586ced 100644 --- a/security-admin/src/main/java/org/apache/ranger/db/XXDataHistDao.java +++ b/security-admin/src/main/java/org/apache/ranger/db/XXDataHistDao.java @@ -23,6 +23,8 @@ import javax.persistence.NoResultException; import javax.persistence.Query; +import org.apache.ranger.biz.RangerBizUtil; +import org.apache.ranger.common.AppConstants; import org.apache.ranger.common.db.BaseDao; import org.apache.ranger.entity.XXDataHist; @@ -52,8 +54,22 @@ public XXDataHist findObjByEventTimeClassTypeAndId(String eventTime, int classTy return null; } try { - String queryStr = "select obj.* from x_data_hist obj where obj.obj_class_type = "+classType - + " and obj.obj_id = "+objId + " and obj.create_time <= '" + eventTime + "' ORDER BY obj.id DESC"; + + int dbFlavor = RangerBizUtil.getDBFlavor(); + + String queryStr = ""; + + if (dbFlavor == AppConstants.DB_FLAVOR_ORACLE) { + queryStr = "select obj.* from x_data_hist obj where obj.obj_class_type = " + classType + + " and obj.obj_id = " + objId + + " and to_date(obj.create_time, 'YYYY-MM-DD\"T\"HH24:MI:SS\"Z\"') <= to_date('" + eventTime + + "', 'YYYY-MM-DD\"T\"HH24:MI:SS\"Z\"') ORDER BY obj.id DESC"; + } else { + queryStr = "select obj.* from x_data_hist obj where obj.obj_class_type = " + classType + + " and obj.obj_id = " + objId + " and obj.create_time <= '" + eventTime + + "' ORDER BY obj.id DESC"; + } + Query jpaQuery = getEntityManager().createNativeQuery(queryStr, tClass).setMaxResults(1); return (XXDataHist) jpaQuery.getSingleResult(); From 74522f331dfdfc47dd456f5233d19b78079f9bf1 Mon Sep 17 00:00:00 2001 
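Review bot: Both branches still build the native query by concatenating `eventTime` (a String) straight into the SQL text, and the Oracle branch adds a second interpolation inside `to_date(...)`; any value that reaches this method unvalidated becomes part of the statement. JPA native queries accept positional parameters, so the Oracle branch would become `" and to_date(obj.create_time, 'YYYY-MM-DD\"T\"HH24:MI:SS\"Z\"') <= to_date(?1, 'YYYY-MM-DD\"T\"HH24:MI:SS\"Z\"')"` and the default branch `" and obj.create_time <= ?1"`, with `.setParameter(1, eventTime)` chained before `.setMaxResults(1)`. That also removes the quoting problem for any eventTime containing a `'`. `classType` and `objId` appear to be numeric so concatenating them is not injectable, but binding them as well keeps the statement text constant and cacheable.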
From: rmani Date: Tue, 16 Jun 2015 19:50:30 -0700 Subject: [PATCH 006/202] RANGER-557: Ranger Storm authorizer to be consistent with default authorizer --- .../authorizer/RangerStormAuthorizer.java | 62 +++++++++++-------- 1 file changed, 35 insertions(+), 27 deletions(-) diff --git a/storm-agent/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizer.java b/storm-agent/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizer.java index b94988b7880..3687527f475 100644 --- a/storm-agent/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizer.java +++ b/storm-agent/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizer.java @@ -21,6 +21,7 @@ import java.security.Principal; import java.util.Map; +import java.util.Set; import org.apache.hadoop.security.UserGroupInformation; import org.apache.ranger.authorization.storm.StormRangerPlugin; @@ -30,6 +31,8 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import com.google.common.collect.Sets; + import backtype.storm.Config; import backtype.storm.security.auth.IAuthorizer; import backtype.storm.security.auth.ReqContext; @@ -39,7 +42,9 @@ public class RangerStormAuthorizer implements IAuthorizer { private static final Logger LOG = LoggerFactory.getLogger(RangerStormAuthorizer.class); static final StormRangerPlugin plugin = new StormRangerPlugin(); - + + static final Set noAuthzOperations = Sets.newHashSet(new String[] { "getNimbusConf", "getClusterInfo" }); + /** * permit() method is invoked for each incoming Thrift request. * @param context request context includes info about @@ -53,7 +58,7 @@ public boolean permit(ReqContext aRequestContext, String aOperationName, Map aTo boolean accessAllowed = false ; boolean isAuditEnabled = false; - + String topologyName = null ; try { 
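Review bot: `noAuthzOperations` is a mutable HashSet held in a package-private static, yet it is the list of operations that bypass Ranger authorization, so it should not be alterable at runtime: declare it `private static final Set<String>` and wrap it, e.g. `Collections.unmodifiableSet(Sets.newHashSet("getNimbusConf", "getClusterInfo"))` (or Guava's `ImmutableSet.of(...)`, since Guava is already being imported here). The raw `Set` type also drops the element type that `Set<String>` would document. A one-line comment saying that these operations are allowed unconditionally to match Storm's default authorizer, as the commit title states, would tell the next reader why the list exists.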
@@ -76,39 +81,42 @@ public boolean permit(ReqContext aRequestContext, String aOperationName, Map aTo LOG.debug("TOPOLOGY CONFIG MAP is passed as null.") ; } } + + if(noAuthzOperations.contains(aOperationName)) { + accessAllowed = true; + } else { + String userName = null ; + String[] groups = null ; - String userName = null ; - String[] groups = null ; - - Principal user = aRequestContext.principal() ; + Principal user = aRequestContext.principal() ; - if (user != null) { - userName = user.getName() ; - if (userName != null) { - UserGroupInformation ugi = UserGroupInformation.createRemoteUser(userName) ; - userName = ugi.getShortUserName() ; - groups = ugi.getGroupNames() ; - if (LOG.isDebugEnabled()) { - LOG.debug("User found from principal [" + user.getName() + "] => user:[" + userName + "], groups:[" + StringUtil.toString(groups) + "]") ; + if (user != null) { + userName = user.getName() ; + if (userName != null) { + UserGroupInformation ugi = UserGroupInformation.createRemoteUser(userName) ; + userName = ugi.getShortUserName() ; + groups = ugi.getGroupNames() ; + if (LOG.isDebugEnabled()) { + LOG.debug("User found from principal [" + user.getName() + "] => user:[" + userName + "], groups:[" + StringUtil.toString(groups) + "]") ; + } } - } - } - if (userName != null) { - String clientIp = (aRequestContext.remoteAddress() == null ? null : aRequestContext.remoteAddress().getHostAddress() ) ; - RangerAccessRequest accessRequest = plugin.buildAccessRequest(userName, groups, clientIp, topologyName, aOperationName); - RangerAccessResult result = plugin.isAccessAllowed(accessRequest); - accessAllowed = result != null && result.getIsAllowed(); - isAuditEnabled = result != null && result.getIsAudited(); + if (userName != null) { + String clientIp = (aRequestContext.remoteAddress() == null ? 
null : aRequestContext.remoteAddress().getHostAddress() ) ; + RangerAccessRequest accessRequest = plugin.buildAccessRequest(userName, groups, clientIp, topologyName, aOperationName); + RangerAccessResult result = plugin.isAccessAllowed(accessRequest); + accessAllowed = result != null && result.getIsAllowed(); + isAuditEnabled = result != null && result.getIsAudited(); - if (LOG.isDebugEnabled()) { - LOG.debug("User found from principal [" + userName + "], groups [" + StringUtil.toString(groups) + "]: verifying using [" + plugin.getClass().getName() + "], allowedFlag => [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled); + if (LOG.isDebugEnabled()) { + LOG.debug("User found from principal [" + userName + "], groups [" + StringUtil.toString(groups) + "]: verifying using [" + plugin.getClass().getName() + "], allowedFlag => [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled); + } + } + else { + LOG.info("NULL User found from principal [" + user + "]: Skipping authorization; allowedFlag => [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled); } - } - else { - LOG.info("NULL User found from principal [" + user + "]: Skipping authorization; allowedFlag => [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled); } } catch(Throwable t) { From 5d3155313c29ad4ff0fa6d3bed2ad9afcf360fc1 Mon Sep 17 00:00:00 2001 From: Alok Lal Date: Thu, 11 Jun 2015 11:45:06 -0700 Subject: [PATCH 007/202] RANGER-558 Hbase plugin: unless user has READ access at any level access should be denied and audited. Signed-off-by: Madhan Neethiraj --- .../plugin/policyengine/RangerAccessRequest.java | 4 ++++ .../policyengine/RangerAccessRequestImpl.java | 10 +++++++++- .../RangerDefaultPolicyEvaluator.java | 5 +++-- .../authorization/hbase/AuthorizationSession.java | 10 +++++++++- .../hbase/RangerAuthorizationCoprocessor.java | 13 +++++++------ .../hbase/RangerAuthorizationCoprocessorBase.java | 13 +++++++++++++ 6 files changed, 45 insertions(+), 10 deletions(-) 
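Review bot: Requests whose operation is in `noAuthzOperations` set `accessAllowed = true` and skip building a RangerAccessRequest entirely, so they are neither policy-evaluated nor audited — `isAuditEnabled` remains false for them. If that is the intended parity with the default authorizer it should be stated at the `if(noAuthzOperations.contains(aOperationName))` line, e.g. `// parity with Storm's default authorizer: these operations are allowed for every caller without a policy check and are not audited`, because from the code alone it reads as an audit gap. The rest of permit(), including the catch(Throwable) and any audit call, lies outside this hunk, so I cannot confirm whether an audit record is still produced for the bypassed path.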
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java index 82a18fc9e42..63a7f5a618b 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java @@ -49,4 +49,8 @@ public interface RangerAccessRequest { String getSessionId(); Map getContext(); + + ResourceMatchingScope getResourceMatchingScope(); + + enum ResourceMatchingScope {SELF, SELF_OR_DESCENDANTS} } diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java index e1326eac270..fe50ca6de2b 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java @@ -44,6 +44,7 @@ public class RangerAccessRequestImpl implements RangerAccessRequest { private boolean isAccessTypeAny = false; private boolean isAccessTypeDelegatedAdmin = false; + private ResourceMatchingScope resourceMatchingScope = ResourceMatchingScope.SELF; public RangerAccessRequestImpl() { this(null, null, null, null); @@ -120,6 +121,11 @@ public Map getContext() { return context; } + @Override + public ResourceMatchingScope getResourceMatchingScope() { + return resourceMatchingScope; + } + @Override public boolean isAccessTypeAny() { return isAccessTypeAny; @@ -176,6 +182,8 @@ public void setSessionId(String sessionId) { this.sessionId = sessionId; } + public void setResourceMatchingScope(ResourceMatchingScope scope) { this.resourceMatchingScope = scope; } + public void setContext(Map context) { this.context = (context == null) ? new HashMap() : context; } 
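Review bot: `getResourceMatchingScope()` is added as an abstract method of the public `RangerAccessRequest` interface, which breaks every other implementation of it — the patch updates only RangerAccessRequestImpl, and if this code base targets Java 7 (it uses the diamond operator but no default methods anywhere in this series) there is no default-method escape for plugins or tests that implement the interface directly. Both the method and the `ResourceMatchingScope` enum need Javadoc stating the contract; from the evaluator change in this patch, `SELF_OR_DESCENDANTS` makes the policy evaluator attempt a resource head match as it already does for "any" access, while `SELF` keeps exact matching. Something like `/** How this request's resource is matched against policy resources: SELF requires the resource itself to match; SELF_OR_DESCENDANTS also accepts a head match, i.e. a policy on a descendant of the requested resource. */` would do.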
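Review bot: The one-line `setResourceMatchingScope` accepts null, after which the evaluator's `==` comparison silently degrades to SELF behaviour while toString prints `resourceMatchingScope={null}`; `this.resourceMatchingScope = (scope == null) ? ResourceMatchingScope.SELF : scope;` keeps the invariant the field initializer establishes, in the same way `setContext` below it substitutes an empty map for null. Formatting the setter over several lines like the neighbouring setters would also keep the class consistent.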
@@ -210,7 +218,7 @@ public StringBuilder toString(StringBuilder sb) { sb.append("action={").append(action).append("} "); sb.append("requestData={").append(requestData).append("} "); sb.append("sessionId={").append(sessionId).append("} "); - + sb.append("resourceMatchingScope={").append(resourceMatchingScope).append("} "); sb.append("context={"); if(context != null) { diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java index 030cd87e806..9f60b7bfe76 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java @@ -108,6 +108,7 @@ public void evaluate(RangerAccessRequest request, RangerAccessResult result) { boolean matchResult = false; boolean isHeadMatchAttempted = false; boolean headMatchResult = false; + final boolean attemptHeadMatch = request.isAccessTypeAny() || request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS; if (!result.getIsAuditedDetermined()) { // Need to match request.resource first. If it matches (or head matches), then only more progress can be made @@ -118,7 +119,7 @@ public void evaluate(RangerAccessRequest request, RangerAccessResult result) { // Try head match only if match was not found and ANY access was requested if (!matchResult) { - if (request.isAccessTypeAny() && !isHeadMatchAttempted) { + if (attemptHeadMatch && !isHeadMatchAttempted) { headMatchResult = matchResourceHead(request.getResource()); isHeadMatchAttempted = true; } 
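Review bot: The context comment `// Try head match only if match was not found and ANY access was requested` directly above the changed condition is now stale, because `attemptHeadMatch` is also true for a `SELF_OR_DESCENDANTS` request regardless of the access type. I would change it to `// Try head match only if no match was found and either ANY access or SELF_OR_DESCENDANTS matching was requested`. A short comment on `attemptHeadMatch` itself, e.g. `// ANY-access and descendant-scoped requests may be satisfied by a policy on a descendant resource`, would save the reader a trip to the enum.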
@@ -142,7 +143,7 @@ public void evaluate(RangerAccessRequest request, RangerAccessResult result) { // Try Head Match only if no match was found so far AND a head match was not attempted as part of evaluating // Audit requirement if (!matchResult) { - if (request.isAccessTypeAny() && !isHeadMatchAttempted) { + if (attemptHeadMatch && !isHeadMatchAttempted) { headMatchResult = matchResourceHead(request.getResource()); isHeadMatchAttempted = true; } diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java index 006629b9971..fdf1527a04f 100644 --- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java +++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java @@ -58,7 +58,8 @@ public class AuthorizationSession { // Passing a null handler to policy engine would suppress audit logging. HbaseAuditHandler _auditHandler = null; boolean _superUser = false; // is this session for a super user? - + private RangerAccessRequest.ResourceMatchingScope _resourceMatchingScope = RangerAccessRequest.ResourceMatchingScope.SELF; + // internal state per-authorization RangerAccessRequest _request; RangerAccessResult _result; @@ -169,6 +170,7 @@ AuthorizationSession buildRequest() { request.setAction(_operation); request.setRequestData(_otherInformation); request.setClientIPAddress(_remoteAddress); + request.setResourceMatchingScope(_resourceMatchingScope); _request = request; if (LOG.isDebugEnabled()) { @@ -311,6 +313,7 @@ String requestToString() { .add("table", _table) .add("column", _column) .add("column-family", _columnFamily) + .add("resource-matching-scope", _resourceMatchingScope) .toString(); } 
@@ -370,4 +373,9 @@ RangerAccessResult buildResult(boolean allowed, boolean audited, String reason) } return result; } + + AuthorizationSession resourceMatchingScope(RangerAccessRequest.ResourceMatchingScope scope) { + _resourceMatchingScope = scope; + return this; + } } diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java index e64c5af086a..8762bf5c292 100644 --- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java +++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java @@ -97,8 +97,8 @@ import org.apache.ranger.authorization.hadoop.constants.RangerHadoopConstants; import org.apache.ranger.authorization.utils.StringUtil; import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler; +import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor; -import org.apache.ranger.plugin.policyengine.RangerPolicyEngine; import org.apache.ranger.plugin.service.RangerBasePlugin; import org.apache.ranger.plugin.util.GrantRevokeRequest; @@ -408,7 +408,8 @@ ColumnFamilyAccessResult evaluateAccess(String operation, Action action, final R if (LOG.isDebugEnabled()) { LOG.debug("evaluateAccess: no family level access [" + family + "]. Checking if has partial access (of any type)..."); } - session.access(RangerPolicyEngine.ANY_ACCESS) + + session.resourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) .buildRequest() .authorize(); auditEvent = auditHandler.getAndDiscardMostRecentEvent(); // capture it only for failure 
@@ -421,17 +422,17 @@ ColumnFamilyAccessResult evaluateAccess(String operation, Action action, final R familesAccessIndeterminate.add(family); } else { if (LOG.isDebugEnabled()) { - LOG.debug("evaluateAccess: has no access of any (of any type) in family [" + family + "]"); + LOG.debug("evaluateAccess: has no access of ["+ access + "] type in family [" + family + "]"); } familesAccessDenied.add(family); - denialReason = String.format("Insufficient permissions for user ‘%s',action: %s, tableName:%s, family:%s, no columns found.", user.getName(), operation, table, family); + denialReason = String.format("Insufficient permissions for user ‘%s',action: %s, tableName:%s, family:%s.", user.getName(), operation, table, family); if (auditEvent != null && deniedEvent == null) { // we need to capture just one denial event LOG.debug("evaluateAccess: Setting denied access audit event with last auth failure audit event."); deniedEvent = auditEvent; } } - // Restore the access back - session.access(access); + // Restore the headMatch setting + session.resourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF); } } else { LOG.debug("evaluateAccess: columns collection not empty. Skipping Family level check, will do finer level access check."); diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessorBase.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessorBase.java index 31f9e2264da..9a5bf05a3f1 100644 --- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessorBase.java +++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessorBase.java 
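Review bot: The restore at the bottom of the family-level fallback unconditionally sets `ResourceMatchingScope.SELF` and is not in a `finally`, so if `authorize()` (whose body is outside this hunk) throws, the session keeps `SELF_OR_DESCENDANTS` for whatever check runs next on it. Its comment also still describes the old mechanism: `// Restore the headMatch setting`. I would write `// Restore SELF matching scope for subsequent checks on this session` and, if the session object is reused after an exception, move the restore into a `finally` around the `buildRequest().authorize()` call.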
@@ -21,6 +21,8 @@ import java.io.IOException; import java.util.List; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; import org.apache.hadoop.hbase.Cell; import org.apache.hadoop.hbase.CellScanner; import org.apache.hadoop.hbase.CoprocessorEnvironment; @@ -60,6 +62,8 @@ public abstract class RangerAuthorizationCoprocessorBase extends BaseRegionObserver implements MasterObserver, RegionServerObserver, BulkLoadObserver { + private static final Log LOG = LogFactory.getLog(RangerAuthorizationCoprocessorBase.class.getName()); + @Override public void preMergeCommit( ObserverContext ctx, @@ -227,10 +231,19 @@ public void postReplicateLogEntries(final ObserverContext ctx, List tableNamesList, List descriptors) throws IOException { + if (LOG.isDebugEnabled()) { + LOG.debug(String.format("==> postGetTableDescriptors(count(tableNamesList)=%s, count(descriptors)=%s)", tableNamesList == null ? 0 : tableNamesList.size(), + descriptors == null ? 0 : descriptors.size())); + } + } @Override public void preGetTableDescriptors(ObserverContext ctx, List tableNamesList, List descriptors, String regex) throws IOException { + if (LOG.isDebugEnabled()) { + LOG.debug(String.format("==> postGetTableDescriptors(count(tableNamesList)=%s, count(descriptors)=%s, regex=%s)", tableNamesList == null ? 0 : tableNamesList.size(), + descriptors == null ? 0 : descriptors.size(), regex)); + } } public void preGetTableNames(ObserverContext ctx, List descriptors, String regex) throws IOException { From 60ae01301f43394a6f53580f8927cb15b7911b2d Mon Sep 17 00:00:00 2001 
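Review bot: The debug message added to `preGetTableDescriptors` says `==> postGetTableDescriptors(...)`, a copy-paste from the method above it, which makes the two hooks indistinguishable in the log. The line should read `LOG.debug(String.format("==> preGetTableDescriptors(count(tableNamesList)=%s, count(descriptors)=%s, regex=%s)", ...` with the same arguments. Both hooks only log and perform no authorization; if that is intentional for these metadata callbacks, a one-line comment saying so would help the next reader.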
From: Gautam Borad Date: Thu, 18 Jun 2015 22:25:06 +0530 Subject: [PATCH 008/202] RANGER-559 : Fix ID preservation for MSSQL --- security-admin/scripts/db_setup.py | 12 ++- .../org/apache/ranger/biz/ServiceDBStore.java | 14 +++ .../org/apache/ranger/common/db/BaseDao.java | 34 ++++++++ .../ranger/solr/SolrAccessAuditsService.java | 9 ++ .../main/webapp/WEB-INF/db_patch.log4j.xml | 87 +++++++++++++++++++ .../apache/ranger/biz/TestServiceDBStore.java | 26 +++--- 6 files changed, 168 insertions(+), 14 deletions(-) create mode 100644 security-admin/src/main/webapp/WEB-INF/db_patch.log4j.xml diff --git a/security-admin/scripts/db_setup.py b/security-admin/scripts/db_setup.py index 67f2a43c9f4..35f4dc93991 100644 --- a/security-admin/scripts/db_setup.py +++ b/security-admin/scripts/db_setup.py @@ -327,6 +327,7 @@ def execute_java_patches(self, xa_db_host, db_user, db_password, db_name): version = "" className = "" app_home = os.path.join(RANGER_ADMIN_HOME,"ews","webapp") + ranger_log = os.path.join(RANGER_ADMIN_HOME,"ews","logs") javaFiles = os.path.join(app_home,"WEB-INF","classes","org","apache","ranger","patch") if not os.path.exists(javaFiles): 
@@ -366,7 +367,7 @@ def execute_java_patches(self, xa_db_host, db_user, db_password, db_name): path = os.path.join("%s","WEB-INF","classes","conf:%s","WEB-INF","classes","lib","*:%s","WEB-INF",":%s","META-INF",":%s","WEB-INF","lib","*:%s","WEB-INF","classes",":%s","WEB-INF","classes","META-INF:%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR) elif os_name == "WINDOWS": path = os.path.join("%s","WEB-INF","classes","conf;%s","WEB-INF","classes","lib","*;%s","WEB-INF",";%s","META-INF",";%s","WEB-INF","lib","*;%s","WEB-INF","classes",";%s","WEB-INF","classes","META-INF;%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR) - get_cmd = "%s -cp %s org.apache.ranger.patch.%s"%(self.JAVA_BIN,path,className) + get_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.%s"%(self.JAVA_BIN,ranger_log,path,className) if os_name == "LINUX": ret = subprocess.call(shlex.split(get_cmd)) elif os_name == "WINDOWS": @@ -591,6 +592,7 @@ def execute_java_patches(self, xa_db_host, db_user, db_password, db_name): version = "" className = "" app_home = os.path.join(RANGER_ADMIN_HOME,"ews","webapp") + ranger_log = os.path.join(RANGER_ADMIN_HOME,"ews","logs") javaFiles = os.path.join(app_home,"WEB-INF","classes","org","apache","ranger","patch") if not os.path.exists(javaFiles): 
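Review bot: The new `-Dlogdir=%s` is interpolated unquoted and the command is then tokenised with `shlex.split` on Linux, so a `RANGER_ADMIN_HOME` containing a space splits the log directory into two arguments (the `-cp` path has the same pre-existing problem). Quote it, e.g. `get_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.%s" % (self.JAVA_BIN, pipes.quote(ranger_log), pipes.quote(path), className)` (needs `import pipes`; the file's imports are outside this hunk). This exact block is also pasted into three more DB-flavor classes in this commit; a single helper on `BaseDB` would keep the four copies from drifting.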
@@ -630,7 +632,7 @@ def execute_java_patches(self, xa_db_host, db_user, db_password, db_name): path = os.path.join("%s","WEB-INF","classes","conf:%s","WEB-INF","classes","lib","*:%s","WEB-INF",":%s","META-INF",":%s","WEB-INF","lib","*:%s","WEB-INF","classes",":%s","WEB-INF","classes","META-INF:%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR) elif os_name == "WINDOWS": path = os.path.join("%s","WEB-INF","classes","conf;%s","WEB-INF","classes","lib","*;%s","WEB-INF",";%s","META-INF",";%s","WEB-INF","lib","*;%s","WEB-INF","classes",";%s","WEB-INF","classes","META-INF;%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR) - get_cmd = "%s -cp %s org.apache.ranger.patch.%s"%(self.JAVA_BIN,path,className) + get_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.%s"%(self.JAVA_BIN,ranger_log,path,className) if os_name == "LINUX": ret = subprocess.call(shlex.split(get_cmd)) elif os_name == "WINDOWS": @@ -838,6 +840,7 @@ def execute_java_patches(self, xa_db_host, db_user, db_password, db_name): version = "" className = "" app_home = os.path.join(RANGER_ADMIN_HOME,"ews","webapp") + ranger_log = os.path.join(RANGER_ADMIN_HOME,"ews","logs") javaFiles = os.path.join(app_home,"WEB-INF","classes","org","apache","ranger","patch") if not os.path.exists(javaFiles): 
@@ -877,7 +880,7 @@ def execute_java_patches(self, xa_db_host, db_user, db_password, db_name): path = os.path.join("%s","WEB-INF","classes","conf:%s","WEB-INF","classes","lib","*:%s","WEB-INF",":%s","META-INF",":%s","WEB-INF","lib","*:%s","WEB-INF","classes",":%s","WEB-INF","classes","META-INF:%s")%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR) elif os_name == "WINDOWS": path = os.path.join("%s","WEB-INF","classes","conf;%s","WEB-INF","classes","lib","*;%s","WEB-INF",";%s","META-INF",";%s","WEB-INF","lib","*;%s","WEB-INF","classes",";%s","WEB-INF","classes","META-INF;%s")%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR) - get_cmd = "%s -cp %s org.apache.ranger.patch.%s"%(self.JAVA_BIN,path,className) + get_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.%s"%(self.JAVA_BIN,ranger_log,path,className) if os_name == "LINUX": ret = subprocess.call(shlex.split(get_cmd)) elif os_name == "WINDOWS": @@ -1073,6 +1076,7 @@ def execute_java_patches(self, xa_db_host, db_user, db_password, db_name): version = "" className = "" app_home = os.path.join(RANGER_ADMIN_HOME,"ews","webapp") + ranger_log = os.path.join(RANGER_ADMIN_HOME,"ews","logs") javaFiles = os.path.join(app_home,"WEB-INF","classes","org","apache","ranger","patch") if not os.path.exists(javaFiles): 
@@ -1112,7 +1116,7 @@ def execute_java_patches(self, xa_db_host, db_user, db_password, db_name): path = os.path.join("%s","WEB-INF","classes","conf:%s","WEB-INF","classes","lib","*:%s","WEB-INF",":%s","META-INF",":%s","WEB-INF","lib","*:%s","WEB-INF","classes",":%s","WEB-INF","classes","META-INF:%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR) elif os_name == "WINDOWS": path = os.path.join("%s","WEB-INF","classes","conf;%s","WEB-INF","classes","lib","*;%s","WEB-INF",";%s","META-INF",";%s","WEB-INF","lib","*;%s","WEB-INF","classes",";%s","WEB-INF","classes","META-INF;%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR) - get_cmd = "%s -cp %s org.apache.ranger.patch.%s"%(self.JAVA_BIN,path,className) + get_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.%s"%(self.JAVA_BIN,ranger_log,path,className) if os_name == "LINUX": ret = subprocess.call(shlex.split(get_cmd)) elif os_name == "WINDOWS": diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java index ff04d3fc1b3..326cae0052e 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java @@ -262,9 +262,13 @@ public RangerServiceDef createServiceDef(RangerServiceDef serviceDef) throws Exc if (populateExistingBaseFields) { svcDefServiceWithAssignedId.setPopulateExistingBaseFields(true); + daoMgr.getXXServiceDef().setIdentityInsert(true); + svcDefServiceWithAssignedId.create(serviceDef); + svcDefServiceWithAssignedId.setPopulateExistingBaseFields(false); daoMgr.getXXServiceDef().updateSequence(); + daoMgr.getXXServiceDef().setIdentityInsert(false); } else { // following fields will be auto populated serviceDef.setId(null); 
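Review bot: In `createServiceDef` the `setIdentityInsert(true)` / `setIdentityInsert(false)` pair brackets `create()` and `updateSequence()` without a `try`/`finally`, so if either throws, the SQL Server connection is left with `IDENTITY_INSERT` ON for the service-def table and the `populateExistingBaseFields` flag stays set on the shared `svcDefServiceWithAssignedId` object. I would wrap the body so both are reset on every path, as below. `setIdentityInsert` itself is defined in `BaseDao` later in this patch and is a no-op on non-SQL Server flavors.
```java
if (populateExistingBaseFields) {
    svcDefServiceWithAssignedId.setPopulateExistingBaseFields(true);
    daoMgr.getXXServiceDef().setIdentityInsert(true);
    try {
        svcDefServiceWithAssignedId.create(serviceDef);
        daoMgr.getXXServiceDef().updateSequence();
    } finally {
        // leave IDENTITY_INSERT OFF and the shared flag cleared even when create() throws
        daoMgr.getXXServiceDef().setIdentityInsert(false);
        svcDefServiceWithAssignedId.setPopulateExistingBaseFields(false);
    }
} else {
    // … unchanged: auto-populated path …
```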
@@ -1009,7 +1013,12 @@ public RangerService createService(RangerService service) throws Exception { if (populateExistingBaseFields) { svcServiceWithAssignedId.setPopulateExistingBaseFields(true); + daoMgr.getXXService().setIdentityInsert(true); + service = svcServiceWithAssignedId.create(service); + + daoMgr.getXXService().setIdentityInsert(false); + daoMgr.getXXService().updateSequence(); svcServiceWithAssignedId.setPopulateExistingBaseFields(false); createDefaultPolicy = false; } else { @@ -1359,7 +1368,12 @@ public RangerPolicy createPolicy(RangerPolicy policy) throws Exception { if(populateExistingBaseFields) { assignedIdPolicyService.setPopulateExistingBaseFields(true); + daoMgr.getXXPolicy().setIdentityInsert(true); + policy = assignedIdPolicyService.create(policy); + + daoMgr.getXXPolicy().setIdentityInsert(false); + daoMgr.getXXPolicy().updateSequence(); assignedIdPolicyService.setPopulateExistingBaseFields(false); } else { policy = policyService.create(policy); diff --git a/security-admin/src/main/java/org/apache/ranger/common/db/BaseDao.java b/security-admin/src/main/java/org/apache/ranger/common/db/BaseDao.java index bfa4c4018bb..aaa4fa59e31 100644 --- a/security-admin/src/main/java/org/apache/ranger/common/db/BaseDao.java +++ b/security-admin/src/main/java/org/apache/ranger/common/db/BaseDao.java @@ -23,12 +23,15 @@ import java.lang.reflect.ParameterizedType; import java.lang.reflect.Type; +import java.sql.Connection; +import java.sql.SQLException; import java.util.ArrayList; import java.util.List; import javax.persistence.EntityManager; import javax.persistence.NoResultException; import javax.persistence.Query; +import javax.persistence.Table; import javax.persistence.TypedQuery; import org.apache.log4j.Logger; 
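Review bot: In both `createService` and `createPolicy` the `setIdentityInsert(false)` call only runs if `create()` returns normally, so an exception leaves `IDENTITY_INSERT` ON on the SQL Server connection and `populateExistingBaseFields` set on the shared `svcServiceWithAssignedId` / `assignedIdPolicyService` objects; note also that `setPopulateExistingBaseFields(false)` is ordered differently here than in `createServiceDef`. I would wrap each as `try { service = svcServiceWithAssignedId.create(service); daoMgr.getXXService().updateSequence(); } finally { daoMgr.getXXService().setIdentityInsert(false); svcServiceWithAssignedId.setPopulateExistingBaseFields(false); }` and the same for the policy variant.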
@@ -231,4 +234,35 @@ public void updateSequence(String seqName, long nextValue) { } + public void setIdentityInsert(boolean identityInsert) { + if (RangerBizUtil.getDBFlavor() != AppConstants.DB_FLAVOR_SQLSERVER) { + logger.debug("Ignoring BaseDao.setIdentityInsert(). This should be executed if DB flavor is sqlserver."); + return; + } + + EntityManager entityMgr = getEntityManager(); + + String identityInsertStr; + if (identityInsert) { + identityInsertStr = "ON"; + } else { + identityInsertStr = "OFF"; + } + + Table table = tClass.getAnnotation(Table.class); + + if(table == null) { + throw new NullPointerException("Required annotation `Table` not found"); + } + + String tableName = table.name(); + + Connection conn = entityMgr.unwrap(Connection.class); + try { + conn.createStatement().execute("SET IDENTITY_INSERT " + tableName + " " + identityInsertStr); + } catch (SQLException e) { + logger.error("Error while settion identity_insert " + identityInsertStr, e); + } + } + } diff --git a/security-admin/src/main/java/org/apache/ranger/solr/SolrAccessAuditsService.java b/security-admin/src/main/java/org/apache/ranger/solr/SolrAccessAuditsService.java index ad198227145..5fc45d256e2 100644 --- a/security-admin/src/main/java/org/apache/ranger/solr/SolrAccessAuditsService.java +++ b/security-admin/src/main/java/org/apache/ranger/solr/SolrAccessAuditsService.java @@ -32,6 +32,8 @@ import org.apache.ranger.common.SearchField.DATA_TYPE; import org.apache.ranger.common.SearchField.SEARCH_TYPE; import org.apache.ranger.common.SortField.SORT_ORDER; +import org.apache.ranger.db.RangerDaoManager; +import org.apache.ranger.entity.XXServiceDef; import org.apache.ranger.view.VXAccessAudit; import org.apache.ranger.view.VXAccessAuditList; import org.apache.ranger.view.VXLong; 
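Review bot: `conn.createStatement()` is never closed and an `SQLException` is only logged, after which the caller proceeds to insert with an explicit id and fails with a less useful error (or, on the OFF call, silently leaves `IDENTITY_INSERT` ON); the log message also misspells `settion`. Close the statement and propagate the failure as below (try-with-resources assumes a Java 7+ build; otherwise close in a `finally`). Two caveats deserve a comment in the method: `tableName` comes from the `@Table` annotation rather than request data, which is why concatenating it into the statement is acceptable, and `SET IDENTITY_INSERT` is per-connection, so the unwrapped `Connection` must be the one the following JPA flush uses — I believe that holds only inside an active transaction, worth confirming.
```java
// tableName is taken from the @Table annotation, never from request data, so
// building the statement by concatenation is safe here.
Connection conn = entityMgr.unwrap(Connection.class);
try (java.sql.Statement stmt = conn.createStatement()) {
    stmt.execute("SET IDENTITY_INSERT " + tableName + " " + identityInsertStr);
} catch (SQLException e) {
    logger.error("Error while setting identity_insert " + identityInsertStr + " on " + tableName, e);
    throw new IllegalStateException("SET IDENTITY_INSERT " + identityInsertStr + " failed for " + tableName, e);
}
```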
@@ -60,6 +62,9 @@ public class SolrAccessAuditsService { @Autowired StringUtil stringUtil; + @Autowired + RangerDaoManager daoManager; + public List sortFields = new ArrayList(); public List searchFields = new ArrayList(); @@ -221,6 +226,10 @@ private VXAccessAudit populateViewBean(SolrDocument doc) { value = doc.getFieldValue("repoType"); if (value != null) { accessAudit.setRepoType(solrUtil.toInt(value)); + XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById((long) accessAudit.getRepoType()); + if (xServiceDef != null) { + accessAudit.setServiceType(xServiceDef.getName()); + } } value = doc.getFieldValue("resType"); if (value != null) { diff --git a/security-admin/src/main/webapp/WEB-INF/db_patch.log4j.xml b/security-admin/src/main/webapp/WEB-INF/db_patch.log4j.xml new file mode 100644 index 00000000000..1aafb071e14 --- /dev/null +++ b/security-admin/src/main/webapp/WEB-INF/db_patch.log4j.xml @@ -0,0 +1,87 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java b/security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java index 6f95a8a7e94..e13b862aaac 100644 --- a/security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java +++ b/security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java 
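Review bot: The added lookup calls `daoManager.getXXServiceDef().getById(...)` inside `populateViewBean`, i.e. one database query per Solr document returned, which for a page of audit results is an N+1 pattern (the caller is outside this hunk, so the page size is not visible here). Service-def ids are few and stable, so resolving them once per request into a `Map<Long, String>` or caching them in the service would remove the per-row query. A short comment such as `// repoType holds the service-def id; resolve it to the service-def name for display` would also explain why a "repo type" is looked up as a service def.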
@@ -1160,13 +1160,17 @@ public void test18getPaginatedServiceDefs() throws Exception { @Test public void test19createService() throws Exception { - XXServiceDao xServiceDao = Mockito.mock(XXServiceDao.class); + XXServiceDao xServiceDao = Mockito.mock(XXServiceDao.class); XXServiceConfigMapDao xServiceConfigMapDao = Mockito .mock(XXServiceConfigMapDao.class); XXUserDao xUserDao = Mockito.mock(XXUserDao.class); XXServiceConfigDefDao xServiceConfigDefDao = Mockito .mock(XXServiceConfigDefDao.class); XXService xService = Mockito.mock(XXService.class); + XXService xService2 = new XXService(); + xService2.setId(1L); + xService2.setName("Test"); + xService2.setType(1L); XXUser xUser = Mockito.mock(XXUser.class); RangerService rangerService = rangerService(); @@ -1183,8 +1187,7 @@ public void test19createService() throws Exception { Mockito.when(xServiceConfigDefDao.findByServiceDefName(userName)) .thenReturn(svcConfDefList); - Mockito.when(svcServiceWithAssignedId.create(rangerService)) - .thenReturn(rangerService); + Mockito.when(svcService.create(rangerService)).thenReturn(rangerService); Mockito.when(daoManager.getXXService()).thenReturn(xServiceDao); Mockito.when(xServiceDao.getById(rangerService.getId())).thenReturn( 
@@ -1207,18 +1210,21 @@ public void test19createService() throws Exception { Mockito.when(svcService.getPopulatedViewObject(xService)).thenReturn( rangerService); - serviceDBStore.setPopulateExistingBaseFields(true); + Mockito.when(daoManager.getXXService()).thenReturn(xServiceDao); + Mockito.when(xServiceDao.getById(Mockito.anyLong())).thenReturn(xService2); Mockito.when( rangerAuditFields.populateAuditFields( Mockito.isA(XXServiceConfigMap.class), Mockito.isA(XXService.class))).thenReturn(xConfMap); - - RangerService dbRangerService = serviceDBStore - .createService(rangerService); - serviceDBStore.setPopulateExistingBaseFields(false); - Assert.assertNotNull(dbRangerService); - Mockito.verify(daoManager).getXXService(); + + RangerServiceDef ran = new RangerServiceDef(); + ran.setName("Test"); + Mockito.when(serviceDefService.read(1L)).thenReturn(ran); + + serviceDBStore.createService(rangerService); + + Mockito.verify(daoManager, Mockito.atLeast(1)).getXXService(); Mockito.verify(daoManager).getXXServiceConfigMap(); } From 19aa95ec7df94e543a6533bcf992c0e7d09ce620 Mon Sep 17 00:00:00 2001 From: Gautam Borad Date: Fri, 19 Jun 2015 18:33:59 -0400 Subject: [PATCH 009/202] RANGER-562: Policy migration updated to ignore incorrect permission type and continue with migration Signed-off-by: Madhan Neethiraj --- .../ranger/patch/PatchMigration_J10002.java | 28 ++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/security-admin/src/main/java/org/apache/ranger/patch/PatchMigration_J10002.java b/security-admin/src/main/java/org/apache/ranger/patch/PatchMigration_J10002.java index 1747324e900..44306d83c97 100644 --- a/security-admin/src/main/java/org/apache/ranger/patch/PatchMigration_J10002.java +++ b/security-admin/src/main/java/org/apache/ranger/patch/PatchMigration_J10002.java 
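Review bot: The rewritten `test19createService` discards the return of `serviceDBStore.createService(rangerService)`, drops the previous `Assert.assertNotNull(dbRangerService)`, and no longer enables `populateExistingBaseFields`, so the new `setIdentityInsert` path in `createService` is left untested. At minimum restore `RangerService dbRangerService = serviceDBStore.createService(rangerService); Assert.assertNotNull(dbRangerService);`, and add a second case with `serviceDBStore.setPopulateExistingBaseFields(true)` that verifies `xServiceDao.setIdentityInsert(true)` and `setIdentityInsert(false)` are both invoked, including when `create()` throws.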
@@ -20,10 +20,13 @@ import java.util.ArrayList; import java.util.Collections; import java.util.HashMap; +import java.util.HashSet; import java.util.List; import java.util.Map; import java.util.Map.Entry; +import java.util.Set; +import org.apache.commons.collections.CollectionUtils; import org.apache.commons.lang.StringUtils; import org.apache.log4j.Logger; import org.apache.ranger.biz.RangerBizUtil; @@ -91,6 +94,15 @@ public class PatchMigration_J10002 extends BaseLoader { private static int policyCounter = 0; private static int serviceCounter = 0; + static Set unsupportedLegacyPermTypes = new HashSet(); + + static { + unsupportedLegacyPermTypes.add("Unknown"); + unsupportedLegacyPermTypes.add("Reset"); + unsupportedLegacyPermTypes.add("Obfuscate"); + unsupportedLegacyPermTypes.add("Mask"); + } + public static void main(String[] args) { logger.info("main()"); try { @@ -451,6 +463,10 @@ private List getPolicyItemListForRes(XXResource xRes, XXServic } String accessType = ServiceUtil.toAccessType(permMap.getPermType()); + if(StringUtils.isBlank(accessType) || unsupportedLegacyPermTypes.contains(accessType)) { + logger.info(accessType + ": is not a valid access-type, ignoring accesstype for policy: " + xRes.getPolicyName()); + continue; + } if(StringUtils.equalsIgnoreCase(accessType, "Admin")) { policyItem.setDelegateAdmin(Boolean.TRUE); @@ -464,6 +480,16 @@ private List getPolicyItemListForRes(XXResource xRes, XXServic ipAddress = permMap.getIpAddress(); } + if(CollectionUtils.isEmpty(accessList)) { + logger.info("no access specified. ignoring policyItem for policy: " + xRes.getPolicyName()); + continue; + } + + if(CollectionUtils.isEmpty(userList) && CollectionUtils.isEmpty(groupList)) { + logger.info("no user or group specified. ignoring policyItem for policy: " + xRes.getPolicyName()); + continue; + } + policyItem.setUsers(userList); policyItem.setGroups(groupList); policyItem.setAccesses(accessList); 
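Review bot: The new `if (CollectionUtils.isEmpty(accessList)) continue;` runs after the `Admin` branch has set `policyItem.setDelegateAdmin(Boolean.TRUE)`; if an Admin-only permission does not also add to `accessList` (that code is outside the visible hunk), the migration would silently drop delegated-admin grants, so the guard should probably be `if (CollectionUtils.isEmpty(accessList) && !Boolean.TRUE.equals(policyItem.getDelegateAdmin()))`. Dropping a permission type or a whole policy item narrows an existing policy, which is a security-relevant change to the migrated data; I would log these at `warn` rather than `info` and emit a per-policy count at the end of the migration. `unsupportedLegacyPermTypes` is a mutable static; `Collections.unmodifiableSet(...)` (already imported) prevents accidental edits.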
@@ -525,4 +551,4 @@ private String getGroupName(VXPermMap permMap) { return groupName; } -} \ No newline at end of file +} From 10f21940e310482d5a68eb225469835f2eb0861d Mon Sep 17 00:00:00 2001 From: Velmurugan Periasamy Date: Tue, 23 Jun 2015 18:40:53 -0400 Subject: [PATCH 010/202] RANGER-565: Fixed Oracle JDBC driver issue causing dba_script/db_setup failure with java.sql.SQLRecoverableException: IO Error when using Oracle Signed-off-by: sneethiraj --- kms/scripts/db_setup.py | 1 + kms/scripts/dba_script.py | 1 + security-admin/scripts/db_setup.py | 3 ++- security-admin/scripts/dba_script.py | 3 +++ 4 files changed, 7 insertions(+), 1 deletion(-) diff --git a/kms/scripts/db_setup.py b/kms/scripts/db_setup.py index fd10f4ec8a7..8116049a270 100644 --- a/kms/scripts/db_setup.py +++ b/kms/scripts/db_setup.py @@ -190,6 +190,7 @@ def get_jisql_cmd(self, user, password): #path = os.getcwd() path = RANGER_KMS_HOME self.JAVA_BIN = self.JAVA_BIN.strip("'") + self.JAVA_BIN = self.JAVA_BIN + " -Djava.security.egd=file:///dev/urandom " if os_name == "LINUX": jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver oraclethin -cstring jdbc:oracle:thin:@%s -u '%s' -p '%s' -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR,path, self.host, user, password) elif os_name == "WINDOWS": diff --git a/kms/scripts/dba_script.py b/kms/scripts/dba_script.py index 2a3d5d79162..c549fadd64c 100644 --- a/kms/scripts/dba_script.py +++ b/kms/scripts/dba_script.py 
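Review bot: `get_jisql_cmd` now mutates `self.JAVA_BIN` on every call, so each subsequent query built from the same object carries one more copy of `-Djava.security.egd=file:///dev/urandom` on its command line. Use a local instead: `java_bin = self.JAVA_BIN.strip("'") + " -Djava.security.egd=file:///dev/urandom"` and pass `java_bin` to the format string. The triple-slash `file:///dev/urandom` form is, as far as I know, the one the JDK honours for this property, so keep it as written; the DB password passed via `-p '%s'` on the command line is pre-existing but remains visible in the process list.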
@@ -326,6 +326,7 @@ def __init__(self, host, SQL_CONNECTOR_JAR, JAVA_BIN): def get_jisql_cmd(self, user, password): #TODO: User array for forming command path = RANGER_KMS_HOME + self.JAVA_BIN = self.JAVA_BIN + " -Djava.security.egd=file:///dev/urandom " if os_name == "LINUX": jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver oraclethin -cstring jdbc:oracle:thin:@%s -u '%s' -p '%s' -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR,path, self.host, user, password) elif os_name == "WINDOWS": diff --git a/security-admin/scripts/db_setup.py b/security-admin/scripts/db_setup.py index 35f4dc93991..90d7d4eaa87 100644 --- a/security-admin/scripts/db_setup.py +++ b/security-admin/scripts/db_setup.py @@ -398,6 +398,7 @@ def __init__(self, host, SQL_CONNECTOR_JAR, JAVA_BIN): def get_jisql_cmd(self, user, password): path = RANGER_ADMIN_HOME self.JAVA_BIN = self.JAVA_BIN.strip("'") + self.JAVA_BIN = self.JAVA_BIN + " -Djava.security.egd=file:///dev/urandom " if os_name == "LINUX": jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver oraclethin -cstring jdbc:oracle:thin:@%s -u '%s' -p '%s' -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, self.host, user, password) elif os_name == "WINDOWS": 
@@ -632,7 +633,7 @@ def execute_java_patches(self, xa_db_host, db_user, db_password, db_name): path = os.path.join("%s","WEB-INF","classes","conf:%s","WEB-INF","classes","lib","*:%s","WEB-INF",":%s","META-INF",":%s","WEB-INF","lib","*:%s","WEB-INF","classes",":%s","WEB-INF","classes","META-INF:%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR) elif os_name == "WINDOWS": path = os.path.join("%s","WEB-INF","classes","conf;%s","WEB-INF","classes","lib","*;%s","WEB-INF",";%s","META-INF",";%s","WEB-INF","lib","*;%s","WEB-INF","classes",";%s","WEB-INF","classes","META-INF;%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR) - get_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.%s"%(self.JAVA_BIN,ranger_log,path,className) + get_cmd = "%s -Djava.security.egd=file:///dev/urandom -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.%s"%(self.JAVA_BIN,ranger_log,path,className) if os_name == "LINUX": ret = subprocess.call(shlex.split(get_cmd)) elif os_name == "WINDOWS": diff --git a/security-admin/scripts/dba_script.py b/security-admin/scripts/dba_script.py index a3737edf1ef..133af155bb4 100644 --- a/security-admin/scripts/dba_script.py +++ b/security-admin/scripts/dba_script.py 
@@ -333,10 +333,13 @@ def __init__(self, host, SQL_CONNECTOR_JAR, JAVA_BIN): def get_jisql_cmd(self, user, password): #TODO: User array for forming command path = RANGER_ADMIN_HOME + #print "self.JAVA_BIN=" + self.JAVA_BIN + self.JAVA_BIN = self.JAVA_BIN + " -Djava.security.egd=file:///dev/urandom " if os_name == "LINUX": jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver oraclethin -cstring jdbc:oracle:thin:@%s -u '%s' -p '%s' -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR,path, self.host, user, password) elif os_name == "WINDOWS": jisql_cmd = "%s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver oraclethin -cstring jdbc:oracle:thin:@%s -u %s -p %s -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, self.host, user, password) + #print jisql_cmd return jisql_cmd def check_connection(self, db_name, db_user, db_password): From 89f6eed17fd51b64e49e2f6b2f6c0fc0e6d224f8 Mon Sep 17 00:00:00 2001 From: sneethiraj Date: Tue, 23 Jun 2015 21:54:27 -0700 Subject: [PATCH 011/202] RANGER-566: modified to use private synonym for ranger-admin installation on oracle --- .../db/oracle/xa_core_db_oracle.sql | 3 -- security-admin/scripts/db_setup.py | 27 ++++++++++++++++++ security-admin/scripts/dba_script.py | 28 +++++++++---------- security-admin/scripts/setup.sh | 4 +-- 4 files changed, 43 insertions(+), 19 deletions(-) diff --git a/security-admin/db/oracle/xa_core_db_oracle.sql b/security-admin/db/oracle/xa_core_db_oracle.sql index 9cc22ff0705..2ede81037cb 100644 --- a/security-admin/db/oracle/xa_core_db_oracle.sql +++ b/security-admin/db/oracle/xa_core_db_oracle.sql 
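Review bot: The two commented-out `#print` lines should be deleted rather than left in: the second would echo the full jisql command line, including the `-p '<password>'` argument, to stdout if anyone re-enables it for debugging. The same `self.JAVA_BIN = self.JAVA_BIN + ...` accumulation applies here — each call to `get_jisql_cmd` appends the flag again; build the command from a local `java_bin = self.JAVA_BIN + " -Djava.security.egd=file:///dev/urandom"` instead.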
@@ -429,9 +429,6 @@ CREATE INDEX x_user_FK_upd_by_id ON x_user (upd_by_id); CREATE INDEX x_user_FK_cred_store_id ON x_user (cred_store_id); CREATE INDEX x_user_cr_time ON x_user (create_time); CREATE INDEX x_user_up_time ON x_user(update_time); - -CREATE OR REPLACE PUBLIC SYNONYM xa_access_audit FOR xa_access_audit; -CREATE OR REPLACE PUBLIC SYNONYM XA_ACCESS_AUDIT_SEQ FOR XA_ACCESS_AUDIT_SEQ; commit; insert into x_portal_user ( id,CREATE_TIME, UPDATE_TIME, diff --git a/security-admin/scripts/db_setup.py b/security-admin/scripts/db_setup.py index 90d7d4eaa87..0d6c49b5029 100644 --- a/security-admin/scripts/db_setup.py +++ b/security-admin/scripts/db_setup.py @@ -147,6 +147,9 @@ def apply_auditdb_patches(self, xa_sqlObj,xa_db_host, audit_db_host, db_name, au def execute_java_patches(xa_db_host, db_user, db_password, db_name): log("[I] ----------------- Executing java patches ------------", "info") + def create_synonym(db_name, db_user, db_password,audit_db_user): + log("[I] ----------------- Creating Synonym ------------", "info") + class MysqlConf(BaseDB): # Constructor def __init__(self, host,SQL_CONNECTOR_JAR,JAVA_BIN): 
@@ -465,6 +468,26 @@ def import_db_file(self, db_name, db_user, db_password, file_name): log("[E] "+name + " import failed!","error") sys.exit(1) + def create_synonym(self,db_name, db_user, db_password,audit_db_user): + log("[I] ----------------- Creating Synonym ------------", "info") + get_cmd = self.get_jisql_cmd(db_user, db_password) + if os_name == "LINUX": + query = get_cmd + " -c \; -query 'CREATE OR REPLACE SYNONYM %s.XA_ACCESS_AUDIT FOR %s.XA_ACCESS_AUDIT;'" % (audit_db_user,db_user) + ret = subprocess.call(shlex.split(query)) + elif os_name == "WINDOWS": + query = get_cmd + " -query \"CREATE OR REPLACE SYNONYM %s.XA_ACCESS_AUDIT FOR %s.XA_ACCESS_AUDIT;\" -c ;" % (audit_db_user,db_user) + ret = subprocess.call(query) + if ret != 0: + sys.exit(1) + if os_name == "LINUX": + query = get_cmd + " -c \; -query 'CREATE OR REPLACE SYNONYM %s.XA_ACCESS_AUDIT_SEQ FOR %s.XA_ACCESS_AUDIT_SEQ;'" % (audit_db_user,db_user) + ret = subprocess.call(shlex.split(query)) + elif os_name == "WINDOWS": + query = get_cmd + " -query \"CREATE OR REPLACE SYNONYM %s.XA_ACCESS_AUDIT_SEQ FOR %s.XA_ACCESS_AUDIT_SEQ;\" -c ;" % (audit_db_user,db_user) + ret = subprocess.call(query) + if ret != 0: + sys.exit(1) + def import_db_patches(self, db_name, db_user, db_password, file_name): if os.path.isfile(file_name): name = basename(file_name) @@ -1285,6 +1308,10 @@ def main(argv): else: log("[I] --------- Importing Ranger Core DB Schema ---------","info") xa_sqlObj.import_db_file(db_name, db_user, db_password, xa_db_core_file) + if XA_DB_FLAVOR == "ORACLE": + if xa_sqlObj.check_table(db_name, db_user, db_password, xa_access_audit): + if db_user != audit_db_user: + xa_sqlObj.create_synonym(db_name, db_user, db_password,audit_db_user) log("[I] --------- Verifying upgrade history table ---------","info") output = xa_sqlObj.check_table(db_name, db_user, db_password, x_db_version) if output == False: 
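Review bot: `create_synonym` duplicates the LINUX/WINDOWS command block once per synonym, and on any other `os_name` neither branch assigns `ret`, so `if ret != 0:` raises NameError instead of exiting cleanly; both synonyms also exit on failure without saying which one failed. `audit_db_user` and `db_user` are spliced unquoted into the DDL and then into a shell string, so a sanity check that each is a plain identifier before formatting (if `re` is in scope in this file, `re.match(r'^[A-Za-z_][A-Za-z0-9_$#]*$', name)`) would catch a misconfigured value before it reaches the shell. A loop over the two object names with an explicit else branch and a per-object error message removes the duplication:
```python
    def create_synonym(self, db_name, db_user, db_password, audit_db_user):
        log("[I] ----------------- Creating Synonym ------------", "info")
        get_cmd = self.get_jisql_cmd(db_user, db_password)
        # one private synonym per audit object, created in the audit user's schema
        for obj in ("XA_ACCESS_AUDIT", "XA_ACCESS_AUDIT_SEQ"):
            stmt = "CREATE OR REPLACE SYNONYM %s.%s FOR %s.%s;" % (audit_db_user, obj, db_user, obj)
            if os_name == "LINUX":
                ret = subprocess.call(shlex.split(get_cmd + " -c \; -query '%s'" % stmt))
            elif os_name == "WINDOWS":
                ret = subprocess.call(get_cmd + " -query \"%s\" -c ;" % stmt)
            else:
                ret = 1
            if ret != 0:
                log("[E] Creating synonym for %s failed" % obj, "error")
                sys.exit(1)
```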
diff --git a/security-admin/scripts/dba_script.py b/security-admin/scripts/dba_script.py index 133af155bb4..045990dc625 100644 --- a/security-admin/scripts/dba_script.py +++ b/security-admin/scripts/dba_script.py @@ -391,10 +391,10 @@ def create_rangerdb_user(self, root_user, db_user, db_password, db_root_password log("[I] User " + db_user + " created", "info") log("[I] Granting permission to " + db_user, "info") if os_name == "LINUX": - query = get_cmd + " -c \; -query 'GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;'" % (db_user) + query = get_cmd + " -c \; -query 'GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE ANY SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;'" % (db_user) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": - query = get_cmd + " -query \"GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;\" -c ;" % (db_user) + query = get_cmd + " -query \"GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE ANY SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;\" -c ;" % (db_user) ret = subprocess.call(query) if ret == 0: log("[I] Granting permissions to Oracle user '" + db_user + "' for %s done" %(self.host), "info") 
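Review bot: `CREATE ANY SYNONYM` is a system-wide privilege that lets the ranger user create or replace private synonyms in every schema, and it is granted `WITH ADMIN OPTION` like the rest of the list, so it can be passed on further; that is considerably broader than the single synonym in the audit user's schema that db_setup.py creates in this commit. If the synonym were created while connected as the audit user it would only need `CREATE SYNONYM` in its own schema, which is the least-privilege form; if the current approach is kept, the reason for the ANY grant deserves a comment next to the grant. The same grant string is repeated in the hunks at @@ -483, @@ -499, @@ -576, @@ -591, @@ -609, @@ -634 and @@ -652 of dba_script.py; hoisting it into one module-level constant would make the next privilege change a one-line edit instead of eight.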
@@ -483,10 +483,10 @@ def assign_tablespace(self, root_user, db_root_password, db_user, db_password, d if ret == 0: log("[I] Granting permission to " + db_user, "info") if os_name == "LINUX": - query = get_cmd + " -c \; -query 'GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;'" % (db_user) + query = get_cmd + " -c \; -query 'GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE ANY SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;'" % (db_user) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": - query = get_cmd + " -query \"GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;\" -c ;" % (db_user) + query = get_cmd + " -query \"GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE ANY SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;\" -c ;" % (db_user) ret = subprocess.call(query) if ret == 0: log("[I] Granting Oracle user '" + db_user + "' done", "info") 
@@ -499,7 +499,7 @@ def assign_tablespace(self, root_user, db_root_password, db_user, db_password, d sys.exit(1) else: logFile("alter user %s identified by \"%s\" DEFAULT Tablespace %s;" %(db_user, db_password, db_name)) - logFile("GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;" % (db_user)) + logFile("GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE ANY SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;" % (db_user)) def create_auditdb(self, audit_db_root_user, db_name ,audit_db_name, db_user, audit_db_user, db_password, audit_db_password, audit_db_root_password,dryMode): @@ -576,10 +576,10 @@ def create_auditdb(self, audit_db_root_user, db_name ,audit_db_name, db_user, au if (ret1 == 0 and ret2 == 0): log("[I] Granting permission to " + db_user, "info") if os_name == "LINUX": - query = get_cmd + " -c \; -query 'GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;'" % (db_user) + query = get_cmd + " -c \; -query 'GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE ANY SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;'" % (db_user) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": - query = get_cmd + " -query \"GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;\" -c ;" % (db_user) + query = get_cmd + " -query \"GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE ANY SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;\" -c ;" % (db_user) ret = subprocess.call(query) if ret == 0: return True 
@@ -591,16 +591,16 @@ def create_auditdb(self, audit_db_root_user, db_name ,audit_db_name, db_user, au else: logFile("alter user %s identified by \"%s\" DEFAULT Tablespace %s;" %(audit_db_user, audit_db_password, db_name)) logFile("alter user %s identified by \"%s\" DEFAULT Tablespace %s;" %(audit_db_user, audit_db_password, audit_db_name)) - logFile("GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;" % (db_user)) + logFile("GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE ANY SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;" % (db_user)) def grant_xa_db_user(self, root_user, db_name, db_user, db_password, db_root_password, invoke,dryMode): if dryMode == False: get_cmd = self.get_jisql_cmd(root_user ,db_root_password) if os_name == "LINUX": - query = get_cmd + " -c \; -query 'GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;'" % (db_user) + query = get_cmd + " -c \; -query 'GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE ANY SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;'" % (db_user) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": - query = get_cmd + " -query \"GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;\" -c ;" % (db_user) + query = get_cmd + " -query \"GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE ANY SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;\" -c ;" % (db_user) ret = subprocess.call(query) if ret == 0: log("[I] Granted permission to " + db_user, "info") 
@@ -609,7 +609,7 @@ def grant_xa_db_user(self, root_user, db_name, db_user, db_password, db_root_pas log("[E] Granting Oracle user '" + db_user + "' failed..", "error") sys.exit(1) else: - logFile("GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;" % (db_user)) + logFile("GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE ANY SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;" % (db_user)) def create_auditdb_user(self, xa_db_host , audit_db_host , db_name ,audit_db_name, xa_db_root_user, audit_db_root_user, db_user, audit_db_user, xa_db_root_password, audit_db_root_password, db_password, audit_db_password, DBA_MODE,dryMode): if DBA_MODE == "TRUE": 
@@ -634,10 +634,10 @@ def create_auditdb_user(self, xa_db_host , audit_db_host , db_name ,audit_db_nam log("[I] User " + db_user + " created", "info") log("[I] Granting permission to " + db_user, "info") if os_name == "LINUX": - query = get_cmd + " -c \; -query 'GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;'" % (db_user) + query = get_cmd + " -c \; -query 'GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE ANY SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;'" % (db_user) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": - query = get_cmd + " -query \"GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;\" -c ;" % (db_user) + query = get_cmd + " -query \"GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE ANY SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;\" -c ;" % (db_user) ret = subprocess.call(query) if ret == 0: log("[I] Granting permissions to Oracle user '" + db_user + "' for %s Done" %(self.host), "info") 
@@ -652,7 +652,7 @@ def create_auditdb_user(self, xa_db_host , audit_db_host , db_name ,audit_db_nam sys.exit(1) else: logFile("create user %s identified by \"%s\";" %(db_user, db_password)) - logFile("GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;" % (db_user)) + logFile("GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE ANY SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;" % (db_user)) if self.verify_user(audit_db_root_user, audit_db_user, audit_db_root_password,dryMode): if dryMode == False: diff --git a/security-admin/scripts/setup.sh b/security-admin/scripts/setup.sh index 12224c4d15b..b79cba47545 100755 --- a/security-admin/scripts/setup.sh +++ b/security-admin/scripts/setup.sh @@ -797,11 +797,11 @@ update_properties() { if [ "${DB_FLAVOR}" == "ORACLE" ] then propertyName=ranger.jpa.jdbc.url - newPropertyValue="jdbc:oracle:thin:\@//${DB_HOST}" + newPropertyValue="jdbc:oracle:thin:@${DB_HOST}" updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger propertyName=ranger.jpa.audit.jdbc.url - newPropertyValue="jdbc:oracle:thin:\@//${DB_HOST}" + newPropertyValue="jdbc:oracle:thin:@${DB_HOST}" updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger propertyName=ranger.jpa.jdbc.dialect From 5ad0820f0b853a2d4061312ba24a264f1206f1b4 Mon Sep 17 00:00:00 2001 From: sneethiraj Date: Mon, 22 Jun 2015 18:29:39 -0700 Subject: [PATCH 012/202] RANGER-564: added incubating as part of the release filename --- release-build.xml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/release-build.xml b/release-build.xml index 5b3db7e05be..b968d859fab 100644 --- a/release-build.xml +++ b/release-build.xml @@ -21,7 +21,8 @@ - + + From 70887df6ccdfd0903f06a11e8705e62f87199623 Mon Sep 17 00:00:00 2001 
From: Madhan Neethiraj Date: Fri, 19 Jun 2015 17:34:13 -0400 Subject: [PATCH 013/202] RANGER-561: YARN plugin updated to fallback to YARN ACL, instead of creating Ranger policies --- .../constants/RangerHadoopConstants.java | 5 + .../yarn/authorizer/RangerYarnAuthorizer.java | 208 ++++++++++++------ 2 files changed, 148 insertions(+), 65 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java index a80002763bf..ac9e93d3257 100644 --- a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java +++ b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java 
@@ -41,17 +41,22 @@ public class RangerHadoopConstants { public static final String STORM_ACCESS_VERIFIER_CLASS_NAME_PROP = "storm.authorization.verifier.classname" ; public static final String STORM_ACCESS_VERIFIER_CLASS_NAME_DEFAULT_VALUE = "org.apache.ranger.pdp.storm.RangerAuthorizer" ; + public static final String RANGER_ADD_YARN_PERMISSION_PROP = "ranger.add-yarn-authorization" ; + public static final boolean RANGER_ADD_YARN_PERMISSION_DEFAULT = true ; + // // Loging constants // public static final String AUDITLOG_FIELD_DELIMITER_PROP = "xasecure.auditlog.fieldDelimiterString"; public static final String AUDITLOG_RANGER_MODULE_ACL_NAME_PROP = "xasecure.auditlog.xasecureAcl.name" ; public static final String AUDITLOG_HADOOP_MODULE_ACL_NAME_PROP = "xasecure.auditlog.hadoopAcl.name" ; + public static final String AUDITLOG_YARN_MODULE_ACL_NAME_PROP = "ranger.auditlog.yarnAcl.name" ; public static final String DEFAULT_LOG_FIELD_DELIMITOR = "|" ; public static final String DEFAULT_XASECURE_MODULE_ACL_NAME = "xasecure-acl" ; public static final String DEFAULT_RANGER_MODULE_ACL_NAME = "ranger-acl" ; public static final String DEFAULT_HADOOP_MODULE_ACL_NAME = "hadoop-acl" ; + public static final String DEFAULT_YARN_MODULE_ACL_NAME = "yarn-acl" ; public static final String AUDITLOG_FIELDINFO_VISIBLE_PROP = "xasecure.auditlog.fieldInfoVisible" ; diff --git a/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java b/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java index e322477ef70..ab9b7a93091 100644 --- a/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java +++ b/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java 
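Review bot: `RANGER_ADD_YARN_PERMISSION_PROP` and its default are added without a comment, and the name `ranger.add-yarn-authorization` does not say that what it controls is the fallback to YARN's own ACLs when no Ranger policy determines the request (its use in RangerYarnAuthorizer.checkPermission further down this patch). A one-line comment above the pair, `// when true, requests not determined by a Ranger policy fall back to the YARN ACLs registered via YarnAuthorizationProvider.setPermission()`, would make the default-true choice legible to someone reading only this file. The YARN audit ACL-name pair follows the existing naming of the neighbouring constants, so nothing to change there.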
@@ -21,13 +21,9 @@ package org.apache.ranger.authorization.yarn.authorizer; import java.net.InetAddress; -import java.util.Collection; -import java.util.HashSet; +import java.util.HashMap; import java.util.Map; -import java.util.Set; -import org.apache.commons.collections.CollectionUtils; -import org.apache.commons.collections.MapUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.hadoop.conf.Configuration; @@ -35,14 +31,16 @@ import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.authorize.AccessControlList; import org.apache.hadoop.yarn.security.*; +import org.apache.hadoop.yarn.security.PrivilegedEntity.EntityType; +import org.apache.ranger.audit.model.AuthzAuditEvent; +import org.apache.ranger.authorization.hadoop.config.RangerConfiguration; +import org.apache.ranger.authorization.hadoop.constants.RangerHadoopConstants; import org.apache.ranger.authorization.utils.StringUtil; import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler; import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl; import org.apache.ranger.plugin.policyengine.RangerAccessResult; -import org.apache.ranger.plugin.policyengine.RangerPolicyEngine; import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl; import org.apache.ranger.plugin.service.RangerBasePlugin; -import org.apache.ranger.plugin.util.GrantRevokeRequest; import com.google.common.collect.Sets; 
@@ -51,11 +49,14 @@ public class RangerYarnAuthorizer extends YarnAuthorizationProvider { public static final String ACCESS_TYPE_SUBMIT_APP = "submit-app"; public static final String ACCESS_TYPE_ADMIN = "admin"; + private static boolean yarnAuthEnabled = RangerHadoopConstants.RANGER_ADD_YARN_PERMISSION_DEFAULT; + private static final Log LOG = LogFactory.getLog(RangerYarnAuthorizer.class); private static volatile RangerYarnPlugin yarnPlugin = null; private AccessControlList admins = null; + private Map> yarnAcl = new HashMap>(); @Override public void init(Configuration conf) { @@ -78,6 +79,8 @@ public void init(Configuration conf) { } } + RangerYarnAuthorizer.yarnAuthEnabled = RangerConfiguration.getInstance().getBoolean(RangerHadoopConstants.RANGER_ADD_YARN_PERMISSION_PROP, RangerHadoopConstants.RANGER_ADD_YARN_PERMISSION_DEFAULT); + if(LOG.isDebugEnabled()) { LOG.debug("<== RangerYarnAuthorizer.init()"); } 
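Review bot: `yarnAcl` is a plain `HashMap` that `setPermission` writes to and `checkPermission` → `isAllowedByYarnAcl` iterates over (later hunks of this file); if YARN invokes those from different threads — scheduler (re)configuration versus RPC handlers, which is how I read the provider contract but have not confirmed here — an iteration concurrent with a `put` can throw `ConcurrentModificationException` or observe a half-updated map. `private final Map<PrivilegedEntity, Map<AccessType, AccessControlList>> yarnAcl = new ConcurrentHashMap<PrivilegedEntity, Map<AccessType, AccessControlList>>();` (import `java.util.concurrent.ConcurrentHashMap`) removes that; note it rejects null keys and values, so setPermission needs the null guard the removed code had. `yarnAuthEnabled` is a non-volatile static written in init() and read on every check; it is presumably set before the first check, but marking it `volatile` would document that assumption.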
@@ -86,23 +89,34 @@ public void init(Configuration conf) { @Override public boolean checkPermission(AccessType accessType, PrivilegedEntity entity, UserGroupInformation ugi) { if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerYarnAuthorizer.checkPermission(" + accessType + ", " + entity + ", " + ugi + ")"); + LOG.debug("==> RangerYarnAuthorizer.checkPermission(" + accessType + ", " + toString(entity) + ", " + ugi + ")"); } - boolean ret = false; - - RangerYarnPlugin plugin = yarnPlugin; + boolean ret = false; + RangerYarnPlugin plugin = yarnPlugin; + RangerYarnAuditHandler auditHandler = null; + RangerAccessResult result = null; if(plugin != null) { RangerYarnAccessRequest request = new RangerYarnAccessRequest(entity, getRangerAccessType(accessType), accessType.name(), ugi); - RangerAccessResult result = plugin.isAccessAllowed(request); + auditHandler = new RangerYarnAuditHandler(); + result = plugin.isAccessAllowed(request, auditHandler); + } + + if(RangerYarnAuthorizer.yarnAuthEnabled && (result == null || !result.getIsAccessDetermined())) { + ret = isAllowedByYarnAcl(accessType, entity, ugi, auditHandler); + } else { ret = result == null ? false : result.getIsAllowed(); } + if(auditHandler != null) { + auditHandler.flushAudit(); + } + if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerYarnAuthorizer.checkPermission(" + accessType + ", " + entity + ", " + ugi + "): " + ret); + LOG.debug("<== RangerYarnAuthorizer.checkPermission(" + accessType + ", " + toString(entity) + ", " + ugi + "): " + ret); } return ret; @@ -116,6 +130,8 @@ public boolean isAdmin(UserGroupInformation ugi) { boolean ret = false; + AccessControlList admins = this.admins; + if(admins != null) { ret = admins.isUserAllowed(ugi); } 
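Review bot: The branch `if(RangerYarnAuthorizer.yarnAuthEnabled && (result == null || !result.getIsAccessDetermined()))` encodes the whole precedence rule of this change but carries no comment; a reader of checkPermission alone cannot tell that a determined Ranger decision always wins, that YARN ACLs are consulted only when enabled and no policy determined the request, and that with the fallback disabled an undetermined request ends up with `result.getIsAllowed()` (presumably false) or, with no plugin, with the `false` initializer. Add above it: `// a determined Ranger result is final; otherwise fall back to YARN ACLs when enabled, else deny`. Note also that with `plugin == null` the fallback runs with a null auditHandler, so YARN-ACL decisions taken before the plugin is initialized produce no audit record; if that is acceptable it deserves the same comment.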
@@ -143,58 +159,51 @@ public void setAdmins(AccessControlList acl, UserGroupInformation ugi) { @Override public void setPermission(PrivilegedEntity entity, Map permission, UserGroupInformation ugi) { if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerYarnAuthorizer.setPermission(" + entity + ", " + permission + ", " + ugi + ")"); + LOG.debug("==> RangerYarnAuthorizer.setPermission(" + toString(entity) + ", " + permission + ", " + ugi + ")"); } - RangerYarnPlugin plugin = yarnPlugin; + yarnAcl.put(entity, permission); - if(plugin != null && entity != null && !MapUtils.isEmpty(permission) && ugi != null) { - RangerYarnResource resource = new RangerYarnResource(entity); - - GrantRevokeRequest request = new GrantRevokeRequest(); - request.setResource(resource.getAsMap()); - request.setGrantor(ugi.getShortUserName()); - request.setDelegateAdmin(Boolean.FALSE); - request.setEnableAudit(Boolean.TRUE); - request.setReplaceExistingPermissions(Boolean.FALSE); - request.setIsRecursive(Boolean.TRUE); - - for(Map.Entry e : permission.entrySet()) { - AccessType accessType = e.getKey(); - AccessControlList acl = e.getValue(); - - Set accessTypes = new HashSet(); - accessTypes.add(getRangerAccessType(accessType)); - request.setAccessTypes(accessTypes); - - if(acl.isAllAllowed()) { - Set publicGroup = new HashSet(); - publicGroup.add(RangerPolicyEngine.GROUP_PUBLIC); - - request.setUsers(null); - request.setGroups(publicGroup); - } else if(CollectionUtils.isEmpty(acl.getUsers()) && CollectionUtils.isEmpty(acl.getGroups())) { - if(LOG.isDebugEnabled()) { - LOG.debug("grantAccess(): empty users and groups - skipped"); - } - - continue; - } else { - request.setUsers(getSet(acl.getUsers())); - request.setGroups(getSet(acl.getGroups())); - } + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerYarnAuthorizer.setPermission(" + toString(entity) + ", " + permission + ", " + ugi + ")"); + } + } - try { - plugin.grantAccess(request, plugin.getResultProcessor()); - } catch(Exception excp) { - 
LOG.error("grantAccess(" + request + ") failed", excp); - } + public boolean isAllowedByYarnAcl(AccessType accessType, PrivilegedEntity entity, UserGroupInformation ugi, RangerYarnAuditHandler auditHandler) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerYarnAuthorizer.isAllowedByYarnAcl(" + accessType + ", " + toString(entity) + ", " + ugi + ")"); + } + + boolean ret = false; + + for(Map.Entry> e : yarnAcl.entrySet()) { + PrivilegedEntity aclEntity = e.getKey(); + Map entityPermissions = e.getValue(); + + AccessControlList acl = entityPermissions == null ? null : entityPermissions.get(accessType); + + if(acl == null || !acl.isUserAllowed(ugi)) { + continue; } + + if(! isSelfOrChildOf(entity, aclEntity)) { + continue; + } + + ret = true; + + break; + } + + if(auditHandler != null) { + auditHandler.logYarnAclEvent(ret); } if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerYarnAuthorizer.setPermission(" + entity + ", " + permission + ", " + ugi + ")"); + LOG.debug("<== RangerYarnAuthorizer.isAllowedByYarnAcl(" + accessType + ", " + toString(entity) + ", " + ugi + "): " + ret); } + + return ret; } private static String getRangerAccessType(AccessType accessType) { 
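Review bot: `yarnAcl.put(entity, permission)` drops the `entity != null && !MapUtils.isEmpty(permission)` guard the removed code had and stores the caller's map by reference; a null entity later reaches `isSelfOrChildOf`, where `queue.equals(parentQueue)` or `parentQueue.getName()` throws inside checkPermission, and a caller that keeps mutating its map changes the ACL behind the authorizer's back. Guard and copy at the insertion point, `if(entity != null && permission != null) { yarnAcl.put(entity, new HashMap<AccessType, AccessControlList>(permission)); }`, and have isAllowedByYarnAcl return false early when `entity == null`. isAllowedByYarnAcl is declared `public` although only checkPermission in this class calls it; package-private or `private` keeps the fallback from becoming API. This hunk begins on the preceding line and the enclosing class continues past it.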
@@ -213,22 +222,32 @@ private static String getRangerAccessType(AccessType accessType) { return ret; } - private Set getSet(Collection strings) { - Set ret = null; + private boolean isSelfOrChildOf(PrivilegedEntity queue, PrivilegedEntity parentQueue) { + boolean ret = queue.equals(parentQueue); + + if(!ret && queue.getType() == EntityType.QUEUE) { + String queueName = queue.getName(); + String parentQueueName = parentQueue.getName(); - if(! CollectionUtils.isEmpty(strings)) { - if(strings instanceof Set) { - ret = (Set)strings; - } else { - ret = new HashSet(); - for(String str : strings) { - ret.add(str); + if(queueName.contains(".") && !StringUtil.isEmpty(parentQueueName)) { + if(parentQueueName.charAt(parentQueueName.length() - 1) != '.') { + parentQueueName += "."; } + + ret = queueName.startsWith(parentQueueName); } } return ret; } + + private String toString(PrivilegedEntity entity) { + if(entity != null) { + return "{name=" + entity.getName() + "; type=" + entity.getType() + "}"; + } + + return "null"; + } } class RangerYarnPlugin extends RangerBasePlugin { 
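Review bot: In `isSelfOrChildOf`, `queueName.contains(".")` dereferences `queue.getName()` without the null check that `parentQueueName` gets via `StringUtil.isEmpty`, so a QUEUE entity with a null name throws NullPointerException from inside checkPermission; change the condition to `if(!StringUtil.isEmpty(queueName) && queueName.contains(".") && !StringUtil.isEmpty(parentQueueName)) {`. The `contains(".")` test also means a top-level queue can only match a parent ACL by equality, which is fine but deserves a comment such as `// only hierarchical names (a.b.c) inherit a parent queue's ACL`. The private `toString(PrivilegedEntity)` helper is a good replacement for relying on PrivilegedEntity's own toString in the debug traces.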
@@ -273,4 +292,63 @@ private static String getRemoteIp() { } return ret ; } +} + +class RangerYarnAuditHandler extends RangerDefaultAuditHandler { + private static final Log LOG = LogFactory.getLog(RangerYarnAuditHandler.class); + + private static final String YarnModuleName = RangerConfiguration.getInstance().get(RangerHadoopConstants.AUDITLOG_YARN_MODULE_ACL_NAME_PROP , RangerHadoopConstants.DEFAULT_YARN_MODULE_ACL_NAME) ; + + private boolean isAuditEnabled = false; + private AuthzAuditEvent auditEvent = null; + + public RangerYarnAuditHandler() { + } + + @Override + public void processResult(RangerAccessResult result) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerYarnAuditHandler.logAudit(" + result + ")"); + } + + if(! isAuditEnabled && result.getIsAudited()) { + isAuditEnabled = true; + } + + auditEvent = super.getAuthzEvents(result); + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerYarnAuditHandler.logAudit(" + result + "): " + auditEvent); + } + } + + public void logYarnAclEvent(boolean accessGranted) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerYarnAuditHandler.logYarnAclEvent(" + accessGranted + ")"); + } + + if(auditEvent != null) { + auditEvent.setAccessResult((short) (accessGranted ? 1 : 0)); + auditEvent.setAclEnforcer(YarnModuleName); + auditEvent.setPolicyId(-1); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerYarnAuditHandler.logYarnAclEvent(" + accessGranted + "): " + auditEvent); + } + } + + public void flushAudit() { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerYarnAuditHandler.flushAudit(" + isAuditEnabled + ", " + auditEvent + ")"); + } + + if(isAuditEnabled) { + super.logAuthzAudit(auditEvent); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerYarnAuditHandler.flushAudit(" + isAuditEnabled + ", " + auditEvent + ")"); + } + } } \ No newline at end of file From cc690cd7a9fd1ec8b4e8bb6013c97fd4ff31d999 Mon Sep 17 00:00:00 2001 
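Review bot: `flushAudit` hands `auditEvent` to `super.logAuthzAudit` whenever `isAuditEnabled` is set, but `auditEvent` is whatever `getAuthzEvents(result)` last returned and may be null (the base class is not visible here, so treat that as unconfirmed); `if(isAuditEnabled && auditEvent != null)` is the safe form. `processResult` keeps only the most recent event, so a result collection with more than one audited result would lose all but the last — acceptable if checkPermission only ever evaluates one request per handler, as the hunk above suggests, but worth a comment on the field, `// single-request handler: holds the event of the last processed result`. The debug traces inside `processResult` say `RangerYarnAuditHandler.logAudit(`; rename them to match the method, and `YarnModuleName` should be `YARN_MODULE_NAME` as a static final constant. The file also ends without a trailing newline.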
From: Madhan Neethiraj Date: Thu, 25 Jun 2015 02:08:14 -0700 Subject: [PATCH 014/202] RANGER-568: fixed RangerTimeOfDayMatcher condition to handle 12am/12pm correctly --- .../RangerTimeOfDayMatcher.java | 14 ++++- .../RangerTimeOfDayMatcherTest.java | 55 ++++++++++++++++++- 2 files changed, 66 insertions(+), 3 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTimeOfDayMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTimeOfDayMatcher.java index 3ddb250e3a8..f65f29ebcbe 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTimeOfDayMatcher.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTimeOfDayMatcher.java @@ -105,12 +105,22 @@ int[] extractDuration(String value) { endMinute = Integer.parseInt(m.group(7)); } String endType = m.group(8).toUpperCase(); - if (startType.equals("P")) { + if(startHour == 12) { + if(startType.equals("A")) { + startHour = 0; + } + } else if (startType.equals("P")) { startHour += 12; } - if (endType.equals("P")) { + + if(endHour == 12) { + if(endType.equals("A")) { + endHour = 0; + } + } else if (endType.equals("P")) { endHour += 12; } + result = new int[] { (startHour*60)+startMin, (endHour*60)+endMinute }; } } diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerTimeOfDayMatcherTest.java b/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerTimeOfDayMatcherTest.java index e894d985472..7e8ef0ad4be 100644 --- a/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerTimeOfDayMatcherTest.java +++ b/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerTimeOfDayMatcherTest.java 
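Review bot: The new 12-o'clock handling is right for "12am"→0 and "12pm"→12, but nothing rejects an hour above 12 carrying an A/P suffix (if the pattern admits two digits, which is not visible here, a "13pm" still gets `startHour += 12` and a minute-of-day past 1440); a range check `if(startHour < 1 || startHour > 12)` taking the existing failure path would close that. "11pm-12am" now yields an end of 0, i.e. end < start; the tests in this patch expect that, so the wrap-around must be handled by isMatched elsewhere — a comment here, `// 12am maps to 0, so an end of 12am gives end < start and relies on the wrap-around handling in isMatched`, would spare the next reader the same check. The nested `if(startHour == 12) { if(startType.equals("A")) ... }` reads more directly as `if(startHour == 12) { startHour = startType.equals("A") ? 0 : 12; } else if (startType.equals("P")) {`, and the pair `startMin`/`endMinute` should share one naming.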
@@ -51,7 +51,8 @@ public void test_patterMatching_happyPath() { String[] durations = new String[] { "9am-5pm", " 9Am -5 Pm", " 9Am -5 Pm", "9 AM -5 p.m.", "9a.M - 5Pm.", "9:30am-5:30pm", " 9:00Am -5:59 Pm", - " 9 am - 4 pm ", "9pm-5AM" + " 9 am - 4 pm ", "9pm-5AM", + "11am-12pm", "11pm-12am", "12am-12pm", "12pm-12am" }; check(durations, true); } @@ -101,6 +102,10 @@ public void test_patterMatching_happyPath_groups() { { "9:30AM - 5:15pm", "9", "30", "A", "5", "15", "p" }, { "9:30 AM - 5:15 p.m.", "9", "30", "A", "5", "15", "p" }, { "9pm-5am", "9", null, "p", "5", null, "a"}, + { "11am-12pm", "11", null, "a", "12", null, "p" }, + { "11pm-12am", "11", null, "p", "12", null, "a" }, + { "12am-12pm", "12", null, "a", "12", null, "p" }, + { "12pm-12am", "12", null, "p", "12", null, "a" }, }; checkGroups(input); } @@ -126,6 +131,10 @@ public void test_ExtractDuration_happyPath() { { "9am-5pm", true, 9*60, (12+5)*60 }, { "1 PM - 10P.M.", true, (12+1)*60, (12+10)*60 }, { "1PM - 9AM", true, (12+1)*60, 9*60 }, + { "11am-12pm", true, 11*60, 12*60 }, + { "11pm-12am", true, (12+11)*60, 0*60 }, + { "12am-12pm", true, 0*60, 12*60 }, + { "12pm-12am", true, 12*60, 0*60 }, { "1PM", false, null, null }, // illegal patterns should come back as null, too }; for (Object[] data: input) { 
@@ -217,4 +226,48 @@ public void test_end2end_happyPath() { } } } + + @Test + public void test_end2end_happyPath_12_oClock() { + RangerPolicyItemCondition itemCondition = mock(RangerPolicyItemCondition.class); + when(itemCondition.getValues()).thenReturn(Arrays.asList("12am-1am", "11am-12pm", "12pm-1pm", "11pm-12am")); + + RangerTimeOfDayMatcher matcher = new RangerTimeOfDayMatcher(); + matcher.setConditionDef(null); + matcher.setPolicyItemCondition(itemCondition); + matcher.init(); + + Object[][] input = new Object[][] { + { 0, 00, true }, + { 0, 01, true }, + { 1, 00, true }, + { 1, 01, false }, + { 10, 59, false }, + { 11, 00, true }, + { 11, 59, true }, + { 12, 00, true }, + { 12, 01, true }, + { 12, 59, true }, + { 13, 00, true }, + { 13, 01, false }, + {22, 59, false }, + {23, 0, true }, + {23, 59, true }, + }; + + RangerAccessRequest request = mock(RangerAccessRequest.class); + for (Object[] data : input) { + int hour = (int)data[0]; + int minute = (int)data[1]; + Calendar c = new GregorianCalendar(2015, Calendar.APRIL, 1, hour, minute); + Date aDate = c.getTime(); + when(request.getAccessTime()).thenReturn(aDate); + boolean matchExpected = (boolean)data[2]; + if (matchExpected) { + assertTrue("" + hour, matcher.isMatched(request)); + } else { + assertFalse("" + hour, matcher.isMatched(request)); + } + } + } } From babc79c28cbf10cea1b6e8ca08f38a484ad7b278 Mon Sep 17 00:00:00 2001 From: Alok Lal Date: Thu, 25 Jun 2015 15:04:14 -0700 Subject: [PATCH 015/202] RANGER-570 Knox plugin: added shell classes with old class names so that knox plugin will work after ranger upgrade from 0.4 to 0.5 Signed-off-by: sneethiraj --- .../knox/filter/XASecurePDPKnoxFilter.java | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 knox-agent/src/main/java/com/xasecure/pdp/knox/filter/XASecurePDPKnoxFilter.java 
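Review bot: The input table uses `00` and `01` as minute values; in Java a leading zero makes an octal literal, which happens to be harmless for 0 and 1 but will fail to compile the day someone writes `08` or `09` — write them as `0` and `1` as the last three rows already do. The `GregorianCalendar` construction builds the access time in the JVM default time zone, which is presumably how the matcher reads it too, but pinning a zone would make the test independent of the host; worth confirming against RangerTimeOfDayMatcher. The row comments could also name the range each row exercises, since the boundaries (1:01 false, 13:01 false) are the whole point of the test.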
diff --git a/knox-agent/src/main/java/com/xasecure/pdp/knox/filter/XASecurePDPKnoxFilter.java b/knox-agent/src/main/java/com/xasecure/pdp/knox/filter/XASecurePDPKnoxFilter.java new file mode 100644 index 00000000000..6b9d6fd1ec1 --- /dev/null +++ b/knox-agent/src/main/java/com/xasecure/pdp/knox/filter/XASecurePDPKnoxFilter.java @@ -0,0 +1,25 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package com.xasecure.pdp.knox.filter; + +import org.apache.ranger.authorization.knox.RangerPDPKnoxFilter; + +public class XASecurePDPKnoxFilter extends RangerPDPKnoxFilter { +} From 6af6fe3546be1d6b7dc36e647dcc38f3919fe4d0 Mon Sep 17 00:00:00 2001 From: Velmurugan Periasamy Date: Thu, 25 Jun 2015 19:05:44 -0400 Subject: [PATCH 016/202] RANGER-569: Do not modify hbase.rpc.protection when ranger hbase plugin is enabled Signed-off-by: sneethiraj --- hbase-agent/conf/hbase-site-changes.cfg | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hbase-agent/conf/hbase-site-changes.cfg b/hbase-agent/conf/hbase-site-changes.cfg index e47f80d5959..8c8992acc9f 100644 --- a/hbase-agent/conf/hbase-site-changes.cfg +++ b/hbase-agent/conf/hbase-site-changes.cfg 
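Review bot: `XASecurePDPKnoxFilter` is an empty subclass kept so that 0.4-era Knox topologies naming the old class keep loading after the upgrade, but the class itself does not say so; add a Javadoc, `/** Compatibility shim: retains the pre-0.5 class name so existing Knox topology descriptors keep working; new deployments should reference {@link RangerPDPKnoxFilter}. */`, and mark it `@Deprecated` so it is visible in IDEs and can be retired in a later release. With no constructor or overrides there is nothing else to check in this file.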
@@ -14,9 +14,9 @@ # limitations under the License. #hbase.security.authentication kerberos mod create-if-not-exists hbase.security.authorization true mod create-if-not-exists +hbase.coprocessor.master.classes com.xasecure.authorization.hbase.XaSecureAuthorizationCoprocessor delval - , +hbase.coprocessor.region.classes com.xasecure.authorization.hbase.XaSecureAuthorizationCoprocessor delval - , hbase.coprocessor.master.classes org.apache.hadoop.hbase.security.access.AccessController delval - , hbase.coprocessor.region.classes org.apache.hadoop.hbase.security.access.AccessController delval - , hbase.coprocessor.master.classes org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor append create-if-not-exists , hbase.coprocessor.region.classes org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor append create-if-not-exists , -hbase.rpc.protection privacy mod create-if-not-exists -hbase.rpc.engine org.apache.hadoop.hbase.ipc.SecureRpcEngine mod create-if-not-exists From 1dbb9b05f08485ef93e5a3a5b316bdef1b9c33f8 Mon Sep 17 00:00:00 2001 From: Madhan Neethiraj Date: Sat, 20 Jun 2015 23:18:38 -0400 Subject: [PATCH 017/202] RANGER-563: permissions are duplicated in some policyItems after upgrade Signed-off-by: sneethiraj --- .../ranger/patch/PatchMigration_J10002.java | 22 ++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/security-admin/src/main/java/org/apache/ranger/patch/PatchMigration_J10002.java b/security-admin/src/main/java/org/apache/ranger/patch/PatchMigration_J10002.java index 44306d83c97..621159d3197 100644 --- a/security-admin/src/main/java/org/apache/ranger/patch/PatchMigration_J10002.java +++ b/security-admin/src/main/java/org/apache/ranger/patch/PatchMigration_J10002.java 
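Review bot: Besides the `hbase.rpc.protection` line named in the subject, the hunk also removes `hbase.rpc.engine org.apache.hadoop.hbase.ipc.SecureRpcEngine mod create-if-not-exists` and adds `delval` entries for the old `com.xasecure.authorization.hbase.XaSecureAuthorizationCoprocessor` class names, and neither is mentioned in the commit message. If both are intended (the old coprocessor names go with the XaSecure→Ranger rename seen elsewhere on this page), a comment above the two new `delval` lines, `# remove pre-0.5 XaSecure coprocessor entries left behind by an older install`, would make the intent visible to whoever reads this file at upgrade time. With the two RPC lines gone, transport protection is left entirely to the administrator's existing setting, which is what the subject asks for.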
@@ -471,10 +471,10 @@ private List getPolicyItemListForRes(XXResource xRes, XXServic if(StringUtils.equalsIgnoreCase(accessType, "Admin")) { policyItem.setDelegateAdmin(Boolean.TRUE); if ( svcDef.getId() == EmbeddedServiceDefsUtil.instance().getHBaseServiceDefId()) { - accessList.add(new RangerPolicyItemAccess(accessType)); + addAccessType(accessType, accessList); } } else { - accessList.add(new RangerPolicyItemAccess(accessType)); + addAccessType(accessType, accessList); } ipAddress = permMap.getIpAddress(); @@ -509,7 +509,23 @@ private List getPolicyItemListForRes(XXResource xRes, XXServic return policyItems; } - + + private void addAccessType(String accessType, List accessList) { + boolean alreadyExists = false; + + for(RangerPolicyItemAccess access : accessList) { + if(StringUtils.equalsIgnoreCase(accessType, access.getType())) { + alreadyExists = true; + + break; + } + } + + if(!alreadyExists) { + accessList.add(new RangerPolicyItemAccess(accessType)); + } + } + private void updateSequences() { daoMgr.getXXServiceDef().updateSequence(); daoMgr.getXXService().updateSequence(); From 3c509cd45c8883855f528e61344a85b6b6620c84 Mon Sep 17 00:00:00 2001 From: Alok Lal Date: Thu, 25 Jun 2015 19:17:51 -0700 Subject: [PATCH 018/202] RANGER-571 Storm plugin: added shell classes with old class names so that it will work after ranger upgrade from 0.4 to 0.5 Signed-off-by: sneethiraj --- .../authorizer/XaSecureStormAuthorizer.java | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 storm-agent/src/main/java/com/xasecure/authorization/storm/authorizer/XaSecureStormAuthorizer.java diff --git a/storm-agent/src/main/java/com/xasecure/authorization/storm/authorizer/XaSecureStormAuthorizer.java b/storm-agent/src/main/java/com/xasecure/authorization/storm/authorizer/XaSecureStormAuthorizer.java new file mode 100644 index 00000000000..723dd79bce5 --- /dev/null 
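Review bot: `addAccessType` has no comment explaining why it exists, although the reason (RANGER-563, duplicated permissions after upgrade) is the whole point of the patch; add above it `/** Adds accessType to accessList unless an access of the same type (compared case-insensitively) is already present, so migrated policyItems do not end up with duplicate accesses. */`. Because the comparison is case-insensitive and the first spelling wins, `Read` arriving after `read` is dropped rather than normalised — acceptable for a migration, but worth stating in that comment. The enclosing `getPolicyItemListForRes` starts and ends outside the hunk.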
+++ b/storm-agent/src/main/java/com/xasecure/authorization/storm/authorizer/XaSecureStormAuthorizer.java
@@ -0,0 +1,32 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package com.xasecure.authorization.storm.authorizer;
+
+import org.apache.ranger.authorization.storm.authorizer.RangerStormAuthorizer;
+
+/**
+ * This class exists only to provide for seamless upgrade/downgrade capabilities. Class name is in storm conf which must allow for seamles upgrade and downgrade.
+ * Thus when class names were changed XaSecure* -> Ranger* this shell class serves to allow for seamles upgrade as well as downgrade.
+ *
+ * This class is final because if one needs to customize coprocessor it is expected that RangerStormAuthorizer would be modified/extended as that is
+ * the "real" authorizer! This class, hence, should NEVER be more than an EMPTY shell!
+ */
+final public class XaSecureStormAuthorizer extends RangerStormAuthorizer {
+}
From de946a3f01cf22d37110e25faff03b4ce9aa4b55 Mon Sep 17 00:00:00 2001
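Review bot: The modifier order `final public class XaSecureStormAuthorizer` departs from the JLS-recommended order (`public` first, as in `public static final String TYPE` elsewhere on this page); write `public final class XaSecureStormAuthorizer extends RangerStormAuthorizer {`. The Javadoc spells `seamles` twice (should be `seamless`) and says "customize coprocessor", which is HBase vocabulary apparently carried over from another shell class — for Storm it should read "customize the authorizer". The empty-shell-with-explanation approach itself is right, and the Knox counterpart in patch 015 would benefit from the same header.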
From: Don Bosco Durai Date: Fri, 12 Jun 2015 16:40:45 -0700 Subject: [PATCH 019/202] RANGER-552 Ranger KMS not able to audit to kerberos HDFS --- .../destination/HDFSAuditDestination.java | 2 +- .../ranger/audit/provider/MiscUtil.java | 183 ++++++++++++++++-- .../authorizer/RangerKafkaAuthorizer.java | 41 +--- .../kms/authorizer/RangerKmsAuthorizer.java | 44 ++++- 4 files changed, 225 insertions(+), 45 deletions(-) diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/destination/HDFSAuditDestination.java b/agents-audit/src/main/java/org/apache/ranger/audit/destination/HDFSAuditDestination.java index 4fc3a0b2209..49e5fbbd2c8 100644 --- a/agents-audit/src/main/java/org/apache/ranger/audit/destination/HDFSAuditDestination.java +++ b/agents-audit/src/main/java/org/apache/ranger/audit/destination/HDFSAuditDestination.java @@ -216,7 +216,7 @@ synchronized private PrintWriter getLogFileStream() throws Throwable { FileSystem fileSystem = FileSystem.get(uri, conf); Path hdfPath = new Path(fullPath); - logger.info("Checking whether log file exists. hdfPath=" + fullPath); + logger.info("Checking whether log file exists. hdfPath=" + fullPath + ", UGI=" + MiscUtil.getUGILoginUser()); int i = 0; while (fileSystem.exists(hdfPath)) { i++; diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java b/agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java index 6eee55c2378..bfded938971 100644 --- a/agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java +++ b/agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java @@ -20,6 +20,7 @@ import java.io.IOException; import java.net.InetAddress; import java.rmi.dgc.VMID; +import java.security.Principal; import java.text.SimpleDateFormat; import java.util.ArrayList; import java.util.HashMap; 
@@ -30,18 +31,27 @@ import java.util.Set; import java.util.StringTokenizer; import java.util.UUID; +import java.util.regex.Pattern; import javax.security.auth.Subject; +import javax.security.auth.login.AppConfigurationEntry; +import javax.security.auth.login.Configuration; +import javax.security.auth.login.LoginContext; +import javax.security.auth.login.LoginException; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.hadoop.security.UserGroupInformation; +import org.apache.hadoop.security.authentication.util.KerberosName; +import org.apache.hadoop.security.authentication.util.KerberosUtil; import org.apache.log4j.helpers.LogLog; import org.apache.ranger.authorization.hadoop.utils.RangerCredentialProvider; import com.google.gson.Gson; import com.google.gson.GsonBuilder; +import static org.apache.hadoop.util.PlatformName.IBM_JAVA; + public class MiscUtil { private static final Log logger = LogFactory.getLog(MiscUtil.class); @@ -64,7 +74,7 @@ public class MiscUtil { private static UserGroupInformation ugiLoginUser = null; private static Subject subjectLoginUser = null; - private static Map logHistoryList = new Hashtable(); + private static Map logHistoryList = new Hashtable(); private static int logInterval = 30000; // 30 seconds static { 
@@ -410,19 +420,51 @@ public static String getCredentialString(String url, String alias) { return ret; } + public static UserGroupInformation createUGIFromSubject(Subject subject) + throws IOException { + logger.info("SUBJECT " + (subject == null ? "not found" : "found")); + UserGroupInformation ugi = null; + if (subject != null) { + logger.info("SUBJECT.PRINCIPALS.size()=" + + subject.getPrincipals().size()); + java.util.Set principals = subject.getPrincipals(); + for (Principal principal : principals) { + logger.info("SUBJECT.PRINCIPAL.NAME=" + principal.getName()); + } + try { + // Do not remove the below statement. The default + // getLoginUser does some initialization which is needed + // for getUGIFromSubject() to work. + logger.info("Default UGI before using Subject from Kafka:" + + UserGroupInformation.getLoginUser()); + } catch (Throwable t) { + logger.error(t); + } + ugi = UserGroupInformation.getUGIFromSubject(subject); + logger.info("SUBJECT.UGI.NAME=" + ugi.getUserName() + ", ugi=" + + ugi); + } else { + logger.info("Server username is not available"); + } + return ugi; + } + /** * @param ugiLoginUser */ - public static void setUGILoginUser(UserGroupInformation newUGI, Subject newSubject) { + public static void setUGILoginUser(UserGroupInformation newUGI, + Subject newSubject) { if (newUGI != null) { UserGroupInformation.setLoginUser(newUGI); ugiLoginUser = newUGI; - logger.info("Setting UGI=" + newUGI ); + logger.info("Setting UGI=" + newUGI); } else { logger.error("UGI is null. Not setting it."); } - logger.info("Setting SUBJECT"); - subjectLoginUser = newSubject; + if (newSubject != null) { + logger.info("Setting SUBJECT"); + subjectLoginUser = newSubject; + } } public static UserGroupInformation getUGILoginUser() { @@ -436,7 +478,6 @@ public static UserGroupInformation getUGILoginUser() { return ugiLoginUser; } - public static Subject getSubjectLoginUser() { return subjectLoginUser; } 
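Review bot: The Javadoc on `setUGILoginUser` still says `@param ugiLoginUser`, which matches neither parameter; replace it with `@param newUGI login user installed via UserGroupInformation.setLoginUser; ignored when null` and `@param newSubject JAAS subject returned by getSubjectLoginUser; when null the previously stored subject is kept`. That second clause is a behaviour change in this hunk: with the new `if (newSubject != null)` guard, a later call with a null subject (as the keytab path added in patch 020 on this page does with `setUGILoginUser(ugi, null)`) leaves the stale `subjectLoginUser` from an earlier login visible, so the guard should be a deliberate, documented choice. `createUGIFromSubject` also needs a Javadoc saying that it logs every principal name in the subject at INFO and calls `UserGroupInformation.getLoginUser()` purely for its initialisation side effect, as the inline comment notes.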
@@ -462,13 +503,14 @@ static public Set getGroupsForRequestUser(String userName) { return groupsSet; } } catch (Throwable e) { - logErrorMessageByInterval( - logger, "Error getting groups for users. userName=" + userName, e); + logErrorMessageByInterval(logger, + "Error getting groups for users. userName=" + userName, e); } return null; } - static public boolean logErrorMessageByInterval(Log useLogger, String message) { + static public boolean logErrorMessageByInterval(Log useLogger, + String message) { return logErrorMessageByInterval(useLogger, message, null); } @@ -476,7 +518,8 @@ static public boolean logErrorMessageByInterval(Log useLogger, String message) { * @param string * @param e */ - static public boolean logErrorMessageByInterval(Log useLogger, String message, Throwable e) { + static public boolean logErrorMessageByInterval(Log useLogger, + String message, Throwable e) { LogHistory log = logHistoryList.get(message); if (log == null) { log = new LogHistory(); @@ -494,7 +537,7 @@ static public boolean logErrorMessageByInterval(Log useLogger, String message, T } else { useLogger.error(message, e); } - + return true; } else { log.counter++; 
@@ -503,9 +546,127 @@ static public boolean logErrorMessageByInterval(Log useLogger, String message, T } + public static void authWithKerberos(String keytab, String principal, + String nameRules) { + + if (keytab == null) { + return; + } + Subject serverSubject = new Subject(); + int successLoginCount = 0; + String[] spnegoPrincipals = null; + try { + if (principal.equals("*")) { + spnegoPrincipals = KerberosUtil.getPrincipalNames(keytab, + Pattern.compile("HTTP/.*")); + if (spnegoPrincipals.length == 0) { + logger.error("No principals found in keytab=" + keytab); + } + } else { + spnegoPrincipals = new String[] { principal }; + } + + if (nameRules != null) { + KerberosName.setRules(nameRules); + } + + List loginContexts = new ArrayList(); + for (String spnegoPrincipal : spnegoPrincipals) { + try { + logger.info("Login using keytab " + keytab + + ", for principal " + spnegoPrincipal); + final KerberosConfiguration kerberosConfiguration = new KerberosConfiguration( + keytab, spnegoPrincipal); + final LoginContext loginContext = new LoginContext("", + serverSubject, null, kerberosConfiguration); + loginContext.login(); + successLoginCount++; + logger.info("Login success keytab " + keytab + + ", for principal " + spnegoPrincipal); + loginContexts.add(loginContext); + } catch (Throwable t) { + logger.error("Login failed keytab " + keytab + + ", for principal " + spnegoPrincipal, t); + } + } + } catch (Throwable t) { + logger.error("Failed to login as [" + spnegoPrincipals + "]", t); + } + + if (successLoginCount > 0) { + logger.info("Total login success count=" + successLoginCount); + try { + UserGroupInformation ugi = createUGIFromSubject(serverSubject); + if (ugi != null) { + setUGILoginUser(ugi, serverSubject); + } + } catch (Throwable e) { + logger.error("Error creating UGI from subject. 
subject=" + + serverSubject); + } + } else { + logger.error("Total logins were successfull from keytab=" + keytab + + ", principal=" + principal); + } + } + static class LogHistory { long lastLogTime = 0; int counter = 0; } + /** + * Kerberos context configuration for the JDK GSS library. + */ + private static class KerberosConfiguration extends Configuration { + private String keytab; + private String principal; + + public KerberosConfiguration(String keytab, String principal) { + this.keytab = keytab; + this.principal = principal; + } + + @Override + public AppConfigurationEntry[] getAppConfigurationEntry(String name) { + Map options = new HashMap(); + if (IBM_JAVA) { + options.put("useKeytab", keytab.startsWith("file://") ? keytab + : "file://" + keytab); + options.put("principal", principal); + options.put("credsType", "acceptor"); + } else { + options.put("keyTab", keytab); + options.put("principal", principal); + options.put("useKeyTab", "true"); + options.put("storeKey", "true"); + options.put("doNotPrompt", "true"); + options.put("useTicketCache", "true"); + options.put("renewTGT", "true"); + options.put("isInitiator", "false"); + } + options.put("refreshKrb5Config", "true"); + String ticketCache = System.getenv("KRB5CCNAME"); + if (ticketCache != null) { + if (IBM_JAVA) { + options.put("useDefaultCcache", "true"); + // The first value searched when "useDefaultCcache" is used. + System.setProperty("KRB5CCNAME", ticketCache); + options.put("renewTGT", "true"); + options.put("credsType", "both"); + } else { + options.put("ticketCache", ticketCache); + } + } + if (logger.isDebugEnabled()) { + options.put("debug", "true"); + } + + return new AppConfigurationEntry[] { new AppConfigurationEntry( + KerberosUtil.getKrb5LoginModuleName(), + AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, + options), }; + } + } + } 
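Review bot: In `authWithKerberos` the `catch (Throwable e)` around `createUGIFromSubject` logs `serverSubject` but drops the exception; write `logger.error("Error creating UGI from subject. subject=" + serverSubject, e);` so the cause is preserved. The outer catch logs `"Failed to login as [" + spnegoPrincipals + "]"`, which prints the array's identity string rather than its contents; use `Arrays.toString(spnegoPrincipals)` (`java.util.Arrays` would need importing). The `else` branch message `Total logins were successfull from keytab=` is emitted exactly when no login succeeded, so it should say `No successful login from keytab=...`. `loginContexts` is filled and never read, so the `LoginContext`s can never be logged out — either keep them somewhere or drop the list. In `KerberosConfiguration.getAppConfigurationEntry`, setting the Krb5 module's `debug` option whenever the logger is at DEBUG makes the login module print its own ticket/principal tracing to standard output rather than through the logger; a comment there would tell operators where that output goes.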
diff --git a/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java b/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java index 3341f84503a..dbb2723709b 100644 --- a/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java +++ b/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java @@ -19,6 +19,7 @@ package org.apache.ranger.authorization.kafka.authorizer; +import java.io.IOException; import java.security.Principal; import java.util.Date; 
@@ -81,43 +82,19 @@ public RangerKafkaAuthorizer() { public void initialize(KafkaConfig kafkaConfig) { if (rangerPlugin == null) { - rangerPlugin = new RangerBasePlugin("kafka", "kafka"); - try { Subject subject = LoginManager.subject(); - logger.info("SUBJECT " - + (subject == null ? "not found" : "found")); - if (subject != null) { - logger.info("SUBJECT.PRINCIPALS.size()=" - + subject.getPrincipals().size()); - java.util.Set principals = subject - .getPrincipals(); - for (Principal principal : principals) { - logger.info("SUBJECT.PRINCIPAL.NAME=" - + principal.getName()); - } - try { - // Do not remove the below statement. The default - // getLoginUser does some initialization which is needed - // for getUGIFromSubject() to work. - logger.info("Default UGI before using Subject from Kafka:" - + UserGroupInformation.getLoginUser()); - } catch (Throwable t) { - logger.error(t); - } - UserGroupInformation ugi = UserGroupInformation - .getUGIFromSubject(subject); - logger.info("SUBJECT.UGI.NAME=" + ugi.getUserName() - + ", ugi=" + ugi); + UserGroupInformation ugi = MiscUtil + .createUGIFromSubject(subject); + if (ugi != null) { MiscUtil.setUGILoginUser(ugi, subject); - } else { - logger.info("Server username is not available"); } logger.info("LoginUser=" + MiscUtil.getUGILoginUser()); } catch (Throwable t) { logger.error("Error getting principal.", t); } + rangerPlugin = new RangerBasePlugin("kafka", "kafka"); logger.info("Calling plugin.init()"); rangerPlugin.init(); 
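Review bot: With the principal-iteration loop moved into `MiscUtil.createUGIFromSubject`, the `java.security.Principal` import shown as context in this file's first hunk no longer appears to be used in `initialize`; if nothing outside the hunk references it, remove the import rather than leaving it to accumulate. The `java.io.IOException` import added in the same commit is likewise unused in the visible code, since the `createUGIFromSubject` call sits inside `catch (Throwable t)`. `initialize` continues past the hunk.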
@@ -135,12 +112,12 @@ public boolean authorize(Session session, Operation operation, "Authorizer is still not initialized"); return false; } - - //TODO: If resource type if consumer group, then allow it by default - if(resource.resourceType().equals(ResourceType.CONSUMER_GROUP)) { + + // TODO: If resource type if consumer group, then allow it by default + if (resource.resourceType().equals(ResourceType.CONSUMER_GROUP)) { return true; } - + String userName = null; if (session.principal() != null) { userName = session.principal().getName(); diff --git a/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java b/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java index 3407a1d4749..04b8b916251 100755 --- a/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java +++ b/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java @@ -26,6 +26,7 @@ import java.util.concurrent.Executors; import java.util.concurrent.ScheduledExecutorService; import java.util.concurrent.TimeUnit; +import java.util.regex.Pattern; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.crypto.key.kms.server.KMSACLsType; @@ -40,6 +41,7 @@ import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.authorize.AccessControlList; import org.apache.hadoop.security.authorize.AuthorizationException; +import org.apache.ranger.audit.provider.MiscUtil; import org.apache.ranger.authorization.utils.StringUtil; import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler; import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl; 
@@ -81,15 +83,52 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs { private static volatile RangerKMSPlugin kmsPlugin = null; + /** + * Constant that identifies the authentication mechanism. + */ + public static final String TYPE = "kerberos"; + + /** + * Constant for the configuration property that indicates the kerberos principal. + */ + public static final String PRINCIPAL = TYPE + ".principal"; + + /** + * Constant for the configuration property that indicates the keytab file path. + */ + public static final String KEYTAB = TYPE + ".keytab"; + + /** + * Constant for the configuration property that indicates the Kerberos name + * rules for the Kerberos principals. + */ + public static final String NAME_RULES = TYPE + ".name.rules"; + RangerKmsAuthorizer(Configuration conf) { + LOG.info("RangerKmsAuthorizer(conf)..."); + authWithKerberos(); if (conf == null) { conf = loadACLs(); } setKMSACLs(conf); init(conf); + } - public RangerKmsAuthorizer() { + /** + * + */ + private void authWithKerberos() { + //Let's if we can create the login user UGI + Configuration kconf = new Configuration(); + kconf.addResource("kms-site.xml"); + String keytab = kconf.get("hadoop.kms.authentication.kerberos.keytab"); + String principal = kconf.get("hadoop.kms.authentication.kerberos.principal"); + String nameRules = kconf.get(NAME_RULES); + MiscUtil.authWithKerberos(keytab, principal, nameRules); + } + + public RangerKmsAuthorizer() { this(null); } @@ -241,6 +280,7 @@ public void init(Configuration conf) { plugin.init(); kmsPlugin = plugin; + } } } @@ -306,6 +346,8 @@ private static String getRangerAccessType(KMSACLsType.Type accessType) { } } + + class RangerKMSPlugin extends RangerBasePlugin { public RangerKMSPlugin() { super("kms", "kms"); From 34f7e3b078c80bad84791d543ae159acd2aa7fc1 Mon Sep 17 00:00:00 2001 
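Review bot: `authWithKerberos` reads the keytab and principal through the hard-coded keys `hadoop.kms.authentication.kerberos.keytab` / `...kerberos.principal`, but reads the name rules through `kconf.get(NAME_RULES)`, i.e. the bare key `kerberos.name.rules`; the three keys are presumably siblings under the same `hadoop.kms.authentication.` prefix, so the rules lookup likely returns null and `KerberosName.setRules` is never applied — confirm against kms-site.xml. The `KEYTAB` and `PRINCIPAL` constants added in the same hunk are not used by the method they were evidently added for; use one consistent form, e.g. `String keytab = kconf.get("hadoop.kms.authentication." + KEYTAB);` and the same for `PRINCIPAL` and `NAME_RULES`. The Javadoc on `authWithKerberos` is an empty `/** */` — say what it does: `/** Logs the KMS service principal in from the keytab named in kms-site.xml so that audit writes to a secured HDFS run under that identity; when no keytab is configured the login user is left unchanged. */`. The comment `//Let's if we can create the login user UGI` is missing a word (`Let's see if`).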
From: Don Bosco Durai Date: Fri, 12 Jun 2015 18:56:51 -0700 Subject: [PATCH 020/202] RANGER-552 Need to get UGI from keytab, instead of subject --- .../audit/provider/BaseAuditHandler.java | 19 +++- .../ranger/audit/provider/MiscUtil.java | 87 +++++++++++-------- .../apache/ranger/audit/queue/AuditQueue.java | 12 +++ 3 files changed, 79 insertions(+), 39 deletions(-) diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/provider/BaseAuditHandler.java b/agents-audit/src/main/java/org/apache/ranger/audit/provider/BaseAuditHandler.java index 3859a7e89e4..30db18bc253 100644 --- a/agents-audit/src/main/java/org/apache/ranger/audit/provider/BaseAuditHandler.java +++ b/agents-audit/src/main/java/org/apache/ranger/audit/provider/BaseAuditHandler.java @@ -169,6 +169,10 @@ public void setParentPath(String parentPath) { this.parentPath = parentPath; } + public String getFinalPath() { + return getName(); + } + public void setName(String name) { providerName = name; } @@ -249,22 +253,31 @@ public void logStatus() { lastStatusLogTime = currTime; long diffCount = totalCount - lastIntervalCount; - if (diffCount == 0) { - return; - } long diffSuccess = totalSuccessCount - lastIntervalSuccessCount; long diffFailed = totalFailedCount - lastIntervalFailedCount; long diffStashed = totalStashedCount - lastStashedCount; long diffDeferred = totalDeferredCount - lastDeferredCount; + if (diffCount == 0 && diffSuccess == 0 && diffFailed == 0 + && diffStashed == 0 && diffDeferred == 0) { + return; + } + lastIntervalCount = totalCount; lastIntervalSuccessCount = totalSuccessCount; lastIntervalFailedCount = totalFailedCount; lastStashedCount = totalStashedCount; lastDeferredCount = totalDeferredCount; + String finalPath = ""; + String tFinalPath = getFinalPath(); + if (!getName().equals(tFinalPath)) { + finalPath = ", finalDestination=" + tFinalPath; + } + String msg = "Audit Status Log: name=" + getName() + + finalPath + ", interval=" + formatIntervalForLog(diffTime) + ", events=" 
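Review bot: `getFinalPath` is introduced as a public, overridable hook without Javadoc, and its contract is only discoverable from the `AuditQueue` override later in this patch that walks the consumer chain; add `/** Name of the terminal destination this handler ultimately feeds; the base implementation returns the handler itself, queues override it to report their consumer. */`. In `logStatus` (the second hunk) appending the `finalDestination=` suffix only when it differs from `getName()` is the right way to keep the status line unchanged for plain destinations; `logStatus` starts and ends outside the hunk.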
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java b/agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java index bfded938971..a3a3a844ecf 100644 --- a/agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java +++ b/agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java @@ -37,8 +37,6 @@ import javax.security.auth.login.AppConfigurationEntry; import javax.security.auth.login.Configuration; import javax.security.auth.login.LoginContext; -import javax.security.auth.login.LoginException; - import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.hadoop.security.UserGroupInformation; @@ -435,7 +433,8 @@ public static UserGroupInformation createUGIFromSubject(Subject subject) // Do not remove the below statement. The default // getLoginUser does some initialization which is needed // for getUGIFromSubject() to work. - logger.info("Default UGI before using Subject from Kafka:" + UserGroupInformation.getLoginUser(); + logger.info("Default UGI before using new Subject:" + UserGroupInformation.getLoginUser()); } catch (Throwable t) { logger.error(t); @@ -549,7 +548,7 @@ static public boolean logErrorMessageByInterval(Log useLogger, public static void authWithKerberos(String keytab, String principal, String nameRules) { - if (keytab == null) { + if (keytab == null || principal == null) { return; } Subject serverSubject = new Subject(); 
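Review bot: The new `keytab == null || principal == null` guard in `authWithKerberos` returns without a single log line, so a KMS whose kms-site.xml lacks either property silently skips the Kerberos login and the problem presumably only surfaces later as an audit write failure. Add `logger.info("Kerberos keytab or principal not configured; skipping login. keytab=" + keytab + ", principal=" + principal);` before the `return` — the keytab path and principal name are not secrets, so INFO is appropriate. `authWithKerberos` continues beyond the hunk.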
@@ -570,44 +569,60 @@ public static void authWithKerberos(String keytab, String principal, KerberosName.setRules(nameRules); } - List loginContexts = new ArrayList(); - for (String spnegoPrincipal : spnegoPrincipals) { - try { - logger.info("Login using keytab " + keytab - + ", for principal " + spnegoPrincipal); - final KerberosConfiguration kerberosConfiguration = new KerberosConfiguration( - keytab, spnegoPrincipal); - final LoginContext loginContext = new LoginContext("", - serverSubject, null, kerberosConfiguration); - loginContext.login(); - successLoginCount++; - logger.info("Login success keytab " + keytab - + ", for principal " + spnegoPrincipal); - loginContexts.add(loginContext); - } catch (Throwable t) { - logger.error("Login failed keytab " + keytab - + ", for principal " + spnegoPrincipal, t); + boolean useKeytab = true; + if (!useKeytab) { + logger.info("Creating UGI with subject"); + List loginContexts = new ArrayList(); + for (String spnegoPrincipal : spnegoPrincipals) { + try { + logger.info("Login using keytab " + keytab + + ", for principal " + spnegoPrincipal); + final KerberosConfiguration kerberosConfiguration = new KerberosConfiguration( + keytab, spnegoPrincipal); + final LoginContext loginContext = new LoginContext("", + serverSubject, null, kerberosConfiguration); + loginContext.login(); + successLoginCount++; + logger.info("Login success keytab " + keytab + + ", for principal " + spnegoPrincipal); + loginContexts.add(loginContext); + } catch (Throwable t) { + logger.error("Login failed keytab " + keytab + + ", for principal " + spnegoPrincipal, t); + } + if (successLoginCount > 0) { + logger.info("Total login success count=" + + successLoginCount); + try { + UserGroupInformation + .loginUserFromSubject(serverSubject); + // UserGroupInformation ugi = + // createUGIFromSubject(serverSubject); + // if (ugi != null) { + // setUGILoginUser(ugi, serverSubject); + // } + } catch (Throwable e) { + logger.error("Error creating UGI from subject. 
subject=" + + serverSubject); + } + } else { + logger.error("Total logins were successfull from keytab=" + + keytab + ", principal=" + principal); + } } + } else { + logger.info("Creating UGI from keytab directly. keytab=" + + keytab + ", principal=" + spnegoPrincipals[0]); + UserGroupInformation ugi = UserGroupInformation + .loginUserFromKeytabAndReturnUGI(spnegoPrincipals[0], + keytab); + MiscUtil.setUGILoginUser(ugi, null); } + } catch (Throwable t) { logger.error("Failed to login as [" + spnegoPrincipals + "]", t); } - if (successLoginCount > 0) { - logger.info("Total login success count=" + successLoginCount); - try { - UserGroupInformation ugi = createUGIFromSubject(serverSubject); - if (ugi != null) { - setUGILoginUser(ugi, serverSubject); - } - } catch (Throwable e) { - logger.error("Error creating UGI from subject. subject=" - + serverSubject); - } - } else { - logger.error("Total logins were successfull from keytab=" + keytab - + ", principal=" + principal); - } } static class LogHistory { diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditQueue.java b/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditQueue.java index 000a658b276..88c98314b96 100644 --- a/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditQueue.java +++ b/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditQueue.java @@ -132,6 +132,18 @@ public void setParentPath(String parentPath) { } } + @Override + public String getFinalPath() { + if (consumer != null) { + if (consumer instanceof BaseAuditHandler) { + return ((BaseAuditHandler) consumer).getFinalPath(); + } else { + return consumer.getName(); + } + } + return getName(); + } + @Override public void setName(String name) { super.setName(name); From 69e0e8c12e0dad74834e6f92e4d40fe77b5a2a29 Mon Sep 17 00:00:00 2001 
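Review bot: `spnegoPrincipals[0]` in the new keytab branch is indexed without a length check: when `principal` is `*` and `KerberosUtil.getPrincipalNames` matches no `HTTP/` entry, the `length == 0` check above the hunk (added in patch 019, unchanged here) only logs and falls through, so this line throws `ArrayIndexOutOfBoundsException`, which the outer catch then reports as `Failed to login as [[Ljava.lang.String;@...]`; make that earlier check `return` after logging, and format the message with `Arrays.toString(spnegoPrincipals)`. When several principals match, only the first is used and the rest are silently ignored — log that or document it. The `boolean useKeytab = true; if (!useKeytab) {...}` block is dead code that also carries commented-out statements and moves the `successLoginCount` reporting inside the per-principal loop; if the subject-based path is worth keeping, make `useKeytab` a parameter or configuration value, otherwise delete the branch. `MiscUtil.setUGILoginUser(ugi, null)` does not clear the stored subject, because `setUGILoginUser` keeps the previous `subjectLoginUser` on a null argument, so a stale subject from an earlier subject-based login can remain visible through `getSubjectLoginUser()`.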
From: sneethiraj Date: Tue, 30 Jun 2015 10:21:46 -0400 Subject: [PATCH 021/202] RANGER-574: fixes to add hdfs jars to knox/kms/storm bundles (Changes from Ramesh Mani) --- kms/pom.xml | 5 +++++ knox-agent/pom.xml | 12 +++++++++++- pom.xml | 1 + src/main/assembly/kms.xml | 7 ++++++- src/main/assembly/knox-agent.xml | 9 ++++++--- src/main/assembly/storm-agent.xml | 4 ++++ storm-agent/pom.xml | 15 +++++++++++++++ 7 files changed, 48 insertions(+), 5 deletions(-) diff --git a/kms/pom.xml b/kms/pom.xml index a726a86678d..877ad95d1a8 100644 --- a/kms/pom.xml +++ b/kms/pom.xml @@ -441,6 +441,11 @@ noggit ${noggit.version} + + org.apache.hadoop + hadoop-hdfs + ${hadoop.version} + diff --git a/knox-agent/pom.xml b/knox-agent/pom.xml index d817836e1f3..85506df8f52 100644 --- a/knox-agent/pom.xml +++ b/knox-agent/pom.xml @@ -94,10 +94,20 @@ commons-lang ${commons.lang.version} - + commons-collections commons-collections ${commons.collections.version} + + org.apache.hadoop + hadoop-hdfs + ${hadoop.version} + + + org.htrace + htrace-core + ${htrace-core.version} + diff --git a/pom.xml b/pom.xml index 0cd84f34310..99a23b27cf5 100644 --- a/pom.xml +++ b/pom.xml @@ -132,6 +132,7 @@ 2.7.0 2.7.0 2.7.0 + 3.0.4 1.3 1.1.0 1.2.0 diff --git a/src/main/assembly/kms.xml b/src/main/assembly/kms.xml index a2e0e2a8af2..33da2486c43 100755 --- a/src/main/assembly/kms.xml +++ b/src/main/assembly/kms.xml @@ -96,12 +96,14 @@ com.google.code.findbugs:jsr305 io.netty:netty com.thoughtworks.paranamer:paranamer - com.google.protobuf:protobuf-java org.xerial.snappy:snappy-java xmlenc:xmlenc org.tukaani:xz org.apache.httpcomponents:httpmime:jar:${httpcomponent.httpmime.version} org.noggit:noggit:jar:${noggit.version} + com.google.protobuf:protobuf-java:jar:${protobuf-java.version} + org.apache.hadoop:hadoop-hdfs:jar:${hadoop.version} + org.htrace:htrace-core:jar:${htrace-core.version} 
@@ -135,6 +137,9 @@ org.apache.tomcat.embed:tomcat-embed* org.eclipse.jdt.core.compiler:ecj:jar:P20140317-1600 + com.google.protobuf:protobuf-java:jar:${protobuf-java.version} + org.apache.hadoop:hadoop-hdfs:jar:${hadoop.version} + org.htrace:htrace-core:jar:${htrace-core.version} false diff --git a/src/main/assembly/knox-agent.xml b/src/main/assembly/knox-agent.xml index 85a1d92dd6f..d21487a57c1 100644 --- a/src/main/assembly/knox-agent.xml +++ b/src/main/assembly/knox-agent.xml @@ -35,9 +35,12 @@ /lib commons-configuration:commons-configuration - org.apache.httpcomponents:httpmime:jar:${httpcomponent.httpmime.version} - org.noggit:noggit:jar:${noggit.version} - + org.apache.httpcomponents:httpmime:jar:${httpcomponent.httpmime.version} + org.noggit:noggit:jar:${noggit.version} + com.google.protobuf:protobuf-java:jar:${protobuf-java.version} + org.apache.hadoop:hadoop-hdfs:jar:${hadoop.version} + org.htrace:htrace-core:jar:${htrace-core.version} + false diff --git a/src/main/assembly/storm-agent.xml b/src/main/assembly/storm-agent.xml index bbf8543c8ca..8753e43b36d 100644 --- a/src/main/assembly/storm-agent.xml +++ b/src/main/assembly/storm-agent.xml @@ -52,6 +52,10 @@ org.apache.httpcomponents:httpcore:jar:${httpcomponent.httpcore.version} org.apache.httpcomponents:httpmime:jar:${httpcomponent.httpmime.version} org.noggit:noggit:jar:${noggit.version} + com.google.protobuf:protobuf-java:jar:${protobuf-java.version} + org.apache.hadoop:hadoop-hdfs:jar:${hadoop.version} + org.htrace:htrace-core:jar:${htrace-core.version} + commons-cli:commons-cli:jar:${commons.cli.version} diff --git a/storm-agent/pom.xml b/storm-agent/pom.xml index 507598772d6..b59bd8c5056 100644 --- a/storm-agent/pom.xml +++ b/storm-agent/pom.xml @@ -52,5 +52,20 @@ credentialbuilder ${project.version} + + org.apache.hadoop + hadoop-hdfs + ${hadoop.version} + + + commons-cli + commons-cli + ${commons.cli.version} + + + org.htrace + htrace-core + ${htrace-core.version} + 
From b0d3cfb686eaad108c574f2cbfe782b63668b80e Mon Sep 17 00:00:00 2001 From: sneethiraj Date: Wed, 1 Jul 2015 12:28:43 -0400 Subject: [PATCH 022/202] RANGER-574: resubmitting the additional jar as the htrace lib should be bundled from org.apache.htrace and not from org.htrace --- kms/pom.xml | 4 ++-- knox-agent/pom.xml | 2 +- pom.xml | 2 +- src/main/assembly/kms.xml | 6 +++--- src/main/assembly/knox-agent.xml | 2 +- src/main/assembly/storm-agent.xml | 2 +- storm-agent/pom.xml | 2 +- 7 files changed, 10 insertions(+), 10 deletions(-) diff --git a/kms/pom.xml b/kms/pom.xml index 877ad95d1a8..b89837dcae9 100644 --- a/kms/pom.xml +++ b/kms/pom.xml @@ -332,9 +332,9 @@ ${hadoop-auth.version} - org.htrace + org.apache.htrace htrace-core - 3.0.4 + ${htrace-core.version} org.apache.httpcomponents diff --git a/knox-agent/pom.xml b/knox-agent/pom.xml index 85506df8f52..9e85527e261 100644 --- a/knox-agent/pom.xml +++ b/knox-agent/pom.xml @@ -105,7 +105,7 @@ ${hadoop.version} - org.htrace + org.apache.htrace htrace-core ${htrace-core.version} diff --git a/pom.xml b/pom.xml index 99a23b27cf5..2ae8d3d0b6c 100644 --- a/pom.xml +++ b/pom.xml @@ -132,7 +132,7 @@ 2.7.0 2.7.0 2.7.0 - 3.0.4 + 3.1.0-incubating 1.3 1.1.0 1.2.0 diff --git a/src/main/assembly/kms.xml b/src/main/assembly/kms.xml index 33da2486c43..52ab5a0d1eb 100755 --- a/src/main/assembly/kms.xml +++ b/src/main/assembly/kms.xml @@ -81,7 +81,7 @@ org.apache.curator:curator-recipes com.google.code.gson:gson org.apache.hadoop:hadoop-annotations - org.htrace:htrace-core + org.apache.htrace:htrace-core org.apache.httpcomponents:httpcore org.codehaus.jackson:jackson-core-asl org.codehaus.jackson:jackson-jaxrs @@ -103,7 +103,7 @@ org.noggit:noggit:jar:${noggit.version} com.google.protobuf:protobuf-java:jar:${protobuf-java.version} org.apache.hadoop:hadoop-hdfs:jar:${hadoop.version} - org.htrace:htrace-core:jar:${htrace-core.version} + org.apache.htrace:htrace-core:jar:${htrace-core.version} 
@@ -139,7 +139,7 @@ org.eclipse.jdt.core.compiler:ecj:jar:P20140317-1600 com.google.protobuf:protobuf-java:jar:${protobuf-java.version} org.apache.hadoop:hadoop-hdfs:jar:${hadoop.version} - org.htrace:htrace-core:jar:${htrace-core.version} + org.apache.htrace:htrace-core:jar:${htrace-core.version} false diff --git a/src/main/assembly/knox-agent.xml b/src/main/assembly/knox-agent.xml index d21487a57c1..7c082708be2 100644 --- a/src/main/assembly/knox-agent.xml +++ b/src/main/assembly/knox-agent.xml @@ -39,7 +39,7 @@ org.noggit:noggit:jar:${noggit.version} com.google.protobuf:protobuf-java:jar:${protobuf-java.version} org.apache.hadoop:hadoop-hdfs:jar:${hadoop.version} - org.htrace:htrace-core:jar:${htrace-core.version} + org.apache.htrace:htrace-core:jar:${htrace-core.version} false diff --git a/src/main/assembly/storm-agent.xml b/src/main/assembly/storm-agent.xml index 8753e43b36d..aacdb78d185 100644 --- a/src/main/assembly/storm-agent.xml +++ b/src/main/assembly/storm-agent.xml @@ -54,7 +54,7 @@ org.noggit:noggit:jar:${noggit.version} com.google.protobuf:protobuf-java:jar:${protobuf-java.version} org.apache.hadoop:hadoop-hdfs:jar:${hadoop.version} - org.htrace:htrace-core:jar:${htrace-core.version} + org.apache.htrace:htrace-core:jar:${htrace-core.version} commons-cli:commons-cli:jar:${commons.cli.version} diff --git a/storm-agent/pom.xml b/storm-agent/pom.xml index b59bd8c5056..5fd0aa35133 100644 --- a/storm-agent/pom.xml +++ b/storm-agent/pom.xml @@ -63,7 +63,7 @@ ${commons.cli.version} - org.htrace + org.apache.htrace htrace-core ${htrace-core.version} From 6729af52109835b882611687562b9d89f9b0669f Mon Sep 17 00:00:00 2001 From: Gautam Borad Date: Mon, 6 Jul 2015 13:58:41 +0530 Subject: [PATCH 023/202] RANGER-575 : Allow KMS policies to be assigned to all users 
Signed-off-by: sneethiraj --- .../webapp/scripts/views/policies/PermissionList.js | 11 +---------- .../src/main/webapp/scripts/views/users/UserForm.js | 3 ++- 2 files changed, 3 insertions(+), 11 deletions(-) diff --git a/security-admin/src/main/webapp/scripts/views/policies/PermissionList.js b/security-admin/src/main/webapp/scripts/views/policies/PermissionList.js index 09018922edb..0cba319728b 100644 --- a/security-admin/src/main/webapp/scripts/views/policies/PermissionList.js +++ b/security-admin/src/main/webapp/scripts/views/policies/PermissionList.js @@ -200,16 +200,7 @@ define(function(require) { url: url, dataType: 'json', data: function (term, page) { - var data = { name : term, isVisible : XAEnums.VisibilityStatus.STATUS_VISIBLE.value }; - var userRoleList = [] - _.each(XAEnums.UserRoles,function(val, key){ - if(SessionMgr.isKeyAdmin() && XAEnums.UserRoles.ROLE_KEY_ADMIN.value == val.value){ - userRoleList.push(key) - }else if(!SessionMgr.isKeyAdmin() && XAEnums.UserRoles.ROLE_KEY_ADMIN.value != val.value){ - userRoleList.push(key) - } - }) - return _.extend(data,{'userRoleList' : userRoleList }); + return {name : term, isVisible : XAEnums.VisibilityStatus.STATUS_VISIBLE.value}; }, results: function (data, page) { var results = [] , selectedVals = []; diff --git a/security-admin/src/main/webapp/scripts/views/users/UserForm.js b/security-admin/src/main/webapp/scripts/views/users/UserForm.js index 31e99ced55b..52a278d2fae 100644 --- a/security-admin/src/main/webapp/scripts/views/users/UserForm.js +++ b/security-admin/src/main/webapp/scripts/views/users/UserForm.js 
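Review bot: With the `userRoleList` filter dropped from the `data` function, the permission picker now asks the endpoint at `url` for every visible user regardless of role, so key-admin accounts show up in non-KMS policies and vice versa; the only restriction left is whatever that user-search endpoint and the policy-save path enforce server-side, which this hunk does not show. That is presumably the intent of RANGER-575, and a client-side filter was never a control, but it should be confirmed that the server is where any role-based restriction still wanted lives. A one-line comment would keep the old filter from being reinstated as a "fix": `// RANGER-575: intentionally no userRoleList filter; all visible users are selectable, role restrictions (if any) are enforced server-side`.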
@@ -144,7 +144,8 @@ define(function(require){ if(SessionMgr.getUserProfile().get('loginId') != "admin"){ if(this.model.get('name') != "admin"){ - if(_.contains(SessionMgr.getUserProfile().get('userRoleList'),'ROLE_SYS_ADMIN')){ + if(_.contains(SessionMgr.getUserProfile().get('userRoleList'),'ROLE_SYS_ADMIN') + || _.contains(SessionMgr.getUserProfile().get('userRoleList'),'ROLE_KEY_ADMIN')){ this.fields.userRoleList.editor.$el.attr('disabled',false); }else{ if(!SessionMgr.isKeyAdmin()){ From 353d1a53aa98560a455e735476165a50181e1591 Mon Sep 17 00:00:00 2001 From: rmani Date: Thu, 9 Jul 2015 17:37:06 -0700 Subject: [PATCH 024/202] RANGER-576:Storm audit not showing access type in the Ranger Admin Audit UI --- .../org/apache/ranger/authorization/storm/StormRangerPlugin.java | 1 + 1 file changed, 1 insertion(+) diff --git a/storm-agent/src/main/java/org/apache/ranger/authorization/storm/StormRangerPlugin.java b/storm-agent/src/main/java/org/apache/ranger/authorization/storm/StormRangerPlugin.java index 323ab58ca00..f8663af86aa 100644 --- a/storm-agent/src/main/java/org/apache/ranger/authorization/storm/StormRangerPlugin.java +++ b/storm-agent/src/main/java/org/apache/ranger/authorization/storm/StormRangerPlugin.java @@ -68,6 +68,7 @@ public RangerAccessRequest buildAccessRequest(String _user, String[] _groups, St } request.setAccessType(_operation); request.setClientIPAddress(_clientIp); + request.setAction(_operation); // build resource and connect stuff into request RangerAccessResourceImpl resource = new RangerAccessResourceImpl(); resource.setValue(ResourceName.Topology, _topology); From 4874016ad8d686710ba6db266cb449800438739f Mon Sep 17 00:00:00 2001 From: Gautam Borad Date: Mon, 17 Aug 2015 10:24:19 +0530 Subject: [PATCH 025/202] RANGER-614.2 : Provide support of SQL Anywhere as a DB in Ranger 
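Review bot: The widened condition lets a ROLE_KEY_ADMIN session enable the role editor for any account other than `admin`, so a key admin can now submit a role change for another user from the UI, ROLE_SYS_ADMIN included; whether that is accepted depends on the user-update REST handler, which is not in this hunk and must be the actual control. It is worth confirming that the server rejects role assignments a key admin is not entitled to make, and leaving a comment on this branch saying that the UI gate is cosmetic. Stylistically, `SessionMgr.getUserProfile().get('userRoleList')` is now evaluated twice in one condition; hoist it: `var roles = SessionMgr.getUserProfile().get('userRoleList');` then `if(_.contains(roles,'ROLE_SYS_ADMIN') || _.contains(roles,'ROLE_KEY_ADMIN')){`. The enclosing function starts and ends outside the hunk.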
Signed-off-by: sneethiraj --- .../audit/provider/DbAuditProvider.java | 2 +- agents-common/scripts/enable-agent.sh | 4 + hbase-agent/scripts/install.sh | 12 + hdfs-agent/scripts/install.sh | 12 + hive-agent/scripts/install.sh | 12 + .../main/java/org/apache/util/sql/Jisql.java | 13 + .../sqlanywhere/kms_core_db_sqlanywhere.sql | 44 + .../db/sqlserver/kms_core_db_sqlserver.sql | 1 + kms/scripts/db_setup.py | 96 ++ kms/scripts/dba_script.py | 185 ++- kms/scripts/install.properties | 6 +- kms/scripts/setup.sh | 26 + knox-agent/scripts/install.sh | 12 + .../sqlanywhere/create_dbversion_catalog.sql | 26 + .../sqlanywhere/xa_audit_db_sqlanywhere.sql | 56 + .../db/sqlanywhere/xa_core_db_sqlanywhere.sql | 1107 +++++++++++++++++ security-admin/scripts/db_setup.py | 278 +++++ security-admin/scripts/dba_script.py | 214 +++- security-admin/scripts/install.properties | 22 +- security-admin/scripts/setup.sh | 40 + .../org/apache/ranger/biz/RangerBizUtil.java | 4 + .../org/apache/ranger/biz/SessionMgr.java | 9 +- .../apache/ranger/common/AppConstants.java | 1 + .../listener/SpringEventListener.java | 8 +- storm-agent/scripts/install.sh | 12 + 25 files changed, 2180 insertions(+), 22 deletions(-) create mode 100644 kms/scripts/db/sqlanywhere/kms_core_db_sqlanywhere.sql create mode 100644 security-admin/db/sqlanywhere/create_dbversion_catalog.sql create mode 100644 security-admin/db/sqlanywhere/xa_audit_db_sqlanywhere.sql create mode 100644 security-admin/db/sqlanywhere/xa_core_db_sqlanywhere.sql diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/provider/DbAuditProvider.java b/agents-audit/src/main/java/org/apache/ranger/audit/provider/DbAuditProvider.java index d475f8976e4..98da1c2d814 100644 --- a/agents-audit/src/main/java/org/apache/ranger/audit/provider/DbAuditProvider.java +++ b/agents-audit/src/main/java/org/apache/ranger/audit/provider/DbAuditProvider.java 
@@ -199,7 +199,7 @@ private synchronized boolean init() { } LOG.info("DbAuditProvider: init()"); - + LOG.info("java.library.path:"+System.getProperty("java.library.path")); try { entityManagerFactory = Persistence.createEntityManagerFactory("xa_server", mDbProperties); diff --git a/agents-common/scripts/enable-agent.sh b/agents-common/scripts/enable-agent.sh index 16efe7490d1..6adb2c44e90 100755 --- a/agents-common/scripts/enable-agent.sh +++ b/agents-common/scripts/enable-agent.sh @@ -382,6 +382,10 @@ then then export XAAUDIT_DB_JDBC_URL="jdbc:sqlserver://${audit_db_hostname};databaseName=${audit_db_name}" export XAAUDIT_DB_JDBC_DRIVER="com.microsoft.sqlserver.jdbc.SQLServerDriver" + elif [ "${db_flavor}" = "SQLANYWHERE" ] + then + export XAAUDIT_DB_JDBC_URL="jdbc:sqlanywhere:database=${audit_db_name};host=${audit_db_hostname}" + export XAAUDIT_DB_JDBC_DRIVER="sap.jdbc4.sqlanywhere.IDriver" else echo "Audit is not specified with a valid db_flavor: [${db_flavor}]. Ignoring audit ..." export XAAUDIT_DB_JDBC_URL="jdbc:${db_flavor}://${audit_db_hostname}/${audit_db_name}" diff --git a/hbase-agent/scripts/install.sh b/hbase-agent/scripts/install.sh index 8190603b265..116beab58e8 100644 --- a/hbase-agent/scripts/install.sh +++ b/hbase-agent/scripts/install.sh 
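Review bot: The new `LOG.info("java.library.path:"+System.getProperty("java.library.path"))` in `init()` looks like a leftover from debugging native (type-2) driver loading for SQL Anywhere, and it will be printed at INFO on every provider initialisation for every DB flavor. If it is meant to stay as a diagnostic, lower it and say why it is there: `LOG.debug("java.library.path=" + System.getProperty("java.library.path")); // native JDBC drivers (e.g. SQL Anywhere) are resolved from here`. `init()` starts and ends outside the hunk.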
@@ -312,6 +312,18 @@ then newPropertyValue="com.microsoft.sqlserver.jdbc.SQLServerDriver" updatePropertyToFile $propertyName $newPropertyValue $to_file fi +if [ "${DB_FLAVOR}" == "SQLANYWHERE" ] +then + audit_db_hostname=`grep '^XAAUDIT.DB.HOSTNAME' ${install_dir}/install.properties | awk -F= '{ print $2 }'` + audit_db_name=`grep '^XAAUDIT.DB.DATABASE_NAME' ${install_dir}/install.properties | awk -F= '{ print $2 }'` + propertyName=XAAUDIT.DB.JDBC_URL + newPropertyValue="jdbc:sqlanywhere:database=${audit_db_name};host=${audit_db_hostname}" + updatePropertyToFile $propertyName $newPropertyValue $to_file + + propertyName=XAAUDIT.DB.JDBC_DRIVER + newPropertyValue="sap.jdbc4.sqlanywhere.IDriver" + updatePropertyToFile $propertyName $newPropertyValue $to_file +fi for f in ${install_dir}/installer/conf/*-changes.cfg do if [ -f ${f} ] diff --git a/hdfs-agent/scripts/install.sh b/hdfs-agent/scripts/install.sh index 2afd030872f..e9215fdc720 100644 --- a/hdfs-agent/scripts/install.sh +++ b/hdfs-agent/scripts/install.sh @@ -319,6 +319,18 @@ then newPropertyValue="com.microsoft.sqlserver.jdbc.SQLServerDriver" updatePropertyToFile $propertyName $newPropertyValue $to_file fi +if [ "${DB_FLAVOR}" == "SQLANYWHERE" ] +then + audit_db_hostname=`grep '^XAAUDIT.DB.HOSTNAME' ${install_dir}/install.properties | awk -F= '{ print $2 }'` + audit_db_name=`grep '^XAAUDIT.DB.DATABASE_NAME' ${install_dir}/install.properties | awk -F= '{ print $2 }'` + propertyName=XAAUDIT.DB.JDBC_URL + newPropertyValue="jdbc:sqlanywhere:database=${audit_db_name};host=${audit_db_hostname}" + updatePropertyToFile $propertyName $newPropertyValue $to_file + + propertyName=XAAUDIT.DB.JDBC_DRIVER + newPropertyValue="sap.jdbc4.sqlanywhere.IDriver" + updatePropertyToFile $propertyName $newPropertyValue $to_file +fi for f in ${install_dir}/installer/conf/*-changes.cfg do if [ -f ${f} ] diff --git a/hive-agent/scripts/install.sh b/hive-agent/scripts/install.sh index 6798a3cb37f..74c6e568a87 100644 
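Review bot: The two new `grep ... | awk -F= '{ print $2 }'` lines truncate any property value that itself contains `=`, because awk prints only the first field after the key; a JDBC-style value such as a host string with parameters would be silently cut. Keeping the whole right-hand side is a one-token change: `audit_db_hostname=$(grep '^XAAUDIT\.DB\.HOSTNAME=' "${install_dir}/install.properties" | cut -d= -f2-)` and the same for `audit_db_name`. The MSSQL branch just above presumably uses the same idiom, so this is inherited, but the new block is the place to stop copying it.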
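Review bot: This twelve-line SQLANYWHERE block is byte-identical to the one added to hbase-agent/scripts/install.sh in the same patch and to the hive and knox copies further down, while agents-common/scripts/enable-agent.sh already carries the same flavor-to-JDBC-URL/driver mapping, so the next driver or URL change has to be found in five places. Either derive `XAAUDIT.DB.JDBC_URL`/`XAAUDIT.DB.JDBC_DRIVER` from one shared function or at least mark the coupling: `# keep in sync with agents-common/scripts/enable-agent.sh (db_flavor -> JDBC url/driver)`. The driver class `sap.jdbc4.sqlanywhere.IDriver` is hard-coded here although Jisql in this same patch also learns the `sybase.jdbc4.sqlanywhere.IDriver` name; if the older branding is meant to be supported, the runtime driver should come from install.properties too.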
--- a/hive-agent/scripts/install.sh +++ b/hive-agent/scripts/install.sh @@ -296,6 +296,18 @@ then newPropertyValue="com.microsoft.sqlserver.jdbc.SQLServerDriver" updatePropertyToFile $propertyName $newPropertyValue $to_file fi +if [ "${DB_FLAVOR}" == "SQLANYWHERE" ] +then + audit_db_hostname=`grep '^XAAUDIT.DB.HOSTNAME' ${install_dir}/install.properties | awk -F= '{ print $2 }'` + audit_db_name=`grep '^XAAUDIT.DB.DATABASE_NAME' ${install_dir}/install.properties | awk -F= '{ print $2 }'` + propertyName=XAAUDIT.DB.JDBC_URL + newPropertyValue="jdbc:sqlanywhere:database=${audit_db_name};host=${audit_db_hostname}" + updatePropertyToFile $propertyName $newPropertyValue $to_file + + propertyName=XAAUDIT.DB.JDBC_DRIVER + newPropertyValue="sap.jdbc4.sqlanywhere.IDriver" + updatePropertyToFile $propertyName $newPropertyValue $to_file +fi for f in ${install_dir}/installer/conf/*-changes.cfg do if [ -f ${f} ] diff --git a/jisql/src/main/java/org/apache/util/sql/Jisql.java b/jisql/src/main/java/org/apache/util/sql/Jisql.java index b9453e8b96e..cf7563c7130 100644 --- a/jisql/src/main/java/org/apache/util/sql/Jisql.java +++ b/jisql/src/main/java/org/apache/util/sql/Jisql.java @@ -214,6 +214,9 @@ *
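Review bot: If `XAAUDIT.DB.HOSTNAME` or `XAAUDIT.DB.DATABASE_NAME` is missing from install.properties the grep yields an empty string and the block silently writes `jdbc:sqlanywhere:database=;host=` into the target config, which only fails later when the plugin tries to connect. A guard right after the two assignments surfaces it at install time: `if [ -z "${audit_db_hostname}" ] || [ -z "${audit_db_name}" ]; then echo "XAAUDIT.DB.HOSTNAME/DATABASE_NAME must be set for SQLANYWHERE"; exit 1; fi`. The comparison `[ "${DB_FLAVOR}" == "SQLANYWHERE" ]` is a bash-only form of `=`; if this script can run under /bin/sh (dash) it errors with "unexpected operator", though the shebang is outside the hunk so this may already be bash.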

*/ public class Jisql { + //Sybase SQL Anywhere JDBC4-Type2 (Native) Driver + private static final String sapJDBC4SqlAnywhereDriverName= "sap.jdbc4.sqlanywhere.IDriver"; + private static final String sybaseJDBC4SqlAnywhereDriverName= "sybase.jdbc4.sqlanywhere.IDriver"; private static final String sybaseJConnect6DriverName = "com.sybase.jdbc3.jdbc.SybDriver"; private static final String sybaseJConnect5DriverName = "com.sybase.jdbc2.jdbc.SybDriver"; private static final String sybaseJConnect4DriverName = "com.sybase.jdbc.SybDriver"; @@ -518,6 +521,12 @@ public void doIsql() throws IOException, SQLException { // Ignore IOE when closing streams } } + if (resultSet != null) { + try { + resultSet.close(); + } catch (SQLException sqle) { + } + } if (statement != null) { try { statement.close(); @@ -649,6 +658,10 @@ else if (driverName.compareToIgnoreCase("mysqlconj") == 0) driverName = mySQLConnectJDriverName; else if (driverName.compareToIgnoreCase("mysqlcaucho") == 0) driverName = mySQLCauchoDriverName; + else if (driverName.compareToIgnoreCase("sapsajdbc4") == 0) + driverName = sapJDBC4SqlAnywhereDriverName; + else if (driverName.compareToIgnoreCase("sybasesajdbc4") == 0) + driverName = sybaseJDBC4SqlAnywhereDriverName; } connectString = (String) options.valueOf("cstring"); diff --git a/kms/scripts/db/sqlanywhere/kms_core_db_sqlanywhere.sql b/kms/scripts/db/sqlanywhere/kms_core_db_sqlanywhere.sql new file mode 100644 index 00000000000..fd7abdda461 --- /dev/null +++ b/kms/scripts/db/sqlanywhere/kms_core_db_sqlanywhere.sql 
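Review bot: The new `resultSet.close()` cleanup in `doIsql()` swallows `SQLException` with an empty catch block, so a failed close leaves no trace; if ignoring it is deliberate, name the variable and say why, `catch (SQLException ignored) { // best-effort close; statement is closed next }`. A shorter and safer shape for the tail of the method is try-with-resources on `statement` and `resultSet`, which would remove all three manual close-and-swallow blocks, though that is a larger refactor than this patch. `doIsql()` starts and ends outside the hunk.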
@@ -0,0 +1,44 @@ +-- Licensed to the Apache Software Foundation(ASF) under one or more +-- contributor license agreements. See the NOTICE file distributed with +-- this work for additional information regarding copyright ownership. +-- The ASF licenses this file to You under the Apache License, Version 2.0 +--(the "License"); you may not use this file except in compliance with +-- the License. You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing,software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. +CREATE TABLE ranger_masterkey( + id bigint IDENTITY NOT NULL, + create_time datetime DEFAULT NULL NULL, + update_time datetime DEFAULT NULL NULL, + added_by_id bigint DEFAULT NULL NULL, + upd_by_id bigint DEFAULT NULL NULL, + cipher varchar(255) DEFAULT NULL NULL, + bitlength int DEFAULT NULL NULL, + masterkey varchar(2048), + CONSTRAINT ranger_masterkey_PK_id PRIMARY KEY CLUSTERED(id) +) +GO +CREATE TABLE ranger_keystore( + id bigint IDENTITY NOT NULL, + create_time datetime DEFAULT NULL NULL, + update_time datetime DEFAULT NULL NULL, + added_by_id bigint DEFAULT NULL NULL, + upd_by_id bigint DEFAULT NULL NULL, + kms_alias varchar(255) NOT NULL, + kms_createdDate bigint DEFAULT NULL NULL, + kms_cipher varchar(255) DEFAULT NULL NULL, + kms_bitLength bigint DEFAULT NULL NULL, + kms_description varchar(512) DEFAULT NULL NULL, + kms_version bigint DEFAULT NULL NULL, + kms_attributes varchar(1024) DEFAULT NULL NULL, + kms_encoded varchar(2048), + CONSTRAINT ranger_keystore_PK_id PRIMARY KEY CLUSTERED(id) +) +GO +exit 
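Review bot: `ranger_keystore.kms_alias` is `NOT NULL` but carries no UNIQUE constraint in this SQL Anywhere script, so two rows for the same key alias can coexist and a lookup by alias may return either; if the MySQL/Oracle/Postgres KMS scripts define a unique key on `kms_alias` (they are not visible here), this script should match them, because the KMS code will presumably rely on it. `CONSTRAINT ranger_keystore_UK_kms_alias UNIQUE (kms_alias)` inside the `ranger_keystore` definition closes that gap. The key-material columns `masterkey` and `kms_encoded` are nullable `varchar(2048)` with no comment; a line stating what they hold (presumably the encoded/encrypted key blob) and why 2048 is enough would help whoever audits or resizes the table.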
diff --git a/kms/scripts/db/sqlserver/kms_core_db_sqlserver.sql b/kms/scripts/db/sqlserver/kms_core_db_sqlserver.sql index 32cc38c16d3..6567d3bd6b8 100644 --- a/kms/scripts/db/sqlserver/kms_core_db_sqlserver.sql +++ b/kms/scripts/db/sqlserver/kms_core_db_sqlserver.sql @@ -44,6 +44,7 @@ CREATE TABLE [dbo].[ranger_keystore]( [create_time] [datetime2] DEFAULT NULL NULL, [update_time] [datetime2] DEFAULT NULL NULL, [added_by_id] [bigint] DEFAULT NULL NULL, + [upd_by_id] [bigint] DEFAULT NULL NULL, [kms_alias] [varchar](255) NOT NULL, [kms_createdDate] [bigint] DEFAULT NULL NULL, [kms_cipher] [varchar](255) DEFAULT NULL NULL, diff --git a/kms/scripts/db_setup.py b/kms/scripts/db_setup.py index 8116049a270..9dbeb04c471 100644 --- a/kms/scripts/db_setup.py +++ b/kms/scripts/db_setup.py 
@@ -402,6 +402,89 @@ def check_table(self, db_name, db_user, db_password, TABLE_NAME): log("[I] Table '" + TABLE_NAME + "' does not exist in database '" + db_name + "'","info") return False +class SqlAnywhereConf(BaseDB): + # Constructor + def __init__(self, host, SQL_CONNECTOR_JAR, JAVA_BIN): + self.host = host + self.SQL_CONNECTOR_JAR = SQL_CONNECTOR_JAR + self.JAVA_BIN = JAVA_BIN + + def get_jisql_cmd(self, user, password, db_name): + path = RANGER_KMS_HOME + self.JAVA_BIN = self.JAVA_BIN.strip("'") + if os_name == "LINUX": + jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password %s -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,user, password,db_name,self.host) + elif os_name == "WINDOWS": + jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password %s -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password,db_name,self.host) + return jisql_cmd + + def check_connection(self, db_name, db_user, db_password): + log("[I] Checking connection", "info") + get_cmd = self.get_jisql_cmd(db_user, db_password, db_name) + if os_name == "LINUX": + query = get_cmd + " -c \; -query \"SELECT 1;\"" + elif os_name == "WINDOWS": + query = get_cmd + " -query \"SELECT 1;\" -c ;" + output = check_output(query) + if output.strip('1 |'): + log("[I] Connection success", "info") + return True + else: + log("[E] Can't establish connection", "error") + sys.exit(1) + + def import_db_file(self, db_name, db_user, db_password, file_name): + name = basename(file_name) + if os.path.isfile(file_name): + log("[I] Importing db schema to database " + db_name + " from file: " + name,"info") + get_cmd = self.get_jisql_cmd(db_user, db_password, db_name) + if os_name == "LINUX": + query = get_cmd + " -input %s" %file_name + ret = subprocess.call(shlex.split(query)) + elif os_name == 
"WINDOWS": + query = get_cmd + " -input %s" %file_name + ret = subprocess.call(query) + if ret == 0: + log("[I] "+name + " DB schema imported successfully","info") + else: + log("[E] "+name + " DB Schema import failed!","error") + sys.exit(1) + else: + log("[I] DB Schema file " + name+ " not found","error") + sys.exit(1) + + def check_table(self, db_name, db_user, db_password, TABLE_NAME): + self.set_options(db_name, db_user, db_password, TABLE_NAME) + get_cmd = self.get_jisql_cmd(db_user, db_password, db_name) + if os_name == "LINUX": + query = get_cmd + " -c \; -query \"SELECT name FROM sysobjects where name = '%s' and type='U';\"" %(TABLE_NAME) + elif os_name == "WINDOWS": + query = get_cmd + " -query \"SELECT name FROM sysobjects where name = '%s' and type='U';\" -c ;" %(TABLE_NAME) + output = check_output(query) + if output.strip(TABLE_NAME + " |"): + log("[I] Table '" + TABLE_NAME + "' already exists in database '" + db_name + "'","info") + return True + else: + log("[I] Table '" + TABLE_NAME + "' does not exist in database '" + db_name + "'","info") + return False + + def set_options(self, db_name, db_user, db_password, TABLE_NAME): + get_cmd = self.get_jisql_cmd(db_user, db_password, db_name) + if os_name == "LINUX": + query = get_cmd + " -c \; -query \"set option public.reserved_keywords='LIMIT';\"" + elif os_name == "WINDOWS": + query = get_cmd + " -query \"set option public.reserved_keywords='LIMIT';\" -c ;" + ret = subprocess.call(shlex.split(query)) + if os_name == "LINUX": + query = get_cmd + " -c \; -query \"set option public.max_statement_count=0;\"" + elif os_name == "WINDOWS": + query = get_cmd + " -query \"set option public.max_statement_count=0;\" -c;" + ret = subprocess.call(shlex.split(query)) + if os_name == "LINUX": + query = get_cmd + " -c \; -query \"set option public.max_cursor_count=0;\"" + elif os_name == "WINDOWS": + query = get_cmd + " -query \"set option public.max_cursor_count=0;\" -c;" + ret = subprocess.call(shlex.split(query)) 
def main(argv): populate_global_dict() @@ -443,6 +526,9 @@ def main(argv): sqlserver_core_file = globalDict['sqlserver_core_file'] sqlserver_patches = os.path.join('db','sqlserver','patches') + sqlanywhere_core_file = globalDict['sqlanywhere_core_file'] + sqlanywhere_patches = os.path.join('db','sqlanywhere','patches') + db_name = globalDict['db_name'] db_user = globalDict['db_user'] db_password = globalDict['db_password'] @@ -470,6 +556,16 @@ def main(argv): SQLSERVER_CONNECTOR_JAR = globalDict['SQL_CONNECTOR_JAR'] xa_sqlObj = SqlServerConf(xa_db_host, SQLSERVER_CONNECTOR_JAR, JAVA_BIN) xa_db_core_file = os.path.join(RANGER_KMS_HOME , sqlserver_core_file) + + elif XA_DB_FLAVOR == "SQLANYWHERE": + if not os_name == "WINDOWS" : + if os.environ['LD_LIBRARY_PATH'] == "": + log("[E] ---------- LD_LIBRARY_PATH environment property not defined, aborting installation. ----------", "error") + sys.exit(1) + SQLANYWHERE_CONNECTOR_JAR = globalDict['SQL_CONNECTOR_JAR'] + xa_sqlObj = SqlAnywhereConf(xa_db_host, SQLANYWHERE_CONNECTOR_JAR, JAVA_BIN) + xa_db_core_file = os.path.join(RANGER_KMS_HOME , sqlanywhere_core_file) + else: log("[E] --------- NO SUCH SUPPORTED DB FLAVOUR!! ---------", "error") sys.exit(1) diff --git a/kms/scripts/dba_script.py b/kms/scripts/dba_script.py index c549fadd64c..0830af4e6fb 100644 --- a/kms/scripts/dba_script.py +++ b/kms/scripts/dba_script.py 
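Review bot: The result checks in `check_connection` and `check_table` use `str.strip(chars)`, which removes a set of characters from both ends rather than testing for a substring, so `output.strip('1 |')` is truthy for any non-empty stdout, including an error line printed by the driver, and `output.strip(TABLE_NAME + " |")` is truthy for a different table name; `check_connection` therefore reports "Connection success" for almost any output. Test the content instead, e.g. `if output.strip().startswith('1'):` and `if TABLE_NAME in output:`. Separately, `set_options` on WINDOWS passes the command through `shlex.split`, which in POSIX mode eats the backslashes in `%s\\jisql\\lib\\*`, unlike the other WINDOWS branches in this class that call `subprocess.call(query)` directly, and its `-c;` differs from the `-c ;` used everywhere else; its three `ret` values are also never checked.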
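Review bot: `os.environ['LD_LIBRARY_PATH'] == ""` raises `KeyError` when the variable is not set at all, which is the common case this check exists to catch, so the installer dies with a traceback instead of the intended "[E] LD_LIBRARY_PATH ... not defined" message. `if not os.environ.get('LD_LIBRARY_PATH'):` sends both unset and empty down the error branch. The same pattern is added to kms/scripts/dba_script.py in this patch.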
@@ -887,6 +887,177 @@ def grant_xa_db_user(self, root_user, db_name, db_user, db_password, db_root_pas logFile("ALTER LOGIN [%s] WITH DEFAULT_DATABASE=[%s];" %(db_user, db_name)) logFile("USE %s EXEC sp_addrolemember N'db_owner', N'%s';" %(db_name, db_user)) +class SqlAnywhereConf(BaseDB): + # Constructor + def __init__(self, host, SQL_CONNECTOR_JAR, JAVA_BIN): + self.host = host + self.SQL_CONNECTOR_JAR = SQL_CONNECTOR_JAR + self.JAVA_BIN = JAVA_BIN + + def get_jisql_cmd(self, user, password, db_name): + #TODO: User array for forming command + path = RANGER_KMS_HOME + self.JAVA_BIN = self.JAVA_BIN.strip("'") + if os_name == "LINUX": + jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password %s -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,user, password,db_name,self.host) + elif os_name == "WINDOWS": + jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password %s -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password,db_name,self.host) + return jisql_cmd + def verify_user(self, root_user, db_root_password, db_user,dryMode): + if dryMode == False: + log("[I] Verifying user " + db_user , "info") + get_cmd = self.get_jisql_cmd(root_user, db_root_password, '') + if os_name == "LINUX": + query = get_cmd + " -c \; -query \"select name from syslogins where name = '%s';\"" %(db_user) + elif os_name == "WINDOWS": + query = get_cmd + " -query \"select name from syslogins where name = '%s';\" -c ;" %(db_user) + output = check_output(query) + if output.strip(db_user + " |"): + return True + else: + return False + + def check_connection(self, db_name, db_user, db_password): + log("[I] Checking connection", "info") + get_cmd = self.get_jisql_cmd(db_user, db_password, db_name) + if os_name == "LINUX": + query = get_cmd + " -c \; -query \"SELECT 1;\"" + elif 
os_name == "WINDOWS": + query = get_cmd + " -query \"SELECT 1;\" -c ;" + output = check_output(query) + if output.strip('1 |'): + log("[I] Connection success", "info") + return True + else: + log("[E] Can't establish connection", "error") + sys.exit(1) + def create_rangerdb_user(self, root_user, db_user, db_password, db_root_password,dryMode): + if self.check_connection('', root_user, db_root_password): + if self.verify_user(root_user, db_root_password, db_user,dryMode): + if dryMode == False: + log("[I] SQL Anywhere user " + db_user + " already exists.", "info") + else: + if dryMode == False: + get_cmd = self.get_jisql_cmd(root_user, db_root_password, '') + log("[I] User does not exists, Creating Login user " + db_user, "info") + if os_name == "LINUX": + query = get_cmd + " -c \; -query \"CREATE USER %s IDENTIFIED BY '%s';\"" %(db_user,db_password) + ret = subprocess.call(shlex.split(query)) + elif os_name == "WINDOWS": + query = get_cmd + " -query \"CREATE USER %s IDENTIFIED BY '%s';\" -c ;" %(db_user,db_password) + ret = subprocess.call(query) + if ret == 0: + if self.verify_user(root_user, db_root_password, db_user,dryMode): + log("[I] SQL Anywhere user " + db_user + " created", "info") + else: + log("[E] SQL Anywhere user " +db_user+" creation failed..", "error") + sys.exit(1) + else: + log("[E] SQL Anywhere user " +db_user+" creation failed..", "error") + sys.exit(1) + else: + logFile("CREATE USER %s IDENTIFIED BY = '%s';" %(db_user,db_password)) + + def verify_db(self, root_user, db_root_password, db_name,dryMode): + if dryMode == False: + log("[I] Verifying database " + db_name, "info") + get_cmd = self.get_jisql_cmd(root_user, db_root_password, '') + if os_name == "LINUX": + query = get_cmd + " -c \; -query \"select alias from sa_db_info() where alias='%s';\"" %(db_name) + elif os_name == "WINDOWS": + query = get_cmd + " -query \"select alias from sa_db_info() where alias='%s';\" -c ;" %(db_name) + output = check_output(query) + if output.strip(db_name + " 
|"): + return True + else: + return False + def create_db(self, root_user, db_root_password, db_name, db_user, db_password,dryMode): + if self.verify_db(root_user, db_root_password, db_name,dryMode): + if dryMode == False: + log("[I] Database " + db_name + " already exists.","info") + else: + if dryMode == False: + log("[I] Database does not exist. Creating database : " + db_name,"info") + get_cmd = self.get_jisql_cmd(root_user, db_root_password, '') + if os_name == "LINUX": + query = get_cmd + " -c \; -query \"create database '%s' dba user '%s' dba password '%s' database size 100MB;\"" %(db_name,db_user, db_password) + ret = subprocess.call(shlex.split(query)) + elif os_name == "WINDOWS": + query = get_cmd + " -query \"create database '%s' dba user '%s' dba password '%s' database size 100MB;\" -c ;" %(db_name,db_user, db_password) + ret = subprocess.call(query) + if ret != 0: + log("[E] Database creation failed..","error") + sys.exit(1) + else: + self.start_db(root_user, db_root_password, db_name,dryMode) + if self.verify_db(root_user, db_root_password, db_name,dryMode): + self.create_user(root_user, db_name ,db_user, db_password, db_root_password,dryMode) + log("[I] Creating database " + db_name + " succeeded", "info") + return True + else: + log("[E] Database creation failed..","error") + sys.exit(1) + else: + logFile("create database '%s' dba user '%s' dba password '%s' database size 100MB;" %(db_name,db_user, db_password)) + + def create_user(self, root_user, db_name ,db_user, db_password, db_root_password,dryMode): + get_cmd = self.get_jisql_cmd(root_user, db_root_password, '') + if os_name == "LINUX": + query = get_cmd + " -c \; -query \"select name from syslogins where name ='%s';\"" %(db_user) + elif os_name == "WINDOWS": + query = get_cmd + " -query \"select name from syslogins where name ='%s';\" -c ;" %(db_user) + output = check_output(query) + if output.strip(db_user + " |"): + if dryMode == False: + log("[I] User "+db_user+" exist ","info") + else: + 
if dryMode == False: + if os_name == "LINUX": + query = get_cmd + " -c \; -query \"CREATE USER %s IDENTIFIED BY '%s';\"" %(db_user, db_password) + ret = subprocess.call(shlex.split(query)) + elif os_name == "WINDOWS": + query = get_cmd + " -query \"CREATE USER %s IDENTIFIED BY '%s';\" -c ;" %(db_user, db_password) + ret = subprocess.call(query) + if ret == 0: + if os_name == "LINUX": + query = get_cmd + " -c \; -query \"select name from syslogins where name ='%s';\"" %(db_user) + elif os_name == "WINDOWS": + query = get_cmd + " -query \"select name from syslogins where name ='%s';\" -c ;" %(db_user) + output = check_output(query) + if output.strip(db_user + " |"): + log("[I] User "+db_user+" exist ","info") + else: + log("[E] Database creation failed..","error") + sys.exit(1) + else: + log("[E] Database creation failed..","error") + sys.exit(1) + else: + logFile("CREATE USER %s IDENTIFIED BY '%s';" %(db_user, db_password)) + def grant_xa_db_user(self, root_user, db_name, db_user, db_password, db_root_password, is_revoke,dryMode): + if dryMode == False: + log("[I] Granting permission to user '" + db_user + "' on db '" + db_name + "'" , "info") + get_cmd = self.get_jisql_cmd(root_user, db_root_password, '') + if os_name == "LINUX": + query = get_cmd + " -c \; -query \"GRANT CONNECT to %s IDENTIFIED BY '%s';\"" %(db_user, db_password) + ret = subprocess.call(shlex.split(query)) + elif os_name == "WINDOWS": + query = get_cmd + " -query \"GRANT CONNECT to %s IDENTIFIED BY '%s';\" -c ;" %(db_user, db_password) + ret = subprocess.call(query) + if ret != 0: + sys.exit(1) + else: + logFile("GRANT CONNECT to %s IDENTIFIED BY '%s';" %(db_user, db_password)) + + def start_db(self,root_user, db_root_password, db_name,dryMode): + if dryMode == False: + log("[I] Starting database " + db_name, "info") + get_cmd = self.get_jisql_cmd(root_user, db_root_password, '') + if os_name == "LINUX": + query = get_cmd + " -c \; -query \"start database '%s' autostop off;\"" %(db_name) + elif 
os_name == "WINDOWS": + query = get_cmd + " -query \"start database '%s' autostop off;\" -c ;" %(db_name) + output = check_output(query) def main(argv): @@ -967,7 +1138,7 @@ def main(argv): else: XA_DB_FLAVOR='' while XA_DB_FLAVOR == "": - log("Enter db flavour{MYSQL|ORACLE|POSTGRES|MSSQL} :","info") + log("Enter db flavour{MYSQL|ORACLE|POSTGRES|MSSQL|SQLANYWHERE} :","info") XA_DB_FLAVOR=raw_input() XA_DB_FLAVOR = XA_DB_FLAVOR.upper() @@ -1042,6 +1213,8 @@ def main(argv): #sqlserver_core_file = globalDict['sqlserver_core_file'] sqlserver_core_file = os.path.join('db','sqlserver','xa_core_db_sqlserver.sql') + sqlanywhere_core_file = os.path.join('db','sqlanywhere','xa_core_db_sqlanywhere.sql') + x_db_version = 'x_db_version_h' x_user = 'x_portal_user' @@ -1068,6 +1241,16 @@ def main(argv): SQLSERVER_CONNECTOR_JAR=CONNECTOR_JAR xa_sqlObj = SqlServerConf(xa_db_host, SQLSERVER_CONNECTOR_JAR, JAVA_BIN) xa_db_core_file = os.path.join(RANGER_KMS_HOME,sqlserver_core_file) + + elif XA_DB_FLAVOR == "SQLANYWHERE": + if not os_name == "WINDOWS" : + if os.environ['LD_LIBRARY_PATH'] == "": + log("[E] ---------- LD_LIBRARY_PATH environment property not defined, aborting installation. ----------", "error") + sys.exit(1) + SQLANYWHERE_CONNECTOR_JAR=CONNECTOR_JAR + xa_sqlObj = SqlAnywhereConf(xa_db_host, SQLANYWHERE_CONNECTOR_JAR, JAVA_BIN) + xa_db_core_file = os.path.join(RANGER_KMS_HOME,sqlanywhere_core_file) + else: log("[E] ---------- NO SUCH SUPPORTED DB FLAVOUR.. ----------", "error") sys.exit(1) diff --git a/kms/scripts/install.properties b/kms/scripts/install.properties index cfe9adf6d28..bad7f204626 100755 --- a/kms/scripts/install.properties +++ b/kms/scripts/install.properties @@ -23,7 +23,7 @@ PYTHON_COMMAND_INVOKER=python -#DB_FLAVOR=MYSQL|ORACLE|POSTGRES|MSSQL +#DB_FLAVOR=MYSQL|ORACLE|POSTGRES|MSSQL|SQLANYWHERE DB_FLAVOR=MYSQL # # The executable path to be used to invoke command-line MYSQL 
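Review bot: The dry-run output of `create_rangerdb_user` writes `CREATE USER %s IDENTIFIED BY = '%s';` with a stray `=`, which is not the statement the live branch executes (`CREATE USER %s IDENTIFIED BY '%s';`) and will not run when the DBA replays the generated file; drop the `=`. More broadly, every statement in this class is built with `%` formatting, so a `db_password` containing a single quote breaks or alters `CREATE USER`, `GRANT CONNECT ... IDENTIFIED BY` and `create database ... dba password`; at minimum double the quotes, `db_password.replace("'", "''")`, before interpolating. `get_jisql_cmd` also puts `-password <secret>` on the command line, so the root and ranger DB passwords are visible in `ps`/`/proc/*/cmdline` to every local user during each call; the other flavor classes presumably share this, but a new class is the chance to pass it via a file or stdin if Jisql supports that. Note too that `create_db` makes the Ranger user the DBA of the new database (`dba user '%s'`), which is more privilege than the later `GRANT CONNECT` suggests is needed.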
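Review bot: `sqlanywhere_core_file` is set to `db/sqlanywhere/xa_core_db_sqlanywhere.sql`, but the KMS schema file this patch creates is `kms/scripts/db/sqlanywhere/kms_core_db_sqlanywhere.sql` (per the diffstat and `kms/scripts/install.properties`, which sets `sqlanywhere_core_file=db/sqlanywhere/kms_core_db_sqlanywhere.sql`); no `xa_` file exists under the KMS tree. The commented-out `sqlserver_core_file = globalDict[...]` line above shows the mismatch is inherited, so `xa_db_core_file` may be unused in dba_script.py, but if it is ever imported the path will fail; either read it from `globalDict` as db_setup.py does or point it at `kms_core_db_sqlanywhere.sql`.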
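Review bot: As in kms/scripts/db_setup.py, `os.environ['LD_LIBRARY_PATH'] == ""` raises `KeyError` when the variable is unset, so the very condition this guard is for produces a traceback rather than the "[E] LD_LIBRARY_PATH ... not defined" message. Replace it with `if not os.environ.get('LD_LIBRARY_PATH'):`.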
@@ -39,6 +39,7 @@ SQL_COMMAND_INVOKER='mysql' #SQL_CONNECTOR_JAR=/usr/share/java/mysql-connector-java.jar #SQL_CONNECTOR_JAR=/usr/share/java/postgresql.jar #SQL_CONNECTOR_JAR=/usr/share/java/sqljdbc4.jar +#SQL_CONNECTOR_JAR=/opt/sqlanywhere17/java/sajdbc4.jar SQL_CONNECTOR_JAR=/usr/share/java/mysql-connector-java.jar @@ -49,7 +50,7 @@ SQL_CONNECTOR_JAR=/usr/share/java/mysql-connector-java.jar # ** it will be prompted to enter the password during installation process # ************************************************************************** # -#db_root_user=root|SYS|postgres|sa +#db_root_user=root|SYS|postgres|sa|dba db_root_user=root db_root_password= db_host=localhost @@ -224,6 +225,7 @@ postgres_core_file=db/postgres/kms_core_db_postgres.sql sqlserver_core_file=db/sqlserver/kms_core_db_sqlserver.sql +sqlanywhere_core_file=db/sqlanywhere/kms_core_db_sqlanywhere.sql cred_keystore_filename=$app_home/WEB-INF/classes/conf/.jceks/rangerkms.jceks KMS_BLACKLIST_DECRYPT_EEK=hdfs diff --git a/kms/scripts/setup.sh b/kms/scripts/setup.sh index 972e55e0270..1410f460c21 100755 --- a/kms/scripts/setup.sh +++ b/kms/scripts/setup.sh @@ -277,6 +277,19 @@ sanity_check_files() { log "[E] ${sqlserver_core_file} does not exists" ; exit 1; fi fi + if [ "${DB_FLAVOR}" == "SQLANYWHERE" ] + then + if [ "${LD_LIBRARY_PATH}" == "" ] + then + log "[E] LD_LIBRARY_PATH environment property not defined, aborting installation." + exit 1 + fi + if test -f ${sqlanywhere_core_file}; then + log "[I] ${sqlanywhere_core_file} file found" + else + log "[E] ${sqlanywhere_core_file} does not exists" ; exit 1; + fi + fi } create_rollback_point() { 
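Review bot: `test -f ${sqlanywhere_core_file}` in the new SQLANYWHERE block leaves the path unquoted, so a value containing whitespace or glob characters in install.properties is word-split before the test runs; write `if test -f "${sqlanywhere_core_file}"; then`. The LD_LIBRARY_PATH check only confirms the variable is non-empty, not that the SQL Anywhere native client library the JDBC driver loads is actually on it, so a wrong path still fails later at driver load time — a comment such as `# presence check only: the sajdbc4 native library must be on LD_LIBRARY_PATH` would spare the next operator a confusing failure. The message `does not exists` should read `does not exist`. sanity_check_files() begins before this hunk; only its closing brace is visible at the hunk's end.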
@@ -397,7 +410,20 @@ update_properties() { updatePropertyToFilePy $propertyName $newPropertyValue $to_file fi + if [ "${DB_FLAVOR}" == "SQLANYWHERE" ] + then + propertyName=ranger.ks.jpa.jdbc.url + newPropertyValue="jdbc:sqlanywhere:database=${db_name};host=${DB_HOST}" + updatePropertyToFilePy $propertyName $newPropertyValue $to_file + + propertyName=ranger.ks.jpa.jdbc.dialect + newPropertyValue="org.eclipse.persistence.platform.database.SQLAnywherePlatform" + updatePropertyToFilePy $propertyName $newPropertyValue $to_file + propertyName=ranger.ks.jpa.jdbc.driver + newPropertyValue="sap.jdbc4.sqlanywhere.IDriver" + updatePropertyToFilePy $propertyName $newPropertyValue $to_file + fi keystore="${cred_keystore_filename}" echo "Starting configuration for XA DB credentials:" diff --git a/knox-agent/scripts/install.sh b/knox-agent/scripts/install.sh index 2255eac8261..163dbc56677 100644 --- a/knox-agent/scripts/install.sh +++ b/knox-agent/scripts/install.sh @@ -215,6 +215,18 @@ then newPropertyValue="com.microsoft.sqlserver.jdbc.SQLServerDriver" updatePropertyToFile $propertyName $newPropertyValue $to_file fi +if [ "${DB_FLAVOR}" == "SQLANYWHERE" ] +then + audit_db_hostname=`grep '^XAAUDIT.DB.HOSTNAME' ${install_dir}/install.properties | awk -F= '{ print $2 }'` + audit_db_name=`grep '^XAAUDIT.DB.DATABASE_NAME' ${install_dir}/install.properties | awk -F= '{ print $2 }'` + propertyName=XAAUDIT.DB.JDBC_URL + newPropertyValue="jdbc:sqlanywhere:database=${audit_db_name};host=${audit_db_hostname}" + updatePropertyToFile $propertyName $newPropertyValue $to_file + + propertyName=XAAUDIT.DB.JDBC_DRIVER + newPropertyValue="sap.jdbc4.sqlanywhere.IDriver" + updatePropertyToFile $propertyName $newPropertyValue $to_file +fi for f in ${install_dir}/installer/conf/*-changes.cfg do if [ -f ${f} ] diff --git a/security-admin/db/sqlanywhere/create_dbversion_catalog.sql b/security-admin/db/sqlanywhere/create_dbversion_catalog.sql new file mode 100644 index 00000000000..59d1b2c548b 
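Review bot: the JDBC URL `jdbc:sqlanywhere:database=${db_name};host=${DB_HOST}` written into ranger.ks.jpa.jdbc.url carries no connection-encryption parameter, and unless the sajdbc4 driver encrypts by default (I have not verified that) KMS will exchange its database credentials and its table contents with SQL Anywhere in the clear. Since this database backs a key management service, either append an encryption option (SQL Anywhere exposes an `ENC=` connection parameter — confirm the exact syntax against the driver documentation) or add a comment such as `# NOTE: no ENC= parameter; the SQL Anywhere connection is unencrypted unless the server enforces TLS` so operators know to compensate. Separately, `$newPropertyValue` and `$to_file` are passed to updatePropertyToFilePy unquoted, so a DB_HOST containing spaces or glob characters is mangled; `updatePropertyToFilePy "$propertyName" "$newPropertyValue" "$to_file"` avoids that. update_properties() starts outside this hunk.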
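Review bot: `grep '^XAAUDIT.DB.HOSTNAME'` and `grep '^XAAUDIT.DB.DATABASE_NAME'` are unanchored prefix matches with unescaped dots, so any other property whose name begins with those characters would also match and the backtick substitution would yield two values joined by a newline, producing a broken XAAUDIT.DB.JDBC_URL; `awk -F= '{ print $2 }'` additionally truncates any value that itself contains `=`. Anchor the key and keep the whole value: `grep '^XAAUDIT\.DB\.HOSTNAME=' "${install_dir}/install.properties" | head -n1 | cut -d= -f2-` (and the same for DATABASE_NAME). If the MSSQL block just above parses the properties the same way, the fix belongs there too. This hunk sits at top level of install.sh, between the MSSQL block and the `for f in` loop.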
--- /dev/null +++ b/security-admin/db/sqlanywhere/create_dbversion_catalog.sql @@ -0,0 +1,26 @@ +-- Licensed to the Apache Software Foundation(ASF) under one or more +-- contributor license agreements. See the NOTICE file distributed with +-- this work for additional information regarding copyright ownership. +-- The ASF licenses this file to You under the Apache License, Version 2.0 +--(the "License"); you may not use this file except in compliance with +-- the License. You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing,software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. + +create table dbo.x_db_version_h( +id bigint identity not null primary key, +version varchar(64) not null, +inst_at datetime not null, +inst_by varchar(256) not null, +updated_at datetime not null, +updated_by varchar(256) not null, +active varchar(1) default 'Y' check(active IN ('Y', 'N')) +) +GO +exit \ No newline at end of file diff --git a/security-admin/db/sqlanywhere/xa_audit_db_sqlanywhere.sql b/security-admin/db/sqlanywhere/xa_audit_db_sqlanywhere.sql new file mode 100644 index 00000000000..8154a9a8704 --- /dev/null +++ b/security-admin/db/sqlanywhere/xa_audit_db_sqlanywhere.sql 
@@ -0,0 +1,56 @@ +-- Licensed to the Apache Software Foundation(ASF) under one or more +-- contributor license agreements. See the NOTICE file distributed with +-- this work for additional information regarding copyright ownership. +-- The ASF licenses this file to You under the Apache License, Version 2.0 +--(the "License"); you may not use this file except in compliance with +-- the License. You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing,software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. + +CREATE TABLE dbo.xa_access_audit( + id bigint IDENTITY NOT NULL, + create_time datetime DEFAULT NULL NULL, + update_time datetime DEFAULT NULL NULL, + added_by_id bigint DEFAULT NULL NULL, + upd_by_id bigint DEFAULT NULL NULL, + audit_type int DEFAULT 0 NOT NULL, + access_result int DEFAULT 0 NULL, + access_type varchar(255) DEFAULT NULL NULL, + acl_enforcer varchar(255) DEFAULT NULL NULL, + agent_id varchar(255) DEFAULT NULL NULL, + client_ip varchar(255) DEFAULT NULL NULL, + client_type varchar(255) DEFAULT NULL NULL, + policy_id bigint DEFAULT 0 NULL, + repo_name varchar(255) DEFAULT NULL NULL, + repo_type int DEFAULT 0 NULL, + result_reason varchar(255) DEFAULT NULL NULL, + session_id varchar(255) DEFAULT NULL NULL, + event_time datetime DEFAULT NULL NULL, + request_user varchar(255) DEFAULT NULL NULL, + action varchar(2000) DEFAULT NULL NULL, + request_data varchar(4000) DEFAULT NULL NULL, + resource_path varchar(4000) DEFAULT NULL NULL, + resource_type varchar(255) DEFAULT NULL NULL, + seq_num bigint DEFAULT 0 NULL, + event_count bigint DEFAULT 1 NULL, + event_dur_ms bigint DEFAULT 1 NULL, + CONSTRAINT xa_access_audit_PK_id PRIMARY KEY CLUSTERED(id) +) 
+GO +CREATE NONCLUSTERED INDEX xa_access_audit_cr_time ON dbo.xa_access_audit(create_time ASC) +GO +CREATE NONCLUSTERED INDEX xa_access_audit_event_time ON dbo.xa_access_audit(event_time ASC) +GO +CREATE NONCLUSTERED INDEX xa_access_audit_added_by_id ON dbo.xa_access_audit(added_by_id ASC) +GO +CREATE NONCLUSTERED INDEX xa_access_audit_upd_by_id ON dbo.xa_access_audit(upd_by_id ASC) +GO +CREATE NONCLUSTERED INDEX xa_access_audit_up_time ON dbo.xa_access_audit(update_time ASC) +GO +exit \ No newline at end of file diff --git a/security-admin/db/sqlanywhere/xa_core_db_sqlanywhere.sql b/security-admin/db/sqlanywhere/xa_core_db_sqlanywhere.sql new file mode 100644 index 00000000000..0760cb87596 --- /dev/null +++ b/security-admin/db/sqlanywhere/xa_core_db_sqlanywhere.sql 
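Review bot: every evidentiary column of dbo.xa_access_audit — request_user, event_time, access_result, client_ip, resource_path — is declared `DEFAULT NULL NULL`, so the database accepts an audit row with no actor, no timestamp and no outcome, which undermines the table's forensic value if a writer ever emits an incomplete event. If the other flavours' audit schemas are identical this is a pre-existing choice, but at minimum `event_time datetime NOT NULL` and `request_user varchar(255) NOT NULL` are worth considering, or a comment recording why they must stay nullable. Note also that this patch creates the same table again in xa_core_db_sqlanywhere.sql; if the audit and core scripts can be run against one database the second CREATE will fail, so a comment stating which script owns the table would help.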
@@ -0,0 +1,1107 @@ +-- Licensed to the Apache Software Foundation(ASF) under one or more +-- contributor license agreements. See the NOTICE file distributed with +-- this work for additional information regarding copyright ownership. +-- The ASF licenses this file to You under the Apache License, Version 2.0 +--(the "License"); you may not use this file except in compliance with +-- the License. You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing,software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. + +create table dbo.x_portal_user( + id bigint IDENTITY NOT NULL, + create_time datetime DEFAULT NULL NULL, + update_time datetime DEFAULT NULL NULL, + added_by_id bigint DEFAULT NULL NULL, + upd_by_id bigint DEFAULT NULL NULL, + first_name varchar(256) DEFAULT NULL NULL, + last_name varchar(256) DEFAULT NULL NULL, + pub_scr_name varchar(2048) DEFAULT NULL NULL, + login_id varchar(767) DEFAULT NULL NULL, + password varchar(512) NOT NULL, + email varchar(512) DEFAULT NULL NULL, + status int DEFAULT 0 NOT NULL, + user_src int DEFAULT 0 NOT NULL, + notes varchar(4000) DEFAULT NULL NULL, + CONSTRAINT x_portal_user_PK_id PRIMARY KEY CLUSTERED(id), + CONSTRAINT x_portal_user_UK_email UNIQUE NONCLUSTERED (email), + CONSTRAINT x_portal_user_UK_login_id UNIQUE NONCLUSTERED (login_id) +) +GO +create table dbo.x_portal_user_role( + id bigint IDENTITY NOT NULL, + create_time datetime DEFAULT NULL NULL, + update_time datetime DEFAULT NULL NULL, + added_by_id bigint DEFAULT NULL NULL, + upd_by_id bigint DEFAULT NULL NULL, + user_id bigint NOT NULL, + user_role varchar(128) DEFAULT NULL NULL, + status int DEFAULT 0 NOT NULL, + CONSTRAINT x_portal_user_role_PK_id PRIMARY KEY 
CLUSTERED(id) +) +GO +create table dbo.xa_access_audit( + id bigint IDENTITY NOT NULL, + create_time datetime DEFAULT NULL NULL, + update_time datetime DEFAULT NULL NULL, + added_by_id bigint DEFAULT NULL NULL, + upd_by_id bigint DEFAULT NULL NULL, + audit_type int DEFAULT 0 NOT NULL, + access_result int DEFAULT 0 NULL, + access_type varchar(255) DEFAULT NULL NULL, + acl_enforcer varchar(255) DEFAULT NULL NULL, + agent_id varchar(255) DEFAULT NULL NULL, + client_ip varchar(255) DEFAULT NULL NULL, + client_type varchar(255) DEFAULT NULL NULL, + policy_id bigint DEFAULT 0 NULL, + repo_name varchar(255) DEFAULT NULL NULL, + repo_type int DEFAULT 0 NULL, + result_reason varchar(255) DEFAULT NULL NULL, + session_id varchar(255) DEFAULT NULL NULL, + event_time datetime DEFAULT NULL NULL, + request_user varchar(255) DEFAULT NULL NULL, + action varchar(2000) DEFAULT NULL NULL, + request_data varchar(4000) DEFAULT NULL NULL, + resource_path varchar(4000) DEFAULT NULL NULL, + resource_type varchar(255) DEFAULT NULL NULL, + seq_num bigint DEFAULT 0 NULL, + event_count bigint DEFAULT 1 NULL, + event_dur_ms bigint DEFAULT 1 NULL, + CONSTRAINT xa_access_audit_PK_id PRIMARY KEY CLUSTERED(id) +) +GO +create table dbo.x_asset( + id bigint IDENTITY NOT NULL, + create_time datetime DEFAULT NULL NULL, + update_time datetime DEFAULT NULL NULL, + added_by_id bigint DEFAULT NULL NULL, + upd_by_id bigint DEFAULT NULL NULL, + asset_name varchar(1024) NOT NULL, + descr varchar(4000) NOT NULL, + act_status int DEFAULT 0 NOT NULL, + asset_type int DEFAULT 0 NOT NULL, + config text NULL, + sup_native tinyint DEFAULT 0 NOT NULL, + CONSTRAINT x_asset_PK_id PRIMARY KEY CLUSTERED(id) +) +GO +create table dbo.x_auth_sess( + id bigint IDENTITY NOT NULL, + create_time datetime DEFAULT NULL NULL, + update_time datetime DEFAULT NULL NULL, + added_by_id bigint DEFAULT NULL NULL, + upd_by_id bigint DEFAULT NULL NULL, + login_id varchar(767) NOT NULL, + user_id bigint DEFAULT NULL NULL, + ext_sess_id 
varchar(512) DEFAULT NULL NULL, + auth_time datetime NOT NULL, + auth_status int DEFAULT 0 NOT NULL, + auth_type int DEFAULT 0 NOT NULL, + auth_provider int DEFAULT 0 NOT NULL, + device_type int DEFAULT 0 NOT NULL, + req_ip varchar(48) NOT NULL, + req_ua varchar(1024) DEFAULT NULL NULL, + CONSTRAINT x_auth_sess_PK_id PRIMARY KEY CLUSTERED(id) +) +GO +create table dbo.x_cred_store( + id bigint IDENTITY NOT NULL, + create_time datetime DEFAULT NULL NULL, + update_time datetime DEFAULT NULL NULL, + added_by_id bigint DEFAULT NULL NULL, + upd_by_id bigint DEFAULT NULL NULL, + store_name varchar(1024) NOT NULL, + descr varchar(4000) NOT NULL, + CONSTRAINT x_cred_store_PK_id PRIMARY KEY CLUSTERED(id) +) +GO +create table dbo.x_db_base( + id bigint IDENTITY NOT NULL, + create_time datetime DEFAULT NULL NULL, + update_time datetime DEFAULT NULL NULL, + added_by_id bigint DEFAULT NULL NULL, + upd_by_id bigint DEFAULT NULL NULL, + CONSTRAINT x_db_base_PK_id PRIMARY KEY CLUSTERED(id) +) +GO +create table dbo.x_group( + id bigint IDENTITY NOT NULL, + create_time datetime DEFAULT NULL NULL, + update_time datetime DEFAULT NULL NULL, + added_by_id bigint DEFAULT NULL NULL, + upd_by_id bigint DEFAULT NULL NULL, + group_name varchar(1024) NOT NULL, + descr varchar(4000) NOT NULL, + status int DEFAULT 0 NOT NULL, + group_type int DEFAULT 0 NOT NULL, + cred_store_id bigint DEFAULT NULL NULL, + group_src int DEFAULT 0 NOT NULL, + is_visible int DEFAULT 1 NOT NULL, + CONSTRAINT x_group_PK_id PRIMARY KEY CLUSTERED(id) +) +GO +create table dbo.x_group_groups( + id bigint IDENTITY NOT NULL, + create_time datetime DEFAULT NULL NULL, + update_time datetime DEFAULT NULL NULL, + added_by_id bigint DEFAULT NULL NULL, + upd_by_id bigint DEFAULT NULL NULL, + group_name varchar(1024) NOT NULL, + p_group_id bigint DEFAULT NULL NULL, + group_id bigint DEFAULT NULL NULL, + CONSTRAINT x_group_groups_PK_id PRIMARY KEY CLUSTERED(id) +) +GO +create table dbo.x_user( + id bigint IDENTITY NOT NULL, + 
create_time datetime DEFAULT NULL NULL, + update_time datetime DEFAULT NULL NULL, + added_by_id bigint DEFAULT NULL NULL, + upd_by_id bigint DEFAULT NULL NULL, + user_name varchar(1024) NOT NULL, + descr varchar(4000) NOT NULL, + status int DEFAULT 0 NOT NULL, + cred_store_id bigint DEFAULT NULL NULL, + is_visible int DEFAULT 1 NOT NULL, + CONSTRAINT x_user_PK_id PRIMARY KEY CLUSTERED(id) +) +GO +create table dbo.x_group_users( + id bigint IDENTITY NOT NULL, + create_time datetime DEFAULT NULL NULL, + update_time datetime DEFAULT NULL NULL, + added_by_id bigint DEFAULT NULL NULL, + upd_by_id bigint DEFAULT NULL NULL, + group_name varchar(1024) NOT NULL, + p_group_id bigint DEFAULT NULL NULL, + user_id bigint DEFAULT NULL NULL, + CONSTRAINT x_group_users_PK_id PRIMARY KEY CLUSTERED(id) +) +GO +create table dbo.x_policy_export_audit( + id bigint IDENTITY NOT NULL, + create_time datetime DEFAULT NULL NULL, + update_time datetime DEFAULT NULL NULL, + added_by_id bigint DEFAULT NULL NULL, + upd_by_id bigint DEFAULT NULL NULL, + client_ip varchar(255) NOT NULL, + agent_id varchar(255) DEFAULT NULL NULL, + req_epoch bigint NOT NULL, + last_updated datetime DEFAULT NULL NULL, + repository_name varchar(1024) DEFAULT NULL NULL, + exported_json text DEFAULT NULL NULL, + http_ret_code int DEFAULT 0 NOT NULL, + CONSTRAINT x_policy_export_audit_PK_id PRIMARY KEY CLUSTERED(id) +) +GO +create table dbo.x_resource( + id bigint IDENTITY NOT NULL, + create_time datetime DEFAULT NULL NULL, + update_time datetime DEFAULT NULL NULL, + added_by_id bigint DEFAULT NULL NULL, + upd_by_id bigint DEFAULT NULL NULL, + res_name varchar(4000) DEFAULT NULL NULL, + descr varchar(4000) DEFAULT NULL NULL, + res_type int DEFAULT 0 NOT NULL, + asset_id bigint NOT NULL, + parent_id bigint DEFAULT NULL NULL, + parent_path varchar(4000) DEFAULT NULL NULL, + is_encrypt int DEFAULT 0 NOT NULL, + is_recursive int DEFAULT 0 NOT NULL, + res_group varchar(1024) DEFAULT NULL NULL, + res_dbs text NULL, + 
res_tables text NULL, + res_col_fams text NULL, + res_cols text NULL, + res_udfs text NULL, + res_status int DEFAULT 1 NOT NULL, + table_type int DEFAULT 0 NOT NULL, + col_type int DEFAULT 0 NOT NULL, + policy_name varchar(500) DEFAULT NULL NULL, + res_topologies text DEFAULT NULL NULL, + res_services text DEFAULT NULL NULL, + CONSTRAINT x_resource_PK_id PRIMARY KEY CLUSTERED(id) +) +GO +create table dbo.x_trx_log( + id bigint IDENTITY NOT NULL, + create_time datetime DEFAULT NULL NULL, + update_time datetime DEFAULT NULL NULL, + added_by_id bigint DEFAULT NULL NULL, + upd_by_id bigint DEFAULT NULL NULL, + class_type int DEFAULT 0 NOT NULL, + object_id bigint DEFAULT NULL NULL, + parent_object_id bigint DEFAULT NULL NULL, + parent_object_class_type int DEFAULT 0 NOT NULL, + parent_object_name varchar(1024) DEFAULT NULL NULL, + object_name varchar(1024) DEFAULT NULL NULL, + attr_name varchar(255) DEFAULT NULL NULL, + prev_val text DEFAULT NULL NULL, + new_val text DEFAULT NULL NULL, + trx_id varchar(1024)DEFAULT NULL NULL, + action varchar(255) DEFAULT NULL NULL, + sess_id varchar(512) DEFAULT NULL NULL, + req_id varchar(30) DEFAULT NULL NULL, + sess_type varchar(30) DEFAULT NULL NULL, + CONSTRAINT x_trx_log_PK_id PRIMARY KEY CLUSTERED(id) +) +GO +create table dbo.x_perm_map( + id bigint IDENTITY NOT NULL, + create_time datetime DEFAULT NULL NULL, + update_time datetime DEFAULT NULL NULL, + added_by_id bigint DEFAULT NULL NULL, + upd_by_id bigint DEFAULT NULL NULL, + perm_group varchar(1024) DEFAULT NULL NULL, + res_id bigint DEFAULT NULL NULL, + group_id bigint DEFAULT NULL NULL, + user_id bigint DEFAULT NULL NULL, + perm_for int DEFAULT 0 NOT NULL, + perm_type int DEFAULT 0 NOT NULL, + is_recursive int DEFAULT 0 NOT NULL, + is_wild_card tinyint DEFAULT 1 NOT NULL, + grant_revoke tinyint DEFAULT 1 NOT NULL, + ip_address text DEFAULT NULL NULL, + CONSTRAINT x_perm_map_PK_id PRIMARY KEY CLUSTERED(id) +) +GO +create table dbo.x_audit_map( + id bigint IDENTITY NOT 
NULL, + create_time datetime DEFAULT NULL NULL, + update_time datetime DEFAULT NULL NULL, + added_by_id bigint DEFAULT NULL NULL, + upd_by_id bigint DEFAULT NULL NULL, + res_id bigint DEFAULT NULL NULL, + group_id bigint DEFAULT NULL NULL, + user_id bigint DEFAULT NULL NULL, + audit_type int DEFAULT 0 NOT NULL, + CONSTRAINT x_audit_map_PK_id PRIMARY KEY CLUSTERED(id) +) +GO +CREATE VIEW dbo.vx_trx_log AS select x_trx_log.id AS id,x_trx_log.create_time AS create_time,x_trx_log.update_time AS update_time,x_trx_log.added_by_id AS added_by_id,x_trx_log.upd_by_id AS upd_by_id,x_trx_log.class_type AS class_type,x_trx_log.object_id AS object_id,x_trx_log.parent_object_id AS parent_object_id,x_trx_log.parent_object_class_type AS parent_object_class_type,x_trx_log.attr_name AS attr_name,x_trx_log.parent_object_name AS parent_object_name,x_trx_log.object_name AS object_name,x_trx_log.prev_val AS prev_val,x_trx_log.new_val AS new_val,x_trx_log.trx_id AS trx_id,x_trx_log.action AS action,x_trx_log.sess_id AS sess_id,x_trx_log.req_id AS req_id,x_trx_log.sess_type AS sess_type from x_trx_log where id in(select min(x_trx_log.id) from x_trx_log group by x_trx_log.trx_id) +GO +create table dbo.x_service_def( + id bigint IDENTITY NOT NULL, + guid varchar(1024) DEFAULT NULL NULL, + create_time datetime DEFAULT NULL NULL, + update_time datetime DEFAULT NULL NULL, + added_by_id bigint DEFAULT NULL NULL, + upd_by_id bigint DEFAULT NULL NULL, + version bigint DEFAULT NULL NULL, + name varchar(1024) DEFAULT NULL NULL, + impl_class_name varchar(1024) DEFAULT NULL NULL, + label varchar(1024) DEFAULT NULL NULL, + description varchar(1024) DEFAULT NULL NULL, + rb_key_label varchar(1024) DEFAULT NULL NULL, + rb_key_description varchar(1024) DEFAULT NULL NULL, + is_enabled tinyint DEFAULT 1 NULL, + CONSTRAINT x_service_def_PK_id PRIMARY KEY CLUSTERED(id) +) +GO +create table dbo.x_service ( + id bigint IDENTITY NOT NULL, + guid varchar(1024) DEFAULT NULL NULL, + create_time datetime DEFAULT 
NULL NULL, + update_time datetime DEFAULT NULL NULL, + added_by_id bigint DEFAULT NULL NULL, + upd_by_id bigint DEFAULT NULL NULL, + version bigint DEFAULT NULL NULL, + type bigint DEFAULT NULL NULL, + name varchar(512) DEFAULT NULL NULL, + policy_version bigint DEFAULT NULL NULL, + policy_update_time datetime DEFAULT NULL NULL, + description varchar(1024) DEFAULT NULL NULL, + is_enabled tinyint DEFAULT 0 NOT NULL, + CONSTRAINT x_service_def_PK_id PRIMARY KEY CLUSTERED(id) +) +GO +create table dbo.x_policy ( + id bigint IDENTITY NOT NULL, + guid varchar(1024) DEFAULT NULL NULL, + create_time datetime DEFAULT NULL NULL, + update_time datetime DEFAULT NULL NULL, + added_by_id bigint DEFAULT NULL NULL, + upd_by_id bigint DEFAULT NULL NULL, + version bigint DEFAULT NULL NULL, + service bigint DEFAULT NULL NULL, + name varchar(512) DEFAULT NULL NULL, + policy_type int DEFAULT 0 NULL, + description varchar(1024) DEFAULT NULL NULL, + resource_signature varchar(128) DEFAULT NULL NULL, + is_enabled tinyint DEFAULT 0 NOT NULL, + is_audit_enabled tinyint DEFAULT 0 NOT NULL, + CONSTRAINT x_policy_PK_id PRIMARY KEY CLUSTERED(id) +) +GO +create table dbo.x_service_config_def ( + id bigint IDENTITY NOT NULL, + guid varchar(1024) DEFAULT NULL NULL, + create_time datetime DEFAULT NULL NULL, + update_time datetime DEFAULT NULL NULL, + added_by_id bigint DEFAULT NULL NULL, + upd_by_id bigint DEFAULT NULL NULL, + def_id bigint NOT NULL, + item_id bigint NOT NULL, + name varchar(1024) DEFAULT NULL NULL, + type varchar(1024) DEFAULT NULL NULL, + sub_type varchar(1024) DEFAULT NULL NULL, + is_mandatory tinyint DEFAULT 0 NOT NULL, + default_value varchar(1024) DEFAULT NULL NULL, + validation_reg_ex varchar(1024) DEFAULT NULL NULL, + validation_message varchar(1024) DEFAULT NULL NULL, + ui_hint varchar(1024) DEFAULT NULL NULL, + label varchar(1024) DEFAULT NULL NULL, + description varchar(1024) DEFAULT NULL NULL, + rb_key_label varchar(1024) DEFAULT NULL NULL, + rb_key_description 
varchar(1024) DEFAULT NULL NULL, + rb_key_validation_message varchar(1024) DEFAULT NULL NULL, + sort_order tinyint DEFAULT 0 NULL, + CONSTRAINT x_service_config_def_PK_id PRIMARY KEY CLUSTERED(id) +) +GO +create table dbo.x_resource_def ( + id bigint IDENTITY NOT NULL, + guid varchar(1024) DEFAULT NULL NULL, + create_time datetime DEFAULT NULL NULL, + update_time datetime DEFAULT NULL NULL, + added_by_id bigint DEFAULT NULL NULL, + upd_by_id bigint DEFAULT NULL NULL, + def_id bigint NOT NULL, + item_id bigint NOT NULL, + name varchar(1024) DEFAULT NULL NULL, + type varchar(1024) DEFAULT NULL NULL, + res_level bigint DEFAULT NULL NULL, + parent bigint DEFAULT NULL NULL, + mandatory tinyint DEFAULT 0 NOT NULL, + look_up_supported tinyint DEFAULT 0 NOT NULL, + recursive_supported tinyint DEFAULT 0 NOT NULL, + excludes_supported tinyint DEFAULT 0 NOT NULL, + matcher varchar(1024) DEFAULT NULL NULL, + matcher_options varchar(1024) DEFAULT NULL NULL, + validation_reg_ex varchar(1024) DEFAULT NULL NULL, + validation_message varchar(1024) DEFAULT NULL NULL, + ui_hint varchar(1024) DEFAULT NULL NULL, + label varchar(1024) DEFAULT NULL NULL, + description varchar(1024) DEFAULT NULL NULL, + rb_key_label varchar(1024) DEFAULT NULL NULL, + rb_key_description varchar(1024) DEFAULT NULL NULL, + rb_key_validation_message varchar(1024) DEFAULT NULL NULL, + sort_order tinyint DEFAULT 0 NULL, + CONSTRAINT x_resource_def_PK_id PRIMARY KEY CLUSTERED(id) +) +GO +create table dbo.x_access_type_def ( + id bigint IDENTITY NOT NULL, + guid varchar(1024) DEFAULT NULL NULL, + create_time datetime DEFAULT NULL NULL, + update_time datetime DEFAULT NULL NULL, + added_by_id bigint DEFAULT NULL NULL, + upd_by_id bigint DEFAULT NULL NULL, + def_id bigint NOT NULL, + item_id bigint NOT NULL, + name varchar(1024) DEFAULT NULL NULL, + label varchar(1024) DEFAULT NULL NULL, + rb_key_label varchar(1024) DEFAULT NULL NULL, + sort_order tinyint DEFAULT 0 NULL, + CONSTRAINT x_access_type_def_PK_id PRIMARY 
KEY CLUSTERED(id) +) +GO +create table dbo.x_access_type_def_grants( + id bigint IDENTITY NOT NULL, + guid varchar(1024) DEFAULT NULL NULL, + create_time datetime DEFAULT NULL NULL, + update_time datetime DEFAULT NULL NULL, + added_by_id bigint DEFAULT NULL NULL, + upd_by_id bigint DEFAULT NULL NULL, + atd_id bigint NOT NULL, + implied_grant varchar(1024) DEFAULT NULL NULL, + CONSTRAINT x_access_type_def_grants_PK_id PRIMARY KEY CLUSTERED(id) +) +GO +create table dbo.x_policy_condition_def ( + id bigint IDENTITY NOT NULL, + guid varchar(1024) DEFAULT NULL NULL, + create_time datetime DEFAULT NULL NULL, + update_time datetime DEFAULT NULL NULL, + added_by_id bigint DEFAULT NULL NULL, + upd_by_id bigint DEFAULT NULL NULL, + def_id bigint NOT NULL, + item_id bigint NOT NULL, + name varchar(1024) DEFAULT NULL NULL, + evaluator varchar(1024) DEFAULT NULL NULL, + evaluator_options varchar(1024) DEFAULT NULL NULL, + validation_reg_ex varchar(1024) DEFAULT NULL NULL, + validation_message varchar(1024) DEFAULT NULL NULL, + ui_hint varchar(1024) DEFAULT NULL NULL, + label varchar(1024) DEFAULT NULL NULL, + description varchar(1024) DEFAULT NULL NULL, + rb_key_label varchar(1024) DEFAULT NULL NULL, + rb_key_description varchar(1024) DEFAULT NULL NULL, + rb_key_validation_message varchar(1024) DEFAULT NULL NULL, + sort_order tinyint DEFAULT 0 NULL, + CONSTRAINT x_policy_condition_def_grants_PK_id PRIMARY KEY CLUSTERED(id) +) +GO +create table dbo.x_context_enricher_def( + id bigint IDENTITY NOT NULL, + guid varchar(1024) DEFAULT NULL NULL, + create_time datetime DEFAULT NULL NULL, + update_time datetime DEFAULT NULL NULL, + added_by_id bigint DEFAULT NULL NULL, + upd_by_id bigint DEFAULT NULL NULL, + def_id bigint NOT NULL, + item_id bigint NOT NULL, + name varchar(1024) DEFAULT NULL NULL, + enricher varchar(1024) DEFAULT NULL NULL, + enricher_options varchar(1024) DEFAULT NULL NULL, + sort_order tinyint DEFAULT 0 NULL, + CONSTRAINT x_context_enricher_def_grants_PK_id PRIMARY 
KEY CLUSTERED(id) +) +GO +create table dbo.x_enum_def ( + id bigint IDENTITY NOT NULL, + guid varchar(1024) DEFAULT NULL NULL, + create_time datetime DEFAULT NULL NULL, + update_time datetime DEFAULT NULL NULL, + added_by_id bigint DEFAULT NULL NULL, + upd_by_id bigint DEFAULT NULL NULL, + def_id bigint NOT NULL, + item_id bigint NOT NULL, + name varchar(1024) DEFAULT NULL NULL, + default_index bigint DEFAULT NULL NULL, + CONSTRAINT x_enum_def_grants_PK_id PRIMARY KEY CLUSTERED(id) +) +GO +create table dbo.x_enum_element_def ( + id bigint IDENTITY NOT NULL, + guid varchar(1024) DEFAULT NULL NULL, + create_time datetime DEFAULT NULL NULL, + update_time datetime DEFAULT NULL NULL, + added_by_id bigint DEFAULT NULL NULL, + upd_by_id bigint DEFAULT NULL NULL, + enum_def_id bigint NOT NULL, + item_id bigint NOT NULL, + name varchar(1024) DEFAULT NULL NULL, + label varchar(1024) DEFAULT NULL NULL, + rb_key_label varchar(1024) DEFAULT NULL NULL, + sort_order tinyint DEFAULT 0 NULL, + CONSTRAINT x_enum_element_def_PK_id PRIMARY KEY CLUSTERED(id) +) +GO +create table dbo.x_service_config_map ( + id bigint IDENTITY NOT NULL, + guid varchar(1024) DEFAULT NULL NULL, + create_time datetime DEFAULT NULL NULL, + update_time datetime DEFAULT NULL NULL, + added_by_id bigint DEFAULT NULL NULL, + upd_by_id bigint DEFAULT NULL NULL, + service bigint NOT NULL, + config_key varchar(1024) DEFAULT NULL NULL, + config_value varchar(4000) DEFAULT NULL NULL, + CONSTRAINT x_service_config_map_PK_id PRIMARY KEY CLUSTERED(id) +) +GO +create table dbo.x_policy_resource ( + id bigint IDENTITY NOT NULL, + guid varchar(1024) DEFAULT NULL NULL, + create_time datetime DEFAULT NULL NULL, + update_time datetime DEFAULT NULL NULL, + added_by_id bigint DEFAULT NULL NULL, + upd_by_id bigint DEFAULT NULL NULL, + policy_id bigint NOT NULL, + res_def_id bigint NOT NULL, + is_excludes tinyint DEFAULT 0 NOT NULL, + is_recursive tinyint DEFAULT 0 NOT NULL, + CONSTRAINT x_policy_resource_PK_id PRIMARY KEY 
CLUSTERED(id) +) +GO +create table dbo.x_policy_resource_map ( + id bigint IDENTITY NOT NULL, + guid varchar(1024) DEFAULT NULL NULL, + create_time datetime DEFAULT NULL NULL, + update_time datetime DEFAULT NULL NULL, + added_by_id bigint DEFAULT NULL NULL, + upd_by_id bigint DEFAULT NULL NULL, + resource_id bigint NOT NULL, + value varchar(1024) DEFAULT NULL NULL, + sort_order tinyint DEFAULT 0 NULL, + CONSTRAINT x_policy_resource_map_PK_id PRIMARY KEY CLUSTERED(id) +) +GO +create table dbo.x_policy_item ( + id bigint IDENTITY NOT NULL, + guid varchar(1024) DEFAULT NULL NULL, + create_time datetime DEFAULT NULL NULL, + update_time datetime DEFAULT NULL NULL, + added_by_id bigint DEFAULT NULL NULL, + upd_by_id bigint DEFAULT NULL NULL, + policy_id bigint NOT NULL, + delegate_admin tinyint DEFAULT 0 NOT NULL, + sort_order tinyint DEFAULT 0 NULL, + CONSTRAINT x_policy_item_PK_id PRIMARY KEY CLUSTERED(id) +) +GO +create table dbo.x_policy_item_access ( + id bigint IDENTITY NOT NULL, + guid varchar(1024) DEFAULT NULL NULL, + create_time datetime DEFAULT NULL NULL, + update_time datetime DEFAULT NULL NULL, + added_by_id bigint DEFAULT NULL NULL, + upd_by_id bigint DEFAULT NULL NULL, + policy_item_id bigint NOT NULL, + type bigint NOT NULL, + is_allowed tinyint DEFAULT 0 NOT NULL, + sort_order tinyint DEFAULT 0 NULL, + CONSTRAINT x_policy_item_access_PK_id PRIMARY KEY CLUSTERED(id) +) +GO +create table dbo.x_policy_item_condition ( + id bigint IDENTITY NOT NULL, + guid varchar(1024) DEFAULT NULL NULL, + create_time datetime DEFAULT NULL NULL, + update_time datetime DEFAULT NULL NULL, + added_by_id bigint DEFAULT NULL NULL, + upd_by_id bigint DEFAULT NULL NULL, + policy_item_id bigint NOT NULL, + type bigint NOT NULL, + value varchar(1024) DEFAULT NULL NULL, + sort_order tinyint DEFAULT 0 NULL, + CONSTRAINT x_policy_item_condition_PK_id PRIMARY KEY CLUSTERED(id) +) +GO +create table dbo.x_policy_item_user_perm ( + id bigint IDENTITY NOT NULL, + guid varchar(1024) DEFAULT 
NULL NULL,
+ create_time datetime DEFAULT NULL NULL,
+ update_time datetime DEFAULT NULL NULL,
+ added_by_id bigint DEFAULT NULL NULL,
+ upd_by_id bigint DEFAULT NULL NULL,
+ policy_item_id bigint NOT NULL,
+ user_id bigint DEFAULT NULL NULL,
+ sort_order tinyint DEFAULT 0 NULL,
+ CONSTRAINT x_policy_item_user_perm_PK_id PRIMARY KEY CLUSTERED(id)
+)
+GO
+create table dbo.x_policy_item_group_perm (
+ id bigint IDENTITY NOT NULL,
+ guid varchar(1024) DEFAULT NULL NULL,
+ create_time datetime DEFAULT NULL NULL,
+ update_time datetime DEFAULT NULL NULL,
+ added_by_id bigint DEFAULT NULL NULL,
+ upd_by_id bigint DEFAULT NULL NULL,
+ policy_item_id bigint NOT NULL,
+ group_id bigint DEFAULT NULL NULL,
+ sort_order tinyint DEFAULT 0 NULL,
+ CONSTRAINT x_policy_item_group_perm_PK_id PRIMARY KEY CLUSTERED(id)
+)
+GO
+create table dbo.x_data_hist (
+ id bigint IDENTITY NOT NULL,
+ create_time datetime DEFAULT NULL NULL,
+ update_time datetime DEFAULT NULL NULL,
+ obj_guid varchar(1024) NOT NULL,
+ obj_class_type int NOT NULL,
+ obj_id bigint NOT NULL,
+ obj_name varchar(1024) NOT NULL,
+ version bigint DEFAULT NULL NULL,
+ action varchar(512) NOT NULL,
+ from_time datetime NOT NULL,
+ to_time datetime DEFAULT NULL NULL,
+ content text NOT NULL,
+ CONSTRAINT x_data_hist_PK_id PRIMARY KEY CLUSTERED(id)
+)
+GO
+create table dbo.x_modules_master (
+ id bigint IDENTITY NOT NULL,
+ create_time datetime DEFAULT NULL NULL,
+ update_time datetime DEFAULT NULL NULL,
+ added_by_id bigint DEFAULT NULL NULL,
+ upd_by_id bigint DEFAULT NULL NULL,
+ module varchar(1024)NOT NULL,
+ url varchar(1024) DEFAULT NULL NULL,
+ CONSTRAINT x_modules_master_PK_id PRIMARY KEY CLUSTERED(id)
+)
+GO
+create table dbo.x_user_module_perm (
+ id bigint IDENTITY NOT NULL,
+ user_id bigint DEFAULT NULL NULL,
+ module_id bigint DEFAULT NULL NULL,
+ create_time datetime DEFAULT NULL NULL,
+ update_time datetime DEFAULT NULL NULL,
+ added_by_id bigint DEFAULT NULL NULL,
+ upd_by_id bigint DEFAULT NULL NULL,
+ is_allowed int DEFAULT 1 NOT NULL,
+ CONSTRAINT x_user_module_perm_PK_id PRIMARY KEY CLUSTERED(id)
+)
+GO
+create table dbo.x_group_module_perm (
+ id bigint IDENTITY NOT NULL,
+ group_id bigint DEFAULT NULL NULL,
+ module_id bigint DEFAULT NULL NULL,
+ create_time datetime DEFAULT NULL NULL,
+ update_time datetime DEFAULT NULL NULL,
+ added_by_id bigint DEFAULT NULL NULL,
+ upd_by_id bigint DEFAULT NULL NULL,
+ is_allowed int DEFAULT 1 NOT NULL,
+ CONSTRAINT x_group_module_perm_PK_id PRIMARY KEY CLUSTERED(id)
+)
+ALTER TABLE dbo.x_asset ADD CONSTRAINT x_asset_FK_added_by_id FOREIGN KEY(added_by_id) REFERENCES dbo.x_portal_user(id)
+GO
+ALTER TABLE dbo.x_asset ADD CONSTRAINT x_asset_FK_upd_by_id FOREIGN KEY(upd_by_id) REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_audit_map ADD CONSTRAINT x_audit_map_FK_added_by_id FOREIGN KEY(added_by_id) REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_audit_map ADD CONSTRAINT x_audit_map_FK_group_id FOREIGN KEY(group_id) REFERENCES dbo.x_group (id)
+GO
+ALTER TABLE dbo.x_audit_map ADD CONSTRAINT x_audit_map_FK_res_id FOREIGN KEY(res_id) REFERENCES dbo.x_resource (id)
+GO
+ALTER TABLE dbo.x_audit_map ADD CONSTRAINT x_audit_map_FK_upd_by_id FOREIGN KEY(upd_by_id) REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_audit_map ADD CONSTRAINT x_audit_map_FK_user_id FOREIGN KEY(user_id) REFERENCES dbo.x_user (id)
+GO
+ALTER TABLE dbo.x_auth_sess ADD CONSTRAINT x_auth_sess_FK_added_by_id FOREIGN KEY(added_by_id) REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_auth_sess ADD CONSTRAINT x_auth_sess_FK_upd_by_id FOREIGN KEY(upd_by_id) REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_auth_sess ADD CONSTRAINT x_auth_sess_FK_user_id FOREIGN KEY(user_id) REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_cred_store ADD CONSTRAINT x_cred_store_FK_added_by_id FOREIGN KEY(added_by_id) REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_cred_store ADD CONSTRAINT x_cred_store_FK_upd_by_id FOREIGN KEY(upd_by_id) REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_db_base ADD CONSTRAINT x_db_base_FK_added_by_id FOREIGN KEY(added_by_id) REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_db_base ADD CONSTRAINT x_db_base_FK_upd_by_id FOREIGN KEY(upd_by_id) REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_group ADD CONSTRAINT x_group_FK_added_by_id FOREIGN KEY(added_by_id) REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_group ADD CONSTRAINT x_group_FK_cred_store_id FOREIGN KEY(cred_store_id) REFERENCES dbo.x_cred_store (id)
+GO
+ALTER TABLE dbo.x_group ADD CONSTRAINT x_group_FK_upd_by_id FOREIGN KEY(upd_by_id) REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_group_groups ADD CONSTRAINT x_group_groups_FK_added_by_id FOREIGN KEY(added_by_id) REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_group_groups ADD CONSTRAINT x_group_groups_FK_group_id FOREIGN KEY(group_id) REFERENCES dbo.x_group (id)
+GO
+ALTER TABLE dbo.x_group_groups ADD CONSTRAINT x_group_groups_FK_p_group_id FOREIGN KEY(p_group_id) REFERENCES dbo.x_group (id)
+GO
+ALTER TABLE dbo.x_group_users ADD CONSTRAINT x_group_users_FK_added_by_id FOREIGN KEY(added_by_id) REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_group_users ADD CONSTRAINT x_group_users_FK_p_group_id FOREIGN KEY(p_group_id) REFERENCES dbo.x_group (id)
+GO
+ALTER TABLE dbo.x_group_users ADD CONSTRAINT x_group_users_FK_upd_by_id FOREIGN KEY(upd_by_id) REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_group_users ADD CONSTRAINT x_group_users_FK_user_id FOREIGN KEY(user_id) REFERENCES dbo.x_user (id)
+GO
+ALTER TABLE dbo.x_perm_map ADD CONSTRAINT x_perm_map_FK_added_by_id FOREIGN KEY(added_by_id) REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_perm_map ADD CONSTRAINT x_perm_map_FK_group_id FOREIGN KEY(group_id) REFERENCES dbo.x_group (id)
+GO
+ALTER TABLE dbo.x_perm_map ADD CONSTRAINT x_perm_map_FK_res_id FOREIGN KEY(res_id) REFERENCES dbo.x_resource (id)
+GO
+ALTER TABLE dbo.x_perm_map ADD CONSTRAINT x_perm_map_FK_upd_by_id FOREIGN KEY(upd_by_id) REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_perm_map ADD CONSTRAINT x_perm_map_FK_user_id FOREIGN KEY(user_id) REFERENCES dbo.x_user (id)
+GO
+ALTER TABLE dbo.x_policy_export_audit ADD CONSTRAINT x_policy_export_audit_FK_added_by_id FOREIGN KEY(added_by_id) REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_policy_export_audit ADD CONSTRAINT x_policy_export_audit_FK_upd_by_id FOREIGN KEY(upd_by_id) REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_portal_user ADD CONSTRAINT x_portal_user_FK_added_by_id FOREIGN KEY(added_by_id) REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_portal_user ADD CONSTRAINT x_portal_user_FK_upd_by_id FOREIGN KEY(upd_by_id) REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_portal_user_role ADD CONSTRAINT x_portal_user_role_FK_added_by_id FOREIGN KEY(added_by_id) REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_portal_user_role ADD CONSTRAINT x_portal_user_role_FK_upd_by_id FOREIGN KEY(upd_by_id) REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_portal_user_role ADD CONSTRAINT x_portal_user_role_FK_user_id FOREIGN KEY(user_id) REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_resource ADD CONSTRAINT x_resource_FK_added_by_id FOREIGN KEY(added_by_id) REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_resource ADD CONSTRAINT x_resource_FK_asset_id FOREIGN KEY(asset_id) REFERENCES dbo.x_asset (id)
+GO
+ALTER TABLE dbo.x_resource ADD CONSTRAINT x_resource_FK_parent_id FOREIGN KEY(parent_id) REFERENCES dbo.x_resource (id)
+GO
+ALTER TABLE dbo.x_resource ADD CONSTRAINT x_resource_FK_upd_by_id FOREIGN KEY(upd_by_id) REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_trx_log ADD CONSTRAINT x_trx_log_FK_added_by_id FOREIGN KEY(added_by_id) REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_trx_log ADD CONSTRAINT x_trx_log_FK_upd_by_id FOREIGN KEY(upd_by_id) REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_user ADD CONSTRAINT x_user_FK_added_by_id FOREIGN KEY(added_by_id) REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_user ADD CONSTRAINT x_user_FK_cred_store_id FOREIGN KEY(cred_store_id) REFERENCES dbo.x_cred_store (id)
+GO
+ALTER TABLE dbo.x_user ADD CONSTRAINT x_user_FK_upd_by_id FOREIGN KEY(upd_by_id) REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_service_def ADD CONSTRAINT x_service_def_FK_added_by_id FOREIGN KEY(added_by_id)REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_service_def ADD CONSTRAINT x_service_def_FK_upd_by_id FOREIGN KEY(upd_by_id)REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_service ADD CONSTRAINT x_service_FK_added_by_id FOREIGN KEY(added_by_id)REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_service ADD CONSTRAINT x_service_FK_upd_by_id FOREIGN KEY(upd_by_id)REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_service ADD CONSTRAINT x_service_FK_type FOREIGN KEY(type)REFERENCES dbo.x_service_def (id)
+GO
+ALTER TABLE dbo.x_policy ADD CONSTRAINT x_policy_FK_added_by_id FOREIGN KEY(added_by_id)REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_policy ADD CONSTRAINT x_policy_FK_upd_by_id FOREIGN KEY(upd_by_id)REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_policy ADD CONSTRAINT x_policy_FK_service FOREIGN KEY(service)REFERENCES dbo.x_service (id)
+GO
+ALTER TABLE dbo.x_service_config_def ADD CONSTRAINT x_service_config_def_FK_defid FOREIGN KEY(def_id)REFERENCES dbo.x_service_def (id)
+GO
+ALTER TABLE dbo.x_service_config_def ADD CONSTRAINT x_service_conf_def_FK_added_by FOREIGN KEY(added_by_id)REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_service_config_def ADD CONSTRAINT x_service_conf_def_FK_upd_by FOREIGN KEY(upd_by_id)REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_resource_def ADD CONSTRAINT x_resource_def_FK_parent FOREIGN KEY(parent)REFERENCES dbo.x_resource_def (id)
+GO
+ALTER TABLE dbo.x_resource_def ADD CONSTRAINT x_resource_def_FK_defid FOREIGN KEY(def_id)REFERENCES dbo.x_service_def (id)
+GO
+ALTER TABLE dbo.x_resource_def ADD CONSTRAINT x_resource_def_FK_added_by FOREIGN KEY(added_by_id)REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_resource_def ADD CONSTRAINT x_resource_def_FK_upd_by FOREIGN KEY(upd_by_id)REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_access_type_def ADD CONSTRAINT x_access_type_def_FK_defid FOREIGN KEY(def_id)REFERENCES dbo.x_service_def (id)
+GO
+ALTER TABLE dbo.x_access_type_def ADD CONSTRAINT x_access_type_def_FK_added_by FOREIGN KEY(added_by_id)REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_access_type_def ADD CONSTRAINT x_access_type_def_FK_upd_by FOREIGN KEY(upd_by_id)REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_access_type_def_grants ADD CONSTRAINT x_atd_grants_FK_atdid FOREIGN KEY(atd_id)REFERENCES dbo.x_access_type_def (id)
+GO
+ALTER TABLE dbo.x_access_type_def_grants ADD CONSTRAINT x_access_type_def_grants_FK_added_by FOREIGN KEY(added_by_id)REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_access_type_def_grants ADD CONSTRAINT x_access_type_def_grants_FK_upd_by FOREIGN KEY(upd_by_id)REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_policy_condition_def ADD CONSTRAINT x_policy_condition_def_FK_defid FOREIGN KEY(def_id)REFERENCES dbo.x_service_def (id)
+GO
+ALTER TABLE dbo.x_policy_condition_def ADD CONSTRAINT x_policy_condition_def_FK_added_by FOREIGN KEY(added_by_id)REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_policy_condition_def ADD CONSTRAINT x_policy_condition_def_FK_upd_by FOREIGN KEY(upd_by_id)REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_context_enricher_def ADD CONSTRAINT x_context_enricher_def_FK_defid FOREIGN KEY(def_id)REFERENCES dbo.x_service_def (id)
+GO
+ALTER TABLE dbo.x_context_enricher_def ADD CONSTRAINT x_context_enricher_def_FK_added_by_id FOREIGN KEY(added_by_id)REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_context_enricher_def ADD CONSTRAINT x_context_enricher_def_FK_upd_by_id FOREIGN KEY(upd_by_id)REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_enum_def ADD CONSTRAINT x_enum_def_FK_defid FOREIGN KEY(def_id)REFERENCES dbo.x_service_def (id)
+GO
+ALTER TABLE dbo.x_enum_element_def ADD CONSTRAINT x_enum_element_def_FK_defid FOREIGN KEY(enum_def_id)REFERENCES dbo.x_enum_def (id)
+GO
+ALTER TABLE dbo.x_enum_def ADD CONSTRAINT x_enum_def_FK_added_by FOREIGN KEY(added_by_id)REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_enum_def ADD CONSTRAINT x_enum_def_FK_upd_by FOREIGN KEY(upd_by_id)REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_service_config_map ADD CONSTRAINT x_service_config_map_FK_ FOREIGN KEY(service)REFERENCES dbo.x_service (id)
+GO
+ALTER TABLE dbo.x_service_config_map ADD CONSTRAINT x_service_config_map_FK_added_by FOREIGN KEY(added_by_id)REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_service_config_map ADD CONSTRAINT x_service_config_map_FK_upd_by FOREIGN KEY(upd_by_id)REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_policy_resource ADD CONSTRAINT x_policy_resource_FK_policy_id FOREIGN KEY(policy_id)REFERENCES dbo.x_policy (id)
+GO
+ALTER TABLE dbo.x_policy_resource ADD CONSTRAINT x_policy_resource_FK_res_def_id FOREIGN KEY(res_def_id)REFERENCES dbo.x_resource_def (id)
+GO
+ALTER TABLE dbo.x_policy_resource ADD CONSTRAINT x_policy_resource_FK_added_by FOREIGN KEY(added_by_id)REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_policy_resource ADD CONSTRAINT x_policy_resource_FK_upd_by FOREIGN KEY(upd_by_id)REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_policy_resource_map ADD CONSTRAINT x_policy_resource_map_FK_resource_id FOREIGN KEY(resource_id)REFERENCES dbo.x_policy_resource (id)
+GO
+ALTER TABLE dbo.x_policy_resource_map ADD CONSTRAINT x_policy_resource_map_FK_added_by FOREIGN KEY(added_by_id)REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_policy_resource_map ADD CONSTRAINT x_policy_resource_map_FK_upd_by FOREIGN KEY(upd_by_id)REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_policy_item ADD CONSTRAINT x_policy_item_FK_policy_id FOREIGN KEY(policy_id)REFERENCES dbo.x_policy (id)
+GO
+ALTER TABLE dbo.x_policy_item ADD CONSTRAINT x_policy_item_FK_added_by FOREIGN KEY(added_by_id)REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_policy_item ADD CONSTRAINT x_policy_item_FK_upd_by FOREIGN KEY(upd_by_id)REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_policy_item_access ADD CONSTRAINT x_policy_item_access_FK_pi_id FOREIGN KEY(policy_item_id)REFERENCES dbo.x_policy_item (id)
+GO
+ALTER TABLE dbo.x_policy_item_access ADD CONSTRAINT x_policy_item_access_FK_atd_id FOREIGN KEY(type)REFERENCES dbo.x_access_type_def (id)
+GO
+ALTER TABLE dbo.x_policy_item_access ADD CONSTRAINT x_policy_item_access_FK_added_by FOREIGN KEY(added_by_id)REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_policy_item_access ADD CONSTRAINT x_policy_item_access_FK_upd_by FOREIGN KEY(upd_by_id)REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_policy_item_condition ADD CONSTRAINT x_policy_item_condition_FK_pi_id FOREIGN KEY(policy_item_id)REFERENCES dbo.x_policy_item (id)
+GO
+ALTER TABLE dbo.x_policy_item_condition ADD CONSTRAINT x_policy_item_condition_FK_pcd_id FOREIGN KEY(type)REFERENCES dbo.x_policy_condition_def (id)
+GO
+ALTER TABLE dbo.x_policy_item_condition ADD CONSTRAINT x_policy_item_condition_FK_added_by FOREIGN KEY(added_by_id)REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_policy_item_condition ADD CONSTRAINT x_policy_item_condition_FK_upd_by FOREIGN KEY(upd_by_id)REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_policy_item_user_perm ADD CONSTRAINT x_policy_item_user_perm_FK_pi_id FOREIGN KEY(policy_item_id)REFERENCES dbo.x_policy_item (id)
+GO
+ALTER TABLE dbo.x_policy_item_user_perm ADD CONSTRAINT x_policy_item_user_perm_FK_user_id FOREIGN KEY(user_id)REFERENCES dbo.x_user (id)
+GO
+ALTER TABLE dbo.x_policy_item_user_perm ADD CONSTRAINT x_policy_item_user_perm_FK_added_by FOREIGN KEY(added_by_id)REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_policy_item_user_perm ADD CONSTRAINT x_policy_item_user_perm_FK_upd_by FOREIGN KEY(upd_by_id)REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_policy_item_group_perm ADD CONSTRAINT x_policy_item_group_perm_FK_pi_id FOREIGN KEY(policy_item_id)REFERENCES dbo.x_policy_item (id)
+GO
+ALTER TABLE dbo.x_policy_item_group_perm ADD CONSTRAINT x_policy_item_group_perm_FK_group_id FOREIGN KEY(group_id)REFERENCES dbo.x_group (id)
+GO
+ALTER TABLE dbo.x_policy_item_group_perm ADD CONSTRAINT x_policy_item_group_perm_FK_added_by FOREIGN KEY(added_by_id)REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_policy_item_group_perm ADD CONSTRAINT x_policy_item_group_perm_FK_upd_by FOREIGN KEY(upd_by_id)REFERENCES dbo.x_portal_user (id)
+GO
+ALTER TABLE dbo.x_user_module_perm ADD CONSTRAINT x_user_module_perm_FK_moduleid FOREIGN KEY(module_id) REFERENCES dbo.x_modules_master(id)
+GO
+ALTER TABLE dbo.x_user_module_perm ADD CONSTRAINT x_user_module_perm_FK_userid FOREIGN KEY(user_id) REFERENCES dbo.x_portal_user(id)
+GO
+ALTER TABLE dbo.x_group_module_perm ADD CONSTRAINT x_grp_module_perm_FK_module_id FOREIGN KEY(module_id) REFERENCES dbo.x_modules_master(id)
+GO
+ALTER TABLE dbo.x_group_module_perm ADD CONSTRAINT x_grp_module_perm_FK_group_id FOREIGN KEY(group_id) REFERENCES dbo.x_group(id)
+GO
+CREATE NONCLUSTERED INDEX x_asset_cr_time ON dbo.x_asset(create_time ASC)
+GO
+CREATE NONCLUSTERED INDEX x_asset_FK_added_by_id ON dbo.x_asset(added_by_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_asset_FK_upd_by_id ON dbo.x_asset(upd_by_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_asset_up_time ON dbo.x_asset(update_time ASC)
+GO
+CREATE NONCLUSTERED INDEX x_audit_map_cr_time ON dbo.x_audit_map(create_time ASC)
+GO
+CREATE NONCLUSTERED INDEX x_audit_map_FK_added_by_id ON dbo.x_audit_map(added_by_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_audit_map_FK_group_id ON dbo.x_audit_map(group_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_audit_map_FK_res_id ON dbo.x_audit_map(res_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_audit_map_FK_upd_by_id ON dbo.x_audit_map(upd_by_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_audit_map_FK_user_id ON dbo.x_audit_map(user_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_audit_map_up_time ON dbo.x_audit_map(update_time ASC)
+GO
+CREATE NONCLUSTERED INDEX x_auth_sess_cr_time ON dbo.x_auth_sess(create_time ASC)
+GO
+CREATE NONCLUSTERED INDEX x_auth_sess_FK_added_by_id ON dbo.x_auth_sess(added_by_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_auth_sess_FK_upd_by_id ON dbo.x_auth_sess(upd_by_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_auth_sess_FK_user_id ON dbo.x_auth_sess(user_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_auth_sess_up_time ON dbo.x_auth_sess(update_time ASC)
+GO
+CREATE NONCLUSTERED INDEX x_cred_store_cr_time ON dbo.x_cred_store(create_time ASC)
+GO
+CREATE NONCLUSTERED INDEX x_cred_store_FK_added_by_id ON dbo.x_cred_store(added_by_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_cred_store_FK_upd_by_id ON dbo.x_cred_store(upd_by_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_cred_store_up_time ON dbo.x_cred_store(update_time ASC)
+GO
+CREATE NONCLUSTERED INDEX x_db_base_cr_time ON dbo.x_db_base(create_time ASC)
+GO
+CREATE NONCLUSTERED INDEX x_db_base_FK_added_by_id ON dbo.x_db_base(added_by_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_db_base_FK_upd_by_id ON dbo.x_db_base(upd_by_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_db_base_up_time ON dbo.x_db_base(update_time ASC)
+GO
+CREATE NONCLUSTERED INDEX x_group_cr_time ON dbo.x_group(create_time ASC)
+GO
+CREATE NONCLUSTERED INDEX x_group_FK_added_by_id ON dbo.x_group(added_by_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_group_FK_cred_store_id ON dbo.x_group(cred_store_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_group_FK_upd_by_id ON dbo.x_group(upd_by_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_group_groups_cr_time ON dbo.x_group_groups(create_time ASC)
+GO
+CREATE NONCLUSTERED INDEX x_group_groups_FK_added_by_id ON dbo.x_group_groups(added_by_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_group_groups_FK_group_id ON dbo.x_group_groups(group_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_group_groups_FK_p_group_id ON dbo.x_group_groups(p_group_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_group_groups_FK_upd_by_id ON dbo.x_group_groups(upd_by_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_group_groups_up_time ON dbo.x_group_groups(update_time ASC)
+GO
+CREATE NONCLUSTERED INDEX x_group_up_time ON dbo.x_group(update_time ASC)
+GO
+CREATE NONCLUSTERED INDEX x_group_users_cr_time ON dbo.x_group_users(create_time ASC)
+GO
+CREATE NONCLUSTERED INDEX x_group_users_FK_added_by_id ON dbo.x_group_users(added_by_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_group_users_FK_p_group_id ON dbo.x_group_users(p_group_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_group_users_FK_upd_by_id ON dbo.x_group_users(upd_by_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_group_users_FK_user_id ON dbo.x_group_users(user_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_group_users_up_time ON dbo.x_group_users(update_time ASC)
+GO
+CREATE NONCLUSTERED INDEX x_perm_map_cr_time ON dbo.x_perm_map(create_time ASC)
+GO
+CREATE NONCLUSTERED INDEX x_perm_map_FK_added_by_id ON dbo.x_perm_map(added_by_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_perm_map_FK_group_id ON dbo.x_perm_map(group_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_perm_map_FK_res_id ON dbo.x_perm_map(res_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_perm_map_FK_upd_by_id ON dbo.x_perm_map(upd_by_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_perm_map_FK_user_id ON dbo.x_perm_map(user_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_perm_map_up_time ON dbo.x_perm_map(update_time ASC)
+GO
+CREATE NONCLUSTERED INDEX x_policy_export_audit_cr_time ON dbo.x_policy_export_audit(create_time ASC)
+GO
+CREATE NONCLUSTERED INDEX x_policy_export_audit_FK_added_by_id ON dbo.x_policy_export_audit(added_by_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_policy_export_audit_FK_upd_by_id ON dbo.x_policy_export_audit(upd_by_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_policy_export_audit_up_time ON dbo.x_policy_export_audit(update_time ASC)
+GO
+CREATE NONCLUSTERED INDEX x_portal_user_cr_time ON dbo.x_portal_user(create_time ASC)
+GO
+CREATE NONCLUSTERED INDEX x_portal_user_email ON dbo.x_portal_user(email ASC)
+GO
+CREATE NONCLUSTERED INDEX x_portal_user_FK_added_by_id ON dbo.x_portal_user(added_by_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_portal_user_FK_upd_by_id ON dbo.x_portal_user(upd_by_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_portal_user_name ON dbo.x_portal_user(first_name ASC)
+GO
+CREATE NONCLUSTERED INDEX x_portal_user_role_cr_time ON dbo.x_portal_user_role(create_time ASC)
+GO
+CREATE NONCLUSTERED INDEX x_portal_user_role_FK_added_by_id ON dbo.x_portal_user_role(added_by_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_portal_user_role_FK_upd_by_id ON dbo.x_portal_user_role(upd_by_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_portal_user_role_FK_user_id ON dbo.x_portal_user_role(user_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_portal_user_role_up_time ON dbo.x_portal_user_role(update_time ASC)
+GO
+CREATE NONCLUSTERED INDEX x_portal_user_up_time ON dbo.x_portal_user(update_time ASC)
+GO
+CREATE NONCLUSTERED INDEX x_resource_cr_time ON dbo.x_resource(create_time ASC)
+GO
+CREATE NONCLUSTERED INDEX x_resource_FK_added_by_id ON dbo.x_resource(added_by_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_resource_FK_asset_id ON dbo.x_resource(asset_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_resource_FK_parent_id ON dbo.x_resource(parent_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_resource_FK_upd_by_id ON dbo.x_resource(upd_by_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_resource_up_time ON dbo.x_resource(update_time ASC)
+GO
+CREATE NONCLUSTERED INDEX x_trx_log_cr_time ON dbo.x_trx_log(create_time ASC)
+GO
+CREATE NONCLUSTERED INDEX x_trx_log_FK_added_by_id ON dbo.x_trx_log(added_by_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_trx_log_FK_upd_by_id ON dbo.x_trx_log(upd_by_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_trx_log_up_time ON dbo.x_trx_log(update_time ASC)
+GO
+CREATE NONCLUSTERED INDEX x_user_cr_time ON dbo.x_user(create_time ASC)
+GO
+CREATE NONCLUSTERED INDEX x_user_FK_added_by_id ON dbo.x_user(added_by_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_user_FK_cred_store_id ON dbo.x_user(cred_store_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_user_FK_upd_by_id ON dbo.x_user(upd_by_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_user_up_time ON dbo.x_user(update_time ASC)
+GO
+CREATE NONCLUSTERED INDEX xa_access_audit_cr_time ON dbo.xa_access_audit(create_time ASC)
+GO
+CREATE NONCLUSTERED INDEX xa_access_audit_event_time ON dbo.xa_access_audit(event_time ASC)
+GO
+CREATE NONCLUSTERED INDEX xa_access_audit_added_by_id ON dbo.xa_access_audit(added_by_id ASC)
+GO
+CREATE NONCLUSTERED INDEX xa_access_audit_upd_by_id ON dbo.xa_access_audit(upd_by_id ASC)
+GO
+CREATE NONCLUSTERED INDEX xa_access_audit_up_time ON dbo.xa_access_audit(update_time ASC)
+GO
+CREATE NONCLUSTERED INDEX x_service_def_added_by_id ON dbo.x_service_def(added_by_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_service_def_upd_by_id ON dbo.x_service_def(upd_by_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_service_def_cr_time ON dbo.x_service_def(create_time ASC)
+GO
+CREATE NONCLUSTERED INDEX x_service_def_up_time ON dbo.x_service_def(update_time ASC)
+GO
+CREATE NONCLUSTERED INDEX x_service_added_by_id ON dbo.x_service(added_by_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_service_upd_by_id ON dbo.x_service(upd_by_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_service_cr_time ON dbo.x_service(create_time ASC)
+GO
+CREATE NONCLUSTERED INDEX x_service_up_time ON dbo.x_service(update_time ASC)
+GO
+CREATE NONCLUSTERED INDEX x_service_type ON dbo.x_service(type ASC)
+GO
+CREATE NONCLUSTERED INDEX x_policy_added_by_id ON dbo.x_policy(added_by_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_policy_upd_by_id ON dbo.x_policy(upd_by_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_policy_cr_time ON dbo.x_policy(create_time ASC)
+GO
+CREATE NONCLUSTERED INDEX x_policy_up_time ON dbo.x_policy(update_time ASC)
+GO
+CREATE NONCLUSTERED INDEX x_policy_service ON dbo.x_policy(service ASC)
+GO
+CREATE NONCLUSTERED INDEX x_policy_resource_signature ON dbo.x_policy(resource_signature ASC)
+GO
+CREATE NONCLUSTERED INDEX x_resource_def_parent ON dbo.x_resource_def(parent ASC)
+GO
+CREATE NONCLUSTERED INDEX x_usr_module_perm_idx_moduleid ON dbo.x_user_module_perm(module_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_usr_module_perm_idx_userid ON dbo.x_user_module_perm(user_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_grp_module_perm_idx_groupid ON dbo.x_group_module_perm(group_id ASC)
+GO
+CREATE NONCLUSTERED INDEX x_grp_module_perm_idx_moduleid ON dbo.x_group_module_perm(module_id ASC)
+GO
+insert into x_portal_user (create_time,update_time,first_name,last_name,pub_scr_name,login_id,password,email,status) values (GETDATE(),GETDATE(),'Admin','','Admin','admin','ceb4f32325eda6142bd65215f4c0f371','',1)
+GO
+insert into x_portal_user_role (create_time,update_time,user_id,user_role,status) values (GETDATE(),GETDATE(),1,'ROLE_SYS_ADMIN',1)
+GO
+insert into x_user (create_time,update_time,user_name,status,descr) values (GETDATE(),GETDATE(),'admin',0,'Administrator')
+GO
+insert into x_group (added_by_id,create_time,descr,group_type,group_name,status,update_time,upd_by_id) values (1,GETDATE(),'public group',0,'public',0,GETDATE(),1)
+GO
+INSERT INTO x_modules_master(create_time,update_time,added_by_id,upd_by_id,module,url) VALUES(GETDATE(),GETDATE(),1,1,'Resource Based Policies','')
+GO
+INSERT INTO x_modules_master(create_time,update_time,added_by_id,upd_by_id,module,url) VALUES(GETDATE(),GETDATE(),1,1,'Users/Groups','')
+GO
+INSERT INTO x_modules_master(create_time,update_time,added_by_id,upd_by_id,module,url) VALUES(GETDATE(),GETDATE(),1,1,'Reports','')
+GO
+INSERT INTO x_modules_master(create_time,update_time,added_by_id,upd_by_id,module,url) VALUES(GETDATE(),GETDATE(),1,1,'Audit','')
+GO
+INSERT INTO x_modules_master(create_time,update_time,added_by_id,upd_by_id,module,url) VALUES(GETDATE(),GETDATE(),1,1,'Key Manager','')
+GO
+insert into x_portal_user (create_time,update_time,first_name,last_name,pub_scr_name,login_id,password,email,status) values (GETDATE(),GETDATE(),'rangerusersync','','rangerusersync','rangerusersync','70b8374d3dfe0325aaa5002a688c7e3b','rangerusersync',1)
+GO
+insert into x_portal_user_role (create_time,update_time,user_id,user_role,status) values (GETDATE(),GETDATE(),2,'ROLE_SYS_ADMIN',1)
+GO
+insert into x_user (create_time,update_time,user_name,status,descr) values (GETDATE(),GETDATE(),'rangerusersync',0,'rangerusersync')
+GO
+insert into x_portal_user (create_time,update_time,first_name,last_name,pub_scr_name,login_id,password,email,status) values (GETDATE(),GETDATE(),'keyadmin','','keyadmin','keyadmin','a05f34d2dce2b4688fa82e82a89ba958','keyadmin',1)
+GO
+insert into x_portal_user_role (create_time,update_time,user_id,user_role,status) values (GETDATE(),GETDATE(),3,'ROLE_KEY_ADMIN',1)
+GO
+insert into x_user (create_time,update_time,user_name,status,descr) values (GETDATE(),GETDATE(),'keyadmin',0,'keyadmin')
+GO
+exit
\ No newline at end of file
diff --git a/security-admin/scripts/db_setup.py b/security-admin/scripts/db_setup.py
index 0d6c49b5029..a010e19aa12 100644
--- a/security-admin/scripts/db_setup.py
+++ b/security-admin/scripts/db_setup.py
@@ -1162,6 +1162,260 @@ def execute_java_patches(self, xa_db_host, db_user, db_password, db_name): log("[E] java patch "+ className +" failed", "error") sys.exit(1) +class SqlAnywhereConf(BaseDB): + # Constructor + def __init__(self, host, SQL_CONNECTOR_JAR, JAVA_BIN): + self.host = host + self.SQL_CONNECTOR_JAR = SQL_CONNECTOR_JAR + self.JAVA_BIN = JAVA_BIN + + def get_jisql_cmd(self, user, password, db_name): + path = RANGER_ADMIN_HOME + self.JAVA_BIN = self.JAVA_BIN.strip("'") + if os_name == "LINUX": + jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password %s -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,user, password,db_name,self.host) + elif os_name == "WINDOWS": + jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password %s -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password,db_name,self.host) + return jisql_cmd + + def check_connection(self, db_name, db_user, db_password): + log("[I] Checking connection", "info") + get_cmd = self.get_jisql_cmd(db_user, db_password, db_name) + if os_name == "LINUX": + query = get_cmd + " -c \; -query \"SELECT 1;\"" + elif os_name == "WINDOWS": + query = get_cmd + " -query \"SELECT 1;\" -c ;" + output = check_output(query) + if output.strip('1 |'): + log("[I] Connection success", "info") + return True + else: + log("[E] Can't establish connection", "error") + sys.exit(1) + + def import_db_file(self, db_name, db_user, db_password, file_name): + name = basename(file_name) + if os.path.isfile(file_name): + log("[I] Importing db schema to database " + db_name + " from file: " + name,"info") + get_cmd = self.get_jisql_cmd(db_user, db_password, db_name) + if os_name == "LINUX": + query = get_cmd + " -input %s" %file_name + ret = subprocess.call(shlex.split(query)) + elif os_name == "WINDOWS": + query = 
get_cmd + " -input %s" %file_name + ret = subprocess.call(query) + if ret == 0: + log("[I] "+name + " DB schema imported successfully","info") + else: + log("[E] "+name + " DB Schema import failed!","error") + sys.exit(1) + + def check_table(self, db_name, db_user, db_password, TABLE_NAME): + get_cmd = self.get_jisql_cmd(db_user, db_password, db_name) + if os_name == "LINUX": + query = get_cmd + " -c \; -query \"SELECT name FROM sysobjects where name = '%s' and type='U';\"" %(TABLE_NAME) + elif os_name == "WINDOWS": + query = get_cmd + " -query \"SELECT name FROM sysobjects where name = '%s' and type='U';\" -c ;" %(TABLE_NAME) + output = check_output(query) + if output.strip(TABLE_NAME + " |"): + log("[I] Table '" + TABLE_NAME + "' already exists in database '" + db_name + "'","info") + return True + else: + log("[I] Table '" + TABLE_NAME + "' does not exist in database '" + db_name + "'","info") + return False + + def grant_audit_db_user(self, audit_db_name, db_user, audit_db_user, db_password, audit_db_password,TABLE_NAME): + log("[I] Granting permission to audit user '" + audit_db_user + "' on db '" + audit_db_name + "'","info") + get_cmd = self.get_jisql_cmd(db_user, db_password,audit_db_name) + if os_name == "LINUX": + query = get_cmd + " -c \; -query \"GRANT INSERT ON XA_ACCESS_AUDIT to %s;\"" %(audit_db_user) + ret = subprocess.call(shlex.split(query)) + elif os_name == "WINDOWS": + query = get_cmd + " -query \"GRANT INSERT ON XA_ACCESS_AUDIT to %s;\" -c ;" %(audit_db_user) + ret = subprocess.call(query) + if ret != 0 : + sys.exit(1) + else: + log("[I] Permission granted to audit user " + audit_db_user , "info") + + def import_db_patches(self, db_name, db_user, db_password, file_name): + name = basename(file_name) + if os.path.isfile(file_name): + version = name.split('-')[0] + log("[I] Executing patch on " + db_name + " from file: " + name,"info") + get_cmd = self.get_jisql_cmd(db_user, db_password, db_name) + if os_name == "LINUX": + query = get_cmd + " 
-query \"select version from x_db_version_h where version = '%s' and active = 'Y';\"" %(version) + elif os_name == "WINDOWS": + query = get_cmd + " -query \"select version from x_db_version_h where version = '%s' and active = 'Y';\" -c ;" %(version) + output = check_output(query) + if output.strip(version + " |"): + log("[I] Patch "+ name +" is already applied" ,"info") + else: + if os_name == "LINUX": + query = get_cmd + " -input %s" %file_name + ret = subprocess.call(shlex.split(query)) + elif os_name == "WINDOWS": + query = get_cmd + " -input %s" %file_name + ret = subprocess.call(query) + if ret == 0: + log("[I] "+name + " patch applied","info") + if os_name == "LINUX": + query = get_cmd + " -query \"insert into x_db_version_h (version, inst_at, inst_by, updated_at, updated_by) values ('%s', GETDATE(), '%s@%s', GETDATE(), '%s@%s') ;\" -c \;" %(version,db_user,xa_db_host,db_user,xa_db_host) + ret = subprocess.call(shlex.split(query)) + elif os_name == "WINDOWS": + query = get_cmd + " -query \"insert into x_db_version_h (version, inst_at, inst_by, updated_at, updated_by) values ('%s', GETDATE(), '%s@%s', GETDATE(), '%s@%s') ;\" -c ;" %(version,db_user,xa_db_host,db_user,xa_db_host) + ret = subprocess.call(query) + if ret == 0: + log("[I] Patch version updated", "info") + else: + log("[E] Updating patch version failed", "error") + sys.exit(1) + else: + log("[E] "+name + " import failed!","error") + sys.exit(1) + + def import_auditdb_patches(self, xa_sqlObj,xa_db_host, audit_db_host, db_name, audit_db_name, db_user, audit_db_user, db_password, audit_db_password, file_name, TABLE_NAME): + log("[I] --------- Checking XA_ACCESS_AUDIT table to apply audit db patches --------- ","info") + self.set_options(audit_db_name, db_user, db_password, TABLE_NAME) + output = self.check_table(audit_db_name, db_user, db_password, TABLE_NAME) + if output == True: + name = basename(file_name) + if os.path.isfile(file_name): + version = name.split('-')[0] + log("[I] Executing patch on 
" + audit_db_name + " from file: " + name,"info") + get_cmd1 = xa_sqlObj.get_jisql_cmd(db_user, db_password, db_name) + if os_name == "LINUX": + query = get_cmd1 + " -query \"select version from x_db_version_h where version = '%s' and active = 'Y';\"" %(version) + elif os_name == "WINDOWS": + query = get_cmd1 + " -query \"select version from x_db_version_h where version = '%s' and active = 'Y';\" -c ;" %(version) + output = check_output(query) + if output.strip(version + " |"): + log("[I] Patch "+ name +" is already applied" ,"info") + else: + get_cmd2 = self.get_jisql_cmd(db_user, db_password, audit_db_name) + if os_name == "LINUX": + query = get_cmd2 + " -input %s" %file_name + ret = subprocess.call(shlex.split(query)) + elif os_name == "WINDOWS": + query = get_cmd2 + " -input %s" %file_name + ret = subprocess.call(query) + if ret == 0: + log("[I] "+name + " patch applied","info") + if os_name == "LINUX": + query = get_cmd1 + " -query \"insert into x_db_version_h (version, inst_at, inst_by, updated_at, updated_by) values ('%s', GETDATE(), '%s@%s', GETDATE(), '%s@%s') ;\" -c \;" %(version,db_user,xa_db_host,db_user,xa_db_host) + ret = subprocess.call(shlex.split(query)) + elif os_name == "WINDOWS": + query = get_cmd1 + " -query \"insert into x_db_version_h (version, inst_at, inst_by, updated_at, updated_by) values ('%s', GETDATE(), '%s@%s', GETDATE(), '%s@%s') ;\" -c ;" %(version,db_user,xa_db_host,db_user,xa_db_host) + ret = subprocess.call(query) + if ret == 0: + log("[I] Patch version updated", "info") + else: + log("[E] Updating patch version failed", "error") + sys.exit(1) + else: + log("[E] "+name + " import failed!","error") + sys.exit(1) + else: + log("[I] Table XA_ACCESS_AUDIT does not exists in " +audit_db_name,"error") + sys.exit(1) + + def auditdb_operation(self, xa_db_host, audit_db_host, db_name, audit_db_name,db_user, audit_db_user, db_password, audit_db_password, file_name, TABLE_NAME): + log("[I] --------- Check admin user connection --------- 
","info") + self.check_connection(audit_db_name, db_user, db_password) + log("[I] --------- Check audit user connection --------- ","info") + self.check_connection(audit_db_name, audit_db_user, audit_db_password) + log("[I] --------- Check audit table exists --------- ","info") + self.set_options(audit_db_name, db_user, db_password, TABLE_NAME) + output = self.check_table(audit_db_name, db_user, db_password, TABLE_NAME) + if output == False: + self.import_db_file(audit_db_name ,db_user, db_password, file_name) + self.grant_audit_db_user( audit_db_name ,db_user, audit_db_user, db_password,audit_db_password,TABLE_NAME) + + def execute_java_patches(self, xa_db_host, db_user, db_password, db_name): + my_dict = {} + version = "" + className = "" + app_home = os.path.join(RANGER_ADMIN_HOME,"ews","webapp") + ranger_log = os.path.join(RANGER_ADMIN_HOME,"ews","logs") + javaFiles = os.path.join(app_home,"WEB-INF","classes","org","apache","ranger","patch") + + if not os.path.exists(javaFiles): + log("[I] No java patches to apply!","info") + else: + files = os.listdir(javaFiles) + if files: + for filename in files: + f = re.match("^Patch.*?.class$",filename) + if f: + className = re.match("(Patch.*?)_.*.class",filename) + className = className.group(1) + version = re.match("Patch.*?_(.*).class",filename) + version = version.group(1) + key3 = int(version.strip("J")) + my_dict[key3] = filename + + keylist = my_dict.keys() + keylist.sort() + for key in keylist: + #print "%s: %s" % (key, my_dict[key]) + version = str(key) + className = my_dict[key] + className = className.strip(".class") + if version != "": + get_cmd = self.get_jisql_cmd(db_user, db_password, db_name) + if os_name == "LINUX": + query = get_cmd + " -query \"select version from x_db_version_h where version = 'J%s' and active = 'Y';\" -c \;" %(version) + elif os_name == "WINDOWS": + query = get_cmd + " -query \"select version from x_db_version_h where version = 'J%s' and active = 'Y';\" -c ;" %(version) + output = 
check_output(query) + if output.strip(version + " |"): + log("[I] java patch "+ className +" is already applied" ,"info") + else: + log ("[I] java patch "+ className +" is being applied..","info") + if os_name == "LINUX": + path = os.path.join("%s","WEB-INF","classes","conf:%s","WEB-INF","classes","lib","*:%s","WEB-INF",":%s","META-INF",":%s","WEB-INF","lib","*:%s","WEB-INF","classes",":%s","WEB-INF","classes","META-INF:%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR) + elif os_name == "WINDOWS": + path = os.path.join("%s","WEB-INF","classes","conf;%s","WEB-INF","classes","lib","*;%s","WEB-INF",";%s","META-INF",";%s","WEB-INF","lib","*;%s","WEB-INF","classes",";%s","WEB-INF","classes","META-INF;%s" )%(app_home ,app_home ,app_home, app_home, app_home, app_home ,app_home ,self.SQL_CONNECTOR_JAR) + get_cmd = "%s -Dlogdir=%s -Dlog4j.configuration=db_patch.log4j.xml -cp %s org.apache.ranger.patch.%s"%(self.JAVA_BIN,ranger_log,path,className) + if os_name == "LINUX": + ret = subprocess.call(shlex.split(get_cmd)) + elif os_name == "WINDOWS": + ret = subprocess.call(get_cmd) + if ret == 0: + get_cmd = self.get_jisql_cmd(db_user, db_password, db_name) + if os_name == "LINUX": + query = get_cmd + " -query \"insert into x_db_version_h (version, inst_at, inst_by, updated_at, updated_by) values ('J%s', GETDATE(), '%s@%s', GETDATE(), '%s@%s') ;\" -c \;" %(version,db_user,xa_db_host,db_user,xa_db_host) + ret = subprocess.call(shlex.split(query)) + elif os_name == "WINDOWS": + query = get_cmd + " -query \"insert into x_db_version_h (version, inst_at, inst_by, updated_at, updated_by) values ('J%s', GETDATE(), '%s@%s', GETDATE(), '%s@%s') ;\" -c ;" %(version,db_user,xa_db_host,db_user,xa_db_host) + ret = subprocess.call(query) + if ret == 0: + log("[I] java patch "+ className +" applied", "info") + else: + log("[E] java patch "+ className +" failed", "error") + sys.exit(1) + else: + log("[E] java patch "+ className +" failed", 
"error") + sys.exit(1) + + def set_options(self, db_name, db_user, db_password, TABLE_NAME): + get_cmd = self.get_jisql_cmd(db_user, db_password, db_name) + if os_name == "LINUX": + query = get_cmd + " -c \; -query \"set option public.reserved_keywords='LIMIT';\"" + elif os_name == "WINDOWS": + query = get_cmd + " -query \"set option public.reserved_keywords='LIMIT';\" -c ;" + ret = subprocess.call(shlex.split(query)) + if os_name == "LINUX": + query = get_cmd + " -c \; -query \"set option public.max_statement_count=0;\"" + elif os_name == "WINDOWS": + query = get_cmd + " -query \"set option public.max_statement_count=0;\" -c;" + ret = subprocess.call(shlex.split(query)) + if os_name == "LINUX": + query = get_cmd + " -c \; -query \"set option public.max_cursor_count=0;\"" + elif os_name == "WINDOWS": + query = get_cmd + " -query \"set option public.max_cursor_count=0;\" -c;" + ret = subprocess.call(shlex.split(query)) def main(argv): populate_global_dict() @@ -1218,6 +1472,12 @@ def main(argv): sqlserver_patches = os.path.join('db','sqlserver','patches') sqlserver_auditdb_patches = os.path.join('db','sqlserver','patches','audit') + sqlanywhere_dbversion_catalog = os.path.join('db','sqlanywhere','create_dbversion_catalog.sql') + sqlanywhere_core_file = globalDict['sqlanywhere_core_file'] + sqlanywhere_audit_file = globalDict['sqlanywhere_audit_file'] + sqlanywhere_patches = os.path.join('db','sqlanywhere','patches') + sqlanywhere_auditdb_patches = os.path.join('db','sqlanywhere','patches','audit') + db_name = globalDict['db_name'] db_user = globalDict['db_user'] db_password = globalDict['db_password'] 
@@ -1261,6 +1521,19 @@ def main(argv): xa_db_core_file = os.path.join(RANGER_ADMIN_HOME , sqlserver_core_file) xa_patch_file = os.path.join(RANGER_ADMIN_HOME , sqlserver_patches) audit_patch_file = os.path.join(RANGER_ADMIN_HOME ,sqlserver_auditdb_patches) + + elif XA_DB_FLAVOR == "SQLANYWHERE": + if not os_name == "WINDOWS" : + if os.environ['LD_LIBRARY_PATH'] == "": + log("[E] ---------- LD_LIBRARY_PATH environment property not defined, aborting installation. ----------", "error") + sys.exit(1) + SQLANYWHERE_CONNECTOR_JAR = globalDict['SQL_CONNECTOR_JAR'] + xa_sqlObj = SqlAnywhereConf(xa_db_host, SQLANYWHERE_CONNECTOR_JAR, JAVA_BIN) + xa_db_version_file = os.path.join(RANGER_ADMIN_HOME ,sqlanywhere_dbversion_catalog) + xa_db_core_file = os.path.join(RANGER_ADMIN_HOME , sqlanywhere_core_file) + xa_patch_file = os.path.join(RANGER_ADMIN_HOME , sqlanywhere_patches) + audit_patch_file = os.path.join(RANGER_ADMIN_HOME ,sqlanywhere_auditdb_patches) + else: log("[E] --------- NO SUCH SUPPORTED DB FLAVOUR!! ---------", "error") sys.exit(1) @@ -1284,6 +1557,11 @@ def main(argv): SQLSERVER_CONNECTOR_JAR = globalDict['SQL_CONNECTOR_JAR'] audit_sqlObj = SqlServerConf(audit_db_host, SQLSERVER_CONNECTOR_JAR, JAVA_BIN) audit_db_file = os.path.join(RANGER_ADMIN_HOME , sqlserver_audit_file) + + elif AUDIT_DB_FLAVOR == "SQLANYWHERE": + SQLANYWHERE_CONNECTOR_JAR = globalDict['SQL_CONNECTOR_JAR'] + audit_sqlObj = SqlAnywhereConf(audit_db_host, SQLANYWHERE_CONNECTOR_JAR, JAVA_BIN) + audit_db_file = os.path.join(RANGER_ADMIN_HOME , sqlanywhere_audit_file) else: log("[E] --------- NO SUCH SUPPORTED DB FLAVOUR!! ---------", "error") sys.exit(1) diff --git a/security-admin/scripts/dba_script.py b/security-admin/scripts/dba_script.py index 045990dc625..0d5d573888d 100644 --- a/security-admin/scripts/dba_script.py +++ b/security-admin/scripts/dba_script.py 
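Review bot: `os.environ['LD_LIBRARY_PATH'] == ""` raises KeyError when the variable is not set at all, so the branch that is supposed to print the "not defined" error never runs in exactly the case it was written for; use `if os.environ.get('LD_LIBRARY_PATH', '') == "":` (or `if not os.environ.get('LD_LIBRARY_PATH'):`). The same check is repeated in the dba_script.py hunk at @@ -1339 below and should be fixed there too. The enclosing main() starts and ends outside this hunk.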
@@ -1086,6 +1086,191 @@ def create_auditdb_user(self, xa_db_host, audit_db_host, db_name, audit_db_name, self.create_user(xa_db_root_user, audit_db_name ,db_user, db_password, xa_db_root_password,dryMode) self.grant_xa_db_user(audit_db_root_user, audit_db_name, db_user, db_password, audit_db_root_password, is_revoke, dryMode) +class SqlAnywhereConf(BaseDB): + # Constructor + def __init__(self, host, SQL_CONNECTOR_JAR, JAVA_BIN): + self.host = host + self.SQL_CONNECTOR_JAR = SQL_CONNECTOR_JAR + self.JAVA_BIN = JAVA_BIN + + def get_jisql_cmd(self, user, password, db_name): + path = RANGER_ADMIN_HOME + self.JAVA_BIN = self.JAVA_BIN.strip("'") + if os_name == "LINUX": + jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password %s -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,user, password,db_name,self.host) + elif os_name == "WINDOWS": + jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password %s -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password,db_name,self.host) + return jisql_cmd + + def verify_user(self, root_user, db_root_password, db_user,dryMode): + if dryMode == False: + log("[I] Verifying user " + db_user , "info") + get_cmd = self.get_jisql_cmd(root_user, db_root_password, '') + if os_name == "LINUX": + query = get_cmd + " -c \; -query \"select name from syslogins where name = '%s';\"" %(db_user) + elif os_name == "WINDOWS": + query = get_cmd + " -query \"select name from syslogins where name = '%s';\" -c ;" %(db_user) + output = check_output(query) + if output.strip(db_user + " |"): + return True + else: + return False + + def check_connection(self, db_name, db_user, db_password): + log("[I] Checking connection", "info") + get_cmd = self.get_jisql_cmd(db_user, db_password, db_name) + if os_name == "LINUX": + query = get_cmd + " -c \; 
-query \"SELECT 1;\"" + elif os_name == "WINDOWS": + query = get_cmd + " -query \"SELECT 1;\" -c ;" + output = check_output(query) + if output.strip('1 |'): + log("[I] Connection success", "info") + return True + else: + log("[E] Can't establish connection", "error") + sys.exit(1) + + def create_rangerdb_user(self, root_user, db_user, db_password, db_root_password,dryMode): + if self.check_connection('', root_user, db_root_password): + if self.verify_user(root_user, db_root_password, db_user,dryMode): + if dryMode == False: + log("[I] SQL Anywhere user " + db_user + " already exists.", "info") + else: + if dryMode == False: + get_cmd = self.get_jisql_cmd(root_user, db_root_password, '') + log("[I] User does not exists, Creating Login user " + db_user, "info") + if os_name == "LINUX": + query = get_cmd + " -c \; -query \"CREATE USER %s IDENTIFIED BY '%s';\"" %(db_user,db_password) + ret = subprocess.call(shlex.split(query)) + elif os_name == "WINDOWS": + query = get_cmd + " -query \"CREATE USER %s IDENTIFIED BY '%s';\" -c ;" %(db_user,db_password) + ret = subprocess.call(query) + if ret == 0: + if self.verify_user(root_user, db_root_password, db_user,dryMode): + log("[I] SQL Anywhere user " + db_user + " created", "info") + else: + log("[E] SQL Anywhere user " +db_user+" creation failed..", "error") + sys.exit(1) + else: + log("[E] SQL Anywhere user " +db_user+" creation failed..", "error") + sys.exit(1) + else: + logFile("CREATE USER %s IDENTIFIED BY '%s';" %(db_user,db_password)) + + def start_db(self,root_user, db_root_password, db_name,dryMode): + if dryMode == False: + log("[I] Starting database " + db_name, "info") + get_cmd = self.get_jisql_cmd(root_user, db_root_password, '') + if os_name == "LINUX": + query = get_cmd + " -c \; -query \"start database '%s' autostop off;\"" %(db_name) + elif os_name == "WINDOWS": + query = get_cmd + " -query \"start database '%s' autostop off;\" -c ;" %(db_name) + output = check_output(query) + + def verify_db(self, 
root_user, db_root_password, db_name,dryMode): + if dryMode == False: + log("[I] Verifying database " + db_name, "info") + get_cmd = self.get_jisql_cmd(root_user, db_root_password, '') + if os_name == "LINUX": + query = get_cmd + " -c \; -query \"select alias from sa_db_info() where alias='%s';\"" %(db_name) + elif os_name == "WINDOWS": + query = get_cmd + " -query \"select alias from sa_db_info() where alias='%s';\" -c ;" %(db_name) + output = check_output(query) + if output.strip(db_name + " |"): + return True + else: + return False + + def create_db(self, root_user, db_root_password, db_name, db_user, db_password,dryMode): + if self.verify_db(root_user, db_root_password, db_name,dryMode): + if dryMode == False: + log("[I] Database " + db_name + " already exists.","info") + else: + if dryMode == False: + log("[I] Database does not exist. Creating database : " + db_name,"info") + get_cmd = self.get_jisql_cmd(root_user, db_root_password, '') + if os_name == "LINUX": + query = get_cmd + " -c \; -query \"create database '%s' dba user '%s' dba password '%s' database size 100MB;\"" %(db_name,db_user, db_password) + ret = subprocess.call(shlex.split(query)) + elif os_name == "WINDOWS": + query = get_cmd + " -query \"create database '%s' dba user '%s' dba password '%s' database size 100MB;\" -c ;" %(db_name,db_user, db_password) + ret = subprocess.call(query) + if ret != 0: + log("[E] Database creation failed..","error") + sys.exit(1) + else: + self.start_db(root_user, db_root_password, db_name,dryMode) + if self.verify_db(root_user, db_root_password, db_name,dryMode): + self.create_user(root_user, db_name ,db_user, db_password, db_root_password,dryMode) + log("[I] Creating database " + db_name + " succeeded", "info") + return True + else: + log("[E] Database creation failed..","error") + sys.exit(1) + else: + logFile("create database %s dba user '%s' dba password '%s' database size 100MB;" %(db_name,db_user, db_password)) + + def create_user(self, root_user, db_name 
,db_user, db_password, db_root_password,dryMode): + get_cmd = self.get_jisql_cmd(root_user, db_root_password, '') + if os_name == "LINUX": + query = get_cmd + " -c \; -query \"select name from syslogins where name ='%s';\"" %(db_user) + elif os_name == "WINDOWS": + query = get_cmd + " -query \"select name from syslogins where name ='%s';\" -c ;" %(db_user) + output = check_output(query) + if output.strip(db_user + " |"): + if dryMode == False: + log("[I] User "+db_user+" exist ","info") + else: + if dryMode == False: + if os_name == "LINUX": + query = get_cmd + " -c \; -query \"CREATE USER %s IDENTIFIED BY '%s';\"" %(db_user, db_password) + ret = subprocess.call(shlex.split(query)) + elif os_name == "WINDOWS": + query = get_cmd + " -query \"CREATE USER %s IDENTIFIED BY '%s';\" -c ;" %(db_user, db_password) + ret = subprocess.call(query) + if ret == 0: + if os_name == "LINUX": + query = get_cmd + " -c \; -query \"select name from syslogins where name ='%s';\"" %(db_user) + elif os_name == "WINDOWS": + query = get_cmd + " -query \"select name from syslogins where name ='%s';\" -c ;" %(db_user) + output = check_output(query) + if output.strip(db_user + " |"): + log("[I] User "+db_user+" exist ","info") + else: + log("[E] Database creation failed..","error") + sys.exit(1) + else: + log("[E] Database creation failed..","error") + sys.exit(1) + else: + logFile("CREATE USER %s IDENTIFIED BY '%s';" %(db_user, db_password)) + + def grant_xa_db_user(self, root_user, db_name, db_user, db_password, db_root_password, is_revoke,dryMode): + if dryMode == False: + log("[I] Granting permission to user '" + db_user + "' on db '" + db_name + "'" , "info") + get_cmd = self.get_jisql_cmd(root_user, db_root_password, db_name) + if os_name == "LINUX": + query = get_cmd + " -c \; -query \" GRANT CONNECT to %s IDENTIFIED BY '%s';\"" %(db_user,db_password) + ret = subprocess.call(shlex.split(query)) + elif os_name == "WINDOWS": + query = get_cmd + " -query \" GRANT CONNECT to %s IDENTIFIED 
BY '%s';\"" %(db_user,db_password) + ret = subprocess.call(query) + if ret != 0: + sys.exit(1) + else: + logFile("GRANT CONNECT to %s IDENTIFIED BY '%s';" %(db_user, db_password)) + + def create_auditdb_user(self, xa_db_host, audit_db_host, db_name, audit_db_name, xa_db_root_user, audit_db_root_user, db_user, audit_db_user, xa_db_root_password, audit_db_root_password, db_password, audit_db_password, DBA_MODE,dryMode): + is_revoke=False + if DBA_MODE == "TRUE": + if dryMode == False: + log("[I] ---------- Setup audit user ---------- ","info") + self.create_rangerdb_user(audit_db_root_user, db_user, db_password, audit_db_root_password,dryMode) + self.create_rangerdb_user(audit_db_root_user, audit_db_user, audit_db_password, audit_db_root_password,dryMode) + self.create_db(audit_db_root_user, audit_db_root_password ,audit_db_name, db_user, db_password,dryMode) + self.create_user(xa_db_root_user, audit_db_name ,db_user, db_password, xa_db_root_password,dryMode) + self.grant_xa_db_user(db_user, audit_db_name, audit_db_user, audit_db_password, db_password, is_revoke, dryMode) def main(argv): @@ -1167,7 +1352,7 @@ def main(argv): else: XA_DB_FLAVOR='' while XA_DB_FLAVOR == "": - log("Enter db flavour{MYSQL|ORACLE|POSTGRES|MSSQL} :","info") + log("Enter db flavour{MYSQL|ORACLE|POSTGRES|MSSQL|SQLANYWHERE} :","info") XA_DB_FLAVOR=raw_input() AUDIT_DB_FLAVOR = XA_DB_FLAVOR 
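Review bot: The existence checks in verify_user, verify_db and create_user use `output.strip(db_user + " |")`, which is str.strip with a character set rather than a substring test: any non-empty output whose characters are not all in that set (a jisql error message, for example) is truthy, so a user or database is reported as existing when the query produced any text at all, and create_db / create_rangerdb_user then skip creation. Something like `if (db_user + " |") in output:`, or comparing the trimmed first column, would test what was intended; the exact form depends on what the local check_output helper returns, which is not visible here. The db_setup.py patch hunks above use the same `output.strip(version + " |")` test to decide that a patch is already applied, with the same consequence. Separately, get_jisql_cmd passes `-password %s` on the command line and the dryMode branches write `CREATE USER … IDENTIFIED BY '<password>'` through logFile, so the database passwords are exposed in the process list and stored in clear text in the dry-run log; and the failure messages in create_user say "Database creation failed.." for what is a user-creation failure.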
@@ -1296,6 +1481,11 @@ def main(argv): sqlserver_audit_file = os.path.join('db','sqlserver','xa_audit_db_sqlserver.sql') sqlserver_patches = os.path.join('db','sqlserver','patches') + sqlanywhere_dbversion_catalog = os.path.join('db','sqlanywhere','create_dbversion_catalog.sql') + sqlanywhere_core_file = os.path.join('db','sqlanywhere','xa_core_db_sqlanywhere.sql') + sqlanywhere_audit_file = os.path.join('db','sqlanywhere','xa_audit_db_sqlanywhere.sql') + sqlanywhere_patches = os.path.join('db','sqlanywhere','patches') + x_db_version = 'x_db_version_h' xa_access_audit = 'xa_access_audit' x_user = 'x_portal_user' @@ -1339,6 +1529,17 @@ def main(argv): xa_db_version_file = os.path.join(RANGER_ADMIN_HOME,sqlserver_dbversion_catalog) xa_db_core_file = os.path.join(RANGER_ADMIN_HOME,sqlserver_core_file) xa_patch_file = os.path.join(RANGER_ADMIN_HOME,sqlserver_patches) + + elif XA_DB_FLAVOR == "SQLANYWHERE": + if not os_name == "WINDOWS" : + if os.environ['LD_LIBRARY_PATH'] == "": + log("[E] ---------- LD_LIBRARY_PATH environment property not defined, aborting installation. ----------", "error") + sys.exit(1) + SQLANYWHERE_CONNECTOR_JAR=CONNECTOR_JAR + xa_sqlObj = SqlAnywhereConf(xa_db_host, SQLANYWHERE_CONNECTOR_JAR, JAVA_BIN) + xa_db_version_file = os.path.join(RANGER_ADMIN_HOME,sqlanywhere_dbversion_catalog) + xa_db_core_file = os.path.join(RANGER_ADMIN_HOME,sqlanywhere_core_file) + xa_patch_file = os.path.join(RANGER_ADMIN_HOME,sqlanywhere_patches) else: log("[E] ---------- NO SUCH SUPPORTED DB FLAVOUR.. ----------", "error") sys.exit(1) 
@@ -1374,6 +1575,11 @@ def main(argv): SQLSERVER_CONNECTOR_JAR=CONNECTOR_JAR audit_sqlObj = SqlServerConf(audit_db_host, SQLSERVER_CONNECTOR_JAR, JAVA_BIN) audit_db_file = os.path.join(RANGER_ADMIN_HOME,sqlserver_audit_file) + + elif AUDIT_DB_FLAVOR == "SQLANYWHERE": + SQLANYWHERE_CONNECTOR_JAR=CONNECTOR_JAR + audit_sqlObj = SqlAnywhereConf(audit_db_host, SQLANYWHERE_CONNECTOR_JAR, JAVA_BIN) + audit_db_file = os.path.join(RANGER_ADMIN_HOME,sqlanywhere_audit_file) else: log("[E] ---------- NO SUCH SUPPORTED DB FLAVOUR.. ----------", "error") sys.exit(1) @@ -1394,7 +1600,8 @@ def main(argv): logFile("===============================================\n") xa_sqlObj.create_rangerdb_user(xa_db_root_user, db_user, db_password, xa_db_root_password,dryMode) xa_sqlObj.create_db(xa_db_root_user, xa_db_root_password, db_name, db_user, db_password,dryMode) - xa_sqlObj.grant_xa_db_user(xa_db_root_user, db_name, db_user, db_password, xa_db_root_password, is_revoke,dryMode) + if not XA_DB_FLAVOR == "SQLANYWHERE": + xa_sqlObj.grant_xa_db_user(xa_db_root_user, db_name, db_user, db_password, xa_db_root_password, is_revoke,dryMode) audit_sqlObj.create_auditdb_user(xa_db_host, audit_db_host, db_name, audit_db_name, xa_db_root_user, audit_db_root_user, db_user, audit_db_user, xa_db_root_password, audit_db_root_password, db_password, audit_db_password, DBA_MODE,dryMode) logFile("===============================================\n") if (dryMode==False): 
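Review bot: The new guards `if not XA_DB_FLAVOR == "SQLANYWHERE":` around grant_xa_db_user (here and in the following @@ -1403 hunk) read more naturally as `if XA_DB_FLAVOR != "SQLANYWHERE":`, and they move a flavour-specific decision into main() that the SqlAnywhereConf class already owns; making SqlAnywhereConf.grant_xa_db_user a documented no-op for this path (or relying on create_db, whose `dba user` clause appears to cover it) would keep main() flavour-agnostic. In either form a one-line comment stating why the grant is skipped for SQL Anywhere would help; the reason (perhaps that `GRANT CONNECT … IDENTIFIED BY` would change the dba user's password) is not visible here. main() continues outside the hunk.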
@@ -1403,7 +1610,8 @@ def main(argv): log("[I] ---------- Creating Ranger Admin database ----------","info") xa_sqlObj.create_db(xa_db_root_user, xa_db_root_password, db_name, db_user, db_password,dryMode) log("[I] ---------- Granting permission to Ranger Admin db user ----------","info") - xa_sqlObj.grant_xa_db_user(xa_db_root_user, db_name, db_user, db_password, xa_db_root_password, is_revoke,dryMode) + if not XA_DB_FLAVOR == "SQLANYWHERE": + xa_sqlObj.grant_xa_db_user(xa_db_root_user, db_name, db_user, db_password, xa_db_root_password, is_revoke,dryMode) # Ranger Admin DB Host AND Ranger Audit DB Host are Different OR Same if audit_store == "db": log("[I] ---------- Verifying/Creating audit user --------- ","info") diff --git a/security-admin/scripts/install.properties b/security-admin/scripts/install.properties index 820d9c7fdcd..294b0e8df74 100644 --- a/security-admin/scripts/install.properties +++ b/security-admin/scripts/install.properties @@ -14,7 +14,7 @@ # limitations under the License. # -# This file provides list of deployment variables for the Policy Manager Web Application +# This file provides list of deployment variables for the Policy Manager Web Application # #------------------------- DB CONFIG - BEGIN ---------------------------------- @@ -23,10 +23,10 @@ PYTHON_COMMAND_INVOKER=python -#DB_FLAVOR=MYSQL|ORACLE|POSTGRES|MSSQL +#DB_FLAVOR=MYSQL|ORACLE|POSTGRES|MSSQL|SQLANYWHERE DB_FLAVOR=MYSQL # -# The executable path to be used to invoke command-line MYSQL +# The executable path to be used to invoke command-line MYSQL # #SQL_COMMAND_INVOKER='mysql' #SQL_COMMAND_INVOKER='sqlplus' 
@@ -39,17 +39,18 @@ SQL_COMMAND_INVOKER='mysql' #SQL_CONNECTOR_JAR=/usr/share/java/mysql-connector-java.jar #SQL_CONNECTOR_JAR=/usr/share/java/postgresql.jar #SQL_CONNECTOR_JAR=/usr/share/java/sqljdbc4.jar +#SQL_CONNECTOR_JAR=/opt/sqlanywhere17/java/sajdbc4.jar SQL_CONNECTOR_JAR=/usr/share/java/mysql-connector-java.jar # # DB password for the DB admin user-id # ************************************************************************** -# ** If the password is left empty or not-defined here, -# ** it will be prompted to enter the password during installation process +# ** If the password is left empty or not-defined here, +# ** it will be prompted to enter the password during installation process # ************************************************************************** # -#db_root_user=root|SYS|postgres|sa +#db_root_user=root|SYS|postgres|sa|dba db_root_user=root db_root_password= db_host=localhost @@ -61,7 +62,7 @@ db_name=ranger db_user=rangeradmin db_password= -#Source for Audit DB +#Source for Audit DB # * audit_db is solr or db audit_store=db @@ -74,9 +75,9 @@ audit_solr_zookeepers= # # DB UserId for storing auditlog infromation -# +# # * audit_db can be same as the Ranger schema db -# * audit_db must exists in the same ${db_host} as Ranger database ${db_name} +# * audit_db must exists in the same ${db_host} as Ranger database ${db_name} # * audit_user must be a different user than db_user (as audit user has access to only audit tables) # audit_db_name=ranger_audit @@ -197,4 +198,7 @@ postgres_core_file=db/postgres/xa_core_db_postgres.sql postgres_audit_file=db/postgres/xa_audit_db_postgres.sql sqlserver_core_file=db/sqlserver/xa_core_db_sqlserver.sql sqlserver_audit_file=db/sqlserver/xa_audit_db_sqlserver.sql +# +sqlanywhere_core_file=db/sqlanywhere/xa_core_db_sqlanywhere.sql +sqlanywhere_audit_file=db/sqlanywhere/xa_audit_db_sqlanywhere.sql cred_keystore_filename=$app_home/WEB-INF/classes/conf/.jceks/rangeradmin.jceks 
diff --git a/security-admin/scripts/setup.sh b/security-admin/scripts/setup.sh index b79cba47545..a88b264d81a 100755 --- a/security-admin/scripts/setup.sh +++ b/security-admin/scripts/setup.sh @@ -303,6 +303,19 @@ sanity_check_files() { log "[E] ${sqlserver_core_file} does not exists" ; exit 1; fi fi + if [ "${DB_FLAVOR}" == "SQLANYWHERE" ] + then + if [ "${LD_LIBRARY_PATH}" == "" ] + then + log "[E] LD_LIBRARY_PATH environment property not defined, aborting installation." + exit 1 + fi + if test -f ${sqlanywhere_core_file}; then + log "[I] ${sqlanywhere_core_file} file found" + else + log "[E] ${sqlanywhere_core_file} does not exists" ; exit 1; + fi + fi } create_rollback_point() { 
@@ -874,6 +887,33 @@ update_properties() { updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger fi + if [ "${DB_FLAVOR}" == "SQLANYWHERE" ] + then + propertyName=ranger.jpa.jdbc.url + newPropertyValue="jdbc:sqlanywhere:database=${db_name};host=${DB_HOST}" + updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger + + propertyName=ranger.jpa.audit.jdbc.url + newPropertyValue="jdbc:sqlanywhere:database=${audit_db_name};host=${DB_HOST}" + updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger + + propertyName=ranger.jpa.jdbc.dialect + newPropertyValue="org.eclipse.persistence.platform.database.SQLAnywherePlatform" + updatePropertyToFilePy $propertyName $newPropertyValue $to_file_default + + propertyName=ranger.jpa.jdbc.dialect + newPropertyValue="org.eclipse.persistence.platform.database.SQLAnywherePlatform" + updatePropertyToFilePy $propertyName $newPropertyValue $to_file_default + + propertyName=ranger.jpa.jdbc.driver + newPropertyValue="sap.jdbc4.sqlanywhere.IDriver" + updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger + + propertyName=ranger.jpa.audit.jdbc.driver + newPropertyValue="sap.jdbc4.sqlanywhere.IDriver" + updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger + fi + if [ "${audit_store}" == "solr" ] then propertyName=ranger.audit.solr.urls diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java index 6ffcd665c7c..a536a1a3462 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java 
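Review bot: The `ranger.jpa.jdbc.dialect` block appears twice back to back with the same value and target file; the second copy looks like a copy-paste slip and was presumably meant to set the audit-side dialect property, so either drop it or change its propertyName to the audit key. Also `ranger.jpa.audit.jdbc.url` is built from `${DB_HOST}` rather than an audit-specific host; if that mirrors the other flavours' blocks (not visible here) it is consistent, otherwise a separately configured audit host is silently ignored. update_properties() continues outside the hunk.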
@@ -1366,6 +1366,10 @@ public static int getDBFlavor() { return AppConstants.DB_FLAVOR_POSTGRES; } else if (StringUtils.containsIgnoreCase(propertyValue, "sqlserver")) { return AppConstants.DB_FLAVOR_SQLSERVER; + } else if (StringUtils.containsIgnoreCase(propertyValue, "mssql")) { + return AppConstants.DB_FLAVOR_SQLSERVER; + } else if (StringUtils.containsIgnoreCase(propertyValue, "sqlanywhere")) { + return AppConstants.DB_FLAVOR_SQLANYWHERE; } else { if(logger.isDebugEnabled()) { logger.debug("DB Falvor could not be determined from property - " + propertyName + "=" + propertyValue); diff --git a/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java index bcbb2af6593..ccb18550dcc 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java @@ -20,6 +20,7 @@ package org.apache.ranger.biz; import java.util.ArrayList; +import java.util.Calendar; import java.util.List; import javax.servlet.http.HttpServletRequest; @@ -135,16 +136,18 @@ public UserSessionBase processSuccessLogin(int authType, String userAgent, userSession.setXXPortalUser(gjUser); userSession.setXXAuthSession(gjAuthSession); resetUserSessionForProfiles(userSession); - + Calendar cal = Calendar.getInstance(); if (details != null) { logger.info("Login Success: loginId=" + currentLoginId + ", sessionId=" + gjAuthSession.getId() + ", sessionId=" + details.getSessionId() - + ", requestId=" + details.getRemoteAddress()); + + ", requestId=" + details.getRemoteAddress() + + ", epoch=" + cal.getTimeInMillis()); } else { logger.info("Login Success: loginId=" + currentLoginId + ", sessionId=" + gjAuthSession.getId() - + ", details is null"); + + ", details is null" + + ", epoch=" + cal.getTimeInMillis()); } } 
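Review bot: `Calendar.getInstance()` is created only to call `getTimeInMillis()`; `System.currentTimeMillis()` yields the same value without allocating a Calendar or adding the `java.util.Calendar` import, e.g. `long epoch = System.currentTimeMillis();` before the `if (details != null)` and `", epoch=" + epoch` in both log lines. The SpringEventListener hunk below (@@ -66) does the same and can use the same simplification, which also removes its new import. processSuccessLogin() continues outside the hunk.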
diff --git a/security-admin/src/main/java/org/apache/ranger/common/AppConstants.java b/security-admin/src/main/java/org/apache/ranger/common/AppConstants.java index 491726f9b42..5de18f6fb33 100644 --- a/security-admin/src/main/java/org/apache/ranger/common/AppConstants.java +++ b/security-admin/src/main/java/org/apache/ranger/common/AppConstants.java @@ -372,6 +372,7 @@ public class AppConstants extends RangerCommonEnums { * DB Favor SQLServer */ public static final int DB_FLAVOR_SQLSERVER = 4; + public static final int DB_FLAVOR_SQLANYWHERE = 5; /*************************************************************** diff --git a/security-admin/src/main/java/org/apache/ranger/security/listener/SpringEventListener.java b/security-admin/src/main/java/org/apache/ranger/security/listener/SpringEventListener.java index ebdabed0574..5876445f663 100644 --- a/security-admin/src/main/java/org/apache/ranger/security/listener/SpringEventListener.java +++ b/security-admin/src/main/java/org/apache/ranger/security/listener/SpringEventListener.java @@ -19,6 +19,7 @@ package org.apache.ranger.security.listener; +import java.util.Calendar; import org.apache.log4j.Logger; import org.apache.ranger.biz.SessionMgr; import org.apache.ranger.entity.XXAuthSession; @@ -66,9 +67,10 @@ protected void process(AuthenticationSuccessEvent authSuccessEvent) { : ""; String sessionId = details != null ? details.getSessionId() : ""; - logger.info("Login Successful:" + auth.getName() + " | Ip Address:" - + remoteAddress + " | sessionId=" + sessionId); - + Calendar cal = Calendar.getInstance(); + logger.info("Login Successful:" + auth.getName() + " | Ip Address:" + + remoteAddress + " | sessionId=" + sessionId + " | Epoch=" +cal.getTimeInMillis() ); + // success logins are processed further in // AKASecurityContextFormationFilter } diff --git a/storm-agent/scripts/install.sh b/storm-agent/scripts/install.sh index d0063794749..5b7674a3bf5 100644 --- a/storm-agent/scripts/install.sh 
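Review bot: `DB_FLAVOR_SQLANYWHERE` is added without the Javadoc its siblings carry (`DB_FLAVOR_SQLSERVER` is preceded by a `DB Favor SQLServer` comment); add `/** DB Flavor SQL Anywhere */` above it so the constant list stays uniformly documented. If these values are persisted or compared outside this class, a one-line note that `5` must remain stable would also help, though that usage is not visible here.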
+++ b/storm-agent/scripts/install.sh @@ -258,6 +258,18 @@ then newPropertyValue="com.microsoft.sqlserver.jdbc.SQLServerDriver" updatePropertyToFile $propertyName $newPropertyValue $to_file fi +if [ "${DB_FLAVOR}" == "SQLANYWHERE" ] +then + audit_db_hostname=`grep '^XAAUDIT.DB.HOSTNAME' ${install_dir}/install.properties | awk -F= '{ print $2 }'` + audit_db_name=`grep '^XAAUDIT.DB.DATABASE_NAME' ${install_dir}/install.properties | awk -F= '{ print $2 }'` + propertyName=XAAUDIT.DB.JDBC_URL + newPropertyValue="jdbc:sqlanywhere:database=${audit_db_name};host=${audit_db_hostname}" + updatePropertyToFile $propertyName $newPropertyValue $to_file + + propertyName=XAAUDIT.DB.JDBC_DRIVER + newPropertyValue="sap.jdbc4.sqlanywhere.IDriver" + updatePropertyToFile $propertyName $newPropertyValue $to_file +fi for f in ${install_dir}/installer/conf/*-changes.cfg do if [ -f ${f} ] From a451e028e14711fb2fe83103d8eab6f8a6d47f1f Mon Sep 17 00:00:00 2001 From: Alok Lal Date: Thu, 20 Aug 2015 18:04:35 -0700 Subject: [PATCH 026/202] RANGER-622 Hive plugin - add jar via beeline throws NPE in ranger code --- .../hive/authorizer/RangerHiveAuthorizer.java | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java index 9075b574f00..7aaf8a18884 100644 --- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java +++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java 
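Review bot: `grep '^XAAUDIT.DB.HOSTNAME' … | awk -F= '{ print $2 }'` treats the dots as regex wildcards and keeps only the text before the second `=`, so a value containing `=` is truncated and a longer key with the same prefix would also match; `grep '^XAAUDIT\.DB\.HOSTNAME=' … | cut -d= -f2-` (or `sed 's/^[^=]*=//'`) extracts the value as written. The same extraction is likely used by the neighbouring flavour blocks (not visible here), in which case fixing it once in a helper is the cleaner change.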
@@ -241,6 +241,10 @@ public void checkPrivileges(HiveOperationType hiveOpType, for(HivePrivilegeObject hiveObj : inputHObjs) { RangerHiveResource resource = getHiveResource(hiveOpType, hiveObj); + if (resource == null) { // possible if input object/object is of a kind that we don't currently authorize + continue; + } + if(resource.getObjectType() == HiveObjectType.URI) { String path = hiveObj.getObjectName(); FsAction permission = FsAction.READ; @@ -270,6 +274,10 @@ public void checkPrivileges(HiveOperationType hiveOpType, for(HivePrivilegeObject hiveObj : outputHObjs) { RangerHiveResource resource = getHiveResource(hiveOpType, hiveObj); + if (resource == null) { // possible if input object/object is of a kind that we don't currently authorize + continue; + } + if(resource.getObjectType() == HiveObjectType.URI) { String path = hiveObj.getObjectName(); FsAction permission = FsAction.WRITE; From 3b3b8d95ec42089548a128d26c213f1bc0071508 Mon Sep 17 00:00:00 2001 From: Alok Lal Date: Thu, 13 Aug 2015 08:48:14 -0700 Subject: [PATCH 027/202] RANGER-615 Audit to db: Truncate all string values of audit record so that writing of audit does not fail --- .../audit/destination/DBAuditDestination.java | 5 +- .../audit/entity/AuthzAuditEventDbObj.java | 143 ++++++++++++++++-- .../ranger/audit/model/AuditEventBase.java | 14 +- .../ranger/audit/model/AuthzAuditEvent.java | 12 +- .../audit/provider/DbAuditProvider.java | 4 + 5 files changed, 144 insertions(+), 34 deletions(-) diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/destination/DBAuditDestination.java b/agents-audit/src/main/java/org/apache/ranger/audit/destination/DBAuditDestination.java index 3d31c06406c..376e724cff5 100644 --- a/agents-audit/src/main/java/org/apache/ranger/audit/destination/DBAuditDestination.java +++ b/agents-audit/src/main/java/org/apache/ranger/audit/destination/DBAuditDestination.java 
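Review bot: The new `if (resource == null) continue;` in both loops (input objects here, output objects in the @@ -270 hunk) makes an object kind that getHiveResource() does not map skip authorization silently, which is fail-open for that object from the policy engine's point of view; at minimum log it at debug level so an operator can see which object types bypass the check, e.g. `if (LOG.isDebugEnabled()) { LOG.debug("checkPrivileges: no resource for hiveObj=" + hiveObj + "; skipping"); }` before the `continue` (the class's commons-logging logger is assumed to be named LOG — confirm). The comment in the output loop still reads "input object/object", a copy of the first hunk; "output object" is meant. A short note on getHiveResource() listing the object types for which it returns null would document the contract this code now relies on. checkPrivileges() starts and ends outside both hunks.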
@@ -33,6 +33,7 @@ import javax.persistence.Persistence; import org.apache.ranger.audit.dao.DaoManager; +import org.apache.ranger.audit.entity.AuthzAuditEventDbObj; import org.apache.ranger.audit.model.AuditEventBase; import org.apache.ranger.audit.provider.MiscUtil; @@ -63,9 +64,11 @@ public DBAuditDestination() { public void init(Properties props, String propPrefix) { logger.info("init() called"); super.init(props, propPrefix); - // Initial connect connect(); + + // initialize the database related classes + AuthzAuditEventDbObj.init(props); } /* diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/entity/AuthzAuditEventDbObj.java b/agents-audit/src/main/java/org/apache/ranger/audit/entity/AuthzAuditEventDbObj.java index 435393e40fe..d52a60ae1e2 100644 --- a/agents-audit/src/main/java/org/apache/ranger/audit/entity/AuthzAuditEventDbObj.java +++ b/agents-audit/src/main/java/org/apache/ranger/audit/entity/AuthzAuditEventDbObj.java @@ -21,6 +21,7 @@ import java.io.Serializable; import java.util.Date; +import java.util.Properties; import javax.persistence.Column; import javax.persistence.Entity; @@ -32,8 +33,11 @@ import javax.persistence.TemporalType; import javax.persistence.SequenceGenerator; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; import org.apache.ranger.audit.model.EnumRepositoryType; import org.apache.ranger.audit.model.AuthzAuditEvent; +import org.apache.ranger.audit.provider.MiscUtil; /** * Entity implementation class for Entity: AuthzAuditEventDbObj 
@@ -42,8 +46,25 @@ @Entity @Table(name="xa_access_audit") public class AuthzAuditEventDbObj implements Serializable { + + private static final Log LOG = LogFactory.getLog(AuthzAuditEventDbObj.class); + private static final long serialVersionUID = 1L; + static int MaxValueLengthAccessType = 255; + static int MaxValueLengthAclEnforcer = 255; + static int MaxValueLengthAgentId = 255; + static int MaxValueLengthClientIp = 255; + static int MaxValueLengthClientType = 255; + static int MaxValueLengthRepoName = 255; + static int MaxValueLengthResultReason = 255; + static int MaxValueLengthSessionId = 255; + static int MaxValueLengthRequestUser = 255; + static int MaxValueLengthAction = 2000; + static int MaxValueLengthRequestData = 4000; + static int MaxValueLengthResourcePath = 4000; + static int MaxValueLengthResourceType = 255; + private long auditId; private int repositoryType; private String repositoryName; 
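Review bot: The thirteen new `static int MaxValueLength…` fields are package-private, mutable and named like classes; since `init()` assigns them and every getter reads them, `private static` with the file's usual `maxValueLengthAccessType` casing (or a single map keyed by column name) would keep them from being written from outside the class and fit the surrounding naming. They are plain statics written by `init()` and read from whatever thread later persists the event, and `init()` is invoked from both DBAuditDestination and DbAuditProvider in this commit; if initialisation can run after writers have started, `volatile` removes the visibility question — confirm the init order before relying on it. A one-line comment such as `// per-column maximum value length; 0 drops the column, <0 disables truncation (see init/truncate)` would save the reader a trip to `logMaxColumnValue`. The rest of the class lies outside this hunk.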
@@ -63,6 +84,60 @@ public class AuthzAuditEventDbObj implements Serializable { private String clientIP; private String requestData; + public static void init(Properties props) + { + LOG.info("AuthzAuditEventDbObj.init()"); + + final String AUDIT_DB_MAX_COLUMN_VALUE = "xasecure.audit.destination.db.max.column.length"; + MaxValueLengthAccessType = MiscUtil.getIntProperty(props, AUDIT_DB_MAX_COLUMN_VALUE + "." + "access_type", MaxValueLengthAccessType); + logMaxColumnValue("access_type", MaxValueLengthAccessType); + + MaxValueLengthAclEnforcer = MiscUtil.getIntProperty(props, AUDIT_DB_MAX_COLUMN_VALUE + "." + "acl_enforcer", MaxValueLengthAclEnforcer); + logMaxColumnValue("acl_enforcer", MaxValueLengthAclEnforcer); + + MaxValueLengthAction = MiscUtil.getIntProperty(props, AUDIT_DB_MAX_COLUMN_VALUE + "." + "action", MaxValueLengthAction); + logMaxColumnValue("action", MaxValueLengthAction); + + MaxValueLengthAgentId = MiscUtil.getIntProperty(props, AUDIT_DB_MAX_COLUMN_VALUE + "." + "agent_id", MaxValueLengthAgentId); + logMaxColumnValue("agent_id", MaxValueLengthAgentId); + + MaxValueLengthClientIp = MiscUtil.getIntProperty(props, AUDIT_DB_MAX_COLUMN_VALUE + "." + "client_id", MaxValueLengthClientIp); + logMaxColumnValue("client_id", MaxValueLengthClientIp); + + MaxValueLengthClientType = MiscUtil.getIntProperty(props, AUDIT_DB_MAX_COLUMN_VALUE + "." + "client_type", MaxValueLengthClientType); + logMaxColumnValue("client_type", MaxValueLengthClientType); + + MaxValueLengthRepoName = MiscUtil.getIntProperty(props, AUDIT_DB_MAX_COLUMN_VALUE + "." + "repo_name", MaxValueLengthRepoName); + logMaxColumnValue("repo_name", MaxValueLengthRepoName); + + MaxValueLengthResultReason = MiscUtil.getIntProperty(props, AUDIT_DB_MAX_COLUMN_VALUE + "." + "result_reason", MaxValueLengthResultReason); + logMaxColumnValue("result_reason", MaxValueLengthResultReason); + + MaxValueLengthSessionId = MiscUtil.getIntProperty(props, AUDIT_DB_MAX_COLUMN_VALUE + "." 
+ "session_id", MaxValueLengthSessionId); + logMaxColumnValue("session_id", MaxValueLengthSessionId); + + MaxValueLengthRequestUser = MiscUtil.getIntProperty(props, AUDIT_DB_MAX_COLUMN_VALUE + "." + "request_user", MaxValueLengthRequestUser); + logMaxColumnValue("request_user", MaxValueLengthRequestUser); + + MaxValueLengthRequestData = MiscUtil.getIntProperty(props, AUDIT_DB_MAX_COLUMN_VALUE + "." + "request_data", MaxValueLengthRequestData); + logMaxColumnValue("request_data", MaxValueLengthRequestData); + + MaxValueLengthResourcePath = MiscUtil.getIntProperty(props, AUDIT_DB_MAX_COLUMN_VALUE + "." + "resource_path", MaxValueLengthResourcePath); + logMaxColumnValue("resource_path", MaxValueLengthResourcePath); + + MaxValueLengthResourceType = MiscUtil.getIntProperty(props, AUDIT_DB_MAX_COLUMN_VALUE + "." + "resource_type", MaxValueLengthResourceType); + logMaxColumnValue("resource_type", MaxValueLengthResourceType); + } + + public static void logMaxColumnValue(String columnName, int configuredMaxValueLength) { + LOG.info("Setting max column value for column[" + columnName + "] to [" + configuredMaxValueLength + "]."); + if (configuredMaxValueLength == 0) { + LOG.info("Max length of column[" + columnName + "] was 0! Column will NOT be emitted in the audit."); + } else if (configuredMaxValueLength < 0) { + LOG.info("Max length of column[" + columnName + "] was less than 0! Column value will never be truncated."); + } + } + public AuthzAuditEventDbObj() { super(); @@ -113,7 +188,7 @@ public void setRepositoryType(int repositoryType) { @Column(name = "repo_name") public String getRepositoryName() { - return this.repositoryName; + return truncate(this.repositoryName, MaxValueLengthRepoName, "repo_name"); } public void setRepositoryName(String repositoryName) { 
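Review bot: The property key for the client IP column is built from `"client_id"` (`AUDIT_DB_MAX_COLUMN_VALUE + "." + "client_id"`) and logged as `client_id`, while the getter later in this commit truncates under the column name `client_ip`, so an operator setting `xasecure.audit.destination.db.max.column.length.client_ip` would see no effect; use `MaxValueLengthClientIp = MiscUtil.getIntProperty(props, AUDIT_DB_MAX_COLUMN_VALUE + "." + "client_ip", MaxValueLengthClientIp);` and `logMaxColumnValue("client_ip", MaxValueLengthClientIp);`. The thirteen lookups repeat the same two lines; a helper `private static int maxLength(Properties props, String column, int dflt)` that performs the lookup and the log call would reduce `init` to one line per column and make a mismatch like the one above impossible. `init` has no Javadoc; a sentence stating that it reads `xasecure.audit.destination.db.max.column.length.<column>` and that 0 suppresses the column while a negative value disables truncation would document the operator contract in one place.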
@@ -122,7 +197,7 @@ public void setRepositoryName(String repositoryName) { @Column(name = "request_user") public String getUser() { - return this.user; + return truncate(this.user, MaxValueLengthRequestUser, "request_user"); } public void setUser(String user) { @@ -141,7 +216,7 @@ public void setTimeStamp(Date timeStamp) { @Column(name = "access_type") public String getAccessType() { - return this.accessType; + return truncate(this.accessType, MaxValueLengthAccessType, "access_type"); } public void setAccessType(String accessType) { @@ -150,7 +225,7 @@ public void setAccessType(String accessType) { @Column(name = "resource_path") public String getResourcePath() { - return this.resourcePath; + return truncate(this.resourcePath, MaxValueLengthResourcePath, "resource_path"); } public void setResourcePath(String resourcePath) { @@ -159,7 +234,7 @@ public void setResourcePath(String resourcePath) { @Column(name = "resource_type") public String getResourceType() { - return this.resourceType; + return truncate(this.resourceType, MaxValueLengthResourceType, "resource_type"); } public void setResourceType(String resourceType) { @@ -168,7 +243,7 @@ public void setResourceType(String resourceType) { @Column(name = "action") public String getAction() { - return this.action; + return truncate(this.action, MaxValueLengthAction, "action"); } public void setAction(String action) { @@ -186,7 +261,7 @@ public void setAccessResult(int accessResult) { @Column(name = "agent_id") public String getAgentId() { - return agentId; + return truncate(this.agentId, MaxValueLengthAgentId, "agent_id"); } public void setAgentId(String agentId) { @@ -204,7 +279,7 @@ public void setPolicyId(long policyId) { @Column(name = "result_reason") public String getResultReason() { - return this.resultReason; + return truncate(this.resultReason, MaxValueLengthResultReason, "result_reason"); } public void setResultReason(String resultReason) { 
@@ -213,7 +288,7 @@ public void setResultReason(String resultReason) { @Column(name = "acl_enforcer") public String getAclEnforcer() { - return this.aclEnforcer; + return truncate(this.aclEnforcer, MaxValueLengthAclEnforcer, "acl_enforcer"); } public void setAclEnforcer(String aclEnforcer) { @@ -222,7 +297,7 @@ public void setAclEnforcer(String aclEnforcer) { @Column(name = "session_id") public String getSessionId() { - return this.sessionId; + return truncate(this.sessionId, MaxValueLengthSessionId, "session_id"); } public void setSessionId(String sessionId) { @@ -231,7 +306,7 @@ public void setSessionId(String sessionId) { @Column(name = "client_type") public String getClientType() { - return this.clientType; + return truncate(this.clientType, MaxValueLengthClientType, "client_type"); } public void setClientType(String clientType) { @@ -240,7 +315,7 @@ public void setClientType(String clientType) { @Column(name = "client_ip") public String getClientIP() { - return this.clientIP; + return truncate(this.clientIP, MaxValueLengthClientIp, "client_ip"); } public void setClientIP(String clientIP) { 
@@ -249,10 +324,52 @@ public void setClientIP(String clientIP) { @Column(name = "request_data") public String getRequestData() { - return this.requestData; + return truncate(this.requestData, MaxValueLengthRequestData, "request_data"); } public void setRequestData(String requestData) { this.requestData = requestData; } + static final String TruncationMarker = "..."; + static final int TruncationMarkerLength = TruncationMarker.length(); + + protected String truncate(String value, int limit, String columnName) { + if (LOG.isDebugEnabled()) { + LOG.debug(String.format("==> getTrunctedValue(%s, %d, %s)", value, limit, columnName)); + } + + String result = value; + if (value != null) { + if (limit < 0) { + if (LOG.isDebugEnabled()) { + LOG.debug(String.format("Truncation is suppressed for column[%s]: old value [%s], new value[%s]", columnName, value, result)); + } + } else if (limit == 0) { + if (LOG.isDebugEnabled()) { + LOG.debug(String.format("Column[%s] is to be excluded from audit: old value [%s], new value[%s]", columnName, value, result)); + } + result = null; + } else { + if (value.length() > limit) { + if (limit <= TruncationMarkerLength) { + // NOTE: If value is to be truncated to a size that is less than of equal to the Truncation Marker then we won't put the marker in!! + result = value.substring(0, limit); + } else { + StringBuilder sb = new StringBuilder(value.substring(0, limit - TruncationMarkerLength)); + sb.append(TruncationMarker); + result = sb.toString(); + } + if (LOG.isDebugEnabled()) { + LOG.debug(String.format("Truncating value for column[%s] to [%d] characters: old value [%s], new value[%s]", columnName, limit, value, result)); + } + } + } + } + + if (LOG.isDebugEnabled()) { + LOG.debug(String.format("<== getTrunctedValue(%s, %d, %s): %s", value, limit, columnName, result)); + } + return result; + } + } 
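Review bot: In the `limit == 0` branch of `truncate` the debug message is formatted before `result = null` is assigned, so it reports `new value[<old value>]` for a column that is actually dropped; assign first or log `null` explicitly. The trace messages name the method `getTrunctedValue` (wrong name and a typo) and log the untruncated `value` at debug level — for `request_data` that is the full request text, so enabling debug here copies audit payloads into the application log; logging `value.length()` and `limit` instead keeps the diagnostic without the payload. Truncation is by `String.length()`, i.e. UTF-16 units; if a target column is declared in bytes (for example Oracle `VARCHAR2(n BYTE)`) a 255-character value can still exceed it, and cutting at `limit` can split a surrogate pair, so a comment stating that the configured limit is in characters, not bytes, is worth adding. The `StringBuilder` can be `value.substring(0, limit - TruncationMarkerLength) + TruncationMarker`.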
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/model/AuditEventBase.java b/agents-audit/src/main/java/org/apache/ranger/audit/model/AuditEventBase.java index 2c6a87f3413..2a07e94af46 100644 --- a/agents-audit/src/main/java/org/apache/ranger/audit/model/AuditEventBase.java +++ b/agents-audit/src/main/java/org/apache/ranger/audit/model/AuditEventBase.java @@ -21,6 +21,8 @@ import java.util.Date; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; import org.apache.ranger.audit.dao.DaoManager; public abstract class AuditEventBase { @@ -34,16 +36,4 @@ protected AuditEventBase() { public abstract Date getEventTime (); public abstract void setEventCount(long eventCount); public abstract void setEventDurationMS(long eventDurationMS); - - protected String trim(String str, int len) { - String ret = str; - if (str != null) { - if (str.length() > len) { - ret = str.substring(0, len); - } - } - return ret; - } - - } diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java b/agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java index d648de32cd2..2a8d79249b0 100644 --- a/agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java +++ b/agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java @@ -190,8 +190,8 @@ public Date getEventTime() { } /** - * @param timeStamp - * the timeStamp to set + * @param eventTime + * the eventTime to set */ public void setEventTime(Date eventTime) { this.eventTime = eventTime; @@ -245,9 +245,7 @@ public void setResourceType(String resourceType) { /** * @return the action */ - public String getAction() { - return trim(action, MAX_ACTION_FIELD_SIZE); - } + public String getAction() { return action; } /** * @param action 
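Review bot: The AuditEventBase hunk adds `org.apache.commons.logging.Log` and `LogFactory` imports while the only other change to that class is the removal of `trim`, so nothing visible uses them; drop the two imports unless a logger is declared elsewhere in the file. In AuthzAuditEvent, `getAction` now returns the raw field (and `getRequestData` does in the next hunk), so `MAX_ACTION_FIELD_SIZE` and `MAX_REQUEST_DATA_FIELD_SIZE` are presumably unreferenced and can go too, and the one-line `public String getAction() { return action; }` form differs from the braced style of the neighbouring getters. Since non-DB destinations now receive the untruncated value, the Javadoc could say so: `@return the action, untruncated; the DB destination applies its own column limits`.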
@@ -380,9 +378,7 @@ public void setClientIP(String clientIP) { /** * @return the requestData */ - public String getRequestData() { - return trim(requestData, MAX_REQUEST_DATA_FIELD_SIZE); - } + public String getRequestData() { return requestData; } /** * @param requestData diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/provider/DbAuditProvider.java b/agents-audit/src/main/java/org/apache/ranger/audit/provider/DbAuditProvider.java index 98da1c2d814..f23f17d21e9 100644 --- a/agents-audit/src/main/java/org/apache/ranger/audit/provider/DbAuditProvider.java +++ b/agents-audit/src/main/java/org/apache/ranger/audit/provider/DbAuditProvider.java @@ -32,6 +32,7 @@ import org.apache.commons.logging.LogFactory; import org.apache.ranger.audit.dao.DaoManager; import org.apache.ranger.audit.destination.AuditDestination; +import org.apache.ranger.audit.entity.AuthzAuditEventDbObj; import org.apache.ranger.audit.model.AuditEventBase; import org.apache.ranger.audit.model.AuthzAuditEvent; import org.apache.ranger.authorization.hadoop.utils.RangerCredentialProvider; @@ -91,6 +92,9 @@ public void init(Properties props) { if(jdbcPassword != null && !jdbcPassword.isEmpty()) { mDbProperties.put(AUDIT_JPA_JDBC_PASSWORD, jdbcPassword); } + + // initialize the database related classes + AuthzAuditEventDbObj.init(props); } @Override From fc66b15f2c037c4763a47017211471eb6096b175 Mon Sep 17 00:00:00 2001 From: Gautam Borad Date: Sat, 22 Aug 2015 03:42:47 +0530 Subject: [PATCH 028/202] RANGER-624 : Fix Windows installation issue after SQLAnywhere support Signed-off-by: Velmurugan Periasamy --- security-admin/src/bin/ranger_install.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/security-admin/src/bin/ranger_install.py b/security-admin/src/bin/ranger_install.py index 42142fe7c10..2970715219f 100644 --- a/security-admin/src/bin/ranger_install.py +++ b/security-admin/src/bin/ranger_install.py 
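Review bot: `AuthzAuditEventDbObj.init(props)` is now invoked from `DbAuditProvider.init` as well as from `DBAuditDestination.init` earlier in this commit, and it assigns static fields, so whichever runs last wins when both are configured; the comment `// initialize the database related classes` could state that instead, e.g. `// (re)applies the per-column length limits from props; last caller wins`, or the class could guard against a second initialisation with different values. `DbAuditProvider.init` keeps `jdbcPassword` in `mDbProperties` just above the hunk; that is pre-existing, but the new call hands the same `props` object to `AuthzAuditEventDbObj.init`, which should keep reading only the `max.column.length` keys and never log the properties wholesale.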
@@ -310,6 +310,8 @@ def init_variables(switch): conf_dict['postgres_audit_file']=os.path.join(db_dir,'postgres','xa_audit_db_postgres.sql') conf_dict['sqlserver_core_file']=os.path.join(db_dir,'sqlserver','xa_core_db_sqlserver.sql') conf_dict['sqlserver_audit_file']=os.path.join(db_dir,'sqlserver','xa_audit_db_sqlserver.sql') + conf_dict['sqlanywhere_core_file']= os.path.join(db_dir,'sqlanywhere','xa_core_db_sqlanywhere.sql') + conf_dict['sqlanywhere_audit_file']= os.path.join(db_dir, 'sqlanywhere','xa_audit_db_sqlanywhere.sql') #conf_dict['db_core_file'] = os.path.join(db_dir, "xa_core_db.sql") #conf_dict['db_create_user_file'] = os.path.join(db_dir, "create_dev_user.sql") #conf_dict['db_audit_file'] = os.path.join(db_dir, "xa_audit_db.sql") @@ -1281,4 +1283,4 @@ def configure(): # copy_mysql_connector() #log(" --------- Creatin Audit DB --------- ","info") setup_admin_db_user() - setup_audit_user_db() \ No newline at end of file + setup_audit_user_db() From 4a5a4f29bb8a0cc6ecda51cdc9031bb6d510a6b3 Mon Sep 17 00:00:00 2001 From: Velmurugan Periasamy Date: Mon, 24 Aug 2015 21:05:11 -0700 Subject: [PATCH 029/202] RANGER-625:Change db flavor input parameter value from SQLAnywhere to SQLA --- agents-common/scripts/enable-agent.sh | 2 +- hbase-agent/scripts/install.sh | 2 +- hdfs-agent/scripts/install.sh | 2 +- hive-agent/scripts/install.sh | 2 +- jisql/src/main/java/org/apache/util/sql/Jisql.java | 1 + kms/scripts/db_setup.py | 2 +- kms/scripts/dba_script.py | 4 ++-- kms/scripts/install.properties | 2 +- kms/scripts/setup.sh | 4 ++-- knox-agent/scripts/install.sh | 2 +- security-admin/scripts/db_setup.py | 7 +++---- security-admin/scripts/dba_script.py | 10 +++++----- security-admin/scripts/install.properties | 2 +- security-admin/scripts/setup.sh | 4 ++-- .../main/java/org/apache/ranger/biz/RangerBizUtil.java | 6 ++++-- storm-agent/scripts/install.sh | 2 +- 16 files changed, 28 insertions(+), 26 deletions(-) 
diff --git a/agents-common/scripts/enable-agent.sh b/agents-common/scripts/enable-agent.sh index 6adb2c44e90..9f677098c3c 100755 --- a/agents-common/scripts/enable-agent.sh +++ b/agents-common/scripts/enable-agent.sh @@ -382,7 +382,7 @@ then then export XAAUDIT_DB_JDBC_URL="jdbc:sqlserver://${audit_db_hostname};databaseName=${audit_db_name}" export XAAUDIT_DB_JDBC_DRIVER="com.microsoft.sqlserver.jdbc.SQLServerDriver" - elif [ "${db_flavor}" = "SQLANYWHERE" ] + elif [ "${db_flavor}" = "SQLA" ] then export XAAUDIT_DB_JDBC_URL="jdbc:sqlanywhere:database=${audit_db_name};host=${audit_db_hostname}" export XAAUDIT_DB_JDBC_DRIVER="sap.jdbc4.sqlanywhere.IDriver" diff --git a/hbase-agent/scripts/install.sh b/hbase-agent/scripts/install.sh index 116beab58e8..a7b67f3ef20 100644 --- a/hbase-agent/scripts/install.sh +++ b/hbase-agent/scripts/install.sh @@ -312,7 +312,7 @@ then newPropertyValue="com.microsoft.sqlserver.jdbc.SQLServerDriver" updatePropertyToFile $propertyName $newPropertyValue $to_file fi -if [ "${DB_FLAVOR}" == "SQLANYWHERE" ] +if [ "${DB_FLAVOR}" == "SQLA" ] then audit_db_hostname=`grep '^XAAUDIT.DB.HOSTNAME' ${install_dir}/install.properties | awk -F= '{ print $2 }'` audit_db_name=`grep '^XAAUDIT.DB.DATABASE_NAME' ${install_dir}/install.properties | awk -F= '{ print $2 }'` diff --git a/hdfs-agent/scripts/install.sh b/hdfs-agent/scripts/install.sh index e9215fdc720..9eef8dabaf7 100644 --- a/hdfs-agent/scripts/install.sh +++ b/hdfs-agent/scripts/install.sh @@ -319,7 +319,7 @@ then newPropertyValue="com.microsoft.sqlserver.jdbc.SQLServerDriver" updatePropertyToFile $propertyName $newPropertyValue $to_file fi -if [ "${DB_FLAVOR}" == "SQLANYWHERE" ] +if [ "${DB_FLAVOR}" == "SQLA" ] then audit_db_hostname=`grep '^XAAUDIT.DB.HOSTNAME' ${install_dir}/install.properties | awk -F= '{ print $2 }'` audit_db_name=`grep '^XAAUDIT.DB.DATABASE_NAME' ${install_dir}/install.properties | awk -F= '{ print $2 }'` 
diff --git a/hive-agent/scripts/install.sh b/hive-agent/scripts/install.sh index 74c6e568a87..cf7180dd3e4 100644 --- a/hive-agent/scripts/install.sh +++ b/hive-agent/scripts/install.sh @@ -296,7 +296,7 @@ then newPropertyValue="com.microsoft.sqlserver.jdbc.SQLServerDriver" updatePropertyToFile $propertyName $newPropertyValue $to_file fi -if [ "${DB_FLAVOR}" == "SQLANYWHERE" ] +if [ "${DB_FLAVOR}" == "SQLA" ] then audit_db_hostname=`grep '^XAAUDIT.DB.HOSTNAME' ${install_dir}/install.properties | awk -F= '{ print $2 }'` audit_db_name=`grep '^XAAUDIT.DB.DATABASE_NAME' ${install_dir}/install.properties | awk -F= '{ print $2 }'` diff --git a/jisql/src/main/java/org/apache/util/sql/Jisql.java b/jisql/src/main/java/org/apache/util/sql/Jisql.java index cf7563c7130..9c743564a44 100644 --- a/jisql/src/main/java/org/apache/util/sql/Jisql.java +++ b/jisql/src/main/java/org/apache/util/sql/Jisql.java @@ -755,6 +755,7 @@ private void printAllExceptions(SQLException sqle) { + sqle.getErrorCode()); sqle = sqle.getNextException(); } + System.out.println("java.library.path:"+System.getProperty("java.library.path")); } /** diff --git a/kms/scripts/db_setup.py b/kms/scripts/db_setup.py index 9dbeb04c471..61940cca3ce 100644 --- a/kms/scripts/db_setup.py +++ b/kms/scripts/db_setup.py @@ -557,7 +557,7 @@ def main(argv): xa_sqlObj = SqlServerConf(xa_db_host, SQLSERVER_CONNECTOR_JAR, JAVA_BIN) xa_db_core_file = os.path.join(RANGER_KMS_HOME , sqlserver_core_file) - elif XA_DB_FLAVOR == "SQLANYWHERE": + elif XA_DB_FLAVOR == "SQLA": if not os_name == "WINDOWS" : if os.environ['LD_LIBRARY_PATH'] == "": log("[E] ---------- LD_LIBRARY_PATH environment property not defined, aborting installation. ----------", "error") diff --git a/kms/scripts/dba_script.py b/kms/scripts/dba_script.py index 0830af4e6fb..03e0a19e193 100644 --- a/kms/scripts/dba_script.py +++ b/kms/scripts/dba_script.py 
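Review bot: The line added to `printAllExceptions` in Jisql.java, `System.out.println("java.library.path:"+System.getProperty("java.library.path"));`, is unconditional diagnostic output unrelated to the SQL exception being printed and goes to stdout from a method that otherwise reports errors; if it is meant to help diagnose a missing SQL Anywhere native library, guard it (or move it to the error stream with the rest of the output) and say so: `// SQL Anywhere loads a native library; show the search path to help diagnose UnsatisfiedLinkError`. The same `java.library.path` logging is added to the `RangerBizUtil` constructor later in this commit, where it runs on every instantiation. The remaining hunks on this line are the `SQLANYWHERE` → `SQLA` renames.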
@@ -1138,7 +1138,7 @@ def main(argv): else: XA_DB_FLAVOR='' while XA_DB_FLAVOR == "": - log("Enter db flavour{MYSQL|ORACLE|POSTGRES|MSSQL|SQLANYWHERE} :","info") + log("Enter db flavour{MYSQL|ORACLE|POSTGRES|MSSQL|SQLA} :","info") XA_DB_FLAVOR=raw_input() XA_DB_FLAVOR = XA_DB_FLAVOR.upper() @@ -1242,7 +1242,7 @@ def main(argv): xa_sqlObj = SqlServerConf(xa_db_host, SQLSERVER_CONNECTOR_JAR, JAVA_BIN) xa_db_core_file = os.path.join(RANGER_KMS_HOME,sqlserver_core_file) - elif XA_DB_FLAVOR == "SQLANYWHERE": + elif XA_DB_FLAVOR == "SQLA": if not os_name == "WINDOWS" : if os.environ['LD_LIBRARY_PATH'] == "": log("[E] ---------- LD_LIBRARY_PATH environment property not defined, aborting installation. ----------", "error") diff --git a/kms/scripts/install.properties b/kms/scripts/install.properties index bad7f204626..563a0e08165 100755 --- a/kms/scripts/install.properties +++ b/kms/scripts/install.properties @@ -23,7 +23,7 @@ PYTHON_COMMAND_INVOKER=python -#DB_FLAVOR=MYSQL|ORACLE|POSTGRES|MSSQL|SQLANYWHERE +#DB_FLAVOR=MYSQL|ORACLE|POSTGRES|MSSQL|SQLA DB_FLAVOR=MYSQL # # The executable path to be used to invoke command-line MYSQL diff --git a/kms/scripts/setup.sh b/kms/scripts/setup.sh index 1410f460c21..2e7dd8ecd65 100755 --- a/kms/scripts/setup.sh +++ b/kms/scripts/setup.sh @@ -277,7 +277,7 @@ sanity_check_files() { log "[E] ${sqlserver_core_file} does not exists" ; exit 1; fi fi - if [ "${DB_FLAVOR}" == "SQLANYWHERE" ] + if [ "${DB_FLAVOR}" == "SQLA" ] then if [ "${LD_LIBRARY_PATH}" == "" ] then @@ -410,7 +410,7 @@ update_properties() { updatePropertyToFilePy $propertyName $newPropertyValue $to_file fi - if [ "${DB_FLAVOR}" == "SQLANYWHERE" ] + if [ "${DB_FLAVOR}" == "SQLA" ] then propertyName=ranger.ks.jpa.jdbc.url newPropertyValue="jdbc:sqlanywhere:database=${db_name};host=${DB_HOST}" diff --git a/knox-agent/scripts/install.sh b/knox-agent/scripts/install.sh index 163dbc56677..271a2d44e1c 100644 --- a/knox-agent/scripts/install.sh +++ b/knox-agent/scripts/install.sh 
@@ -215,7 +215,7 @@ then newPropertyValue="com.microsoft.sqlserver.jdbc.SQLServerDriver" updatePropertyToFile $propertyName $newPropertyValue $to_file fi -if [ "${DB_FLAVOR}" == "SQLANYWHERE" ] +if [ "${DB_FLAVOR}" == "SQLA" ] then audit_db_hostname=`grep '^XAAUDIT.DB.HOSTNAME' ${install_dir}/install.properties | awk -F= '{ print $2 }'` audit_db_name=`grep '^XAAUDIT.DB.DATABASE_NAME' ${install_dir}/install.properties | awk -F= '{ print $2 }'` diff --git a/security-admin/scripts/db_setup.py b/security-admin/scripts/db_setup.py index a010e19aa12..1edc628d96d 100644 --- a/security-admin/scripts/db_setup.py +++ b/security-admin/scripts/db_setup.py @@ -1211,6 +1211,7 @@ def import_db_file(self, db_name, db_user, db_password, file_name): sys.exit(1) def check_table(self, db_name, db_user, db_password, TABLE_NAME): + self.set_options(db_name, db_user, db_password, TABLE_NAME) get_cmd = self.get_jisql_cmd(db_user, db_password, db_name) if os_name == "LINUX": query = get_cmd + " -c \; -query \"SELECT name FROM sysobjects where name = '%s' and type='U';\"" %(TABLE_NAME) @@ -1277,7 +1278,6 @@ def import_db_patches(self, db_name, db_user, db_password, file_name): def import_auditdb_patches(self, xa_sqlObj,xa_db_host, audit_db_host, db_name, audit_db_name, db_user, audit_db_user, db_password, audit_db_password, file_name, TABLE_NAME): log("[I] --------- Checking XA_ACCESS_AUDIT table to apply audit db patches --------- ","info") - self.set_options(audit_db_name, db_user, db_password, TABLE_NAME) output = self.check_table(audit_db_name, db_user, db_password, TABLE_NAME) if output == True: name = basename(file_name) 
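Review bot: `check_table` in security-admin/scripts/db_setup.py now calls `self.set_options(db_name, db_user, db_password, TABLE_NAME)` itself and the two callers in this file that used to do so have had that line removed, so any other caller of `check_table` (other `*Conf` classes or code outside these hunks — cannot be confirmed from here) now gets `set_options` run implicitly as a side effect of what reads like a query. A docstring on `check_table` stating that it (re)applies the connection options before querying would make that visible. `TABLE_NAME` is still interpolated directly into the `-query` string in the context lines; it is an internal constant here, which is worth saying in the same docstring so nobody later routes user input through it.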
@@ -1326,7 +1326,6 @@ def auditdb_operation(self, xa_db_host, audit_db_host, db_name, audit_db_name,db log("[I] --------- Check audit user connection --------- ","info") self.check_connection(audit_db_name, audit_db_user, audit_db_password) log("[I] --------- Check audit table exists --------- ","info") - self.set_options(audit_db_name, db_user, db_password, TABLE_NAME) output = self.check_table(audit_db_name, db_user, db_password, TABLE_NAME) if output == False: self.import_db_file(audit_db_name ,db_user, db_password, file_name) @@ -1522,7 +1521,7 @@ def main(argv): xa_patch_file = os.path.join(RANGER_ADMIN_HOME , sqlserver_patches) audit_patch_file = os.path.join(RANGER_ADMIN_HOME ,sqlserver_auditdb_patches) - elif XA_DB_FLAVOR == "SQLANYWHERE": + elif XA_DB_FLAVOR == "SQLA": if not os_name == "WINDOWS" : if os.environ['LD_LIBRARY_PATH'] == "": log("[E] ---------- LD_LIBRARY_PATH environment property not defined, aborting installation. ----------", "error") @@ -1558,7 +1557,7 @@ def main(argv): audit_sqlObj = SqlServerConf(audit_db_host, SQLSERVER_CONNECTOR_JAR, JAVA_BIN) audit_db_file = os.path.join(RANGER_ADMIN_HOME , sqlserver_audit_file) - elif AUDIT_DB_FLAVOR == "SQLANYWHERE": + elif AUDIT_DB_FLAVOR == "SQLA": SQLANYWHERE_CONNECTOR_JAR = globalDict['SQL_CONNECTOR_JAR'] audit_sqlObj = SqlAnywhereConf(audit_db_host, SQLANYWHERE_CONNECTOR_JAR, JAVA_BIN) audit_db_file = os.path.join(RANGER_ADMIN_HOME , sqlanywhere_audit_file) diff --git a/security-admin/scripts/dba_script.py b/security-admin/scripts/dba_script.py index 0d5d573888d..90ae5615e71 100644 --- a/security-admin/scripts/dba_script.py +++ b/security-admin/scripts/dba_script.py @@ -1352,7 +1352,7 @@ def main(argv): else: XA_DB_FLAVOR='' while XA_DB_FLAVOR == "": - log("Enter db flavour{MYSQL|ORACLE|POSTGRES|MSSQL|SQLANYWHERE} :","info") + log("Enter db flavour{MYSQL|ORACLE|POSTGRES|MSSQL|SQLA} :","info") XA_DB_FLAVOR=raw_input() AUDIT_DB_FLAVOR = XA_DB_FLAVOR 
@@ -1530,7 +1530,7 @@ def main(argv): xa_db_core_file = os.path.join(RANGER_ADMIN_HOME,sqlserver_core_file) xa_patch_file = os.path.join(RANGER_ADMIN_HOME,sqlserver_patches) - elif XA_DB_FLAVOR == "SQLANYWHERE": + elif XA_DB_FLAVOR == "SQLA": if not os_name == "WINDOWS" : if os.environ['LD_LIBRARY_PATH'] == "": log("[E] ---------- LD_LIBRARY_PATH environment property not defined, aborting installation. ----------", "error") @@ -1576,7 +1576,7 @@ def main(argv): audit_sqlObj = SqlServerConf(audit_db_host, SQLSERVER_CONNECTOR_JAR, JAVA_BIN) audit_db_file = os.path.join(RANGER_ADMIN_HOME,sqlserver_audit_file) - elif AUDIT_DB_FLAVOR == "SQLANYWHERE": + elif AUDIT_DB_FLAVOR == "SQLA": SQLANYWHERE_CONNECTOR_JAR=CONNECTOR_JAR audit_sqlObj = SqlAnywhereConf(audit_db_host, SQLANYWHERE_CONNECTOR_JAR, JAVA_BIN) audit_db_file = os.path.join(RANGER_ADMIN_HOME,sqlanywhere_audit_file) @@ -1600,7 +1600,7 @@ def main(argv): logFile("===============================================\n") xa_sqlObj.create_rangerdb_user(xa_db_root_user, db_user, db_password, xa_db_root_password,dryMode) xa_sqlObj.create_db(xa_db_root_user, xa_db_root_password, db_name, db_user, db_password,dryMode) - if not XA_DB_FLAVOR == "SQLANYWHERE": + if not XA_DB_FLAVOR == "SQLA": xa_sqlObj.grant_xa_db_user(xa_db_root_user, db_name, db_user, db_password, xa_db_root_password, is_revoke,dryMode) audit_sqlObj.create_auditdb_user(xa_db_host, audit_db_host, db_name, audit_db_name, xa_db_root_user, audit_db_root_user, db_user, audit_db_user, xa_db_root_password, audit_db_root_password, db_password, audit_db_password, DBA_MODE,dryMode) logFile("===============================================\n") 
@@ -1610,7 +1610,7 @@ def main(argv): log("[I] ---------- Creating Ranger Admin database ----------","info") xa_sqlObj.create_db(xa_db_root_user, xa_db_root_password, db_name, db_user, db_password,dryMode) log("[I] ---------- Granting permission to Ranger Admin db user ----------","info") - if not XA_DB_FLAVOR == "SQLANYWHERE": + if not XA_DB_FLAVOR == "SQLA": xa_sqlObj.grant_xa_db_user(xa_db_root_user, db_name, db_user, db_password, xa_db_root_password, is_revoke,dryMode) # Ranger Admin DB Host AND Ranger Audit DB Host are Different OR Same if audit_store == "db": diff --git a/security-admin/scripts/install.properties b/security-admin/scripts/install.properties index 294b0e8df74..4618ee3b44a 100644 --- a/security-admin/scripts/install.properties +++ b/security-admin/scripts/install.properties @@ -23,7 +23,7 @@ PYTHON_COMMAND_INVOKER=python -#DB_FLAVOR=MYSQL|ORACLE|POSTGRES|MSSQL|SQLANYWHERE +#DB_FLAVOR=MYSQL|ORACLE|POSTGRES|MSSQL|SQLA DB_FLAVOR=MYSQL # # The executable path to be used to invoke command-line MYSQL diff --git a/security-admin/scripts/setup.sh b/security-admin/scripts/setup.sh index a88b264d81a..4fc1cef5428 100755 --- a/security-admin/scripts/setup.sh +++ b/security-admin/scripts/setup.sh @@ -303,7 +303,7 @@ sanity_check_files() { log "[E] ${sqlserver_core_file} does not exists" ; exit 1; fi fi - if [ "${DB_FLAVOR}" == "SQLANYWHERE" ] + if [ "${DB_FLAVOR}" == "SQLA" ] then if [ "${LD_LIBRARY_PATH}" == "" ] then @@ -887,7 +887,7 @@ update_properties() { updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger fi - if [ "${DB_FLAVOR}" == "SQLANYWHERE" ] + if [ "${DB_FLAVOR}" == "SQLA" ] then propertyName=ranger.jpa.jdbc.url newPropertyValue="jdbc:sqlanywhere:database=${db_name};host=${DB_HOST}" diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java index a536a1a3462..689e16596be 100644 
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java @@ -123,7 +123,7 @@ public RangerBizUtil() { auditDBType = PropertiesUtil.getProperty("ranger.audit.source.type", auditDBType).toLowerCase(); - + logger.info("java.library.path is " + System.getProperty("java.library.path")); logger.info("Audit datasource is " + auditDBType); random = new Random(); } @@ -1370,7 +1370,9 @@ public static int getDBFlavor() { return AppConstants.DB_FLAVOR_SQLSERVER; } else if (StringUtils.containsIgnoreCase(propertyValue, "sqlanywhere")) { return AppConstants.DB_FLAVOR_SQLANYWHERE; - } else { + } else if (StringUtils.containsIgnoreCase(propertyValue, "sqla")) { + return AppConstants.DB_FLAVOR_SQLANYWHERE; + }else { if(logger.isDebugEnabled()) { logger.debug("DB Falvor could not be determined from property - " + propertyName + "=" + propertyValue); } diff --git a/storm-agent/scripts/install.sh b/storm-agent/scripts/install.sh index 5b7674a3bf5..ab57bb996ee 100644 --- a/storm-agent/scripts/install.sh +++ b/storm-agent/scripts/install.sh @@ -258,7 +258,7 @@ then newPropertyValue="com.microsoft.sqlserver.jdbc.SQLServerDriver" updatePropertyToFile $propertyName $newPropertyValue $to_file fi -if [ "${DB_FLAVOR}" == "SQLANYWHERE" ] +if [ "${DB_FLAVOR}" == "SQLA" ] then audit_db_hostname=`grep '^XAAUDIT.DB.HOSTNAME' ${install_dir}/install.properties | awk -F= '{ print $2 }'` audit_db_name=`grep '^XAAUDIT.DB.DATABASE_NAME' ${install_dir}/install.properties | awk -F= '{ print $2 }'` From c2a6eb62f1b4a18852a5dc51804bce20b4e11d17 Mon Sep 17 00:00:00 2001 From: Gautam Borad Date: Thu, 30 Jul 2015 10:57:04 +0530 Subject: [PATCH 030/202] RANGER-587 : fixed issue: ranger-admin-site.xml not getting updated when ranger.authentication.method is changed Signed-off-by: Velmurugan Periasamy --- security-admin/scripts/setup.sh | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) 
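Review bot: The new `else if (StringUtils.containsIgnoreCase(propertyValue, "sqla"))` branch in `getDBFlavor` subsumes the one before it, because any value containing `sqlanywhere` also contains `sqla`; merge them into `} else if (StringUtils.containsIgnoreCase(propertyValue, "sqla")) { // "sqla" is the accepted short form (RANGER-625) and also matches "sqlanywhere"` followed by `return AppConstants.DB_FLAVOR_SQLANYWHERE;`. `}else {` is missing the space before `else` that the rest of the chain uses. The `logger.info("java.library.path is " + …)` added to the constructor fires on every `RangerBizUtil` instantiation; if it is a one-time diagnostic for the SQL Anywhere native driver, log it once (static initialiser) or at debug level.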
diff --git a/security-admin/scripts/setup.sh b/security-admin/scripts/setup.sh index 4fc1cef5428..e0b14c5ae23 100755 --- a/security-admin/scripts/setup.sh +++ b/security-admin/scripts/setup.sh @@ -1254,6 +1254,11 @@ do_unixauth_setup() { ldap_file=$app_home/WEB-INF/classes/conf/ranger-admin-site.xml if test -f $ldap_file; then log "[I] $ldap_file file found" + + propertyName=ranger.authentication.method + newPropertyValue="${authentication_method}" + updatePropertyToFilePy $propertyName $newPropertyValue $ldap_file + propertyName=ranger.unixauth.remote.login.enabled newPropertyValue="${remoteLoginEnabled}" updatePropertyToFilePy $propertyName $newPropertyValue $ldap_file @@ -1454,6 +1459,17 @@ do_authentication_setup(){ if [ $authentication_method = "UNIX" ] ; then do_unixauth_setup fi + + if [ $authentication_method = "NONE" ] ; then + newPropertyValue='NONE' + ldap_file=$app_home/WEB-INF/classes/conf/ranger-admin-site.xml + if test -f $ldap_file; then + propertyName=ranger.authentication.method + newPropertyValue="${authentication_method}" + updatePropertyToFilePy $propertyName $newPropertyValue $ldap_file + fi + fi + log "[I] Finished setup based on user authentication method=$authentication_method"; } From 5ed0e6ef75748aba6f8b95d030179b90bff692fe Mon Sep 17 00:00:00 2001 
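Review bot: In the new NONE block `newPropertyValue='NONE'` is assigned and then immediately overwritten by `newPropertyValue="${authentication_method}"`, so the first line is dead and can be removed. The test `if [ $authentication_method = "NONE" ]` (like the `UNIX` one above it, which is context) expands the variable unquoted, so an empty or unset `authentication_method` makes `[` fail with a syntax error instead of skipping the block; `if [ "${authentication_method}" = "NONE" ]` is the safe form. The `ranger.authentication.method` property is now written both inside `do_unixauth_setup` and in the NONE block; a small helper that writes it once after the method-specific setup would avoid the duplication and cover the other methods uniformly.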
From: Velmurugan Periasamy Date: Fri, 7 Aug 2015 14:09:21 -0400 Subject: [PATCH 031/202] RANGER-598: Update Ranger config migration script to work with Ranger 0.5 --- .../bin/import_ranger_to_ambari.py | 0 .../bin/ranger_admin_install.properties | 0 .../doc/README.TXT | 0 .../bin/import_ranger_to_ambari.py | 2253 +++++++++++++++++ .../bin/ranger_admin_install.properties | 33 + .../doc/README.TXT | 78 + 6 files changed, 2364 insertions(+) rename migration-util/{ => ambari2.0-hdp2.2-ranger0.40}/bin/import_ranger_to_ambari.py (100%) mode change 100644 => 100755 rename migration-util/{ => ambari2.0-hdp2.2-ranger0.40}/bin/ranger_admin_install.properties (100%) rename migration-util/{ => ambari2.0-hdp2.2-ranger0.40}/doc/README.TXT (100%) mode change 100644 => 100755 create mode 100755 migration-util/ambari2.1-hdp2.3-ranger0.50/bin/import_ranger_to_ambari.py create mode 100755 migration-util/ambari2.1-hdp2.3-ranger0.50/bin/ranger_admin_install.properties create mode 100755 migration-util/ambari2.1-hdp2.3-ranger0.50/doc/README.TXT diff --git a/migration-util/bin/import_ranger_to_ambari.py b/migration-util/ambari2.0-hdp2.2-ranger0.40/bin/import_ranger_to_ambari.py old mode 100644 new mode 100755 similarity index 100% rename from migration-util/bin/import_ranger_to_ambari.py rename to migration-util/ambari2.0-hdp2.2-ranger0.40/bin/import_ranger_to_ambari.py diff --git a/migration-util/bin/ranger_admin_install.properties b/migration-util/ambari2.0-hdp2.2-ranger0.40/bin/ranger_admin_install.properties similarity index 100% rename from migration-util/bin/ranger_admin_install.properties rename to migration-util/ambari2.0-hdp2.2-ranger0.40/bin/ranger_admin_install.properties diff --git a/migration-util/doc/README.TXT b/migration-util/ambari2.0-hdp2.2-ranger0.40/doc/README.TXT old mode 100644 new mode 100755 similarity index 100% rename from migration-util/doc/README.TXT rename to migration-util/ambari2.0-hdp2.2-ranger0.40/doc/README.TXT 
diff --git a/migration-util/ambari2.1-hdp2.3-ranger0.50/bin/import_ranger_to_ambari.py b/migration-util/ambari2.1-hdp2.3-ranger0.50/bin/import_ranger_to_ambari.py new file mode 100755 index 00000000000..bc06a65a50f --- /dev/null +++ b/migration-util/ambari2.1-hdp2.3-ranger0.50/bin/import_ranger_to_ambari.py 
@@ -0,0 +1,2253 @@
+import os
+import sys
+import urllib2
+import base64
+import httplib
+import json
+import time
+from xml.etree import ElementTree as ET
+import datetime
+from subprocess import Popen, PIPE
+import re
+
+
+def port_ranger_admin_installation_to_ambari():
+ print('preparing advanged configurations for ranger')
+ flag_ranger_admin_present, ranger_admin_properties_from_file = get_ranger_admin_install_properties()
+ if flag_ranger_admin_present:
+ print('ranger admin service is installed, making configurations as required by ambari.')
+ if create_ranger_service_in_ambari():
+ print('ranger service is added sucessfully in ambari')
+ if create_ranger_service_components_in_ambari('RANGER_ADMIN'):
+ print('ranger service component is added successfully in ambari')
+ if register_ranger_admin_host_in_ambari():
+ print('ranger admin host is registered successfully in ambari')
+ if add_advanced_ranger_configurations(1, ranger_admin_properties_from_file):
+ print('ranger-admin advanced configurations added successfully in ambari, kindly run ranger-usersync to complete ranger service install')
+ else:
+ print('ranger advanced configurations added failed in ambari')
+ else:
+ print('ranger admin host registration failed in ambari')
+ else:
+ print('ranger service component add failed in ambari')
+ else:
+ print('ranger service add failed in ambari')
+ else:
+ print('ranger admin and usersync services are not installed, not importing configurations to ambari.')
+
+
+def port_ranger_usersync_installation_to_ambari():
+ print ('preparing configurations for ranger user-sync')
+ flag_ranger_usersync_present, ranger_usersync_properties_from_file = get_ranger_usersync_install_properties()
+ if flag_ranger_usersync_present:
+ print('ranger usersync service is installed, making configurations as required by ambari.')
+ if create_ranger_service_components_in_ambari('RANGER_USERSYNC'):
+ print('ranger service component is added successfully in ambari')
+ if 
register_ranger_usersync_host_in_ambari():
+ print('ranger usersync host is registered successfully in ambari')
+ if add_advanced_ranger_configurations(2, ranger_usersync_properties_from_file):
+ print('ranger advanced configurations added successfully in ambari')
+ if call_ranger_installed():
+ print('ranger service installed successfully in ambari.')
+ else:
+ print('ranger service install failed in ambari')
+ else:
+ print('ranger advanced configurations added failed in ambari')
+ else:
+ print('ranger usersync host registration failed in ambari')
+ else:
+ print('ranger service add failed in ambari')
+ else:
+ print('ranger admin and usersync services are not installed, not importing configurations to ambari.')
+
+
+def port_ranger_kms_installation_to_ambari():
+ print('preparing advanged configurations for ranger-kms')
+ flag_ranger_kms_present, ranger_kms_properties_from_file = get_ranger_kms_install_properties()
+ if flag_ranger_kms_present:
+ print('ranger kms service is installed, making configurations as required by ambari.')
+ if create_ranger_kms_service_in_ambari():
+ print('ranger kms service is added sucessfully in ambari')
+ if create_kms_service_components_in_ambari('RANGER_KMS_SERVER'):
+ print('ranger kms service component is added successfully in ambari')
+ if register_ranger_kms_host_in_ambari():
+ print('ranger kms host is registered successfully in ambari')
+ if add_advanced_ranger_kms_configurations(ranger_kms_properties_from_file):
+ print('ranger kms advanced configurations added successfully in ambari')
+ if call_ranger_kms_installed():
+ print('ranger kms service installed successfully in ambari.')
+ else:
+ print('ranger kms service install failed in ambari')
+ else:
+ print('ranger kms advanced configurations added failed in ambari')
+ else:
+ print('ranger kms host registration failed in ambari')
+ else:
+ print('ranger kms service component add failed in ambari')
+ else:
+ print('ranger kms service add failed in ambari')
+ else:
+ 
print('ranger kms service is not installed, not importing configurations to ambari.') + + +def create_ranger_service_in_ambari(): + print('creating ranger admin service in ambari') + ranger_create_url = ambari_service_url + '/' + ranger_service_name + request_result = call_ambari_api(ranger_create_url, 'POST', ambari_username_password, '') + if request_result is not None: + response_code = request_result.getcode() + response = json.loads(json.JSONEncoder().encode(request_result.read())) + if (response_code == 201 and response is not None): + print('ranger service created successfully in ambari.') + return True + elif (response_code == 409 and response is not None): + print('ranger service is already created in ambari.') + return True + else: + print('ranger service creation failed in ambari.') + return False + + +def create_ranger_kms_service_in_ambari(): + print('creating ranger kms service in ambari') + ranger_create_url = ambari_service_url + '/RANGER_KMS' + request_result = call_ambari_api(ranger_create_url, 'POST', ambari_username_password, '') + if request_result is not None: + response_code = request_result.getcode() + response = json.loads(json.JSONEncoder().encode(request_result.read())) + if (response_code == 201 and response is not None): + print('ranger service created successfully in ambari.') + return True + elif (response_code == 409 and response is not None): + print('ranger service is already created in ambari.') + return True + else: + print('ranger service creation failed in ambari.') + return False + +def create_ranger_service_components_in_ambari(ranger_service_component_name): + print('adding ranger service components in ambari') + ranger_service_components = '{"components":[{"ServiceComponentInfo":{"component_name":"' + ranger_service_component_name + '"}}]}' + print('creating ranger service in ambari') + ranger_service_component_create_url = ambari_service_url + '?ServiceInfo/service_name=' + ranger_service_name + request_result = 
call_ambari_api(ranger_service_component_create_url, 'POST', ambari_username_password, ranger_service_components) + if request_result is not None: + response_code = request_result.getcode() + response = json.loads(json.JSONEncoder().encode(request_result.read())) + if (response_code == 201 and response is not None): + print('ranger service component : ' + ranger_service_component_name + ', created successfully in ambari.') + return True + elif (response_code == 409 and response is not None): + print('ranger service component : ' + ranger_service_component_name + ', is already present in ambari.') + return True + else: + print('ranger service component creation for : ' + ranger_service_component_name + ', failed in ambari.') + return False + +def create_kms_service_components_in_ambari(ranger_service_component_name): + print('adding ranger service components in ambari') + ranger_service_components = '{"components":[{"ServiceComponentInfo":{"component_name":"' + ranger_service_component_name + '"}}]}' + print('creating ranger kms service in ambari -> ' + str(ranger_service_components)) + ranger_service_component_create_url = ambari_service_url + '?ServiceInfo/service_name=RANGER_KMS' + print('ranger_service_component_create_url -> ' + str(ranger_service_component_create_url)) + request_result = call_ambari_api(ranger_service_component_create_url, 'POST', ambari_username_password, ranger_service_components) + if request_result is not None: + response_code = request_result.getcode() + response = json.loads(json.JSONEncoder().encode(request_result.read())) + if (response_code == 201 and response is not None): + print('ranger service component : ' + ranger_service_component_name + ', created successfully in ambari.') + return True + elif (response_code == 409 and response is not None): + print('ranger service component : ' + ranger_service_component_name + ', is already present in ambari.') + return True + else: + print('ranger service component creation for : ' + 
ranger_service_component_name + ', failed in ambari.') + return False + +def register_ranger_admin_host_in_ambari(): + print('adding ranger servcie components in ambari') + print('creating ranger admin service in ambari') + ranger_service_component_create_url = ambari_cluster_url + '/hosts/' + ranger_admin_fqdn + '/host_components/' + admin_component_name + request_result = call_ambari_api(ranger_service_component_create_url, 'POST', ambari_username_password, '') + if request_result is not None: + response_code = request_result.getcode() + response = json.loads(json.JSONEncoder().encode(request_result.read())) + if response_code == 201 and response is not None: + print('ranger admin host registered successfully in ambari.') + return True + elif (response_code == 409 and response is not None): + print('ranger admin host is already registered ambari.') + return True + else: + print('ranger admin host registration failed in ambari.') + return False + + +def register_ranger_usersync_host_in_ambari(): + print('adding ranger servcie components in ambari') + print('creating ranger admin service in ambari') + ranger_host_register_url = ambari_cluster_url + '/hosts/' + ranger_admin_fqdn + '/host_components/' + usersync_component_name + request_result = call_ambari_api(ranger_host_register_url, 'POST', ambari_username_password, '') + if request_result is not None: + response_code = request_result.getcode() + response = json.loads(json.JSONEncoder().encode(request_result.read())) + if (response_code == 201 and response is not None): + print('ranger usersync host registered successfully in ambari.') + return True + elif (response_code == 409 and response is not None): + print('ranger usersync host is already registered ambari.') + return True + else: + print('ranger usersync host registration failed in ambari.') + return False + +def register_ranger_kms_host_in_ambari(): + print('adding ranger kms host in ambari') + print('creating ranger kms service in ambari') + 
ranger_service_component_create_url = ambari_cluster_url + '/hosts/' + ranger_admin_fqdn + '/host_components/' + "RANGER_KMS_SERVER" + request_result = call_ambari_api(ranger_service_component_create_url, 'POST', ambari_username_password, '') + if request_result is not None: + response_code = request_result.getcode() + response = json.loads(json.JSONEncoder().encode(request_result.read())) + if response_code == 201 and response is not None: + print('ranger kms host registered successfully in ambari.') + return True + elif (response_code == 409 and response is not None): + print('ranger kms host is already registered ambari.') + return True + else: + print('ranger kms host registration failed in ambari.') + return False + + +def add_advanced_ranger_configurations(add_admin_or_usersync, ranger_service_properties_from_file): + print('creating advanced configurations to be added to ambari.') + ranger_config_data = '' + advanced_admin_properties = dict() + advanced_ranger_site_properties = dict() + advanced_ranger_env_properties = dict() + advanced_user_sync_properties = dict() + advanced_ranger_admin_site_properties = dict() + date_time_stamp = getDateTimeNow() + + if (add_admin_or_usersync == 1): + if not ((str(ranger_service_properties_from_file['db_root_password']).strip() == '') or + (str(ranger_service_properties_from_file['db_root_user']).strip() == '' )) : + advanced_admin_properties['DB_FLAVOR'] = ranger_service_properties_from_file['DB_FLAVOR'] + advanced_admin_properties['SQL_CONNECTOR_JAR'] = ranger_service_properties_from_file['SQL_CONNECTOR_JAR'] + advanced_admin_properties['db_root_user'] = ranger_service_properties_from_file['db_root_user'] + advanced_admin_properties['db_root_password'] = ranger_service_properties_from_file['db_root_password'] + advanced_admin_properties['db_host'] = ranger_service_properties_from_file['db_host'] + advanced_admin_properties['db_name'] = ranger_service_properties_from_file['db_name'] + 
advanced_admin_properties['db_user'] = ranger_service_properties_from_file['ranger.jpa.jdbc.user'] + advanced_admin_properties['db_password'] = ranger_service_properties_from_file['ranger.jpa.jdbc.password'] + advanced_admin_properties['audit_db_name'] = ranger_service_properties_from_file['audit_db_name'] + advanced_admin_properties['audit_db_user'] = ranger_service_properties_from_file['ranger.jpa.audit.jdbc.user'] + advanced_admin_properties['audit_db_password'] = ranger_service_properties_from_file['ranger.jpa.audit.jdbc.password'] + advanced_admin_properties['policymgr_external_url'] = ranger_service_properties_from_file['ranger.externalurl'] + + advanced_ranger_env_properties['ranger_user'] = 'ranger' + advanced_ranger_env_properties['ranger_group'] = 'ranger' + advanced_ranger_env_properties['ranger_admin_log_dir'] = '/var/log/ranger/admin' + advanced_ranger_env_properties['ranger_usersync_log_dir'] = '/var/log/ranger/usersync' + advanced_ranger_env_properties['ranger_admin_username'] = 'amb_ranger_admin' + advanced_ranger_env_properties['ranger_admin_password'] = 'ambari123' + advanced_ranger_env_properties['admin_username'] = 'admin' + advanced_ranger_env_properties['admin_password'] = 'admin' + advanced_ranger_env_properties['ranger_pid_dir'] = '/var/run/ranger' + advanced_ranger_env_properties['create_db_dbuser'] = 'true' + advanced_ranger_env_properties['xml_configurations_supported'] = 'true' + + advanced_ranger_admin_site_properties['ranger.service.host'] = ranger_service_properties_from_file['ranger.service.host'] + advanced_ranger_admin_site_properties['ranger.service.http.enabled'] = ranger_service_properties_from_file.get('ranger.service.http.enabled','true') + advanced_ranger_admin_site_properties['ranger.service.http.port'] = ranger_service_properties_from_file.get('ranger.service.http.port','6080') + advanced_ranger_admin_site_properties['ranger.service.https.port'] = ranger_service_properties_from_file.get('ranger.service.https.port','6182') + 
advanced_ranger_admin_site_properties['ranger.service.https.attrib.ssl.enabled'] = ranger_service_properties_from_file.get('ranger.service.https.attrib.ssl.enabled','false') + advanced_ranger_admin_site_properties['ranger.service.https.attrib.clientAuth'] = ranger_service_properties_from_file.get('ranger.service.https.attrib.clientAuth','want') + advanced_ranger_admin_site_properties['ranger.service.https.attrib.keystore.keyalias'] = ranger_service_properties_from_file.get('ranger.service.https.attrib.keystore.keyalias','rangeradmin') + advanced_ranger_admin_site_properties['ranger.service.https.attrib.keystore.pass'] = ranger_service_properties_from_file.get('ranger.service.https.attrib.keystore.pass','xasecure') + advanced_ranger_admin_site_properties['ranger.https.attrib.keystore.file'] = ranger_service_properties_from_file.get('ranger.https.attrib.keystore.file','/etc/ranger/admin/conf/ranger-admin-keystore.jks') + advanced_ranger_admin_site_properties['ranger.externalurl'] = ranger_service_properties_from_file.get('ranger.externalurl','http://localhost:6080') + advanced_ranger_admin_site_properties['ranger.jpa.jdbc.driver'] = ranger_service_properties_from_file.get('ranger.jpa.jdbc.driver','com.mysql.jdbc.Driver') + advanced_ranger_admin_site_properties['ranger.jpa.jdbc.url'] = ranger_service_properties_from_file.get('ranger.jpa.jdbc.url','jdbc:mysql://localhost') + advanced_ranger_admin_site_properties['ranger.jpa.jdbc.user'] = ranger_service_properties_from_file['ranger.jpa.jdbc.user'] + advanced_ranger_admin_site_properties['ranger.jpa.jdbc.password'] = ranger_service_properties_from_file['ranger.jpa.jdbc.password'] + advanced_ranger_admin_site_properties['ranger.jpa.jdbc.credential.alias'] = ranger_service_properties_from_file.get('ranger.jpa.jdbc.credential.alias','rangeradmin') + advanced_ranger_admin_site_properties['ranger.credential.provider.path'] = 
ranger_service_properties_from_file.get('ranger.credential.provider.path','/etc/ranger/admin/rangeradmin.jceks') + advanced_ranger_admin_site_properties['ranger.audit.source.type'] = ranger_service_properties_from_file.get('ranger.audit.source.type','db') + advanced_ranger_admin_site_properties['ranger.audit.solr.urls'] = ranger_service_properties_from_file.get('ranger.audit.solr.urls','http://solr_host:6083/solr/ranger_audits') + advanced_ranger_admin_site_properties['ranger.authentication.method'] = ranger_service_properties_from_file.get('ranger.authentication.method','UNIX') + advanced_ranger_admin_site_properties['ranger.ldap.url'] = ranger_service_properties_from_file.get('ranger.ldap.url','ldap://71.127.43.33:389') + advanced_ranger_admin_site_properties['ranger.ldap.user.dnpattern'] = ranger_service_properties_from_file.get('ranger.ldap.user.dnpattern','uid={0},ou=users,dc=xasecure,dc=net') + advanced_ranger_admin_site_properties['ranger.ldap.group.searchbase'] = ranger_service_properties_from_file.get('ranger.ldap.group.searchbase','ou=groups,dc=xasecure,dc=net') + advanced_ranger_admin_site_properties['ranger.ldap.group.searchfilter'] = ranger_service_properties_from_file.get('ranger.ldap.group.searchfilter','(member=uid={0},ou=users,dc=xasecure,dc=net)') + advanced_ranger_admin_site_properties['ranger.ldap.group.roleattribute'] = ranger_service_properties_from_file.get('ranger.ldap.group.roleattribute','cn') + advanced_ranger_admin_site_properties['ranger.ldap.ad.domain'] = ranger_service_properties_from_file.get('ranger.ldap.ad.domain','localhost') + advanced_ranger_admin_site_properties['ranger.ldap.ad.url'] = ranger_service_properties_from_file.get('ranger.ldap.ad.url','ldap://ad.xasecure.net:389') + advanced_ranger_admin_site_properties['ranger.jpa.audit.jdbc.driver'] = ranger_service_properties_from_file.get('ranger.jpa.audit.jdbc.driver','{{ranger_jdbc_driver}}') + advanced_ranger_admin_site_properties['ranger.jpa.audit.jdbc.url'] = 
ranger_service_properties_from_file.get('ranger.jpa.audit.jdbc.url','{{audit_jdbc_url}}') + advanced_ranger_admin_site_properties['ranger.jpa.audit.jdbc.user'] = ranger_service_properties_from_file.get('ranger.jpa.audit.jdbc.user','{{ranger_audit_db_user}}') + advanced_ranger_admin_site_properties['ranger.jpa.audit.jdbc.password'] = ranger_service_properties_from_file.get('ranger.jpa.audit.jdbc.password','_') + advanced_ranger_admin_site_properties['ranger.jpa.audit.jdbc.credential.alias'] = ranger_service_properties_from_file.get('ranger.jpa.audit.jdbc.credential.alias','rangeraudit') + advanced_ranger_admin_site_properties['ranger.unixauth.remote.login.enabled'] = ranger_service_properties_from_file.get('ranger.unixauth.remote.login.enabled','true') + advanced_ranger_admin_site_properties['ranger.unixauth.service.hostname'] = ranger_service_properties_from_file.get('ranger.unixauth.service.hostname','localhost') + advanced_ranger_admin_site_properties['ranger.unixauth.service.port'] = ranger_service_properties_from_file.get('ranger.unixauth.service.port','5151') + advanced_ranger_admin_site_properties['ranger.jpa.jdbc.dialect'] = ranger_service_properties_from_file.get('ranger.jpa.jdbc.dialect','{{jdbc_dialect}}') + advanced_ranger_admin_site_properties['ranger.jpa.audit.jdbc.dialect'] = ranger_service_properties_from_file.get('ranger.jpa.audit.jdbc.dialect','{{jdbc_dialect}') + advanced_ranger_admin_site_properties['ranger.audit.solr.zookeepers'] = ranger_service_properties_from_file.get('ranger.audit.solr.zookeepers','NONE') + advanced_ranger_admin_site_properties['ranger.audit.solr.username'] = ranger_service_properties_from_file.get('ranger.audit.solr.username','ranger_solr') + advanced_ranger_admin_site_properties['ranger.audit.solr.password'] = ranger_service_properties_from_file.get('ranger.audit.solr.password','NONE') + + ranger_config_data = '[{"Clusters":{"desired_config":[{"type":"admin-properties", "service_config_version_note": "Initial configuration 
for Ranger Admin service" ,"tag":"' + str( + date_time_stamp) + '","properties":' + json.dumps( + advanced_admin_properties) + ', "properties_attributes": {"final": "true"}},{"type":"ranger-site", "service_config_version_note": "Initial configuration for Ranger Admin service" ,"tag":"' + str( + date_time_stamp) + '","properties":' + json.dumps( + advanced_ranger_site_properties) + ', "properties_attributes": {"final": "false"}},{"type":"ranger-env", "service_config_version_note": "Initial configuration for Ranger Admin service" ,"tag":"' + str( + date_time_stamp) + '","properties":' + json.dumps(advanced_ranger_env_properties) + ', "properties_attributes": {"final": "false"}},{"type":"ranger-admin-site", "service_config_version_note": "Initial configuration for Ranger Admin service" ,"tag":"' + str( + date_time_stamp) + '","properties":' + json.dumps( + advanced_ranger_admin_site_properties) + ', "properties_attributes": {"final": "false"}}]}}]' + + + print ('####################### admin_properties configuration :') + for each_key in advanced_admin_properties: + print str(each_key) + ' = ' + str(advanced_admin_properties[each_key]) + + print ('####################### ranger_site_properties configuration :') + for each_key in advanced_ranger_site_properties: + print str(each_key) + ' = ' + str(advanced_ranger_site_properties[each_key]) + + print ('####################### ranger_env_properties configuration :') + for each_key in advanced_ranger_env_properties: + print str(each_key) + ' = ' + str(advanced_ranger_env_properties[each_key]) + + print ('####################### ranger_admin_site_properties configuration :') + for each_key in advanced_ranger_env_properties: + print str(each_key) + ' = ' + str(advanced_ranger_env_properties[each_key]) + + + else: + print('either db_root_user or db_root_password value is missing from ranger_admin_install.properties file, please set appropriate value and run the script again.') + sys.exit(1) + + elif (add_admin_or_usersync == 
2): + advanced_user_sync_properties['ranger.usersync.port'] = ranger_service_properties_from_file['ranger.usersync.port'] + advanced_user_sync_properties['ranger.usersync.ssl'] = ranger_service_properties_from_file['ranger.usersync.ssl'] + advanced_user_sync_properties['ranger.usersync.keystore.file'] = ranger_service_properties_from_file['ranger.usersync.keystore.file'] + advanced_user_sync_properties['ranger.usersync.keystore.password'] = ranger_service_properties_from_file.get('ranger.usersync.keystore.password','UnIx529p') + advanced_user_sync_properties['ranger.usersync.truststore.file'] = ranger_service_properties_from_file.get('ranger.usersync.truststore.file','/usr/hdp/current/ranger-usersync/conf/mytruststore.jks') + advanced_user_sync_properties['ranger.usersync.truststore.password'] = ranger_service_properties_from_file.get('ranger.usersync.truststore.password','changeit') + advanced_user_sync_properties['ranger.usersync.passwordvalidator.path'] = ranger_service_properties_from_file['ranger.usersync.passwordvalidator.path'] + advanced_user_sync_properties['ranger.usersync.sink.impl.class'] = ranger_service_properties_from_file['ranger.usersync.sink.impl.class'] + advanced_user_sync_properties['ranger.usersync.policymanager.baseURL'] = ranger_service_properties_from_file['ranger.usersync.policymanager.baseURL'] + advanced_user_sync_properties['ranger.usersync.policymanager.maxrecordsperapicall'] = ranger_service_properties_from_file['ranger.usersync.policymanager.maxrecordsperapicall'] + advanced_user_sync_properties['ranger.usersync.policymanager.mockrun'] = ranger_service_properties_from_file['ranger.usersync.policymanager.mockrun'] + advanced_user_sync_properties['ranger.usersync.unix.minUserId'] = ranger_service_properties_from_file['ranger.usersync.unix.minUserId'] + advanced_user_sync_properties['ranger.usersync.sleeptimeinmillisbetweensynccycle'] = ranger_service_properties_from_file['ranger.usersync.sleeptimeinmillisbetweensynccycle'] + 
advanced_user_sync_properties['ranger.usersync.source.impl.class'] = ranger_service_properties_from_file['ranger.usersync.source.impl.class'] + advanced_user_sync_properties['ranger.usersync.filesource.file'] = ranger_service_properties_from_file.get('ranger.usersync.filesource.file','/tmp/usergroup.txt') + advanced_user_sync_properties['ranger.usersync.filesource.text.delimiter'] = ranger_service_properties_from_file.get('ranger.usersync.filesource.text.delimiter',',') + advanced_user_sync_properties['ranger.usersync.ldap.url'] = ranger_service_properties_from_file.get('ranger.usersync.ldap.url','ldap://localhost:389') + advanced_user_sync_properties['ranger.usersync.ldap.binddn'] = ranger_service_properties_from_file.get('ranger.usersync.ldap.binddn','cn=admin,dc=xasecure,dc=net') + advanced_user_sync_properties['ranger.usersync.ldap.ldapbindpassword'] = ranger_service_properties_from_file['ranger.usersync.ldap.ldapbindpassword'] + advanced_user_sync_properties['ranger.usersync.ldap.bindalias'] = ranger_service_properties_from_file.get('ranger.usersync.ldap.bindalias','testldapalias') + advanced_user_sync_properties['ranger.usersync.ldap.bindkeystore'] = ranger_service_properties_from_file.get('ranger.usersync.ldap.bindkeystore','') + advanced_user_sync_properties['ranger.usersync.ldap.searchBase'] = ranger_service_properties_from_file.get('ranger.usersync.ldap.searchBase','dc=hadoop,dc=apache,dc=org') + advanced_user_sync_properties['ranger.usersync.ldap.user.searchbase'] = ranger_service_properties_from_file.get('ranger.usersync.ldap.user.searchbase','ou=users,dc=xasecure,dc=net') + advanced_user_sync_properties['ranger.usersync.ldap.user.searchscope'] = ranger_service_properties_from_file.get('ranger.usersync.ldap.user.searchscope','sub') + advanced_user_sync_properties['ranger.usersync.ldap.user.objectclass'] = ranger_service_properties_from_file.get('ranger.usersync.ldap.user.objectclass','person') + 
advanced_user_sync_properties['ranger.usersync.ldap.user.searchfilter'] = ranger_service_properties_from_file.get('ranger.usersync.ldap.user.searchfilter','empty') + advanced_user_sync_properties['ranger.usersync.ldap.user.nameattribute'] = ranger_service_properties_from_file.get('ranger.usersync.ldap.user.nameattribute','cn') + advanced_user_sync_properties['ranger.usersync.ldap.user.groupnameattribute'] = ranger_service_properties_from_file.get('ranger.usersync.ldap.user.groupnameattribute','memberof, ismemberof') + advanced_user_sync_properties['ranger.usersync.ldap.username.caseconversion'] = ranger_service_properties_from_file.get('ranger.usersync.ldap.username.caseconversion','lower') + advanced_user_sync_properties['ranger.usersync.ldap.groupname.caseconversion'] = ranger_service_properties_from_file.get('ranger.usersync.ldap.groupname.caseconversion','lower') + advanced_user_sync_properties['ranger.usersync.logdir'] = ranger_service_properties_from_file.get('ranger.usersync.logdir','/var/log/ranger/usersync') + advanced_user_sync_properties['ranger.usersync.group.searchenabled'] = ranger_service_properties_from_file.get('ranger.usersync.group.searchenabled','false') + advanced_user_sync_properties['ranger.usersync.group.usermapsyncenabled'] = ranger_service_properties_from_file.get('ranger.usersync.group.usermapsyncenabled','false') + advanced_user_sync_properties['ranger.usersync.group.searchbase'] = ranger_service_properties_from_file.get('ranger.usersync.group.searchbase',' ') + advanced_user_sync_properties['ranger.usersync.group.searchscope'] = ranger_service_properties_from_file.get('ranger.usersync.group.searchscope',' ') + advanced_user_sync_properties['ranger.usersync.group.objectclass'] = ranger_service_properties_from_file.get('ranger.usersync.group.objectclass',' ') + advanced_user_sync_properties['ranger.usersync.group.searchfilter'] = ranger_service_properties_from_file.get('ranger.usersync.group.searchfilter',' ') + 
advanced_user_sync_properties['ranger.usersync.group.nameattribute'] = ranger_service_properties_from_file.get('ranger.usersync.group.nameattribute',' ') + advanced_user_sync_properties['ranger.usersync.group.memberattributename'] = ranger_service_properties_from_file.get('ranger.usersync.group.memberattributename',' ') + advanced_user_sync_properties['ranger.usersync.pagedresultsenabled'] = ranger_service_properties_from_file.get('ranger.usersync.pagedresultsenabled','true') + advanced_user_sync_properties['ranger.usersync.pagedresultssize'] = ranger_service_properties_from_file.get('ranger.usersync.pagedresultssize','500') + advanced_user_sync_properties['ranger.usersync.credstore.filename'] = ranger_service_properties_from_file.get('ranger.usersync.credstore.filename','/usr/hdp/current/ranger-usersync/conf/ugsync.jceks') + + ranger_config_data = '[{"Clusters":{"desired_config":[{"type":"ranger-ugsync-site", "service_config_version_note": "Initial configuration for Ranger Usersync service" ,"tag":"' + str( + date_time_stamp) + '","properties":' + json.dumps(advanced_user_sync_properties) + ', "properties_attributes": {"final": "false"}}]}}]' + + + print ('####################### user_sync_properties configuration :') + for each_key in advanced_user_sync_properties: + print str(each_key) + ' = ' + str(advanced_user_sync_properties[each_key]) + + else: + print ('invalid option for to add configuration to ranger.') + sys.exit(1) + + + confirm_configurations = raw_input('please confirm the above configuration values y/n (n) : ') + if(confirm_configurations == ''): + confirm_configurations = 'n' + print ('input registered as ' + str(confirm_configurations)) + + if(confirm_configurations.lower() == 'y'): + ranger_config_request_url = ambari_cluster_url + request_result = call_ambari_api(ranger_config_request_url, 'PUT', ambari_username_password, str(ranger_config_data)) + if request_result is not None: + response_code = request_result.getcode() + response = 
json.loads(json.JSONEncoder().encode(request_result.read()))
+ if response_code == 200 and response is not None:
+ print('ranger advanced configuration added successfully in ambari.')
+ return True
+ else:
+ print('ranger advanced configuration add failed in ambari.')
+ return False
+ else:
+ print('ranger advanced configuration add failed in ambari.')
+ return False
+ else:
+ print ('exiting installation without configuration !')
+ sys.exit(0)
+
+
+ def add_advanced_ranger_kms_configurations(ranger_kms_properties_from_file):
+ print('creating advanced configurations to be added to ')
+ advanced_kms_env_properties = dict()
+ advanced_kms_properties = dict()
+ advanced_dbks_site_properties = dict()
+ advanced_kms_site_properties = dict()
+ advanced_ranger_kms_site_properties = dict()
+ advanced_ranger_kms_audit_properties = dict()
+ advanced_ranger_kms_policymgr_ssl_properties = dict()
+ advanced_ranger_kms_security_properties = dict()
+ advanced_kms_log4j_properties = dict()
+ date_time_stamp = getDateTimeNow()
+
+ advanced_kms_env_properties['kms_user'] = 'kms'
+ advanced_kms_env_properties['kms_group'] = 'kms'
+ advanced_kms_env_properties['kms_log_dir'] = '/var/log/ranger/kms'
+ advanced_kms_env_properties['kms_port'] = '9292'
+
+ advanced_kms_properties['REPOSITORY_CONFIG_USERNAME'] = 'keyadmin'
+ advanced_kms_properties['REPOSITORY_CONFIG_PASSWORD'] = 'keyadmin'
+ advanced_kms_properties['DB_FLAVOR'] = ranger_kms_properties_from_file.get('DB_FLAVOR','MYSQL')
+ advanced_kms_properties['SQL_CONNECTOR_JAR'] = ranger_kms_properties_from_file.get('SQL_CONNECTOR_JAR','/usr/share/java/mysql-connector-java.jar')
+ advanced_kms_properties['db_root_user'] = ranger_kms_properties_from_file.get('db_root_user','root')
+ advanced_kms_properties['db_root_password'] = ranger_kms_properties_from_file.get('db_root_password','')
+ advanced_kms_properties['db_host'] = ranger_kms_properties_from_file.get('db_host','localhost')
+ advanced_kms_properties['db_name'] = ranger_kms_properties_from_file.get('db_name','rangerkms')
+ advanced_kms_properties['db_user'] = ranger_kms_properties_from_file.get('ranger.ks.jpa.jdbc.user','rangerkms')
+ advanced_kms_properties['db_password'] = ranger_kms_properties_from_file.get('ranger.ks.jpa.jdbc.password','')
+ advanced_kms_properties['KMS_MASTER_KEY_PASSWD'] = ranger_kms_properties_from_file.get('KMS_MASTER_KEY_PASSWD','')
+
+
+ advanced_dbks_site_properties['hadoop.kms.blacklist.DECRYPT_EEK'] = ranger_kms_properties_from_file.get('hadoop.kms.blacklist.DECRYPT_EEK','hdfs')
+ advanced_dbks_site_properties['ranger.db.encrypt.key.password'] = ranger_kms_properties_from_file.get('ranger.db.encrypt.key.password','_')
+ advanced_dbks_site_properties['ranger.ks.jpa.jdbc.url'] = ranger_kms_properties_from_file.get('ranger.ks.jpa.jdbc.url','{{db_jdbc_url}}')
+ advanced_dbks_site_properties['ranger.ks.jpa.jdbc.user'] = ranger_kms_properties_from_file.get('ranger.ks.jpa.jdbc.user','{{db_user}}')
+ advanced_dbks_site_properties['ranger.ks.jpa.jdbc.password'] = ranger_kms_properties_from_file.get('ranger.ks.jpa.jdbc.password','_')
+ advanced_dbks_site_properties['ranger.ks.jpa.jdbc.credential.provider.path'] = ranger_kms_properties_from_file.get('ranger.ks.jpa.jdbc.credential.provider.path','/etc/ranger/kms/rangerkms.jceks')
+ advanced_dbks_site_properties['ranger.ks.jpa.jdbc.credential.alias'] = ranger_kms_properties_from_file.get('ranger.ks.jpa.jdbc.credential.alias','ranger.ks.jdbc.password')
+ advanced_dbks_site_properties['ranger.ks.masterkey.credential.alias'] = ranger_kms_properties_from_file.get('ranger.ks.masterkey.credential.alias','ranger.ks.masterkey.password')
+ advanced_dbks_site_properties['ranger.ks.jpa.jdbc.dialect'] = ranger_kms_properties_from_file.get('ranger.ks.jpa.jdbc.dialect','{{jdbc_dialect}}')
+ advanced_dbks_site_properties['ranger.ks.jpa.jdbc.driver'] = ranger_kms_properties_from_file.get('ranger.ks.jpa.jdbc.driver','{{db_jdbc_driver}}')
+ advanced_dbks_site_properties['ranger.ks.jdbc.sqlconnectorjar'] = ranger_kms_properties_from_file.get('ranger.ks.jdbc.sqlconnectorjar','{{driver_curl_target}}')
+
+
+ advanced_kms_site_properties['hadoop.kms.key.provider.uri'] = ranger_kms_properties_from_file.get('hadoop.kms.key.provider.uri','dbks://http@localhost:9292/kms')
+ advanced_kms_site_properties['hadoop.security.keystore.JavaKeyStoreProvider.password'] = ranger_kms_properties_from_file.get('hadoop.security.keystore.JavaKeyStoreProvider.password','none')
+ advanced_kms_site_properties['hadoop.kms.cache.enable'] = ranger_kms_properties_from_file.get('hadoop.kms.cache.enable','true')
+ advanced_kms_site_properties['hadoop.kms.cache.timeout.ms'] = ranger_kms_properties_from_file.get('hadoop.kms.cache.timeout.ms','600000')
+ advanced_kms_site_properties['hadoop.kms.current.key.cache.timeout.ms'] = ranger_kms_properties_from_file.get('hadoop.kms.current.key.cache.timeout.ms','30000')
+ advanced_kms_site_properties['hadoop.kms.audit.aggregation.window.ms'] = ranger_kms_properties_from_file.get('hadoop.kms.audit.aggregation.window.ms','10000')
+ advanced_kms_site_properties['hadoop.kms.authentication.type'] = ranger_kms_properties_from_file.get('hadoop.kms.authentication.type','simple')
+ advanced_kms_site_properties['hadoop.kms.authentication.kerberos.keytab'] = ranger_kms_properties_from_file.get('hadoop.kms.authentication.kerberos.keytab','${user.home}/kms.keytab')
+ advanced_kms_site_properties['hadoop.kms.authentication.kerberos.principal'] = ranger_kms_properties_from_file.get('hadoop.kms.authentication.kerberos.principal','HTTP/localhost')
+ advanced_kms_site_properties['hadoop.kms.authentication.kerberos.name.rules'] = ranger_kms_properties_from_file.get('hadoop.kms.authentication.kerberos.name.rules','DEFAULT')
+ advanced_kms_site_properties['hadoop.kms.authentication.signer.secret.provider'] = ranger_kms_properties_from_file.get('hadoop.kms.authentication.signer.secret.provider','random')
+ advanced_kms_site_properties['hadoop.kms.authentication.signer.secret.provider.zookeeper.path'] = ranger_kms_properties_from_file.get('hadoop.kms.authentication.signer.secret.provider.zookeeper.path','/hadoop-kms/hadoop-auth-signature-secret')
+ advanced_kms_site_properties['hadoop.kms.authentication.signer.secret.provider.zookeeper.auth.type'] = ranger_kms_properties_from_file.get('hadoop.kms.authentication.signer.secret.provider.zookeeper.auth.type','kerberos')
+ advanced_kms_site_properties['hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.keytab'] = ranger_kms_properties_from_file.get('/etc/hadoop/conf/kms.keytab','/etc/hadoop/conf/kms.keytab')
+ advanced_kms_site_properties['hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.principal'] = ranger_kms_properties_from_file.get('hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.principal','kms/#HOSTNAME#')
+ advanced_kms_site_properties['hadoop.kms.security.authorization.manager'] = ranger_kms_properties_from_file.get('hadoop.kms.security.authorization.manager','org.apache.ranger.authorization.kms.authorizer.RangerKmsAuthorizer')
+
+
+ advanced_ranger_kms_site_properties['ranger.service.host'] = ranger_kms_properties_from_file.get('ranger.service.host','{{kms_host}}')
+ advanced_ranger_kms_site_properties['ranger.service.http.port'] = ranger_kms_properties_from_file.get('ranger.service.http.port','{{kms_port}}')
+ advanced_ranger_kms_site_properties['ranger.service.https.port'] = ranger_kms_properties_from_file.get('ranger.service.https.port','9393')
+ advanced_ranger_kms_site_properties['ranger.service.shutdown.port'] = ranger_kms_properties_from_file.get('ranger.service.shutdown.port','7085')
+ advanced_ranger_kms_site_properties['ranger.contextName'] = ranger_kms_properties_from_file.get('ranger.contextName','/kms')
+ advanced_ranger_kms_site_properties['xa.webapp.dir'] = ranger_kms_properties_from_file.get('xa.webapp.dir','./webapp')
+ advanced_ranger_kms_site_properties['ranger.service.https.attrib.ssl.enabled'] = ranger_kms_properties_from_file.get('ranger.service.https.attrib.ssl.enabled','false')
+
+
+ advanced_ranger_kms_audit_properties['xasecure.audit.is.enabled'] = ranger_kms_properties_from_file.get('xasecure.audit.is.enabled','true')
+ advanced_ranger_kms_audit_properties['xasecure.audit.destination.db'] = ranger_kms_properties_from_file.get('xasecure.audit.db.is.enabled','false')
+ advanced_ranger_kms_audit_properties['xasecure.audit.destination.db.jdbc.url'] = ranger_kms_properties_from_file.get('xasecure.audit.jpa.javax.persistence.jdbc.url','{{audit_jdbc_url}}')
+ advanced_ranger_kms_audit_properties['xasecure.audit.destination.db.user'] = ranger_kms_properties_from_file.get('xasecure.audit.jpa.javax.persistence.jdbc.user','{{xa_audit_db_user}}')
+ advanced_ranger_kms_audit_properties['xasecure.audit.destination.db.password'] = ranger_kms_properties_from_file.get('xasecure.audit.jpa.javax.persistence.jdbc.password','crypted')
+ advanced_ranger_kms_audit_properties['xasecure.audit.destination.db.jdbc.driver'] = ranger_kms_properties_from_file.get('xasecure.audit.jpa.javax.persistence.jdbc.driver','{{jdbc_driver}}')
+ advanced_ranger_kms_audit_properties['xasecure.audit.credential.provider.file'] = ranger_kms_properties_from_file.get('xasecure.audit.credential.provider.file','jceks://file{{credential_file}}')
+ advanced_ranger_kms_audit_properties['xasecure.audit.destination.db.batch.filespool.dir'] = ranger_kms_properties_from_file.get('xasecure.audit.destination.db.batch.filespool.dir','/var/log/ranger/kms/audit/db/spool')
+ advanced_ranger_kms_audit_properties['xasecure.audit.destination.hdfs'] = ranger_kms_properties_from_file.get('xasecure.audit.destination.hdfs','true')
+ advanced_ranger_kms_audit_properties['xasecure.audit.destination.hdfs.dir'] = ranger_kms_properties_from_file.get('xasecure.audit.destination.hdfs.dir','hdfs://NAMENODE_HOSTNAME:8020/ranger/audit')
+ advanced_ranger_kms_audit_properties['xasecure.audit.destination.hdfs.batch.filespool.dir'] = ranger_kms_properties_from_file.get('xasecure.audit.destination.hdfs.batch.filespool.dir','/var/log/ranger/kms/audit/hdfs/spool')
+ advanced_ranger_kms_audit_properties['xasecure.audit.destination.solr'] = ranger_kms_properties_from_file.get('xasecure.audit.destination.solr','true')
+ advanced_ranger_kms_audit_properties['xasecure.audit.destination.solr.urls'] = ranger_kms_properties_from_file.get('xasecure.audit.destination.solr.urls','{{ranger_audit_solr_urls}}')
+ advanced_ranger_kms_audit_properties['xasecure.audit.destination.solr.zookeepers'] = ranger_kms_properties_from_file.get('xasecure.audit.destination.solr.zookeepers','none')
+ advanced_ranger_kms_audit_properties['xasecure.audit.destination.solr.batch.filespool.dir'] = ranger_kms_properties_from_file.get('xasecure.audit.destination.solr.batch.filespool.dir','/var/log/ranger/kms/audit/solr/spool')
+ advanced_ranger_kms_audit_properties['xasecure.audit.provider.summary.enabled'] = ranger_kms_properties_from_file.get('xasecure.audit.provider.summary.enabled','false')
+
+
+ advanced_ranger_kms_policymgr_ssl_properties['xasecure.policymgr.clientssl.keystore'] = ranger_kms_properties_from_file.get('xasecure.policymgr.clientssl.keystore','/usr/hdp/current/ranger-kms/conf/ranger-plugin-keystore.jks')
+ advanced_ranger_kms_policymgr_ssl_properties['xasecure.policymgr.clientssl.keystore.password'] = ranger_kms_properties_from_file.get('xasecure.policymgr.clientssl.keystore.password','myKeyFilePassword')
+ advanced_ranger_kms_policymgr_ssl_properties['xasecure.policymgr.clientssl.truststore'] = ranger_kms_properties_from_file.get('xasecure.policymgr.clientssl.truststore','/usr/hdp/current/ranger-kms/conf/ranger-plugin-truststore.jks')
+ advanced_ranger_kms_policymgr_ssl_properties['xasecure.policymgr.clientssl.truststore.password'] = ranger_kms_properties_from_file.get('xasecure.policymgr.clientssl.truststore.password','changeit')
+ advanced_ranger_kms_policymgr_ssl_properties['xasecure.policymgr.clientssl.keystore.credential.file'] = ranger_kms_properties_from_file.get('xasecure.policymgr.clientssl.keystore.credential.file','jceks://file{{credential_file}}')
+ advanced_ranger_kms_policymgr_ssl_properties['xasecure.policymgr.clientssl.truststore.credential.file'] = ranger_kms_properties_from_file.get('xasecure.policymgr.clientssl.truststore.credential.file','jceks://file{{credential_file}}')
+
+
+ advanced_ranger_kms_security_properties['ranger.plugin.kms.service.name'] = ranger_kms_properties_from_file.get('ranger.plugin.kms.service.name','{{repo_name}}')
+ advanced_ranger_kms_security_properties['ranger.plugin.kms.policy.source.impl'] = ranger_kms_properties_from_file.get('ranger.plugin.kms.policy.source.impl','org.apache.ranger.admin.client.RangerAdminRESTClient')
+ advanced_ranger_kms_security_properties['ranger.plugin.kms.policy.rest.url'] = ranger_kms_properties_from_file.get('ranger.plugin.kms.policy.rest.url','{{policymgr_mgr_url}}')
+ advanced_ranger_kms_security_properties['ranger.plugin.kms.policy.rest.ssl.config.file'] = ranger_kms_properties_from_file.get('ranger.plugin.kms.policy.rest.ssl.config.file','/etc/ranger/kms/conf/ranger-policymgr-ssl.xml')
+ advanced_ranger_kms_security_properties['ranger.plugin.kms.policy.pollIntervalMs'] = ranger_kms_properties_from_file.get('ranger.plugin.kms.policy.pollIntervalMs','30000')
+ advanced_ranger_kms_security_properties['ranger.plugin.kms.policy.cache.dir'] = ranger_kms_properties_from_file.get('ranger.plugin.kms.policy.cache.dir','/etc/ranger/{{repo_name}}/policycache')
+
+ advanced_kms_log4j_properties['content'] = ranger_kms_properties_from_file.get('kms.log4j.properties','')
+
+
+ kms_config_data = '[{"Clusters":{"desired_config":[{"type":"kms-properties", "service_config_version_note": "Initial configuration for Ranger KMS service" ,"tag":"' + str(
+ date_time_stamp) + '","properties":' + json.dumps(
+ advanced_kms_properties) + ', "properties_attributes": {"final": "true"}},{"type":"kms-site", "service_config_version_note": "Initial configuration for Ranger KMS service" ,"tag":"' + str(
+ date_time_stamp) + '","properties":' + json.dumps(
+ advanced_kms_site_properties) + ', "properties_attributes": {"final": "false"}},{"type":"kms-env", "service_config_version_note": "Initial configuration for Ranger KMS service" ,"tag":"' + str(
+ date_time_stamp) + '","properties":' + json.dumps(advanced_kms_env_properties) + ', "properties_attributes": {"final": "false"}},{"type":"dbks-site", "service_config_version_note": "Initial configuration for Ranger KMS service" ,"tag":"' + str(
+ date_time_stamp) + '","properties":' + json.dumps(advanced_dbks_site_properties) + ', "properties_attributes": {"final": "false"}},{"type":"ranger-kms-site", "service_config_version_note": "Initial configuration for Ranger KMS service" ,"tag":"' + str(
+ date_time_stamp) + '","properties":' + json.dumps(advanced_ranger_kms_site_properties) + ', "properties_attributes": {"final": "false"}},{"type":"ranger-kms-audit", "service_config_version_note": "Initial configuration for Ranger KMS service" ,"tag":"' + str(
+ date_time_stamp) + '","properties":' + json.dumps(advanced_ranger_kms_audit_properties) + ', "properties_attributes": {"final": "false"}},{"type":"ranger-kms-policymgr-ssl", "service_config_version_note": "Initial configuration for Ranger KMS service" ,"tag":"' + str(
+ date_time_stamp) + '","properties":' + json.dumps(advanced_ranger_kms_policymgr_ssl_properties) + ', "properties_attributes": {"final": "false"}},{"type":"kms-log4j", "service_config_version_note": "Initial configuration for Ranger KMS service" ,"tag":"' + str(
+ date_time_stamp) + '","properties":' + json.dumps(advanced_kms_log4j_properties) + ', "properties_attributes": {"final": "false"}},{"type":"ranger-kms-security", "service_config_version_note": "Initial configuration for Ranger KMS service" ,"tag":"' + str(
+ date_time_stamp) + '","properties":' + json.dumps(advanced_ranger_kms_security_properties) + ', "properties_attributes": {"final": "false"}}]}}]'
+
+
+ print ('####################### kms_properties configuration :')
+ for each_key in advanced_kms_properties:
+ print str(each_key) + ' = ' + str(advanced_kms_properties[each_key])
+
+ print ('####################### kms_site_properties configuration :')
+ for each_key in advanced_kms_site_properties:
+ print str(each_key) + ' = ' + str(advanced_kms_site_properties[each_key])
+
+ print ('####################### kms_env_properties configuration :')
+ for each_key in advanced_kms_env_properties:
+ print str(each_key) + ' = ' + str(advanced_kms_env_properties[each_key])
+
+ print ('####################### ranger_kms_site_properties configuration :')
+ for each_key in advanced_ranger_kms_site_properties:
+ print str(each_key) + ' = ' + str(advanced_ranger_kms_site_properties[each_key])
+
+ print ('####################### kms_dbks_site_properties configuration :')
+ for each_key in advanced_dbks_site_properties:
+ print str(each_key) + ' = ' + str(advanced_dbks_site_properties[each_key])
+
+ print ('####################### ranger_kms_audit_properties configuration :')
+ for each_key in advanced_ranger_kms_audit_properties:
+ print str(each_key) + ' = ' + str(advanced_ranger_kms_audit_properties[each_key])
+
+ print ('####################### ranger_kms_policymgr_ssl_properties configuration :')
+ for each_key in advanced_ranger_kms_policymgr_ssl_properties:
+ print str(each_key) + ' = ' + str(advanced_ranger_kms_policymgr_ssl_properties[each_key])
+
+
+ print ('####################### ranger_kms_security_properties configuration :')
+ for each_key in advanced_ranger_kms_security_properties:
+ print str(each_key) + ' = ' + str(advanced_ranger_kms_security_properties[each_key])
+
+ print ('####################### ranger_kms_log4j_properties configuration :')
+ for each_key in advanced_kms_log4j_properties:
+ print str(each_key) + ' = ' + str(advanced_kms_log4j_properties[each_key])
+
+
+ confirm_configurations = raw_input('please confirm the above configuration values y/n (n) : ')
+ if(confirm_configurations == ''):
+ confirm_configurations = 'n'
+ print ('input registered as ' + str(confirm_configurations))
+
+ if(confirm_configurations.lower() == 'y'):
+ ranger_config_request_url = ambari_cluster_url
+ request_result = call_ambari_api(ranger_config_request_url, 'PUT', ambari_username_password, str(kms_config_data))
+ if request_result is not None:
+ response_code = request_result.getcode()
+ response = json.loads(json.JSONEncoder().encode(request_result.read()))
+ if response_code == 200 and response is not None:
+ print('ranger kms advanced configuration added successfully in ambari.')
+ return True
+ else:
+ print('ranger kms advanced configuration add failed in ambari.')
+ return False
+ else:
+ print('ranger kms advanced configuration add failed in ambari.')
+ return False
+ else:
+ print ('exiting installation without configuration !')
+ sys.exit(0)
+
+
+
+ def call_ranger_installed():
+ print('changing state of ranger services from init to installed.')
+ ranger_state_change_request = '{"RequestInfo":{"context":"Install Ranger Service","operation_level":{"level":"CLUSTER","cluster_name":"' + str(
+ cluster_name) + '"}},"Body":{"ServiceInfo":{"state":"INSTALLED"}}}'
+ ranger_state_change_url = ambari_service_url + '?ServiceInfo/state=INIT'
+ request_result = call_ambari_api(ranger_state_change_url, 'PUT', ambari_username_password, ranger_state_change_request)
+ if request_result is not None:
+ response_code = request_result.getcode()
+ response = json.loads(json.JSONEncoder().encode(request_result.read()))
+ if (response_code == 200 and response is not None):
+ print('ranger state changed to install successfully in ambari.')
+ return True
+ if (response_code == 409 and response is not None):
+ print('ranger is already installed in ambari.')
+ return True
+ if response_code == 202 and response is not None:
+ print('ranger state changed to install posted in ambari, checking for updated status waiting for 30 seconds')
+ parsed_response = json.loads(response)
+ response_href_url = parsed_response['href']
+ response_request_id = parsed_response['Requests']['id']
+ response_status = parsed_response['Requests']['status']
+ if response_status != 'Installed':
+ print('Received response but status is not installed, verifying installation to be successful.')
+ flag_ranger_installed = True
+ time.sleep(30)
+ while flag_ranger_installed:
+ print('checking request status')
+ ambari_request_url = ambari_cluster_url + '/requests/' + str(response_request_id)
+ request_status_result = call_ambari_api(ambari_request_url, 'GET', ambari_username_password, '')
+ if request_status_result is not None:
+ response_code = request_status_result.getcode()
+ response_status = json.loads(json.JSONEncoder().encode(request_status_result.read()))
+ if (response_code == 200 and 'FAILED' in response_status):
+ print('ranger install failed in ambari.')
+ flag_ranger_installed = True
+ if (response_code == 200 ):
+ print('ranger install is pending in ambari.')
+ flag_ranger_installed = True
+ if (response_code == 200 and ('PENDING' in response_status or 'INTERNAL_REQUEST' in response_status)):
+ print('ranger install is pending in ambari.')
+ flag_ranger_installed = True
+ if (response_code == 200 and 'COMPLETED' in response_status):
+ print('ranger installed successfully in ambari.')
+ flag_ranger_installed = False
+ else:
+ flag_ranger_installed = True
+ return not flag_ranger_installed
+ else:
+ print('ranger state changed to install failed in ambari.')
+ return False
+
+ def call_ranger_kms_installed():
+ print('changing state of ranger services from init to installed.')
+ ranger_state_change_request = '{"RequestInfo":{"context":"Install Ranger KMS Service","operation_level":{"level":"CLUSTER","cluster_name":"' + str(
+ cluster_name) + '"}},"Body":{"ServiceInfo":{"state":"INSTALLED"}}}'
+ ranger_state_change_url = ambari_service_url + '?ServiceInfo/state=INIT'
+ request_result = call_ambari_api(ranger_state_change_url, 'PUT', ambari_username_password, ranger_state_change_request)
+ if request_result is not None:
+ response_code = request_result.getcode()
+ response = json.loads(json.JSONEncoder().encode(request_result.read()))
+ if (response_code == 200 and response is not None):
+ print('ranger state changed to install successfully in ambari.')
+ return True
+ if (response_code == 409 and response is not None):
+ print('ranger is already installed in ambari.')
+ return True
+ if response_code == 202 and response is not None:
+ print('ranger state changed to install posted in ambari, checking for updated status waiting for 30 seconds')
+ parsed_response = json.loads(response)
+ response_href_url = parsed_response['href']
+ response_request_id = parsed_response['Requests']['id']
+ response_status = parsed_response['Requests']['status']
+ if response_status != 'Installed':
+ print('Received response but status is not installed, verifying installation to be successful.')
+ flag_ranger_installed = True
+ time.sleep(30)
+ while flag_ranger_installed:
+ print('checking request status')
+ ambari_request_url = ambari_cluster_url + '/requests/' + str(response_request_id)
+ request_status_result = call_ambari_api(ambari_request_url, 'GET', ambari_username_password, '')
+ if request_status_result is not None:
+ response_code = request_status_result.getcode()
+ response_status = json.loads(json.JSONEncoder().encode(request_status_result.read()))
+ if (response_code == 200 and 'FAILED' in response_status):
+ print('ranger install failed in ambari.')
+ flag_ranger_installed = True
+ if (response_code == 200 ):
+ print('ranger kms install is pending in ambari.')
+ flag_ranger_installed = True
+ if (response_code == 200 and ('PENDING' in response_status or 'INTERNAL_REQUEST' in response_status)):
+ print('ranger kms install is pending in ambari.')
+ flag_ranger_installed = True
+ if (response_code == 200 and 'COMPLETED' in response_status):
+ print('ranger kms installed successfully in ambari.')
+ flag_ranger_installed = False
+ else:
+ flag_ranger_installed = True
+ return not flag_ranger_installed
+ else:
+ print('ranger kms state changed to install failed in ambari.')
+ return False
+
+
+ def get_ranger_usersync_install_properties():
+ print('preparing advanced configurations for ranger User-sync')
+ flag_hadoop_present = check_hadoop_dir_present(hdp_current_dir)
+ flag_ranger_usersync_present = False
+ ranger_usersync_current_dir = os.path.join(hdp_current_dir, 'ranger-usersync')
+ ranger_usersync_properties_from_file = dict()
+ print('checking for ranger-usersync service to be present')
+ flag_ranger_usersync_present, ranger_usersync__installed_version = check_ranger_usersync_install(ranger_usersync_current_dir)
+ if flag_ranger_usersync_present:
+ print('ranger usersync is installed, getting existing properties for ambari import')
+ print('got ranger usersync values from install.properties file, need to configure ambari for ranger service.')
+ ranger_usersync_properties_from_file = get_additional_properties_for_usersync(ranger_usersync_properties_from_file)
+ return flag_ranger_usersync_present, ranger_usersync_properties_from_file
+
+
+ def get_ranger_admin_install_properties():
+ ranger_admin_current_dir = os.path.join(hdp_current_dir, 'ranger-admin')
+ flag_hadoop_present = check_hadoop_dir_present(hdp_current_dir)
+ flag_ranger_admin_present = False
+ ranger_admin_properties_from_file = dict()
+
+ if flag_hadoop_present:
+ print('hadoop directory is present, checking ranger admin installation.')
+ flag_ranger_admin_present, ranger_admin_installed_version = check_ranger_admin_install(ranger_admin_current_dir)
+
+ if flag_ranger_admin_present:
+ print('ranger admin is present.getting existing configurations to port to ambari.')
+ if os.path.isfile("ranger_admin_install.properties"):
+ print('ranger_install_properties_path exists, getting existing properties for ambari port')
+ ranger_admin_properties_from_file = import_properties_from_file("ranger_admin_install.properties")
+ if not (ranger_admin_properties_from_file['db_root_user'] == '' or ranger_admin_properties_from_file['db_root_password'] == ''):
+ print 'db_root_username and db_root_password are not blank.'
+ print 'value for db_root_user = ' + str(ranger_admin_properties_from_file['db_root_user'])
+ print 'value for db_root_password = ' + str(ranger_admin_properties_from_file['db_root_password'])
+ else:
+ print 'db_root_username or db_root_password are blank, please provide proper values in ranger_admin_install.properties. exiting installation without any changes.'
+ sys.exit(1)
+
+ print('got ranger admin values from ranger_admin_install.properties file, need to configure ambari for ranger service.')
+ print('getting additional properties required by ranger services')
+ ranger_admin_properties_from_file = get_additional_properties_for_admin(ranger_admin_properties_from_file)
+
+ return flag_ranger_admin_present, ranger_admin_properties_from_file
+
+ def get_ranger_kms_install_properties():
+ ranger_kms_current_dir = os.path.join(hdp_current_dir, 'ranger-kms')
+ flag_hadoop_present = check_hadoop_dir_present(hdp_current_dir)
+ flag_ranger_kms_present = False
+ ranger_kms_properties_from_file = dict()
+
+ if flag_hadoop_present:
+ print('hadoop directory is present, checking ranger kms installation.')
+ flag_ranger_kms_present, ranger_kms_installed_version = check_ranger_kms_install(ranger_kms_current_dir)
+
+ if flag_ranger_kms_present:
+ print('ranger kms is present.getting existing configurations to port to ambari.')
+ if os.path.isfile("ranger_admin_install.properties"):
+ print('ranger_install_properties_path exists, getting existing properties for ambari port')
+ ranger_kms_properties_from_file = import_properties_from_file("ranger_admin_install.properties")
+ if not (ranger_kms_properties_from_file['db_root_user'] == '' or ranger_kms_properties_from_file['db_root_password'] == ''):
+ print 'db_root_username and db_root_password are not blank.'
+ print 'value for db_root_user = ' + str(ranger_kms_properties_from_file['db_root_user'])
+ print 'value for db_root_password = ' + str(ranger_kms_properties_from_file['db_root_password'])
+ else:
+ print 'db_root_username or db_root_password are blank, please provide proper values in ranger_admin_install.properties. exiting installation without any changes.'
+ sys.exit(1)
+
+ print('got ranger admin values from ranger_admin_install.properties file, need to configure ambari for ranger service.')
+ print('getting additional properties required by ranger services')
+ ranger_kms_properties_from_file = get_additional_properties_for_kms(ranger_kms_properties_from_file)
+
+ return flag_ranger_kms_present, ranger_kms_properties_from_file
+
+
+ def check_hadoop_dir_present(hdp_current_dir_path):
+ flag_hadoop_dir_present = False
+ if os.path.isdir(hdp_current_dir_path):
+ print('hadoop is installed.')
+ flag_hadoop_dir_present = True
+ return flag_hadoop_dir_present
+
+
+ def check_ranger_admin_install(ranger_admin_current_dir):
+ flag_ranger_dir_present = False
+ ranger_current_installed_version = ''
+ print('checking ranger service path folder')
+ if os.path.isdir(ranger_admin_current_dir):
+ print('ranger admin is installed.')
+ if os.path.islink(ranger_admin_current_dir):
+ flag_ranger_dir_present = True
+ print('ranger admin link found getting current version from link.')
+ ranger_home_path = os.path.realpath(ranger_admin_current_dir)
+ ranger_current_installed_version = ranger_home_path.split('/')[4]
+ return flag_ranger_dir_present, ranger_current_installed_version
+
+
+ def check_ranger_usersync_install(ranger_usersync_current_dir):
+ flag_ranger_dir_present = False
+ ranger_current_installed_version = ''
+ print('checking ranger service path folder')
+ if os.path.isdir(ranger_usersync_current_dir):
+ print('ranger user-sync is installed.')
+ if os.path.islink(ranger_usersync_current_dir):
+ flag_ranger_dir_present = True
+ print('ranger admin link found getting current version from link.')
+ ranger_home_path = os.path.realpath(ranger_usersync_current_dir)
+ ranger_current_installed_version = ranger_home_path.split('/')[4]
+ return flag_ranger_dir_present, ranger_current_installed_version
+
+
+ def check_ranger_kms_install(ranger_kms_current_dir):
+ flag_ranger_dir_present = False
+ ranger_current_installed_version = ''
+ print('checking ranger kms service path folder')
+ if os.path.isdir(ranger_kms_current_dir):
+ print('ranger kms is installed.')
+ if os.path.islink(ranger_kms_current_dir):
+ flag_ranger_dir_present = True
+ print('ranger kms link found getting current version from link.')
+ ranger_home_path = os.path.realpath(ranger_kms_current_dir)
+ ranger_current_installed_version = ranger_home_path.split('/')[4]
+ return flag_ranger_dir_present, ranger_current_installed_version
+
+
+ def get_additional_properties_for_admin(ranger_admin_properties_from_file):
+ ranger_conf_path = '/etc/ranger/admin/conf'
+ ranger_admin_default_site_xml_properties = os.path.join(ranger_conf_path,'ranger-admin-default-site.xml')
+ ranger_admin_site_xml_properties = os.path.join(ranger_conf_path,'ranger-admin-site.xml')
+ try:
+
+ ranger_admin_properties_from_file = import_properties_from_xml(ranger_admin_default_site_xml_properties, ranger_admin_properties_from_file)
+ ranger_admin_properties_from_file = import_properties_from_xml(ranger_admin_site_xml_properties, ranger_admin_properties_from_file)
+ except Exception, e:
+ print "Error loading ranger-admin properties from xml files : ", str(e)
+
+ print('getting db flavor, library and command invoker')
+ ranger_jpa_jdbc_dialect = ranger_admin_properties_from_file['ranger.jpa.jdbc.dialect']
+ print('ranger_jpa_jdbc_dialect = ' + ranger_jpa_jdbc_dialect)
+ ranger_jpa_jdbc_url = ranger_admin_properties_from_file['ranger.jpa.jdbc.url']
+ print('ranger_jpa_jdbc_url = ' + ranger_jpa_jdbc_url)
+ if ('mysql'.lower() in ranger_jpa_jdbc_dialect.lower() and 'mysql'.lower() in ranger_jpa_jdbc_url.lower()):
+ print('db dialect and jdbc url are set as MYSQL setting db_flavour and sql command invoker as mysql')
+ ranger_admin_properties_from_file['DB_FLAVOR'] = 'MYSQL'
+ ranger_admin_properties_from_file['SQL_CONNECTOR_JAR'] = '/usr/share/java/mysql-connector-java.jar'
+ elif ('oracle'.lower() in ranger_jpa_jdbc_dialect and 'oracle'.lower() in ranger_jpa_jdbc_url.lower()):
+ print('db dialect and jdbc url are set as Oracle setting db_flavour and sql command invoker as oracle')
+ ranger_admin_properties_from_file['DB_FLAVOR'] = 'ORACLE'
+ ranger_admin_properties_from_file['SQL_CONNECTOR_JAR'] = '/usr/share/java/ojdbc6.jar'
+ elif ('postgres'.lower() in ranger_jpa_jdbc_dialect and 'postgres'.lower() in ranger_jpa_jdbc_url.lower()):
+ print('db dialect and jdbc url are set as postgres setting db_flavour and sql command invoker as postgres')
+ ranger_admin_properties_from_file['DB_FLAVOR'] = 'POSTGRES'
+ ranger_admin_properties_from_file['SQL_CONNECTOR_JAR'] = '/usr/share/java/postgresql.jar'
+ else:
+ print('found unsupported DB_FLAVOUR, please configure as MYSQL, ORACLE or Postgres which are supported for now.exitting for now')
+ sys.exit(1)
+
+ ranger_jpa_jdbc_url = ranger_admin_properties_from_file['ranger.jpa.jdbc.url']
+ print('found jdbc url configured as : ' + str(ranger_jpa_jdbc_url) + ' , getting db host from configured jdbc url')
+ ranger_database_host_name = ranger_jpa_jdbc_url.split(':')
+ ranger_database_host = ranger_database_host_name[3].split('/')[2]
+ ranger_database_name = ranger_database_host_name[3].split('/')[3]
+ print('found db host as : ' + str(ranger_database_host))
+ print('found db name as : ' + str(ranger_database_name))
+ ranger_admin_properties_from_file['db_host'] = ranger_database_host
+ ranger_admin_properties_from_file['db_name'] = ranger_database_name
+
+ ranger_audit_jdbc_url = ranger_admin_properties_from_file['ranger.jpa.audit.jdbc.url']
+ print('found audit jdbc url configured as : ' + str(ranger_audit_jdbc_url) + ' , getting db host from configured jdbc url')
+ ranger_audit_database_host_name = ranger_audit_jdbc_url.split(':')
+
+ ranger_audit_database_host = ranger_audit_database_host_name[3].split('/')[2]
+ ranger_audit_database_name = ranger_audit_database_host_name[3].split('/')[3]
+ print('found ranger_audit_database_name as : ' + str(ranger_audit_database_name))
+ ranger_admin_properties_from_file['audit_db_host'] = ranger_audit_database_host
+ ranger_admin_properties_from_file['audit_db_name'] = ranger_audit_database_name
+
+ ranger_db_password = ''
+ ranger_audit_db_password = ''
+
+ libpath = os.path.join(hdp_version_dir, 'ranger-admin', 'cred', 'lib', '*')
+ aliasKey = 'ranger.db.password'
+ aliasValue = ''
+ filepath = ranger_admin_properties_from_file['ranger.credential.provider.path']
+ if (filepath is None or len(filepath) == 0):
+ filepath = os.path.join(hdp_version_dir, 'ranger-admin', 'ews', 'webapp', 'WEB-INF', 'classes', 'conf', '.jceks', 'rangeradmin.jceks')
+
+ getorcreateorlist = 'get'
+
+ statuscode, value = call_keystore(libpath, aliasKey, aliasValue, filepath, getorcreateorlist)
+ if statuscode == 0:
+ ranger_db_password = value.strip()
+
+ aliasKey = 'ranger.auditdb.password'
+ statuscode, value = call_keystore(libpath, aliasKey, aliasValue, filepath, getorcreateorlist)
+ if statuscode == 0:
+ ranger_audit_db_password = value.strip()
+
+ if str(ranger_admin_properties_from_file['ranger.jpa.jdbc.password']) == '_' or str(ranger_admin_properties_from_file['ranger.jpa.jdbc.password']).lower() == 'crypted':
+ ranger_admin_properties_from_file['ranger.jpa.jdbc.password'] = ranger_db_password
+ if str(ranger_admin_properties_from_file['ranger.jpa.audit.jdbc.password']) == '_' or str(ranger_admin_properties_from_file['ranger.jpa.audit.jdbc.password']).lower() == 'crypted':
+ ranger_admin_properties_from_file['ranger.jpa.audit.jdbc.password'] = ranger_audit_db_password
+
+ return ranger_admin_properties_from_file
+
+
+ def get_additional_properties_for_kms(ranger_kms_properties_from_file):
+ ranger_conf_path = '/etc/ranger/kms/conf'
+ kms_dbks_site_properties = os.path.join(ranger_conf_path,'dbks-site.xml')
+ ranger_kms_properties_from_file = import_properties_from_xml(kms_dbks_site_properties, ranger_kms_properties_from_file)
+ kms_site_properties = os.path.join(ranger_conf_path,'kms-site.xml')
+ ranger_kms_properties_from_file = import_properties_from_xml(kms_site_properties, ranger_kms_properties_from_file)
+ ranger_kms_site_properties = os.path.join(ranger_conf_path,'ranger-kms-site.xml')
+ ranger_kms_properties_from_file = import_properties_from_xml(ranger_kms_site_properties, ranger_kms_properties_from_file)
+ ranger_kms_audit_properties = os.path.join(ranger_conf_path,'ranger-kms-audit.xml')
+ ranger_kms_properties_from_file = import_properties_from_xml(ranger_kms_audit_properties, ranger_kms_properties_from_file)
+ ranger_kms_security_properties = os.path.join(ranger_conf_path,'ranger-kms-security.xml')
+ ranger_kms_properties_from_file = import_properties_from_xml(ranger_kms_security_properties, ranger_kms_properties_from_file)
+ ranger_policy_mgr_ssl_properties = os.path.join(ranger_conf_path,'ranger-policymgr-ssl.xml')
+ ranger_kms_properties_from_file = import_properties_from_xml(ranger_policy_mgr_ssl_properties, ranger_kms_properties_from_file)
+ kms_log4j_properties = os.path.join(ranger_conf_path,'kms-log4j.properties')
+ ranger_kms_properties_from_file['kms.log4j.properties'] = read_properties_file(kms_log4j_properties)
+
+ kms_jpa_jdbc_dialect = ranger_kms_properties_from_file['ranger.ks.jpa.jdbc.dialect']
+ print('kms_jpa_jdbc_dialect = ' + str(kms_jpa_jdbc_dialect))
+ kms_jpa_jdbc_url = ranger_kms_properties_from_file['ranger.ks.jpa.jdbc.url']
+ if ('mysql'.lower() in kms_jpa_jdbc_dialect.lower() and 'mysql'.lower() in kms_jpa_jdbc_url.lower()):
+ print('db dialect and jdbc url are set as MYSQL setting db_flavour and sql command invoker as mysql')
+ ranger_kms_properties_from_file['DB_FLAVOR'] = 'MYSQL'
+ ranger_kms_properties_from_file['SQL_CONNECTOR_JAR'] = '/usr/share/java/mysql-connector-java.jar'
+ elif ('oracle'.lower() in kms_jpa_jdbc_dialect and 'oracle'.lower() in kms_jpa_jdbc_url.lower()):
+ print('db dialect and jdbc url are set as Oracle setting db_flavour and sql command invoker as oracle')
+ ranger_kms_properties_from_file['DB_FLAVOR'] = 'ORACLE'
+ ranger_kms_properties_from_file['SQL_CONNECTOR_JAR'] = '/usr/share/java/ojdbc6.jar'
+ elif ('postgres'.lower() in kms_jpa_jdbc_dialect and 'postgres'.lower() in kms_jpa_jdbc_url.lower()):
+ print('db dialect and jdbc url are set as postgres setting db_flavour and sql command invoker as postgres')
+ ranger_kms_properties_from_file['DB_FLAVOR'] = 'POSTGRES'
+ ranger_kms_properties_from_file['SQL_CONNECTOR_JAR'] = '/usr/share/java/postgresql.jar'
+ else:
+ print('found unsupported DB_FLAVOUR, please configure as MYSQL, ORACLE or Postgres which are supported for now.exitting for now')
+ sys.exit(1)
+
+ kms_jpa_db_hostname = kms_jpa_jdbc_url.split(':')
+
+ kms_jpa_jdbc_hostname = kms_jpa_db_hostname[3].split('/')[2]
+ kms_jpa_jdbc_db_name = kms_jpa_db_hostname[3].split('/')[3]
+ print('found db hostname = ' + kms_jpa_jdbc_hostname )
+ print('found db name = ' + kms_jpa_jdbc_db_name )
+
+ ranger_kms_properties_from_file['db_host'] = kms_jpa_jdbc_hostname
+ ranger_kms_properties_from_file['db_name'] = kms_jpa_jdbc_db_name
+
+ kms_database_password = ''
+ kms_keystore_masterkey_password = ''
+
+ libpath = os.path.join(hdp_version_dir, 'ranger-kms', 'cred', 'lib', '*')
+ aliasKey = ranger_kms_properties_from_file['ranger.ks.jpa.jdbc.credential.alias']
+ if(aliasKey is None or len(aliasKey) == 0): + aliasKey = 'ranger.ks.jdbc.password' + aliasValue = '' + filepath = ranger_kms_properties_from_file['ranger.ks.jpa.jdbc.credential.provider.path'] + if (filepath is None or len(filepath) == 0) : + filepath = os.path.join(hdp_version_dir, 'ranger-kms', 'ews', 'webapp', 'WEB-INF', 'classes', 'conf', '.jceks', 'rangerkms.jceks') + + getorcreateorlist = 'get' + + statuscode, value = call_keystore(libpath, aliasKey, aliasValue, filepath, getorcreateorlist) + if statuscode == 0: + kms_database_password = value.strip() + print('kms_database_password = ' + kms_database_password) + aliasKey = ranger_kms_properties_from_file['ranger.ks.masterkey.credential.alias'] + if(aliasKey is None or len(aliasKey) == 0): + aliasKey = 'ranger.ks.masterkey.password' + statuscode, value = call_keystore(libpath, aliasKey, aliasValue, filepath, getorcreateorlist) + + if statuscode == 0: + kms_keystore_masterkey_password = value.strip() + + print('kms_keystore_masterkey_password = ' + kms_keystore_masterkey_password) + + if str(ranger_kms_properties_from_file['ranger.ks.jpa.jdbc.password']) == '_' or str(ranger_kms_properties_from_file['ranger.ks.jpa.jdbc.password']).lower() == 'crypted': + ranger_kms_properties_from_file['ranger.ks.jpa.jdbc.password'] = kms_database_password + ranger_kms_properties_from_file['KMS_MASTER_KEY_PASSWD'] = kms_keystore_masterkey_password + ranger_kms_properties_from_file['ranger.db.encrypt.key.password'] = kms_keystore_masterkey_password + + return ranger_kms_properties_from_file + + +def get_additional_properties_for_usersync(ranger_usersync_properties_from_file): + ranger_conf_path = '/etc/ranger/usersync/conf' + ranger_ugsync_default_site_xml_properties = os.path.join(ranger_conf_path, 'ranger-ugsync-default.xml') + ranger_ugsync_site_xml_properties = os.path.join(ranger_conf_path, 'ranger-ugsync-site.xml') + ranger_usersync_properties_from_file = 
import_properties_from_xml(ranger_ugsync_default_site_xml_properties, ranger_usersync_properties_from_file) + ranger_usersync_properties_from_file = import_properties_from_xml(ranger_ugsync_site_xml_properties, ranger_usersync_properties_from_file) + if (('unix'.lower()) in str(ranger_usersync_properties_from_file['ranger.usersync.source.impl.class']).lower()): + print('sync_source is unix') + ranger_usersync_properties_from_file['SYNC_SOURCE'] = 'unix' + if (('ldap'.lower()) in str(ranger_usersync_properties_from_file['ranger.usersync.source.impl.class']).lower()): + print('sync source is ldap') + ranger_usersync_properties_from_file['SYNC_SOURCE'] = 'ldap' + return ranger_usersync_properties_from_file + + +def port_ranger_hdfs_plugin_to_ambari(): + print('Trying to add ranger hdfs plugin.') + flag_hdfs_plugin_installed, hdfs_plugin_install_properties, hdfs_site_xml_properties = get_hdfs_plugin_configuration() + if flag_hdfs_plugin_installed and hdfs_plugin_install_properties is not None and hdfs_site_xml_properties is not None: + hdfs_site_xml_properties['dfs.permissions.enabled'] = 'true' + print('hdfs plugin is installed and enabled, adding to configurations') + advanced_ranger_hdfs_plugin_properties = dict() + advanced_ranger_hdfs_audit_properties = dict() + advanced_ranger_hdfs_policymgr_ssl_properties = dict() + advanced_ranger_hdfs_security_properties = dict() + + advanced_ranger_hdfs_plugin_properties['policy_user'] = 'ambari-qa' + advanced_ranger_hdfs_plugin_properties['hadoop.rpc.protection'] = '' + advanced_ranger_hdfs_plugin_properties['common.name.for.certificate'] = '' + advanced_ranger_hdfs_plugin_properties['ranger-hdfs-plugin-enabled'] = 'Yes' + advanced_ranger_hdfs_plugin_properties['REPOSITORY_CONFIG_USERNAME'] = 'hadoop' + advanced_ranger_hdfs_plugin_properties['REPOSITORY_CONFIG_PASSWORD'] = 'hadoop' + + advanced_ranger_hdfs_audit_properties['xasecure.audit.is.enabled'] = hdfs_plugin_install_properties.get('xasecure.audit.is.enabled','true') + 
advanced_ranger_hdfs_audit_properties['xasecure.audit.destination.db'] = hdfs_plugin_install_properties.get('xasecure.audit.db.is.enabled','false') + advanced_ranger_hdfs_audit_properties['xasecure.audit.destination.db.jdbc.url'] = hdfs_plugin_install_properties.get('xasecure.audit.jpa.javax.persistence.jdbc.url','{{audit_jdbc_url}}') + advanced_ranger_hdfs_audit_properties['xasecure.audit.destination.db.user'] = hdfs_plugin_install_properties.get('xasecure.audit.jpa.javax.persistence.jdbc.user','{{xa_audit_db_user}}') + advanced_ranger_hdfs_audit_properties['xasecure.audit.destination.db.password'] = hdfs_plugin_install_properties.get('xasecure.audit.jpa.javax.persistence.jdbc.password','crypted') + advanced_ranger_hdfs_audit_properties['xasecure.audit.destination.db.jdbc.driver'] = hdfs_plugin_install_properties.get('xasecure.audit.jpa.javax.persistence.jdbc.driver','{{jdbc_driver}}') + advanced_ranger_hdfs_audit_properties['xasecure.audit.credential.provider.file'] = hdfs_plugin_install_properties.get('xasecure.audit.credential.provider.file','jceks://file{{credential_file}}') + advanced_ranger_hdfs_audit_properties['xasecure.audit.destination.db.batch.filespool.dir'] = hdfs_plugin_install_properties.get('xasecure.audit.destination.db.batch.filespool.dir','/var/log/hadoop/hdfs/audit/db/spool') + advanced_ranger_hdfs_audit_properties['xasecure.audit.destination.hdfs'] = hdfs_plugin_install_properties.get('xasecure.audit.destination.hdfs','true') + advanced_ranger_hdfs_audit_properties['xasecure.audit.destination.hdfs.dir'] = hdfs_plugin_install_properties.get('xasecure.audit.destination.hdfs.dir','hdfs://NAMENODE_HOSTNAME:8020/ranger/audit') + advanced_ranger_hdfs_audit_properties['xasecure.audit.destination.hdfs.batch.filespool.dir'] = hdfs_plugin_install_properties.get('xasecure.audit.destination.hdfs.batch.filespool.dir','/var/log/hadoop/hdfs/audit/hdfs/spool') + advanced_ranger_hdfs_audit_properties['xasecure.audit.destination.solr'] = 
hdfs_plugin_install_properties.get('xasecure.audit.destination.solr','false') + advanced_ranger_hdfs_audit_properties['xasecure.audit.destination.solr.urls'] = hdfs_plugin_install_properties.get('xasecure.audit.destination.solr.urls','{{ranger_audit_solr_urls}}') + advanced_ranger_hdfs_audit_properties['xasecure.audit.destination.solr.zookeepers'] = hdfs_plugin_install_properties.get('xasecure.audit.is.enabled','none') + advanced_ranger_hdfs_audit_properties['xasecure.audit.destination.solr.batch.filespool.dir'] = hdfs_plugin_install_properties.get('xasecure.audit.destination.solr.batch.filespool.dir','/var/log/hadoop/hdfs/audit/solr/spool') + advanced_ranger_hdfs_audit_properties['xasecure.audit.provider.summary.enabled'] = hdfs_plugin_install_properties.get('xasecure.audit.provider.summary.enabled','false') + + + advanced_ranger_hdfs_policymgr_ssl_properties['xasecure.policymgr.clientssl.keystore'] = hdfs_plugin_install_properties.get('xasecure.policymgr.clientssl.keystore','/usr/hdp/current/hadoop-client/conf/ranger-plugin-keystore.jks') + advanced_ranger_hdfs_policymgr_ssl_properties['xasecure.policymgr.clientssl.keystore.password'] = hdfs_plugin_install_properties.get('xasecure.policymgr.clientssl.keystore.password','myKeyFilePassword') + advanced_ranger_hdfs_policymgr_ssl_properties['xasecure.policymgr.clientssl.truststore'] = hdfs_plugin_install_properties.get('xasecure.policymgr.clientssl.truststore','/usr/hdp/current/hadoop-client/conf/ranger-plugin-truststore.jks') + advanced_ranger_hdfs_policymgr_ssl_properties['xasecure.policymgr.clientssl.truststore.password'] = hdfs_plugin_install_properties.get('xasecure.policymgr.clientssl.truststore.password','changeit') + advanced_ranger_hdfs_policymgr_ssl_properties['xasecure.policymgr.clientssl.keystore.credential.file'] = hdfs_plugin_install_properties.get('xasecure.policymgr.clientssl.keystore.credential.file','jceks://file{{credential_file}}') + 
advanced_ranger_hdfs_policymgr_ssl_properties['xasecure.policymgr.clientssl.truststore.credential.file'] = hdfs_plugin_install_properties.get('xasecure.policymgr.clientssl.truststore.credential.file','jceks://file{{credential_file}}') + + + + advanced_ranger_hdfs_security_properties['ranger.plugin.hdfs.service.name'] = hdfs_plugin_install_properties.get('ranger.plugin.hdfs.service.name','{{repo_name}}') + advanced_ranger_hdfs_security_properties['ranger.plugin.hdfs.policy.source.impl'] = hdfs_plugin_install_properties.get('ranger.plugin.hdfs.policy.source.impl','org.apache.ranger.admin.client.RangerAdminRESTClient') + advanced_ranger_hdfs_security_properties['ranger.plugin.hdfs.policy.rest.url'] = hdfs_plugin_install_properties.get('ranger.plugin.hdfs.policy.rest.url','{{policymgr_mgr_url}}') + advanced_ranger_hdfs_security_properties['ranger.plugin.hdfs.policy.rest.ssl.config.file'] = hdfs_plugin_install_properties.get('ranger.plugin.hdfs.policy.rest.ssl.config.file','/etc/hadoop/conf/ranger-policymgr-ssl.xml') + advanced_ranger_hdfs_security_properties['ranger.plugin.hdfs.policy.pollIntervalMs'] = hdfs_plugin_install_properties.get('ranger.plugin.hdfs.policy.pollIntervalMs','30000') + advanced_ranger_hdfs_security_properties['ranger.plugin.hdfs.policy.cache.dir'] = hdfs_plugin_install_properties.get('ranger.plugin.hdfs.policy.cache.dir','/etc/ranger/{{repo_name}}/policycache') + advanced_ranger_hdfs_security_properties['xasecure.add-hadoop-authorization'] = hdfs_plugin_install_properties.get('xasecure.add-hadoop-authorization','true') + + + date_time_stamp = getDateTimeNow() + + plugin_configuration_data = '[{"Clusters":{"desired_config":[{"type":"hdfs-site", "service_config_version_note": "Initial configuration for Ranger HDFS plugin" ,"tag":"' + str(date_time_stamp) + '","properties":' + str( + json.dumps(hdfs_site_xml_properties)) + ', "properties_attributes": {"final": "false"}},{"type": "ranger-hdfs-plugin-properties", "service_config_version_note": "Initial 
configuration for Ranger HDFS plugin" , "tag": "' + str( + date_time_stamp) + '", "properties":' + json.dumps(advanced_ranger_hdfs_plugin_properties) + ',"properties_attributes": {"final": "false"}},{"type": "ranger-hdfs-audit", "service_config_version_note": "Initial configuration for Ranger HDFS plugin" , "tag": "' + str( + date_time_stamp) + '", "properties":' + json.dumps(advanced_ranger_hdfs_audit_properties) + ',"properties_attributes": {"final": "false"}},{"type": "ranger-hdfs-policymgr-ssl", "service_config_version_note": "Initial configuration for Ranger HDFS plugin" , "tag": "' + str( + date_time_stamp) + '", "properties":' + json.dumps(advanced_ranger_hdfs_policymgr_ssl_properties) + ',"properties_attributes": {"final": "false"}},{"type": "ranger-hdfs-security", "service_config_version_note": "Initial configuration for Ranger HDFS plugin" , "tag": "' + str( + date_time_stamp) + '", "properties":' + json.dumps(advanced_ranger_hdfs_security_properties) + ',"properties_attributes": {"final": "false"}}]}}]' + + print ('####################### hdfs_site_xml configuration :') + for each_key in hdfs_site_xml_properties: + print str(each_key) + ' = ' + str(hdfs_site_xml_properties[each_key]) + + print ('####################### ranger_hdfs_plugin_properties configuration :') + for each_key in advanced_ranger_hdfs_plugin_properties: + print str(each_key) + ' = ' + str(advanced_ranger_hdfs_plugin_properties[each_key]) + + print ('####################### ranger_hdfs_audit_properties configuration :') + for each_key in advanced_ranger_hdfs_audit_properties: + print str(each_key) + ' = ' + str(advanced_ranger_hdfs_audit_properties[each_key]) + + print ('####################### ranger_hdfs_policymgr_ssl_properties configuration :') + for each_key in advanced_ranger_hdfs_policymgr_ssl_properties: + print str(each_key) + ' = ' + str(advanced_ranger_hdfs_policymgr_ssl_properties[each_key]) + + print ('####################### ranger_hdfs_security_properties configuration 
:') + for each_key in advanced_ranger_hdfs_security_properties: + print str(each_key) + ' = ' + str(advanced_ranger_hdfs_security_properties[each_key]) + + confirm_configurations = raw_input('please confirm the above configuration values y/n (n) : ') + if(confirm_configurations == ''): + confirm_configurations = 'n' + print ('Input registered as ' + str(confirm_configurations)) + + + if(confirm_configurations.lower() == 'y'): + ranger_config_request_url = ambari_cluster_url + request_result = call_ambari_api(ranger_config_request_url, 'PUT', ambari_username_password, str(plugin_configuration_data)) + if request_result is not None: + response_code = request_result.getcode() + response = json.loads(json.JSONEncoder().encode(request_result.read())) + if response_code == 200 and response is not None: + print('ranger hdfs plugin configuration added successfully in ambari.') + return True + else: + print('ranger hdfs plugin configuration add failed in ambari.') + return False + else: + print('ranger hdfs plugin configuration add failed in ambari.') + return False + else: + print ('exiting installation without configuration !') + sys.exit(0) + else: + print('ranger hdfs plugin configuration add failed in ambari.') + return False + +def port_ranger_yarn_plugin_to_ambari(): + print('Trying to add ranger yarn plugin.') + flag_yarn_plugin_installed,yarn_plugin_installed_properties,yarn_site_xml_properties = get_yarn_plugin_configuration() + if( flag_yarn_plugin_installed and yarn_plugin_installed_properties is not None and yarn_site_xml_properties is not None): + print('yarn plugin is installed and enabled, adding to configurations') + advanced_ranger_yarn_plugin_properties = dict() + advanced_ranger_yarn_audit_properties = dict() + advanced_ranger_yarn_policymgr_ssl_properties = dict() + advanced_ranger_yarn_security_properties = dict() + + advanced_ranger_yarn_plugin_properties['policy_user'] = 'ambari-qa' + advanced_ranger_yarn_plugin_properties['hadoop.rpc.protection'] = 
'' + advanced_ranger_yarn_plugin_properties['common.name.for.certificate'] = '' + advanced_ranger_yarn_plugin_properties['ranger-yarn-plugin-enabled'] = 'Yes' + advanced_ranger_yarn_plugin_properties['REPOSITORY_CONFIG_USERNAME'] = 'yarn' + advanced_ranger_yarn_plugin_properties['REPOSITORY_CONFIG_PASSWORD'] = 'yarn' + + + advanced_ranger_yarn_audit_properties['xasecure.audit.is.enabled'] = yarn_plugin_installed_properties.get('xasecure.audit.is.enabled','true') + advanced_ranger_yarn_audit_properties['xasecure.audit.destination.db'] = yarn_plugin_installed_properties.get('xasecure.audit.db.is.enabled','false') + advanced_ranger_yarn_audit_properties['xasecure.audit.destination.db.jdbc.url'] = yarn_plugin_installed_properties.get('xasecure.audit.jpa.javax.persistence.jdbc.url','{{audit_jdbc_url}}') + advanced_ranger_yarn_audit_properties['xasecure.audit.destination.db.user'] = yarn_plugin_installed_properties.get('xasecure.audit.jpa.javax.persistence.jdbc.user','{{xa_audit_db_user}}') + advanced_ranger_yarn_audit_properties['xasecure.audit.destination.db.password'] = yarn_plugin_installed_properties.get('xasecure.audit.jpa.javax.persistence.jdbc.password','crypted') + advanced_ranger_yarn_audit_properties['xasecure.audit.destination.db.jdbc.driver'] = yarn_plugin_installed_properties.get('xasecure.audit.jpa.javax.persistence.jdbc.driver','{{jdbc_driver}}') + advanced_ranger_yarn_audit_properties['xasecure.audit.credential.provider.file'] = yarn_plugin_installed_properties.get('xasecure.audit.credential.provider.file','jceks://file{{credential_file}}') + advanced_ranger_yarn_audit_properties['xasecure.audit.destination.db.batch.filespool.dir'] = yarn_plugin_installed_properties.get('xasecure.audit.destination.db.batch.filespool.dir','/var/log/hadoop/yarn/audit/db/spool') + advanced_ranger_yarn_audit_properties['xasecure.audit.destination.hdfs'] = yarn_plugin_installed_properties.get('xasecure.audit.destination.hdfs','true') + 
advanced_ranger_yarn_audit_properties['xasecure.audit.destination.hdfs.dir'] = yarn_plugin_installed_properties.get('xasecure.audit.destination.hdfs.dir','hdfs://NAMENODE_HOSTNAME:8020/ranger/audit') + advanced_ranger_yarn_audit_properties['xasecure.audit.destination.hdfs.batch.filespool.dir'] = yarn_plugin_installed_properties.get('xasecure.audit.destination.hdfs.batch.filespool.dir','/var/log/hadoop/yarn/audit/hdfs/spool') + advanced_ranger_yarn_audit_properties['xasecure.audit.destination.solr'] = yarn_plugin_installed_properties.get('xasecure.audit.destination.solr','false') + advanced_ranger_yarn_audit_properties['xasecure.audit.destination.solr.urls'] = yarn_plugin_installed_properties.get('xasecure.audit.destination.solr.urls','{{ranger_audit_solr_urls}}') + advanced_ranger_yarn_audit_properties['xasecure.audit.destination.solr.zookeepers'] = yarn_plugin_installed_properties.get('xasecure.audit.destination.solr.zookeepers','none') + advanced_ranger_yarn_audit_properties['xasecure.audit.destination.solr.batch.filespool.dir'] = yarn_plugin_installed_properties.get('xasecure.audit.destination.solr.batch.filespool.dir','/var/log/hadoop/yarn/audit/solr/spool') + advanced_ranger_yarn_audit_properties['xasecure.audit.provider.summary.enabled'] = yarn_plugin_installed_properties.get('xasecure.audit.provider.summary.enabled','false') + + advanced_ranger_yarn_policymgr_ssl_properties['xasecure.policymgr.clientssl.keystore'] = yarn_plugin_installed_properties.get('xasecure.policymgr.clientssl.keystore','/usr/hdp/current/hadoop-client/conf/ranger-yarn-plugin-keystore.jks') + advanced_ranger_yarn_policymgr_ssl_properties['xasecure.policymgr.clientssl.keystore.password'] = yarn_plugin_installed_properties.get('xasecure.policymgr.clientssl.keystore.password','myKeyFilePassword') + advanced_ranger_yarn_policymgr_ssl_properties['xasecure.policymgr.clientssl.truststore'] = 
yarn_plugin_installed_properties.get('xasecure.policymgr.clientssl.truststore','/usr/hdp/current/hadoop-client/conf/ranger-yarn-plugin-truststore.jks') + advanced_ranger_yarn_policymgr_ssl_properties['xasecure.policymgr.clientssl.truststore.password'] = yarn_plugin_installed_properties.get('xasecure.policymgr.clientssl.truststore.password','changeit') + advanced_ranger_yarn_policymgr_ssl_properties['xasecure.policymgr.clientssl.keystore.credential.file'] = yarn_plugin_installed_properties.get('xasecure.policymgr.clientssl.keystore.credential.file','jceks://file{{credential_file}}') + advanced_ranger_yarn_policymgr_ssl_properties['xasecure.policymgr.clientssl.truststore.credential.file'] = yarn_plugin_installed_properties.get('xasecure.policymgr.clientssl.truststore.credential.file','jceks://file{{credential_file}}') + + + advanced_ranger_yarn_security_properties['ranger.plugin.yarn.service.name'] = yarn_plugin_installed_properties.get('ranger.plugin.yarn.service.name','{{repo_name}}') + advanced_ranger_yarn_security_properties['ranger.plugin.yarn.policy.source.impl'] = yarn_plugin_installed_properties.get('ranger.plugin.yarn.policy.source.impl','org.apache.ranger.admin.client.RangerAdminRESTClient') + advanced_ranger_yarn_security_properties['ranger.plugin.yarn.policy.rest.url'] = yarn_plugin_installed_properties.get('ranger.plugin.yarn.policy.rest.url','{{policymgr_mgr_url}}') + advanced_ranger_yarn_security_properties['ranger.plugin.yarn.policy.rest.ssl.config.file'] = yarn_plugin_installed_properties.get('ranger.plugin.yarn.policy.rest.ssl.config.file','/etc/hadoop/conf/ranger-policymgr-ssl-yarn.xml') + advanced_ranger_yarn_security_properties['ranger.plugin.yarn.policy.pollIntervalMs'] = yarn_plugin_installed_properties.get('ranger.plugin.yarn.policy.pollIntervalMs','30000') + advanced_ranger_yarn_security_properties['ranger.plugin.yarn.policy.cache.dir'] = 
yarn_plugin_installed_properties.get('ranger.plugin.yarn.policy.cache.dir','/etc/ranger/{{repo_name}}/policycache') + + date_time_stamp = getDateTimeNow() + + plugin_configuration_data = '[{"Clusters":{"desired_config":[{"type":"yarn-site", "service_config_version_note": "Initial configuration for Ranger YARN plugin" ,"tag":"' + str(date_time_stamp) + '","properties":' + str( + json.dumps(yarn_site_xml_properties)) + ', "properties_attributes": {"final": "false"}},{"type": "ranger-yarn-plugin-properties", "service_config_version_note": "Initial configuration for Ranger YARN plugin" , "tag": "' + str( + date_time_stamp) + '", "properties":' + json.dumps(advanced_ranger_yarn_plugin_properties) + ',"properties_attributes": {"final": "false"}},{"type": "ranger-yarn-audit", "service_config_version_note": "Initial configuration for Ranger YARN plugin" , "tag": "' + str( + date_time_stamp) + '", "properties":' + json.dumps(advanced_ranger_yarn_audit_properties) + ',"properties_attributes": {"final": "false"}},{"type": "ranger-yarn-policymgr-ssl", "service_config_version_note": "Initial configuration for Ranger YARN plugin" , "tag": "' + str( + date_time_stamp) + '", "properties":' + json.dumps(advanced_ranger_yarn_policymgr_ssl_properties) + ',"properties_attributes": {"final": "false"}},{"type": "ranger-yarn-security", "service_config_version_note": "Initial configuration for Ranger YARN plugin" , "tag": "' + str( + date_time_stamp) + '", "properties":' + json.dumps(advanced_ranger_yarn_security_properties) + ',"properties_attributes": {"final": "false"}}]}}]' + + print ('####################### yarn_site_xml configuration :') + for each_key in yarn_site_xml_properties: + print str(each_key) + ' = ' + str(yarn_site_xml_properties[each_key]) + + print ('####################### ranger_yarn_plugin_properties configuration :') + for each_key in advanced_ranger_yarn_plugin_properties: + print str(each_key) + ' = ' + str(advanced_ranger_yarn_plugin_properties[each_key]) + + 
print ('####################### ranger_yarn_audit_properties configuration :') + for each_key in advanced_ranger_yarn_audit_properties: + print str(each_key) + ' = ' + str(advanced_ranger_yarn_audit_properties[each_key]) + + print ('####################### ranger_yarn_policymgr_ssl_properties configuration :') + for each_key in advanced_ranger_yarn_policymgr_ssl_properties: + print str(each_key) + ' = ' + str(advanced_ranger_yarn_policymgr_ssl_properties[each_key]) + + print ('####################### ranger_hdfs_security_properties configuration :') + for each_key in advanced_ranger_yarn_security_properties: + print str(each_key) + ' = ' + str(advanced_ranger_yarn_security_properties[each_key]) + + + confirm_configurations = raw_input('please confirm the above configuration values y/n (n) : ') + if(confirm_configurations == ''): + confirm_configurations = 'n' + print ('Input registered as ' + str(confirm_configurations)) + + if(confirm_configurations.lower() == 'y'): + ranger_config_request_url = ambari_cluster_url + request_result = call_ambari_api(ranger_config_request_url, 'PUT', ambari_username_password, str(plugin_configuration_data)) + if request_result is not None: + response_code = request_result.getcode() + response = json.loads(json.JSONEncoder().encode(request_result.read())) + if response_code == 200 and response is not None: + print('ranger yarn plugin configuration added successfully in ambari.') + return True + else: + print('ranger yarn plugin configuration add failed in ambari.') + return False + else: + print('ranger yarn plugin configuration add failed in ambari.') + return False + else: + print ('exiting installation without configuration !') + sys.exit(0) + else: + print('ranger yarn plugin configuration add failed in ambari.') + return False + + +def port_ranger_hive_plugin_to_ambari(): + print('Trying to add ranger hive plugin.') + flag_hive_plugin_installed, hive_plugin_install_properties, hive_server2_xml_properties = 
get_hive_plugin_configuration() + hive_env_properties, hive_site_properties = get_hive_configs_from_ambari() + if flag_hive_plugin_installed and hive_plugin_install_properties is not None and hive_server2_xml_properties is not None and hive_env_properties is not None and hive_site_properties is not None: + hive_server2_xml_properties['hive.security.authorization.enabled'] = 'true' + hive_server2_xml_properties['hive.security.authorization.manager'] = 'org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizerFactory' + hive_server2_xml_properties['hive.security.authenticator.manager'] = 'org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator' + hive_server2_xml_properties['hive.conf.restricted.list'] = 'hive.security.authorization.enabled,hive.security.authorization.manager,hive.security.authenticator.manager' + + print('hive plugin is installed and enabled, adding to configurations') + advanced_ranger_hive_plugin_properties = dict() + advanced_ranger_hive_audit_properties = dict() + advanced_ranger_hive_policymgr_ssl_properties = dict() + advanced_ranger_hive_security_properties = dict() + + advanced_ranger_hive_plugin_properties['policy_user'] = 'ambari-qa' + advanced_ranger_hive_plugin_properties['jdbc.driverClassName'] = 'org.apache.hive.jdbc.HiveDriver' + advanced_ranger_hive_plugin_properties['common.name.for.certificate'] = '' +# advanced_ranger_hive_plugin_properties['ranger-hive-plugin-enabled'] = 'Yes' + advanced_ranger_hive_plugin_properties['REPOSITORY_CONFIG_USERNAME'] = 'hive' + advanced_ranger_hive_plugin_properties['REPOSITORY_CONFIG_PASSWORD'] = 'hive' + + advanced_ranger_hive_audit_properties['xasecure.audit.is.enabled'] = hive_plugin_install_properties.get('xasecure.audit.is.enabled','true') + advanced_ranger_hive_audit_properties['xasecure.audit.destination.db'] = hive_plugin_install_properties.get('xasecure.audit.db.is.enabled','false') + advanced_ranger_hive_audit_properties['xasecure.audit.destination.db.jdbc.url'] = 
hive_plugin_install_properties.get('xasecure.audit.jpa.javax.persistence.jdbc.url','{{audit_jdbc_url}}') + advanced_ranger_hive_audit_properties['xasecure.audit.destination.db.user'] = hive_plugin_install_properties.get('xasecure.audit.jpa.javax.persistence.jdbc.user','{{xa_audit_db_user}}') + advanced_ranger_hive_audit_properties['xasecure.audit.destination.db.password'] = hive_plugin_install_properties.get('xasecure.audit.jpa.javax.persistence.jdbc.password','crypted') + advanced_ranger_hive_audit_properties['xasecure.audit.destination.db.jdbc.driver'] = hive_plugin_install_properties.get('xasecure.audit.jpa.javax.persistence.jdbc.driver','{{jdbc_driver}}') + advanced_ranger_hive_audit_properties['xasecure.audit.credential.provider.file'] = hive_plugin_install_properties.get('xasecure.audit.credential.provider.file','jceks://file{{credential_file}}') + advanced_ranger_hive_audit_properties['xasecure.audit.destination.db.batch.filespool.dir'] = hive_plugin_install_properties.get('xasecure.audit.destination.db.batch.filespool.dir','/var/log/hive/audit/db/spool') + advanced_ranger_hive_audit_properties['xasecure.audit.destination.hdfs'] = hive_plugin_install_properties.get('xasecure.audit.destination.hdfs','true') + advanced_ranger_hive_audit_properties['xasecure.audit.destination.hdfs.dir'] = hive_plugin_install_properties.get('xasecure.audit.destination.hdfs.dir','hdfs://NAMENODE_HOSTNAME:8020/ranger/audit') + advanced_ranger_hive_audit_properties['xasecure.audit.destination.hdfs.batch.filespool.dir'] = hive_plugin_install_properties.get('xasecure.audit.destination.hdfs.batch.filespool.dir','/var/log/hive/audit/hdfs/spool') + advanced_ranger_hive_audit_properties['xasecure.audit.destination.solr'] = hive_plugin_install_properties.get('xasecure.audit.destination.solr','false') + advanced_ranger_hive_audit_properties['xasecure.audit.destination.solr.urls'] = hive_plugin_install_properties.get('xasecure.audit.destination.solr.urls','{{ranger_audit_solr_urls}}') + 
advanced_ranger_hive_audit_properties['xasecure.audit.destination.solr.zookeepers'] = hive_plugin_install_properties.get('xasecure.audit.destination.solr.zookeepers','none') + advanced_ranger_hive_audit_properties['xasecure.audit.destination.solr.batch.filespool.dir'] = hive_plugin_install_properties.get('xasecure.audit.destination.solr.batch.filespool.dir','/var/log/hive/audit/solr/spool') + advanced_ranger_hive_audit_properties['xasecure.audit.provider.summary.enabled'] = hive_plugin_install_properties.get('xasecure.audit.provider.summary.enabled','false') + + + advanced_ranger_hive_policymgr_ssl_properties['xasecure.policymgr.clientssl.keystore'] = hive_plugin_install_properties.get('xasecure.policymgr.clientssl.keystore','/usr/hdp/current/hive-server2/conf/ranger-plugin-keystore.jks') + advanced_ranger_hive_policymgr_ssl_properties['xasecure.policymgr.clientssl.keystore.password'] = hive_plugin_install_properties.get('xasecure.policymgr.clientssl.keystore.password','myKeyFilePassword') + advanced_ranger_hive_policymgr_ssl_properties['xasecure.policymgr.clientssl.truststore'] = hive_plugin_install_properties.get('xasecure.policymgr.clientssl.truststore','/usr/hdp/current/hive-server2/conf/ranger-plugin-truststore.jks') + advanced_ranger_hive_policymgr_ssl_properties['xasecure.policymgr.clientssl.truststore.password'] = hive_plugin_install_properties.get('xasecure.policymgr.clientssl.truststore.password','changeit') + advanced_ranger_hive_policymgr_ssl_properties['xasecure.policymgr.clientssl.keystore.credential.file'] = hive_plugin_install_properties.get('xasecure.policymgr.clientssl.keystore.credential.file','jceks://file{{credential_file}}') + advanced_ranger_hive_policymgr_ssl_properties['xasecure.policymgr.clientssl.truststore.credential.file'] = hive_plugin_install_properties.get('xasecure.policymgr.clientssl.truststore.credential.file','jceks://file{{credential_file}}') + + + advanced_ranger_hive_security_properties['ranger.plugin.hive.service.name'] = 
hive_plugin_install_properties.get('ranger.plugin.hive.service.name','{{repo_name}}') + advanced_ranger_hive_security_properties['ranger.plugin.hive.policy.source.impl'] = hive_plugin_install_properties.get('ranger.plugin.hive.policy.source.impl','org.apache.ranger.admin.client.RangerAdminRESTClient') + advanced_ranger_hive_security_properties['ranger.plugin.hive.policy.rest.url'] = hive_plugin_install_properties.get('ranger.plugin.hive.policy.rest.url','{{policymgr_mgr_url}}') + advanced_ranger_hive_security_properties['ranger.plugin.hive.policy.rest.ssl.config.file'] = hive_plugin_install_properties.get('ranger.plugin.hive.policy.rest.ssl.config.file','/usr/hdp/current/hive-server2/conf/ranger-policymgr-ssl.xml') + advanced_ranger_hive_security_properties['ranger.plugin.hive.policy.pollIntervalMs'] = hive_plugin_install_properties.get('ranger.plugin.hive.policy.pollIntervalMs','30000') + advanced_ranger_hive_security_properties['ranger.plugin.hive.policy.cache.dir'] = hive_plugin_install_properties.get('ranger.plugin.hive.policy.cache.dir','/etc/ranger/{{repo_name}}/policycache') + advanced_ranger_hive_security_properties['xasecure.hive.update.xapolicies.on.grant.revoke'] = hive_plugin_install_properties.get('xasecure.hive.update.xapolicies.on.grant.revoke','true') + + hive_env_properties['hive_security_authorization'] = 'Ranger' + hive_site_properties['hive.server2.enable.doAs'] = 'false' + + + date_time_stamp = getDateTimeNow() + + plugin_configuration_data = '[{"Clusters":{"desired_config":[{"type":"hiveserver2-site", "service_config_version_note": "Initial configuration for Ranger HIVE plugin" ,"tag":"' + str(date_time_stamp) + '","properties":' + str( + json.dumps(hive_server2_xml_properties)) + ', "properties_attributes": {"final": "false"}},{"type":"hive-site", "service_config_version_note": "Initial configuration for Ranger HIVE plugin" ,"tag":"' + str(date_time_stamp) + '","properties":' + str( + json.dumps(hive_site_properties)) + ', 
"properties_attributes": {"final": "false"}},{"type":"hive-env", "service_config_version_note": "Initial configuration for Ranger HIVE plugin" ,"tag":"' + str(date_time_stamp) + '","properties":' + str( + json.dumps(hive_env_properties)) + ', "properties_attributes": {"final": "false"}},{"type": "ranger-hive-plugin-properties", "service_config_version_note": "Initial configuration for Ranger HIVE plugin" ,"tag":"' + str( + date_time_stamp) + '", "properties":' + json.dumps(advanced_ranger_hive_plugin_properties) + ',"properties_attributes": {"final": "false"}},{"type": "ranger-hive-audit", "service_config_version_note": "Initial configuration for Ranger HIVE plugin" ,"tag":"' + str( + date_time_stamp) + '", "properties":' + json.dumps(advanced_ranger_hive_audit_properties) + ',"properties_attributes": {"final": "false"}},{"type": "ranger-hive-policymgr-ssl", "service_config_version_note": "Initial configuration for Ranger HIVE plugin" ,"tag":"' + str( + date_time_stamp) + '", "properties":' + json.dumps(advanced_ranger_hive_policymgr_ssl_properties) + ',"properties_attributes": {"final": "false"}},{"type": "ranger-hive-security", "service_config_version_note": "Initial configuration for Ranger HIVE plugin" ,"tag":"' + str( + date_time_stamp) + '", "properties":' + json.dumps(advanced_ranger_hive_security_properties) + ',"properties_attributes": {"final": "false"}}]}}]' + + + print ('####################### hive_server2_xml configuration :') + for each_key in hive_server2_xml_properties: + print str(each_key) + ' = ' + str(hive_server2_xml_properties[each_key]) + + print ('####################### ranger_hive_plugin_properties configuration :') + for each_key in advanced_ranger_hive_plugin_properties: + print str(each_key) + ' = ' + str(advanced_ranger_hive_plugin_properties[each_key]) + + print ('####################### ranger_hive_audit_properties configuration :') + for each_key in advanced_ranger_hive_audit_properties: + print str(each_key) + ' = ' + 
str(advanced_ranger_hive_audit_properties[each_key]) + + print ('####################### ranger_hive_policymgr_ssl configuration :') + for each_key in advanced_ranger_hive_policymgr_ssl_properties: + print str(each_key) + ' = ' + str(advanced_ranger_hive_policymgr_ssl_properties[each_key]) + + print ('####################### ranger_hive_security_properties configuration :') + for each_key in advanced_ranger_hive_security_properties: + print str(each_key) + ' = ' + str(advanced_ranger_hive_security_properties[each_key]) + + print ('####################### ranger_hive_env_properties configuration :') + for each_key in hive_env_properties: + print str(each_key) + ' = ' + str(hive_env_properties[each_key]) + + print ('####################### ranger_hive_site_properties configuration :') + for each_key in hive_site_properties: + print str(each_key) + ' = ' + str(hive_site_properties[each_key]) + + + confirm_configurations = raw_input('please confirm the above configuration values y/n (n) : ') + if(confirm_configurations == ''): + confirm_configurations = 'n' + print ('Input registered as ' + str(confirm_configurations)) + + + if(confirm_configurations.lower() == 'y'): + ranger_config_request_url = ambari_cluster_url + request_result = call_ambari_api(ranger_config_request_url, 'PUT', ambari_username_password, str(plugin_configuration_data)) + if request_result is not None: + response_code = request_result.getcode() + response = json.loads(json.JSONEncoder().encode(request_result.read())) + if response_code == 200 and response is not None: + print('ranger hive plugin configuration added successfully in ambari.') + return True + else: + print('ranger hive plugin configuration add failed in ambari.') + return False + else: + print('ranger hive plugin configuration add failed in ambari.') + return False + else: + print ('exiting installation without configuration !') + sys.exit(0) + else: + print('ranger hive plugin configuration add failed in ambari.') + return False + + + 
+def port_ranger_hbase_plugin_to_ambari(): + print('Trying to add ranger Hbase plugin.') + flag_hbase_plugin_installed, hbase_plugin_install_properties, hbase_site_xml_properties = get_hbase_plugin_configuration() + if flag_hbase_plugin_installed and hbase_plugin_install_properties is not None and hbase_site_xml_properties is not None: + print('Hbase plugin is installed and enabled, adding to configurations') + advanced_ranger_hbase_plugin_properties = dict() + advanced_ranger_hbase_audit_properties = dict() + advanced_ranger_hbase_policymgr_ssl_properties = dict() + advanced_ranger_hbase_security_properties = dict() + + advanced_ranger_hbase_plugin_properties['policy_user'] = 'ambari-qa' + advanced_ranger_hbase_plugin_properties['common.name.for.certificate'] = '' + advanced_ranger_hbase_plugin_properties['ranger-hbase-plugin-enabled'] = 'Yes' + advanced_ranger_hbase_plugin_properties['REPOSITORY_CONFIG_USERNAME'] = 'hbase' + advanced_ranger_hbase_plugin_properties['REPOSITORY_CONFIG_PASSWORD'] = 'hbase' + + + advanced_ranger_hbase_audit_properties['xasecure.audit.is.enabled'] = hbase_plugin_install_properties.get('xasecure.audit.is.enabled','true') + advanced_ranger_hbase_audit_properties['xasecure.audit.destination.db'] = hbase_plugin_install_properties.get('xasecure.audit.db.is.enabled','false') + advanced_ranger_hbase_audit_properties['xasecure.audit.destination.db.jdbc.url'] = hbase_plugin_install_properties.get('xasecure.audit.jpa.javax.persistence.jdbc.url','{{audit_jdbc_url}}') + advanced_ranger_hbase_audit_properties['xasecure.audit.destination.db.user'] = hbase_plugin_install_properties.get('xasecure.audit.jpa.javax.persistence.jdbc.user','{{xa_audit_db_user}}') + advanced_ranger_hbase_audit_properties['xasecure.audit.destination.db.password'] = hbase_plugin_install_properties.get('xasecure.audit.jpa.javax.persistence.jdbc.password','crypted') + advanced_ranger_hbase_audit_properties['xasecure.audit.destination.db.jdbc.driver'] = 
hbase_plugin_install_properties.get('xasecure.audit.jpa.javax.persistence.jdbc.driver','{{jdbc_driver}}') + advanced_ranger_hbase_audit_properties['xasecure.audit.credential.provider.file'] = hbase_plugin_install_properties.get('xasecure.audit.credential.provider.file','jceks://file{{credential_file}}') + advanced_ranger_hbase_audit_properties['xasecure.audit.destination.db.batch.filespool.dir'] = hbase_plugin_install_properties.get('xasecure.audit.destination.db.batch.filespool.dir','/var/log/hbase/audit/db/spool') + advanced_ranger_hbase_audit_properties['xasecure.audit.destination.hdfs'] = hbase_plugin_install_properties.get('xasecure.audit.destination.hdfs','true') + advanced_ranger_hbase_audit_properties['xasecure.audit.destination.hdfs.dir'] = hbase_plugin_install_properties.get('xasecure.audit.destination.hdfs.dir','hdfs://NAMENODE_HOSTNAME:8020/ranger/audit') + advanced_ranger_hbase_audit_properties['xasecure.audit.destination.hdfs.batch.filespool.dir'] = hbase_plugin_install_properties.get('xasecure.audit.destination.hdfs.batch.filespool.dir','/var/log/hbase/audit/hdfs/spool') + advanced_ranger_hbase_audit_properties['xasecure.audit.destination.solr'] = hbase_plugin_install_properties.get('xasecure.audit.destination.solr','false') + advanced_ranger_hbase_audit_properties['xasecure.audit.destination.solr.urls'] = hbase_plugin_install_properties.get('xasecure.audit.destination.solr.urls','{{ranger_audit_solr_urls}}') + advanced_ranger_hbase_audit_properties['xasecure.audit.destination.solr.zookeepers'] = hbase_plugin_install_properties.get('xasecure.audit.destination.solr.zookeepers','none') + advanced_ranger_hbase_audit_properties['xasecure.audit.destination.solr.batch.filespool.dir'] = hbase_plugin_install_properties.get('xasecure.audit.destination.solr.batch.filespool.dir','/var/log/hbase/audit/solr/spool') + advanced_ranger_hbase_audit_properties['xasecure.audit.provider.summary.enabled'] = 
hbase_plugin_install_properties.get('xasecure.audit.provider.summary.enabled','true') + + advanced_ranger_hbase_policymgr_ssl_properties['xasecure.policymgr.clientssl.keystore'] = hbase_plugin_install_properties.get('xasecure.policymgr.clientssl.keystore','/usr/hdp/current/hbase-client/conf/ranger-plugin-keystore.jks') + advanced_ranger_hbase_policymgr_ssl_properties['xasecure.policymgr.clientssl.keystore.password'] = hbase_plugin_install_properties.get('xasecure.policymgr.clientssl.keystore.password','myKeyFilePassword') + advanced_ranger_hbase_policymgr_ssl_properties['xasecure.policymgr.clientssl.truststore'] = hbase_plugin_install_properties.get('xasecure.policymgr.clientssl.truststore','/usr/hdp/current/hbase-client/conf/ranger-plugin-truststore.jks') + advanced_ranger_hbase_policymgr_ssl_properties['xasecure.policymgr.clientssl.truststore.password'] = hbase_plugin_install_properties.get('xasecure.policymgr.clientssl.truststore.password','changeit') + advanced_ranger_hbase_policymgr_ssl_properties['xasecure.policymgr.clientssl.keystore.credential.file'] = hbase_plugin_install_properties.get('xasecure.policymgr.clientssl.keystore.credential.file','jceks://file{{credential_file}}') + advanced_ranger_hbase_policymgr_ssl_properties['xasecure.policymgr.clientssl.truststore.credential.file'] = hbase_plugin_install_properties.get('xasecure.policymgr.clientssl.truststore.credential.file','jceks://file{{credential_file}}') + + advanced_ranger_hbase_security_properties['ranger.plugin.hbase.service.name'] = hbase_plugin_install_properties.get('ranger.plugin.hbase.service.name','{{repo_name}}') + advanced_ranger_hbase_security_properties['ranger.plugin.hbase.policy.source.impl'] = hbase_plugin_install_properties.get('ranger.plugin.hbase.policy.source.impl','org.apache.ranger.admin.client.RangerAdminRESTClient') + advanced_ranger_hbase_security_properties['ranger.plugin.hbase.policy.rest.url'] = 
hbase_plugin_install_properties.get('ranger.plugin.hbase.policy.rest.url','{{policymgr_mgr_url}}') + advanced_ranger_hbase_security_properties['ranger.plugin.hbase.policy.rest.ssl.config.file'] = hbase_plugin_install_properties.get('ranger.plugin.hbase.policy.rest.ssl.config.file','/etc/hbase/conf/ranger-policymgr-ssl.xml') + advanced_ranger_hbase_security_properties['ranger.plugin.hbase.policy.pollIntervalMs'] = hbase_plugin_install_properties.get('ranger.plugin.hbase.policy.pollIntervalMs','30000') + advanced_ranger_hbase_security_properties['ranger.plugin.hbase.policy.cache.dir'] = hbase_plugin_install_properties.get('ranger.plugin.hbase.policy.cache.dir','/etc/ranger/{{repo_name}}/policycache') + advanced_ranger_hbase_security_properties['xasecure.hbase.update.xapolicies.on.grant.revoke'] = hbase_plugin_install_properties.get('xasecure.hbase.update.xapolicies.on.grant.revoke','true') + + + date_time_stamp = getDateTimeNow() + plugin_configuration_data = '[{"Clusters":{"desired_config":[{"type":"hbase-site", "service_config_version_note": "Initial configuration for Ranger HBASE plugin" ,"tag":"' + str(date_time_stamp) + '","properties":' + str( + json.dumps(hbase_site_xml_properties)) + ', "properties_attributes": {"final": "false"}},{"type": "ranger-hbase-plugin-properties","service_config_version_note": "Initial configuration for Ranger HBASE plugin" ,"tag":"' + str( + date_time_stamp) + '", "properties":' + json.dumps(advanced_ranger_hbase_plugin_properties) + ',"properties_attributes": {"final": "false"}},{"type": "ranger-hbase-audit","service_config_version_note": "Initial configuration for Ranger HBASE plugin" ,"tag":"' + str( + date_time_stamp) + '", "properties":' + json.dumps(advanced_ranger_hbase_audit_properties) + ',"properties_attributes": {"final": "false"}},{"type": "ranger-hbase-policymgr-ssl","service_config_version_note": "Initial configuration for Ranger HBASE plugin" ,"tag":"' + str( + date_time_stamp) + '", "properties":' + 
json.dumps(advanced_ranger_hbase_policymgr_ssl_properties) + ',"properties_attributes": {"final": "false"}},{"type": "ranger-hbase-security","service_config_version_note": "Initial configuration for Ranger HBASE plugin" ,"tag":"' + str( + date_time_stamp) + '", "properties":' + json.dumps(advanced_ranger_hbase_security_properties) + ',"properties_attributes": {"final": "false"}}]}}]' + + print ('####################### hbase_site_xml configuration :') + for each_key in hbase_site_xml_properties: + print str(each_key) + ' = ' + str(hbase_site_xml_properties[each_key]) + + print ('####################### ranger_hbase_plugin_properties configuration :') + for each_key in advanced_ranger_hbase_plugin_properties: + print str(each_key) + ' = ' + str(advanced_ranger_hbase_plugin_properties[each_key]) + + print ('####################### ranger_hbase_audit_properties configuration :') + for each_key in advanced_ranger_hbase_audit_properties: + print str(each_key) + ' = ' + str(advanced_ranger_hbase_audit_properties[each_key]) + + print ('####################### ranger_hbase_policymgr_ssl_properties configuration :') + for each_key in advanced_ranger_hbase_policymgr_ssl_properties: + print str(each_key) + ' = ' + str(advanced_ranger_hbase_policymgr_ssl_properties[each_key]) + + print ('####################### ranger_hbase_security_properties configuration :') + for each_key in advanced_ranger_hbase_security_properties: + print str(each_key) + ' = ' + str(advanced_ranger_hbase_security_properties[each_key]) + + confirm_configurations = raw_input('please confirm the above configuration values y/n (n) : ') + if(confirm_configurations == ''): + confirm_configurations = 'n' + print ('Input registered as ' + str(confirm_configurations)) + + + if(confirm_configurations.lower() == 'y'): + ranger_config_request_url = ambari_cluster_url + request_result = call_ambari_api(ranger_config_request_url, 'PUT', ambari_username_password, str(plugin_configuration_data)) + if request_result is 
not None: + response_code = request_result.getcode() + response = json.loads(json.JSONEncoder().encode(request_result.read())) + if response_code == 200 and response is not None: + print('ranger hbase plugin configuration added successfully in ambari.') + return True + else: + print('ranger hbase plugin configuration add failed in ambari.') + return False + else: + print ('ranger hbase plugin configuration add failed in ambari.') + return False + else: + print ('exiting installation without configuration !') + sys.exit(0) + else: + print ('ranger hbase plugin configuration add failed in ambari.') + return False + + + +def port_ranger_knox_plugin_to_ambari(): + print('trying to add ranger knox plugin.') + flag_knox_plugin_installed, knox_plugin_install_properties = get_knox_plugin_configuration() + if flag_knox_plugin_installed and knox_plugin_install_properties is not None: + print('Knox plugin is installed and enabled, adding to configurations') + advanced_ranger_knox_plugin_properties = dict() + advanced_ranger_knox_audit_properties = dict() + advanced_ranger_knox_policymgr_ssl_properties = dict() + advanced_ranger_knox_security_properties = dict() + + advanced_ranger_knox_plugin_properties['policy_user'] = 'ambari-qa' + advanced_ranger_knox_plugin_properties['common.name.for.certificate'] = '' + advanced_ranger_knox_plugin_properties['ranger-knox-plugin-enabled'] = 'Yes' + advanced_ranger_knox_plugin_properties['REPOSITORY_CONFIG_USERNAME'] = 'admin' + advanced_ranger_knox_plugin_properties['REPOSITORY_CONFIG_PASSWORD'] = 'admin-password' + advanced_ranger_knox_plugin_properties['KNOX_HOME'] = '/usr/hdp/current/knox-server' + + advanced_ranger_knox_audit_properties['xasecure.audit.is.enabled'] = knox_plugin_install_properties.get('xasecure.audit.is.enabled','true') + advanced_ranger_knox_audit_properties['xasecure.audit.destination.db'] = knox_plugin_install_properties.get('xasecure.audit.db.is.enabled','false') + 
advanced_ranger_knox_audit_properties['xasecure.audit.destination.db.jdbc.url'] = knox_plugin_install_properties.get('xasecure.audit.jpa.javax.persistence.jdbc.url','{{audit_jdbc_url}}') + advanced_ranger_knox_audit_properties['xasecure.audit.destination.db.user'] = knox_plugin_install_properties.get('xasecure.audit.jpa.javax.persistence.jdbc.user','{{xa_audit_db_user}}') + advanced_ranger_knox_audit_properties['xasecure.audit.destination.db.password'] = knox_plugin_install_properties.get('xasecure.audit.jpa.javax.persistence.jdbc.password','crypted') + advanced_ranger_knox_audit_properties['xasecure.audit.destination.db.jdbc.driver'] = knox_plugin_install_properties.get('xasecure.audit.jpa.javax.persistence.jdbc.driver','{{jdbc_driver}}') + advanced_ranger_knox_audit_properties['xasecure.audit.credential.provider.file'] = knox_plugin_install_properties.get('xasecure.audit.credential.provider.file','jceks://file{{credential_file}}') + advanced_ranger_knox_audit_properties['xasecure.audit.destination.db.batch.filespool.dir'] = knox_plugin_install_properties.get('xasecure.audit.destination.db.batch.filespool.dir','/var/log/knox/audit/db/spool') + advanced_ranger_knox_audit_properties['xasecure.audit.destination.hdfs'] = knox_plugin_install_properties.get('xasecure.audit.destination.hdfs','true') + advanced_ranger_knox_audit_properties['xasecure.audit.destination.hdfs.dir'] = knox_plugin_install_properties.get('xasecure.audit.destination.hdfs.dir','hdfs://NAMENODE_HOSTNAME:8020/ranger/audit') + advanced_ranger_knox_audit_properties['xasecure.audit.destination.hdfs.batch.filespool.dir'] = knox_plugin_install_properties.get('xasecure.audit.destination.hdfs.batch.filespool.dir','/var/log/knox/audit/hdfs/spool') + advanced_ranger_knox_audit_properties['xasecure.audit.destination.solr'] = knox_plugin_install_properties.get('xasecure.audit.destination.solr','false') + advanced_ranger_knox_audit_properties['xasecure.audit.destination.solr.urls'] = 
knox_plugin_install_properties.get('xasecure.audit.destination.solr.urls','{{ranger_audit_solr_urls}}') + advanced_ranger_knox_audit_properties['xasecure.audit.destination.solr.zookeepers'] = knox_plugin_install_properties.get('xasecure.audit.destination.solr.zookeepers','none') + advanced_ranger_knox_audit_properties['xasecure.audit.destination.solr.batch.filespool.dir'] = knox_plugin_install_properties.get('xasecure.audit.destination.solr.batch.filespool.dir','/var/log/knox/audit/solr/spool') + advanced_ranger_knox_audit_properties['xasecure.audit.provider.summary.enabled'] = knox_plugin_install_properties.get('xasecure.audit.provider.summary.enabled','false') + + advanced_ranger_knox_policymgr_ssl_properties['xasecure.policymgr.clientssl.keystore'] = knox_plugin_install_properties.get('xasecure.policymgr.clientssl.keystore','/usr/hdp/current/knox-server/conf/ranger-plugin-keystore.jks') + advanced_ranger_knox_policymgr_ssl_properties['xasecure.policymgr.clientssl.keystore.password'] = knox_plugin_install_properties.get('xasecure.policymgr.clientssl.keystore.password','myKeyFilePassword') + advanced_ranger_knox_policymgr_ssl_properties['xasecure.policymgr.clientssl.truststore'] = knox_plugin_install_properties.get('xasecure.policymgr.clientssl.truststore','/usr/hdp/current/knox-server/conf/ranger-plugin-truststore.jks') + advanced_ranger_knox_policymgr_ssl_properties['xasecure.policymgr.clientssl.truststore.password'] = knox_plugin_install_properties.get('xasecure.policymgr.clientssl.truststore.password','changeit') + advanced_ranger_knox_policymgr_ssl_properties['xasecure.policymgr.clientssl.keystore.credential.file'] = knox_plugin_install_properties.get('xasecure.policymgr.clientssl.keystore.credential.file','jceks://file{{credential_file}}') + advanced_ranger_knox_policymgr_ssl_properties['xasecure.policymgr.clientssl.truststore.credential.file'] = 
knox_plugin_install_properties.get('xasecure.policymgr.clientssl.truststore.credential.file','jceks://file{{credential_file}}') + + advanced_ranger_knox_security_properties['ranger.plugin.knox.service.name'] = knox_plugin_install_properties.get('ranger.plugin.knox.service.name','{{repo_name}}') + advanced_ranger_knox_security_properties['ranger.plugin.knox.policy.source.impl'] = knox_plugin_install_properties.get('ranger.plugin.knox.policy.source.impl','org.apache.ranger.admin.client.RangerAdminJersey2RESTClient') + advanced_ranger_knox_security_properties['ranger.plugin.knox.policy.rest.url'] = knox_plugin_install_properties.get('ranger.plugin.knox.policy.rest.url','{{policymgr_mgr_url}}') + advanced_ranger_knox_security_properties['ranger.plugin.knox.policy.rest.ssl.config.file'] = knox_plugin_install_properties.get('ranger.plugin.knox.policy.rest.ssl.config.file','/usr/hdp/current/knox-server/conf/ranger-policymgr-ssl.xml') + advanced_ranger_knox_security_properties['ranger.plugin.knox.policy.pollIntervalMs'] = knox_plugin_install_properties.get('ranger.plugin.knox.policy.pollIntervalMs','30000') + advanced_ranger_knox_security_properties['ranger.plugin.knox.policy.cache.dir'] = knox_plugin_install_properties.get('ranger.plugin.knox.policy.cache.dir','/etc/ranger/{{repo_name}}/policycache') + + + date_time_stamp = getDateTimeNow() + plugin_configuration_data = '[{"Clusters":{"desired_config":[{"type": "ranger-knox-plugin-properties", "service_config_version_note": "Initial configuration for Ranger KNOX plugin" ,"tag":"' + str(date_time_stamp) + '", "properties":' + json.dumps( + advanced_ranger_knox_plugin_properties) + ',"properties_attributes": {"final": "false"}},{"type": "ranger-knox-audit", "service_config_version_note": "Initial configuration for Ranger KNOX plugin" ,"tag":"' + str(date_time_stamp) + '", "properties":' + json.dumps( + advanced_ranger_knox_audit_properties) + ',"properties_attributes": {"final": "false"}},{"type": 
"ranger-knox-policymgr-ssl", "service_config_version_note": "Initial configuration for Ranger KNOX plugin" ,"tag":"' + str(date_time_stamp) + '", "properties":' + json.dumps( + advanced_ranger_knox_policymgr_ssl_properties) + ',"properties_attributes": {"final": "false"}},{"type": "ranger-knox-security", "service_config_version_note": "Initial configuration for Ranger KNOX plugin" ,"tag":"' + str(date_time_stamp) + '", "properties":' + json.dumps( + advanced_ranger_knox_security_properties) + ',"properties_attributes": {"final": "false"}}]}}]' + + print ('####################### ranger_knox_plugin_properties configuration :') + for each_key in advanced_ranger_knox_plugin_properties: + print str(each_key) + ' = ' + str(advanced_ranger_knox_plugin_properties[each_key]) + + print ('####################### ranger_knox_audit_properties configuration :') + for each_key in advanced_ranger_knox_audit_properties: + print str(each_key) + ' = ' + str(advanced_ranger_knox_audit_properties[each_key]) + + print ('####################### ranger_knox_policymgr_ssl_properties configuration :') + for each_key in advanced_ranger_knox_policymgr_ssl_properties: + print str(each_key) + ' = ' + str(advanced_ranger_knox_policymgr_ssl_properties[each_key]) + + print ('####################### ranger_knox_security_properties configuration :') + for each_key in advanced_ranger_knox_security_properties: + print str(each_key) + ' = ' + str(advanced_ranger_knox_security_properties[each_key]) + + confirm_configurations = raw_input('please confirm the above configuration values y/n (n) : ') + if(confirm_configurations == ''): + confirm_configurations = 'n' + print ('input registered as ' + str(confirm_configurations)) + + + if(confirm_configurations.lower() == 'y'): + ranger_config_request_url = ambari_cluster_url + request_result = call_ambari_api(ranger_config_request_url, 'PUT', ambari_username_password, str(plugin_configuration_data)) + if request_result is not None: + response_code = 
request_result.getcode() + response = json.loads(json.JSONEncoder().encode(request_result.read())) + if response_code == 200 and response is not None: + print('ranger knox plugin configuration added successfully in ambari.') + return True + else: + print('ranger knox plugin configuration add failed in ambari.') + return False + else: + print('ranger knox plugin configuration add failed in ambari.') + return False + else: + print ('exiting installation without configuration !') + sys.exit(0) + else: + print('ranger knox plugin configuration add failed in ambari.') + return False + + +def port_ranger_storm_plugin_to_ambari(): + print('Trying to add ranger storm plugin.') + flag_storm_plugin_installed, storm_plugin_install_properties = get_storm_plugin_configuration() + if flag_storm_plugin_installed and storm_plugin_install_properties is not None: + print('Storm plugin is installed and enabled, adding to configurations') + storm_site_properties = get_storm_configs_from_ambari() + storm_site_properties['nimbus.authorizer'] = 'org.apache.ranger.authorization.storm.authorizer.RangerStormAuthorizer' + + advanced_ranger_storm_plugin_properties = dict() + advanced_ranger_storm_audit_properties = dict() + advanced_ranger_storm_policymgr_ssl_properties = dict() + advanced_ranger_storm_security_properties = dict() + + advanced_ranger_storm_plugin_properties['policy_user'] = 'storm' + advanced_ranger_storm_plugin_properties['common.name.for.certificate'] = '' + advanced_ranger_storm_plugin_properties['ranger-storm-plugin-enabled'] = 'Yes' + advanced_ranger_storm_plugin_properties['REPOSITORY_CONFIG_USERNAME'] = 'stormtestuser@EXAMPLE.COM' + advanced_ranger_storm_plugin_properties['REPOSITORY_CONFIG_PASSWORD'] = 'stormtestuser' + + + advanced_ranger_storm_audit_properties['xasecure.audit.is.enabled'] = storm_plugin_install_properties.get('xasecure.audit.db.is.enabled','true') + advanced_ranger_storm_audit_properties['xasecure.audit.destination.db'] = 
storm_plugin_install_properties.get('xasecure.audit.db.is.enabled','false') + advanced_ranger_storm_audit_properties['xasecure.audit.destination.db.jdbc.url'] = storm_plugin_install_properties.get('xasecure.audit.jpa.javax.persistence.jdbc.url','{{audit_jdbc_url}}') + advanced_ranger_storm_audit_properties['xasecure.audit.destination.db.user'] = storm_plugin_install_properties.get('xasecure.audit.jpa.javax.persistence.jdbc.user','{{xa_audit_db_user}}') + advanced_ranger_storm_audit_properties['xasecure.audit.destination.db.password'] = storm_plugin_install_properties.get('xasecure.audit.jpa.javax.persistence.jdbc.password','crypted') + advanced_ranger_storm_audit_properties['xasecure.audit.destination.db.jdbc.driver'] = storm_plugin_install_properties.get('xasecure.audit.jpa.javax.persistence.jdbc.driver','{{jdbc_driver}}') + advanced_ranger_storm_audit_properties['xasecure.audit.credential.provider.file'] = storm_plugin_install_properties.get('xasecure.audit.credential.provider.file','jceks://file{{credential_file}}') + advanced_ranger_storm_audit_properties['xasecure.audit.destination.db.batch.filespool.dir'] = storm_plugin_install_properties.get('xasecure.audit.destination.db.batch.filespool.dir','/var/log/storm/audit/db/spool') + advanced_ranger_storm_audit_properties['xasecure.audit.destination.hdfs'] = storm_plugin_install_properties.get('xasecure.audit.destination.hdfs','true') + advanced_ranger_storm_audit_properties['xasecure.audit.destination.hdfs.dir'] = storm_plugin_install_properties.get('xasecure.audit.destination.hdfs.dir','hdfs://NAMENODE_HOSTNAME:8020/ranger/audit') + advanced_ranger_storm_audit_properties['xasecure.audit.destination.hdfs.batch.filespool.dir'] = storm_plugin_install_properties.get('xasecure.audit.destination.hdfs.batch.filespool.dir','/var/log/storm/audit/hdfs/spool') + advanced_ranger_storm_audit_properties['xasecure.audit.destination.solr'] = storm_plugin_install_properties.get('xasecure.audit.destination.solr','false') + 
advanced_ranger_storm_audit_properties['xasecure.audit.destination.solr.urls'] = storm_plugin_install_properties.get('xasecure.audit.destination.solr.urls','{{ranger_audit_solr_urls}}') + advanced_ranger_storm_audit_properties['xasecure.audit.destination.solr.zookeepers'] = storm_plugin_install_properties.get('xasecure.audit.destination.solr.zookeepers','none') + advanced_ranger_storm_audit_properties['xasecure.audit.destination.solr.batch.filespool.dir'] = storm_plugin_install_properties.get('xasecure.audit.destination.solr.batch.filespool.dir','/var/log/storm/audit/solr/spool') + advanced_ranger_storm_audit_properties['xasecure.audit.provider.summary.enabled'] = storm_plugin_install_properties.get('xasecure.audit.provider.summary.enabled','false') + + + advanced_ranger_storm_policymgr_ssl_properties['xasecure.policymgr.clientssl.keystore'] = storm_plugin_install_properties.get('xasecure.policymgr.clientssl.keystore','/usr/hdp/current/storm-client/conf/ranger-plugin-keystore.jks') + advanced_ranger_storm_policymgr_ssl_properties['xasecure.policymgr.clientssl.keystore.password'] = storm_plugin_install_properties.get('xasecure.policymgr.clientssl.keystore.password','myKeyFilePassword') + advanced_ranger_storm_policymgr_ssl_properties['xasecure.policymgr.clientssl.truststore'] = storm_plugin_install_properties.get('xasecure.policymgr.clientssl.truststore','/usr/hdp/current/storm-client/conf/ranger-plugin-truststore.jks') + advanced_ranger_storm_policymgr_ssl_properties['xasecure.policymgr.clientssl.truststore.password'] = storm_plugin_install_properties.get('xasecure.policymgr.clientssl.truststore.password','changeit') + advanced_ranger_storm_policymgr_ssl_properties['xasecure.policymgr.clientssl.keystore.credential.file'] = storm_plugin_install_properties.get('xasecure.policymgr.clientssl.keystore.credential.file','jceks://file{{credential_file}}') + advanced_ranger_storm_policymgr_ssl_properties['xasecure.policymgr.clientssl.truststore.credential.file'] = 
storm_plugin_install_properties.get('xasecure.policymgr.clientssl.truststore.credential.file','jceks://file{{credential_file}}') + + + advanced_ranger_storm_security_properties['ranger.plugin.storm.service.name'] = storm_plugin_install_properties.get('ranger.plugin.storm.service.name','{{repo_name}}') + advanced_ranger_storm_security_properties['ranger.plugin.storm.policy.source.impl'] = storm_plugin_install_properties.get('ranger.plugin.storm.policy.source.impl','org.apache.ranger.admin.client.RangerAdminRESTClient') + advanced_ranger_storm_security_properties['ranger.plugin.storm.policy.rest.url'] = storm_plugin_install_properties.get('ranger.plugin.storm.policy.rest.url','{{policymgr_mgr_url}}') + advanced_ranger_storm_security_properties['ranger.plugin.storm.policy.rest.ssl.config.file'] = storm_plugin_install_properties.get('ranger.plugin.storm.policy.rest.ssl.config.file','/usr/hdp/current/storm-client/conf/ranger-policymgr-ssl.xml') + advanced_ranger_storm_security_properties['ranger.plugin.storm.policy.pollIntervalMs'] = storm_plugin_install_properties.get('ranger.plugin.storm.policy.pollIntervalMs','30000') + advanced_ranger_storm_security_properties['ranger.plugin.storm.policy.cache.dir'] = storm_plugin_install_properties.get('ranger.plugin.storm.policy.cache.dir','/etc/ranger/{{repo_name}}/policycache') + + + date_time_stamp = getDateTimeNow() + plugin_configuration_data = '[{"Clusters":{"desired_config":[{"type": "ranger-storm-plugin-properties", "service_config_version_note": "Initial configuration for Ranger STORM plugin" ,"tag":"' + str(date_time_stamp) + '", "properties":' + json.dumps( + advanced_ranger_storm_plugin_properties) + ',"properties_attributes": {"final": "false"}},{"type": "ranger-storm-audit", "service_config_version_note": "Initial configuration for Ranger STORM plugin" ,"tag":"' + str(date_time_stamp) + '", "properties":' + json.dumps( + advanced_ranger_storm_audit_properties) + ',"properties_attributes": {"final": "false"}},{"type": 
"ranger-storm-policymgr-ssl", "service_config_version_note": "Initial configuration for Ranger STORM plugin" ,"tag":"' + str(date_time_stamp) + '", "properties":' + json.dumps( + advanced_ranger_storm_policymgr_ssl_properties) + ',"properties_attributes": {"final": "false"}},{"type": "ranger-storm-security", "service_config_version_note": "Initial configuration for Ranger STORM plugin" ,"tag":"' + str(date_time_stamp) + '", "properties":' + json.dumps( + advanced_ranger_storm_security_properties) + ',"properties_attributes": {"final": "false"}}]}}]' + + print ('####################### ranger_storm_plugin_properties configuration :') + for each_key in advanced_ranger_storm_plugin_properties: + print str(each_key) + ' = ' + str(advanced_ranger_storm_plugin_properties[each_key]) + + print ('####################### ranger_storm_audit_properties configuration :') + for each_key in advanced_ranger_storm_audit_properties: + print str(each_key) + ' = ' + str(advanced_ranger_storm_audit_properties[each_key]) + + print ('####################### ranger_storm_policymgr_ssl_properties configuration :') + for each_key in advanced_ranger_storm_policymgr_ssl_properties: + print str(each_key) + ' = ' + str(advanced_ranger_storm_policymgr_ssl_properties[each_key]) + + print ('####################### ranger_storm_security_properties configuration :') + for each_key in advanced_ranger_storm_security_properties: + print str(each_key) + ' = ' + str(advanced_ranger_storm_security_properties[each_key]) + + + + confirm_configurations = raw_input('please confirm the above configuration values y/n (n) : ') + if(confirm_configurations == ''): + confirm_configurations = 'n' + print ('Input registered as ' + str(confirm_configurations)) + + + if(confirm_configurations.lower() == 'y'): + ranger_config_request_url = ambari_cluster_url + request_result = call_ambari_api(ranger_config_request_url, 'PUT', ambari_username_password, str(plugin_configuration_data)) + if request_result is not None: + 
response_code = request_result.getcode()
+ response = json.loads(json.JSONEncoder().encode(request_result.read()))
+ if response_code == 200 and response is not None:
+ print('ranger storm plugin configuration added successfully in ambari.')
+ return True
+ else:
+ print('ranger storm plugin configuration add failed in ambari.')
+ return False
+ else:
+ print('ranger storm plugin configuration add failed in ambari.')
+ return False
+ else:
+ print ('exiting installation without configuration !')
+ sys.exit(0)
+ else:
+ print('ranger storm plugin configuration add failed in ambari.')
+ return False
+
+def port_ranger_kafka_plugin_to_ambari():
+ print('Trying to add ranger kafka plugin.')
+ flag_kafka_plugin_installed,kafka_plugin_installed_properties = get_kafka_plugin_configuration()
+ if flag_kafka_plugin_installed and kafka_plugin_installed_properties is not None:
+ advanced_ranger_kafka_plugin_properties = dict()
+ advanced_ranger_kafka_audit_properties = dict()
+ advanced_ranger_kafka_policymgr_ssl_properties = dict()
+ advanced_ranger_kafka_security_properties = dict()
+ advanced_kafka_log4j_properties = dict()
+
+ print('Kafka plugin is installed and enabled, adding to configurations')
+ advanced_kafka_broker_properties = get_kafka_configs_from_ambari()
+ advanced_kafka_broker_properties['authorizer.class.name'] = 'org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer'
+
+
+ advanced_ranger_kafka_plugin_properties['policy_user'] = 'ambari-qa'
+ advanced_ranger_kafka_plugin_properties['hadoop.rpc.protection'] = ''
+ advanced_ranger_kafka_plugin_properties['common.name.for.certificate'] = ''
+ advanced_ranger_kafka_plugin_properties['zookeeper.connect'] = 'localhost:2181'
+ advanced_ranger_kafka_plugin_properties['ranger-kafka-plugin-enabled'] = 'Yes'
+ advanced_ranger_kafka_plugin_properties['REPOSITORY_CONFIG_USERNAME'] = 'kafka'
+ advanced_ranger_kafka_plugin_properties['REPOSITORY_CONFIG_PASSWORD'] = 'kafka'
+
+
+ advanced_ranger_kafka_audit_properties['xasecure.audit.is.enabled'] = kafka_plugin_installed_properties.get('xasecure.audit.is.enabled','true')
+ advanced_ranger_kafka_audit_properties['xasecure.audit.destination.db'] = kafka_plugin_installed_properties.get('xasecure.audit.db.is.enabled','false')
+ advanced_ranger_kafka_audit_properties['xasecure.audit.destination.db.jdbc.url'] = kafka_plugin_installed_properties.get('xasecure.audit.jpa.javax.persistence.jdbc.url','{{audit_jdbc_url}}')
+ advanced_ranger_kafka_audit_properties['xasecure.audit.destination.db.user'] = kafka_plugin_installed_properties.get('xasecure.audit.jpa.javax.persistence.jdbc.user','{{xa_audit_db_user}}')
+ advanced_ranger_kafka_audit_properties['xasecure.audit.destination.db.password'] = kafka_plugin_installed_properties.get('xasecure.audit.jpa.javax.persistence.jdbc.password','crypted')
+ advanced_ranger_kafka_audit_properties['xasecure.audit.destination.db.jdbc.driver'] = kafka_plugin_installed_properties.get('xasecure.audit.jpa.javax.persistence.jdbc.driver','{{jdbc_driver}}')
+ advanced_ranger_kafka_audit_properties['xasecure.audit.credential.provider.file'] = kafka_plugin_installed_properties.get('xasecure.audit.credential.provider.file','jceks://file{{credential_file}}')
+ advanced_ranger_kafka_audit_properties['xasecure.audit.destination.db.batch.filespool.dir'] = kafka_plugin_installed_properties.get('xasecure.audit.destination.db.batch.filespool.dir','/var/log/kafka/audit/db/spool')
+ advanced_ranger_kafka_audit_properties['xasecure.audit.destination.hdfs'] = kafka_plugin_installed_properties.get('xasecure.audit.destination.hdfs','true')
+ advanced_ranger_kafka_audit_properties['xasecure.audit.destination.hdfs.dir'] = kafka_plugin_installed_properties.get('xasecure.audit.destination.hdfs.dir','hdfs://NAMENODE_HOSTNAME:8020/ranger/audit')
+ advanced_ranger_kafka_audit_properties['xasecure.audit.destination.hdfs.batch.filespool.dir'] = kafka_plugin_installed_properties.get('xasecure.audit.destination.hdfs.batch.filespool.dir','/var/log/kafka/audit/hdfs/spool')
+ advanced_ranger_kafka_audit_properties['xasecure.audit.destination.solr'] = kafka_plugin_installed_properties.get('xasecure.audit.destination.solr','true')
+ advanced_ranger_kafka_audit_properties['xasecure.audit.destination.solr.urls'] = kafka_plugin_installed_properties.get('xasecure.audit.destination.solr.urls','{{ranger_audit_solr_urls}}')
+ advanced_ranger_kafka_audit_properties['xasecure.audit.destination.solr.zookeepers'] = kafka_plugin_installed_properties.get('xasecure.audit.db.is.enabledxasecure.audit.destination.solr.zookeepers','none')
+ advanced_ranger_kafka_audit_properties['xasecure.audit.destination.solr.batch.filespool.dir'] = kafka_plugin_installed_properties.get('xasecure.audit.destination.solr.batch.filespool.dir','/var/log/kafka/audit/solr/spool')
+ advanced_ranger_kafka_audit_properties['xasecure.audit.provider.summary.enabled'] = kafka_plugin_installed_properties.get('xasecure.audit.db.is.enabled','true')
+
+ advanced_ranger_kafka_policymgr_ssl_properties['xasecure.policymgr.clientssl.keystore'] = kafka_plugin_installed_properties.get('xasecure.policymgr.clientssl.keystore','/usr/hdp/current/kafka-broker/config/ranger-plugin-keystore.jks')
+ advanced_ranger_kafka_policymgr_ssl_properties['xasecure.policymgr.clientssl.keystore.password'] = kafka_plugin_installed_properties.get('xasecure.policymgr.clientssl.keystore.password','myKeyFilePassword')
+ advanced_ranger_kafka_policymgr_ssl_properties['xasecure.policymgr.clientssl.truststore'] = kafka_plugin_installed_properties.get('xasecure.policymgr.clientssl.truststore','/usr/hdp/current/kafka-broker/config/ranger-plugin-truststore.jks')
+ advanced_ranger_kafka_policymgr_ssl_properties['xasecure.policymgr.clientssl.truststore.password'] = kafka_plugin_installed_properties.get('xasecure.policymgr.clientssl.truststore.password','changeit')
+ advanced_ranger_kafka_policymgr_ssl_properties['xasecure.policymgr.clientssl.keystore.credential.file'] = kafka_plugin_installed_properties.get('xasecure.policymgr.clientssl.keystore.credential.file','jceks://file/{{credential_file}}')
+ advanced_ranger_kafka_policymgr_ssl_properties['xasecure.policymgr.clientssl.truststore.credential.file'] = kafka_plugin_installed_properties.get('xasecure.policymgr.clientssl.truststore.credential.file','jceks://file/{{credential_file}}')
+
+ advanced_ranger_kafka_security_properties['ranger.plugin.kafka.service.name'] = kafka_plugin_installed_properties.get('ranger.plugin.kafka.service.name','{{repo_name}}')
+ advanced_ranger_kafka_security_properties['ranger.plugin.kafka.policy.source.impl'] = kafka_plugin_installed_properties.get('ranger.plugin.kafka.policy.source.impl','org.apache.ranger.admin.client.RangerAdminRESTClient')
+ advanced_ranger_kafka_security_properties['ranger.plugin.kafka.policy.rest.url'] = kafka_plugin_installed_properties.get('ranger.plugin.kafka.policy.rest.url','{{policymgr_mgr_url}}')
+ advanced_ranger_kafka_security_properties['ranger.plugin.kafka.policy.rest.ssl.config.file'] = kafka_plugin_installed_properties.get('ranger.plugin.kafka.policy.rest.ssl.config.file','/etc/kafka/conf/ranger-policymgr-ssl.xml')
+ advanced_ranger_kafka_security_properties['ranger.plugin.kafka.policy.pollIntervalMs'] = kafka_plugin_installed_properties.get('ranger.plugin.kafka.policy.pollIntervalMs','30000')
+ advanced_ranger_kafka_security_properties['ranger.plugin.kafka.policy.cache.dir'] = kafka_plugin_installed_properties.get('ranger.plugin.kafka.policy.cache.dir','/etc/ranger/{{repo_name}}/policycache')
+
+ advanced_kafka_log4j_properties['content'] = kafka_plugin_installed_properties.get('kafka.log4j.properties','')
+
+ date_time_stamp = getDateTimeNow()
+ plugin_configuration_data = '[{"Clusters":{"desired_config":[{"type": "kafka-broker", "service_config_version_note": "Initial configuration for Ranger KAFKA plugin" 
,"tag":"' + str(date_time_stamp) + '", "properties":' + json.dumps( + advanced_kafka_broker_properties) + ',"properties_attributes": {"final": "false"}},{"type": "kafka-log4j", "service_config_version_note": "Initial configuration for Ranger KAFKA plugin" ,"tag":"' + str(date_time_stamp) + '", "properties":' + json.dumps( + advanced_kafka_log4j_properties) + ',"properties_attributes": {"final": "false"}},{"type": "ranger-kafka-plugin-properties", "service_config_version_note": "Initial configuration for Ranger KAFKA plugin" ,"tag":"' + str(date_time_stamp) + '", "properties":' + json.dumps( + advanced_ranger_kafka_plugin_properties) + ',"properties_attributes": {"final": "false"}},{"type": "ranger-kafka-audit", "service_config_version_note": "Initial configuration for Ranger KAFKA plugin" ,"tag":"' + str(date_time_stamp) + '", "properties":' + json.dumps( + advanced_ranger_kafka_audit_properties) + ',"properties_attributes": {"final": "false"}},{"type": "ranger-kafka-policymgr-ssl", "service_config_version_note": "Initial configuration for Ranger KAFKA plugin" ,"tag":"' + str(date_time_stamp) + '", "properties":' + json.dumps( + advanced_ranger_kafka_policymgr_ssl_properties) + ',"properties_attributes": {"final": "false"}},{"type": "ranger-kafka-security", "service_config_version_note": "Initial configuration for Ranger KAFKA plugin" ,"tag":"' + str(date_time_stamp) + '", "properties":' + json.dumps( + advanced_ranger_kafka_security_properties) + ',"properties_attributes": {"final": "false"}}]}}]' + + + print ('####################### kafka_broker_properties configuration :') + for each_key in advanced_kafka_broker_properties: + print str(each_key) + ' = ' + str(advanced_kafka_broker_properties[each_key]) + + print ('####################### kafka_log4j_properties configuration :') + for each_key in advanced_kafka_log4j_properties: + print str(each_key) + ' = ' + str(advanced_kafka_log4j_properties[each_key]) + + + print ('####################### 
ranger_kafka_plugin_properties configuration :') + for each_key in advanced_ranger_kafka_plugin_properties: + print str(each_key) + ' = ' + str(advanced_ranger_kafka_plugin_properties[each_key]) + + print ('####################### ranger_kafka_audit_properties configuration :') + for each_key in advanced_ranger_kafka_audit_properties: + print str(each_key) + ' = ' + str(advanced_ranger_kafka_audit_properties[each_key]) + + print ('####################### ranger_kafka_policymgr_ssl_properties configuration :') + for each_key in advanced_ranger_kafka_policymgr_ssl_properties: + print str(each_key) + ' = ' + str(advanced_ranger_kafka_policymgr_ssl_properties[each_key]) + + print ('####################### ranger_kafka_security_properties configuration :') + for each_key in advanced_ranger_kafka_security_properties: + print str(each_key) + ' = ' + str(advanced_ranger_kafka_security_properties[each_key]) + + confirm_configurations = raw_input('please confirm the above configuration values y/n (n) : ') + if(confirm_configurations == ''): + confirm_configurations = 'n' + print ('input registered as ' + str(confirm_configurations)) + + + if(confirm_configurations.lower() == 'y'): + ranger_config_request_url = ambari_cluster_url + request_result = call_ambari_api(ranger_config_request_url, 'PUT', ambari_username_password, str(plugin_configuration_data)) + if request_result is not None: + response_code = request_result.getcode() + response = json.loads(json.JSONEncoder().encode(request_result.read())) + if response_code == 200 and response is not None: + print('ranger kafka plugin configuration added successfully in ambari.') + return True + else: + print('ranger kafka plugin configuration add failed in ambari.') + return False + else: + print('ranger kafka plugin configuration add failed in ambari.') + return False + else: + print ('exiting installation without configuration !') + sys.exit(0) + else: + print('ranger kafka plugin configuration add failed in ambari.') + return 
False
+
+
+
+def get_hdfs_plugin_configuration():
+ flag_hdfs_plugin_installed = False
+ hdfs_plugin_install_properties = dict()
+ print('hdfs plugin is present and installed to ranger,getting additional properties from installed files.')
+ base_hadoop_conf_path = '/etc/hadoop/conf/'
+ hdfs_site_xml_path = os.path.join(base_hadoop_conf_path, 'hdfs-site.xml')
+ hdfs_site_xml_properties = import_properties_from_xml(hdfs_site_xml_path)
+ ranger_audit_xml_path = os.path.join(base_hadoop_conf_path, 'ranger-hdfs-audit.xml')
+ hdfs_plugin_install_properties = import_properties_from_xml(ranger_audit_xml_path, hdfs_plugin_install_properties)
+ ranger_hdfs_security_xml_path = os.path.join(base_hadoop_conf_path, 'ranger-hdfs-security.xml')
+ hdfs_plugin_install_properties = import_properties_from_xml(ranger_hdfs_security_xml_path, hdfs_plugin_install_properties)
+ ranger_policy_ssl_xml_path = os.path.join(base_hadoop_conf_path, 'ranger-policymgr-ssl.xml')
+ hdfs_plugin_install_properties = import_properties_from_xml(ranger_policy_ssl_xml_path, hdfs_plugin_install_properties)
+ flag_plugin_installed = check_plugin_enabled('hdfs', hdfs_plugin_install_properties)
+ if(flag_plugin_installed):
+ flag_hdfs_plugin_installed = True
+ return flag_hdfs_plugin_installed, hdfs_plugin_install_properties, hdfs_site_xml_properties
+
+
+def get_yarn_plugin_configuration():
+ flag_yarn_plugin_installed = False
+ yarn_plugin_installed_properties = dict()
+ print('yarn plugin is present and installed to ranger,getting additional properties from installed files.')
+ base_yarn_conf_path = '/etc/hadoop/conf/'
+ yarn_site_xml_path = os.path.join(base_yarn_conf_path,'yarn-site.xml')
+ yarn_site_xml_properties = import_properties_from_xml(yarn_site_xml_path)
+ ranger_yarn_audit_properties_path = os.path.join(base_yarn_conf_path,'ranger-yarn-audit.xml')
+ yarn_plugin_installed_properties = import_properties_from_xml(ranger_yarn_audit_properties_path, yarn_plugin_installed_properties)
+ ranger_yarn_security_properties_path = os.path.join(base_yarn_conf_path,'ranger-yarn-security.xml')
+ yarn_plugin_installed_properties = import_properties_from_xml(ranger_yarn_security_properties_path, yarn_plugin_installed_properties)
+ ranger_policymgr_ssl_properties_path = os.path.join(base_yarn_conf_path,'ranger-policymgr-ssl.xml')
+ yarn_plugin_installed_properties = import_properties_from_xml(ranger_policymgr_ssl_properties_path, yarn_plugin_installed_properties)
+ flag_plugin_installed = check_plugin_enabled('yarn', yarn_plugin_installed_properties)
+ if(flag_plugin_installed):
+ flag_yarn_plugin_installed = True
+ return flag_yarn_plugin_installed,yarn_plugin_installed_properties,yarn_site_xml_properties
+
+
+def get_hive_plugin_configuration():
+ flag_hive_plugin_installed = False
+ hive_plugin_install_properties = dict()
+ print('hive plugin is present and installed to ranger, configuring to setup in ambari.')
+ base_hive_conf_path = '/etc/hive/conf/conf.server/'
+ hive_server2_xml_path = os.path.join(base_hive_conf_path, 'hiveserver2-site.xml')
+ hive_server2_xml_properties = import_properties_from_xml(hive_server2_xml_path)
+ ranger_audit_xml_path = os.path.join(base_hive_conf_path, 'ranger-hive-audit.xml')
+ hive_plugin_install_properties = import_properties_from_xml(ranger_audit_xml_path, hive_plugin_install_properties)
+ ranger_hive_security_xml_path = os.path.join(base_hive_conf_path, 'ranger-hive-security.xml')
+ hive_plugin_install_properties = import_properties_from_xml(ranger_hive_security_xml_path, hive_plugin_install_properties)
+ ranger_policy_ssl_xml_path = os.path.join(base_hive_conf_path, 'ranger-policymgr-ssl.xml')
+ hive_plugin_install_properties = import_properties_from_xml(ranger_policy_ssl_xml_path, hive_plugin_install_properties)
+ flag_plugin_installed = check_plugin_enabled('hive', hive_plugin_install_properties)
+
+ if(flag_plugin_installed):
+ flag_hive_plugin_installed = True
+ return flag_hive_plugin_installed, 
hive_plugin_install_properties, hive_server2_xml_properties + +def get_hive_configs_from_ambari(): + desired_config_url = ambari_cluster_url + '?fields=Clusters/desired_configs' + request_result = call_ambari_api(desired_config_url,'GET',ambari_username_password,None) + response_code = None + desired_configs_response = None + if request_result is not None: + response_code = request_result.getcode() + desired_configs_response = json.loads(json.JSONEncoder().encode(request_result.read())) + + hive_site_tag = str(json.loads(desired_configs_response)['Clusters']['desired_configs']['hive-site']['tag']) + hive_env_tag = str(json.loads(desired_configs_response)['Clusters']['desired_configs']['hive-env']['tag']) + + hive_env_properties_url = ambari_cluster_url + '/configurations?type=hive-env&tag='+hive_env_tag + hive_env_properties_response = None + print ('hive_env_properties_url = ' + str(hive_env_properties_url)) + request_result = call_ambari_api(hive_env_properties_url,'GET',ambari_username_password,None) + if request_result is not None: + response_code = request_result.getcode() + hive_env_properties_response = json.loads(json.JSONEncoder().encode(request_result.read())) + print 'hive-env len response = ' , len(json.loads(hive_env_properties_response)['items']) + hive_env_properties = json.loads(hive_env_properties_response)['items'][0]['properties'] + print ('hive_env_properties = ' + str(hive_env_properties)) + + hive_site_properties_url = ambari_cluster_url + '/configurations?type=hive-site&tag='+hive_site_tag + hive_site_properties_response = None + request_result = call_ambari_api(hive_site_properties_url,'GET',ambari_username_password,None) + if request_result is not None: + response_code = request_result.getcode() + hive_site_properties_response = json.loads(json.JSONEncoder().encode(request_result.read())) + print 'hive-site len response = ' , len(json.loads(hive_site_properties_response)['items']) + hive_site_properties = 
json.loads(hive_site_properties_response)['items'][0]['properties']
+ print ('hive_site_properties = ' + str(hive_site_properties))
+
+ return hive_env_properties,hive_site_properties
+
+
+
+def get_hbase_plugin_configuration():
+ flag_hbase_plugin_installed = False
+ hbase_plugin_install_properties = dict()
+ print('hbase plugin is present and installed to ranger, configuring to setup in ambari.')
+ base_hbase_conf_path = '/etc/hbase/conf/'
+ hbase_site_xml_path = os.path.join(base_hbase_conf_path, 'hbase-site.xml')
+ hbase_site_xml_properties = import_properties_from_xml(hbase_site_xml_path)
+ ranger_audit_xml_path = os.path.join(base_hbase_conf_path, 'ranger-hbase-audit.xml')
+ hbase_plugin_install_properties = import_properties_from_xml(ranger_audit_xml_path, hbase_plugin_install_properties)
+ ranger_hbase_security_xml_path = os.path.join(base_hbase_conf_path, 'ranger-hbase-security.xml')
+ hbase_plugin_install_properties = import_properties_from_xml(ranger_hbase_security_xml_path, hbase_plugin_install_properties)
+ ranger_policy_ssl_xml_path = os.path.join(base_hbase_conf_path, 'ranger-policymgr-ssl.xml')
+ hbase_plugin_install_properties = import_properties_from_xml(ranger_policy_ssl_xml_path, hbase_plugin_install_properties)
+ flag_plugin_installed = check_plugin_enabled('hbase', hbase_plugin_install_properties)
+ if(flag_plugin_installed):
+ flag_hbase_plugin_installed = True
+ return flag_hbase_plugin_installed, hbase_plugin_install_properties, hbase_site_xml_properties
+
+
+def get_knox_plugin_configuration():
+ flag_knox_plugin_installed = False
+ knox_plugin_install_properties = dict()
+ print('knox plugin is present and installed to ranger, configuring to setup in ambari.')
+ base_knox_conf_path = '/etc/knox/conf/'
+ ranger_audit_xml_path = os.path.join(base_knox_conf_path, 'ranger-knox-audit.xml')
+ knox_plugin_install_properties = import_properties_from_xml(ranger_audit_xml_path, knox_plugin_install_properties)
+ ranger_knox_security_xml_path = 
os.path.join(base_knox_conf_path, 'ranger-knox-security.xml') + knox_plugin_install_properties = import_properties_from_xml(ranger_knox_security_xml_path, knox_plugin_install_properties) + ranger_policy_ssl_xml_path = os.path.join(base_knox_conf_path, 'ranger-policymgr-ssl.xml') + knox_plugin_install_properties = import_properties_from_xml(ranger_policy_ssl_xml_path, knox_plugin_install_properties) + flag_plugin_installed = check_plugin_enabled('knox', knox_plugin_install_properties) + if(flag_plugin_installed): + flag_knox_plugin_installed = True + return flag_knox_plugin_installed, knox_plugin_install_properties + + + +def get_storm_plugin_configuration(): + flag_storm_plugin_installed = False + storm_plugin_install_properties = dict() + print('storm plugin is present and installed to ranger, configuring to setup in ambari.') + base_storm_conf_path = '/etc/storm/conf/' + ranger_audit_xml_path = os.path.join(base_storm_conf_path, 'ranger-storm-audit.xml') + storm_plugin_install_properties = import_properties_from_xml(ranger_audit_xml_path, storm_plugin_install_properties) + ranger_storm_security_xml_path = os.path.join(base_storm_conf_path, 'ranger-storm-security.xml') + storm_plugin_install_properties = import_properties_from_xml(ranger_storm_security_xml_path, storm_plugin_install_properties) + ranger_policy_ssl_xml_path = os.path.join(base_storm_conf_path, 'ranger-policymgr-ssl.xml') + storm_plugin_install_properties = import_properties_from_xml(ranger_policy_ssl_xml_path, storm_plugin_install_properties) + flag_plugin_installed = check_plugin_enabled('storm', storm_plugin_install_properties) + if(flag_plugin_installed): + flag_storm_plugin_installed = True + return flag_storm_plugin_installed, storm_plugin_install_properties + + +def get_storm_configs_from_ambari(): + desired_config_url = ambari_cluster_url + '?fields=Clusters/desired_configs' + request_result = call_ambari_api(desired_config_url,'GET',ambari_username_password,None) + response_code = None + 
desired_configs_response = None + if request_result is not None: + response_code = request_result.getcode() + desired_configs_response = json.loads(json.JSONEncoder().encode(request_result.read())) + + storm_site_tag = str(json.loads(desired_configs_response)['Clusters']['desired_configs']['storm-site']['tag']) + print ('storm_site_tag = ' + storm_site_tag) + + kafka_broker_properties_url = ambari_cluster_url + '/configurations?type=storm-site&tag='+storm_site_tag + + request_result = call_ambari_api(kafka_broker_properties_url,'GET',ambari_username_password,None) + if request_result is not None: + response_code = request_result.getcode() + response = json.loads(json.JSONEncoder().encode(request_result.read())) + print 'storm-site len response = ' , len(json.loads(response)['items']) + storm_site_properties = json.loads(response)['items'][0]['properties'] + print ('storm_site_properties = ' + str(storm_site_properties)) + + return storm_site_properties + + + + +def get_kafka_plugin_configuration(): + flag_kafka_plugin_installed = False + kafka_plugin_install_properties = dict() + print('kafka plugin is present and installed to ranger configuring to setup ambari') + base_kafka_conf_path = '/etc/kafka/conf/' + ranger_audit_xml_path = os.path.join(base_kafka_conf_path,'ranger-kafka-audit.xml') + kafka_plugin_install_properties = import_properties_from_xml(ranger_audit_xml_path, kafka_plugin_install_properties) + ranger_kafka_security_xml_path = os.path.join(base_kafka_conf_path,'ranger-kafka-security.xml') + kafka_plugin_install_properties = import_properties_from_xml(ranger_kafka_security_xml_path, kafka_plugin_install_properties) + ranger_policymgr_ssl_xml_path = os.path.join(base_kafka_conf_path,'ranger-policymgr-ssl.xml') + kafka_plugin_install_properties = import_properties_from_xml(ranger_policymgr_ssl_xml_path, kafka_plugin_install_properties) + kafka_log4j_xml_path = os.path.join(base_kafka_conf_path,'log4j.properties') + 
kafka_plugin_install_properties['kafka.log4j.properties'] = read_properties_file(kafka_log4j_xml_path) + + flag_plugin_installed = check_plugin_enabled('kafka', kafka_plugin_install_properties) + if flag_plugin_installed: + flag_kafka_plugin_installed = True + return flag_kafka_plugin_installed, kafka_plugin_install_properties + +def get_kafka_configs_from_ambari(): + desired_config_url = ambari_cluster_url + '?fields=Clusters/desired_configs' + request_result = call_ambari_api(desired_config_url,'GET',ambari_username_password,None) + response_code = None + desired_configs_response = None + if request_result is not None: + response_code = request_result.getcode() + desired_configs_response = json.loads(json.JSONEncoder().encode(request_result.read())) + + kafka_broker_tag = str(json.loads(desired_configs_response)['Clusters']['desired_configs']['kafka-broker']['tag']) + print ('kafka_broker_tag = ' + kafka_broker_tag) + + kafka_broker_properties_url = ambari_cluster_url + '/configurations?type=kafka-broker&tag='+kafka_broker_tag + + request_result = call_ambari_api(kafka_broker_properties_url,'GET',ambari_username_password,None) + if request_result is not None: + response_code = request_result.getcode() + response = json.loads(json.JSONEncoder().encode(request_result.read())) + print 'kafka-broker len response = ' , len(json.loads(response)['items']) + kafka_broker_properties = json.loads(response)['items'][0]['properties'] + print ('kafka_broker_properties = ' + str(kafka_broker_properties)) + + return kafka_broker_properties + + + +def check_plugin_enabled(component_name, component_plugin_install_properties): + flag_plugin_installed = False + repository_key = 'ranger.plugin.' 
+ component_name + '.service.name' + if not (str(component_plugin_install_properties[repository_key]).strip() == ''): + repo_base_path = os.path.join('/etc/ranger', component_plugin_install_properties[repository_key]) + print('repo_base_path = ' + str(repo_base_path)) + if os.path.exists(repo_base_path): + print('Plugin is installed for component ' + component_name) + flag_plugin_installed = True + return flag_plugin_installed + + +def call_ambari_api(ambari_url, method, username_password, data): + try: + url = ambari_url + base64string = base64.encodestring('{0}'.format(username_password)).replace('\n', '') + headers = {"X-Requested-By": "ambari"} + request = urllib2.Request(url, data, headers, 'compressed') + request.get_method = lambda: method + request.add_header("Authorization", "Basic {0}".format(base64string)) + result = urllib2.urlopen(request) + return result + except urllib2.URLError, e: + if isinstance(e, urllib2.HTTPError): + print("HTTP Code: {0}".format(e.code)) + print("HTTP Data: {0}".format(e.read())) + return e + else: + print("Error: {0}".format(e.reason)) + print ('ambari server is not reachable, please make sure valid ambari server url has been provided and ambari server is started.') + return e + except httplib.BadStatusLine: + print("ambari service is not reachable, please restart the service and then try again") + return None + + +def import_properties_from_file(install_properties_path, properties_from_file=None): + if properties_from_file is None: + print('properties_from_file is none initializing to dict') + properties_from_file = dict() + if os.path.isfile(install_properties_path): + install_properties_file = open(install_properties_path) + for each_line in install_properties_file.read().split('\n'): + each_line = each_line.strip() + if len(each_line) == 0: continue + if '#https.service.port' in each_line: + each_line = each_line.strip('#') + if '#' in each_line: continue + key, value = each_line.strip().split("=", 1) + key = key.strip() 
+ value = value.strip()
+ properties_from_file[key] = value
+ else:
+ print('Property file not found at path : ' + str(install_properties_path))
+ return properties_from_file
+
+def read_properties_file(properties_file_path):
+ file_text = ''
+ if(os.path.isfile(properties_file_path)):
+ print('property file exists reading file content')
+ file_text = open(properties_file_path,'r').read()
+ else:
+ print('file not found at path : ' + str(properties_file_path))
+ return file_text
+
+
+
+def import_properties_from_xml(xml_path, properties_from_xml=None):
+ print('getting values from file : ' + str(xml_path))
+ if os.path.isfile(xml_path):
+ xml = ET.parse(xml_path)
+ root = xml.getroot()
+ if properties_from_xml is None:
+ properties_from_xml = dict()
+ for child in root.findall('property'):
+ name = child.find("name").text.strip()
+ value = child.find("value").text.strip() if child.find("value").text is not None else ""
+ properties_from_xml[name] = value
+ else:
+ print('XML file not found at path : ' + str(xml_path))
+ return properties_from_xml
+
+
+def get_authentication_method():
+ print('Getting authentication method for ranger services')
+ ranger_conf_path = '/etc/ranger/admin/conf'
+ security_appln_context_path = os.path.join(ranger_conf_path,'security-applicationContext.xml')
+ print ('security_appln_context_path = ' + security_appln_context_path)
+ app_context_xml_tree = ET.parse(security_appln_context_path)
+ app_context_xml_root = app_context_xml_tree.getroot()
+ reference_auth_method = None
+ authentication_method = None
+ for child_nodes in app_context_xml_root.getiterator():
+ if( ('authentication-provider' in str(child_nodes.tag)) and not('-ref' in str(child_nodes.attrib)) ):
+ reference_auth_method = child_nodes.attrib['ref']
+
+ if( reference_auth_method is not None and 'jaasAuthProvider' in reference_auth_method):
+ authentication_method = 'UNIX'
+ elif( reference_auth_method is not None and 'activeDirectoryAuthenticationProvider' in 
reference_auth_method): + authentication_method = 'ACTIVE_DIRECTORY' + elif( reference_auth_method is not None and 'ldapAuthProvider' in reference_auth_method): + authentication_method = 'LDAP' + else: + authentication_method = 'NONE' + + return authentication_method + + + +def call_keystore(libpath, aliasKey, aliasValue, filepath, getorcreateorlist): + finalLibPath = libpath.replace('\\', '/').replace('//', '/') + finalFilePath = 'jceks://file/' + filepath.replace('\\', '/').replace('//', '/') + if getorcreateorlist == 'create': + commandtorun = ['java', '-cp', finalLibPath, 'org.apache.ranger.credentialapi.buildks', 'create', aliasKey, '-value', aliasValue, '-provider', finalFilePath] + p = Popen(commandtorun, stdin=PIPE, stdout=PIPE, stderr=PIPE) + output, error = p.communicate() + statuscode = p.returncode + return statuscode + elif getorcreateorlist == 'get': + commandtorun = ['java', '-cp', finalLibPath, 'org.apache.ranger.credentialapi.buildks', 'get', aliasKey, '-provider', finalFilePath] + p = Popen(commandtorun, stdin=PIPE, stdout=PIPE, stderr=PIPE) + output, error = p.communicate() + statuscode = p.returncode + return statuscode, output + elif getorcreateorlist == 'list': + commandtorun = ['java', '-cp', finalLibPath, 'org.apache.ranger.credentialapi.buildks', 'list', '-provider', finalFilePath] + p = Popen(commandtorun, stdin=PIPE, stdout=PIPE, stderr=PIPE) + output, error = p.communicate() + statuscode = p.returncode + return statuscode, output + else: + print('proper command not received for input need get or create') + + +def get_hdp_version(): + return_code = -1 + hdp_output = '' + hdp_version = None + match = None + statuscode = -1 + try: + command_to_run = 'hdp-select status hadoop-client' + output = Popen(command_to_run, stdin=PIPE, stdout=PIPE, stderr=PIPE, shell=True) + return_code, error = output.communicate() + statuscode = output.returncode + except Exception, e: + print('Error : ' + str(e)) + if statuscode == 0: + hdp_version = 
re.sub('hadoop-client - ', '', return_code) + hdp_version = hdp_version.rstrip() + match = re.match('[0-9]+.[0-9]+.[0-9]+.[0-9]+-[0-9]+', hdp_version) + print ('hdp_version = ' + hdp_version) + else: + print('Unable to determine the current version because of a non-zero return code of {0}'.format(str(return_code))) + + if match is None: + print('Failed to get extracted version') + return None + else: + return hdp_version + +def getDateTimeNow(): + return datetime.datetime.now().strftime("%Y%m%d%H%M%S") + + +if __name__ == '__main__': + + + if len(sys.argv) > 1: + function_to_call = sys.argv[1] if len(sys.argv) > 1 else None + base_url = sys.argv[2] if len(sys.argv) > 2 else None + print ('base url = ' + base_url) + ambari_username_password = sys.argv[3] if len(sys.argv) > 3 else None + print ('ambari_username_password = ' + ambari_username_password) + cluster_name = sys.argv[4] if len(sys.argv) > 4 else None + print ('cluster_name = ' + cluster_name) + ranger_admin_fqdn = sys.argv[5] if len(sys.argv) > 5 else None + print ('ranger_admin_fqdn = ' + ranger_admin_fqdn) + ranger_service_name = 'RANGER' + admin_component_name = 'RANGER_ADMIN' + usersync_component_name = 'RANGER_USERSYNC' + ambari_cluster_url = str(base_url) + '/api/v1/clusters/' + str(cluster_name) + ambari_service_url = str(ambari_cluster_url) + '/services' + hdp_dir = os.path.join('/usr', 'hdp') + hdp_current_dir = os.path.join(hdp_dir, 'current') + hdp_version = get_hdp_version() + print('Found hdp_version = ' + str(hdp_version)) + hdp_version_dir = os.path.join(hdp_dir, hdp_version) + if function_to_call is not None and len(function_to_call) > 0: + print('Found first argument as : ' + function_to_call) + function_to_call = int(function_to_call) + if function_to_call == 1: + print('Porting ranger admin installation details to ambari.') + port_ranger_admin_installation_to_ambari() + elif function_to_call == 2: + print('Porting ranger User-sync installation details to ambari.') + 
port_ranger_usersync_installation_to_ambari() + elif function_to_call == 3: + print('Porting ranger kms installation details to ambari.') + port_ranger_kms_installation_to_ambari() + elif function_to_call == 4: + print('Porting ranger hdfs plugin details to ambari.') + port_ranger_hdfs_plugin_to_ambari() + elif function_to_call == 5: + print('Porting ranger yarn plugin details to ambari.') + port_ranger_yarn_plugin_to_ambari() + elif function_to_call == 6: + print('Porting ranger Hive plugin details to ambari.') + port_ranger_hive_plugin_to_ambari() + elif function_to_call == 7: + print('Porting ranger Hbase plugin details to ambari.') + port_ranger_hbase_plugin_to_ambari() + elif function_to_call == 8: + print('Porting ranger Knox plugin details to ambari.') + port_ranger_knox_plugin_to_ambari() + elif function_to_call == 9: + print('Porting ranger Storm plugin details to ambari.') + port_ranger_storm_plugin_to_ambari() + elif function_to_call == 10: + print('Porting ranger Kafka plugin details to ambari.') + port_ranger_kafka_plugin_to_ambari() + else: + print ('Unsupported option passed for installation, please pass proper supported option') + + else: + print('Usage :' + '\n python import_ranger_to_ambari.py {install option eg. 1} { ambari server url (eg. http://100.100.100.100:8080) } {ambari server username password (eg. demo_user:demo_pass) } {cluster name (eg. ambari_cluster)} {FQDN of host having Ranger Admin or Ranger Usersync or plugins installe (eg. ambari.server.com)} ' + '\n Actual call will be like : python ranger_port_script.py 1 http://100.100.100.100:8080 demo_user:demo_pass ambari_cluster ambari.server.com' + '\n Pass first parameter as 1 for Ranger integration with Ambari.' + '\n Pass first parameter as 2 for Ranger User-sync integration with Ambari.' + '\n Pass first parameter as 3 for Ranger KMS integration with Ambari.' + '\n Pass first parameter as 4 for Ranger Hdfs Plugin integration with Ambari.' 
+ '\n Pass first parameter as 5 for Ranger Yarn Plugin integration with Ambari.' + '\n Pass first parameter as 6 for Ranger Hive Plugin integration with Ambari.' + '\n Pass first parameter as 7 for Ranger Hbase Plugin integration with Ambari.' + '\n Pass first parameter as 8 for Ranger Knox Plugin integration with Ambari.' + '\n Pass first parameter as 9 for Ranger Storm Plugin integration with Ambari.' + '\n Pass first parameter as 10 for Ranger Kafka Plugin integration with Ambari.') + + sys.exit(0) + diff --git a/migration-util/ambari2.1-hdp2.3-ranger0.50/bin/ranger_admin_install.properties b/migration-util/ambari2.1-hdp2.3-ranger0.50/bin/ranger_admin_install.properties new file mode 100755 index 00000000000..f892a602dac --- /dev/null +++ b/migration-util/ambari2.1-hdp2.3-ranger0.50/bin/ranger_admin_install.properties 
@@ -0,0 +1,33 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#
+# This file provides list of deployment variables for the Policy Manager Web Application to be migrated to Ambari server
+#
+
+# Below are the mandatory parameters, required to be filled in by the user.
+
+#
+# DB password for the DB admin user-id
+#
+# For example:
+# db_root_user=root
+# db_root_user=SYS
+#
+# Mandatory properties for migration to be filled by user prior to migration.
+# db_root_user = needs to be updated by user before running the migration script.
+# db_root_password = needs to be updated by user before running the migration script.
+db_root_user=
+db_root_password=
diff --git a/migration-util/ambari2.1-hdp2.3-ranger0.50/doc/README.TXT b/migration-util/ambari2.1-hdp2.3-ranger0.50/doc/README.TXT
new file mode 100755
index 00000000000..bd56e8deb06
--- /dev/null
+++ b/migration-util/ambari2.1-hdp2.3-ranger0.50/doc/README.TXT
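Review bot: `db_root_password=` asks the operator to put the DB admin credential in a clear-text properties file, and the file is added with mode 100755, so once filled in it is readable by every local user and is executable for no reason. The header comment should say how to protect it, e.g. `# Restrict this file (chmod 600) once db_root_password is filled in; it holds the DB admin credential in clear text.`, and the mode should be 100644 rather than 100755. The README hunk that follows could state the same in its Pre Install section.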
@@ -0,0 +1,78 @@ +Utility to Migrate Ranger Config into Ambari-2.1.0 (from a previous manual install of Ranger service and plugins) +----------------------------------------------------------------------------- + +Pre-requisites: +---------------- + * Ambari Server (2.1.0) installed on one of the host of the cluster. + * Ranger service is manually installed outside Ambari. + * If user had Ambari 1.7.0 installed or Ambari 2.0.0, Ambari needs to be upgraded to 2.1.0, before this script is run. + * HDP 2.3 Components should be installed. + * Ranger service is expected to be up and running. + * Whichever component plugin needs to imported, that component should be up and running in Ambari server. + * Whichever component plugin needs to be imported, that plugin needs to be installed as well as enabled independently by the user outside Ambari. + * The installation folder paths for each component is as follows : + * For Ranger Admin service: /usr/hdp//ranger-admin + * For Ranger Usersync service: /usr/hdp//ranger-usersync + * For Ranger Hbase plugin: /usr/hdp//ranger-hbase-plugin + * For Ranger Hdfs plugin: /usr/hdp//ranger-hdfs-plugin + * For Ranger Hive plugin: /usr/hdp//ranger-hive-plugin + * For Ranger Knox plugin: /usr/hdp//ranger-knox-plugin + * For Ranger Storm plugin: /usr/hdp//ranger-storm-plugin + +Pre Install: +------------ + * Please take a backup of existing ranger DB and configurations, in case required. + * Please take a backup of existing ambari DB and configurations, in case required. + * You must have an existing MySQL Server, Oracle Server, or Postgres database instance running to be used by Ranger. + * Ensure that the access for the DB Admin user (root in case of MySQL or SYS in case of Oracle) is enabled in DB server from any host. + * Execute the following command on the Ambari Server host. 
+ * Replace database-type with mysql or oracle and /jdbc/driver/path based on the location of the MySQL or Oracle JDBC driver: + + ambari-server setup --jdbc-db={database-type} --jdbc-driver={/jdbc/driver/path} + +Steps to Add Ranger in a Ambari HDP cluster: +-------------------------------------------- + * In order to know about usage of the script, Execute the command: + python import_ranger_to_ambari.py + * Migration script locates the existing config in post-install properties files used by the service. + * This script will collect required configs from the independently installed Ranger service configurations + and after verification from the user, post it to the specified Ambari Server. + * Set appropriate values in the _install.properties template file, only if required. + For Ranger Admin service, ranger_admin_install.properties + * For script to use proper values, mandatory properties to be filled by user are as follows : + 1) During Ranger_Admin installation migration db_root_username and db_root_password are mandatory, + which can be set in the ranger_admin_install.properties + +To import Ranger (Admin and User-Sync) service and plugins we need to run the python script using command line as shown below, +with valid input parameters, from the host where specific Ranger component has been installed / enabled : + +python import_ranger_to_ambari.py {install option} {ambari server url} {ambari server admin username:password} {cluster name} {FQDN of host having Ranger Admin or Ranger Usersync or plugins installed} + +for example the actual command will be as : + +python import_ranger_to_ambari.py 1 http://100.100.100.100:8080 admin:admin ambari_cluster rangerambari-feb09-rhel6-mp-sec-6.cs1cloud.internal + +First parameter (install option) is to mention the service type to be ported to Ambari that is, + 1 for adding Ranger service and Ranger Admin component to Ambari. + 2 for adding Ranger User sync component to Ambari. 
+ 3 for adding Ranger KMS component to Ambari. + 4 to import Ranger Hdfs Plugin configs to Ambari. + 5 to import Ranger Yarn Plugin configs to Ambari. + 6 to import Ranger Hive Plugin configs to Ambari. + 7 to import Ranger Hbase Plugin configs to Ambari. + 8 to import Ranger Knox Plugin configs to Ambari. + 9 to import Ranger Storm Plugin configs to Ambari. + 10 to import Ranger Storm Plugin configs to Ambari. + + * After running the script with first parameter as 1, Ranger service should be visible as Ambari service and Ranger-Admin should be visible. + * After running with 2 Ranger-Usersync should also be visible as its component, like-wise for the respective plugins. + * After executing the script with options 3 to 8 - please visit Ambari UI and restart the individual component, after the UI reflects the changes. + +Debugging: +---------- + * Make sure to back up the ranger config and DB prior to running the scripts. + * It is possible that the service-components may be added to Ambari but the installation may fail. In that case, look for the logs from Ambari-UI. + * If any of the pre-requisite is not met this might happen, in that case, try installation from Ambari-UI itself. + * If the services are configured and not started it may show up as Install Pending, reinstall both Admin and User-sync from Ambari UI, and then start the services. + * In case if the services are installed and in stopped state, restart them from Ambari-UI. + From 67e845a3bf4c704c647457f7a0404a3e3a7551a2 Mon Sep 17 00:00:00 2001 From: Gautam Borad Date: Fri, 7 Aug 2015 12:19:11 +0530 Subject: [PATCH 032/202] RANGER-588 : Take care of Ranger KMS installation even if java is not in PATH Signed-off-by: Velmurugan Periasamy --- kms/scripts/db_setup.py | 23 +---------------------- kms/scripts/dba_script.py | 26 ++------------------------ 2 files changed, 3 insertions(+), 46 deletions(-) mode change 100644 => 100755 kms/scripts/db_setup.py mode change 100644 => 100755 kms/scripts/dba_script.py 
diff --git a/kms/scripts/db_setup.py b/kms/scripts/db_setup.py old mode 100644 new mode 100755 index 61940cca3ce..5e2f9506a99 --- a/kms/scripts/db_setup.py +++ b/kms/scripts/db_setup.py @@ -72,31 +72,10 @@ def populate_global_dict(): key , value = each_line.strip().split("=",1) key = key.strip() if 'PASSWORD' in key: - jceks_file_path = os.path.join(RANGER_KMS_HOME, 'jceks','ranger_db.jceks') - statuscode,value = call_keystore(library_path,key,'',jceks_file_path,'get') - if statuscode == 1: - value = '' + value = '' value = value.strip() globalDict[key] = value -def call_keystore(libpath,aliasKey,aliasValue , filepath,getorcreate): - finalLibPath = libpath.replace('\\','/').replace('//','/') - finalFilePath = 'jceks://file/'+filepath.replace('\\','/').replace('//','/') - if getorcreate == 'create': - commandtorun = ['java', '-cp', finalLibPath, 'org.apache.ranger.credentialapi.buildks' ,'create', aliasKey, '-value', aliasValue, '-provider',finalFilePath] - p = Popen(commandtorun,stdin=PIPE, stdout=PIPE, stderr=PIPE) - output, error = p.communicate() - statuscode = p.returncode - return statuscode - elif getorcreate == 'get': - commandtorun = ['java', '-cp', finalLibPath, 'org.apache.ranger.credentialapi.buildks' ,'get', aliasKey, '-provider',finalFilePath] - p = Popen(commandtorun,stdin=PIPE, stdout=PIPE, stderr=PIPE) - output, error = p.communicate() - statuscode = p.returncode - return statuscode, output - else: - print 'proper command not received for input need get or create' - class BaseDB(object): def check_connection(self, db_name, db_user, db_password): diff --git a/kms/scripts/dba_script.py b/kms/scripts/dba_script.py old mode 100644 new mode 100755 index 03e0a19e193..b2aa80a550d --- a/kms/scripts/dba_script.py +++ b/kms/scripts/dba_script.py 
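Review bot: The new `value = ''` branch blanks every key containing `PASSWORD` unconditionally, so `globalDict` never carries a DB password even when `install.properties` supplies one; unless a later step fills it in from another source (not visible in this hunk), the connection check runs with an empty password. The same replacement is made in `populate_global_dict` of kms/scripts/dba_script.py in the next file. A comment on the branch saying where the password now comes from would make the intent explicit, e.g. `# passwords are never read from install.properties; supplied via <PASSWORD_SOURCE placeholder> at runtime`. `populate_global_dict` starts outside the hunk.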
@@ -37,25 +37,6 @@ elif os_name == "WINDOWS": RANGER_KMS_HOME = os.getenv("RANGER_KMS_HOME") -def call_keystore(libpath,aliasKey,aliasValue , filepath,getorcreate): - finalLibPath = libpath.replace('\\','/').replace('//','/') - finalFilePath = 'jceks://file/'+filepath.replace('\\','/').replace('//','/') - if getorcreate == 'create': - commandtorun = ['java', '-cp', finalLibPath, 'org.apache.ranger.credentialapi.buildks' ,'create', aliasKey, '-value', aliasValue, '-provider',finalFilePath] - p = Popen(commandtorun,stdin=PIPE, stdout=PIPE, stderr=PIPE) - output, error = p.communicate() - statuscode = p.returncode - return statuscode - elif getorcreate == 'get': - commandtorun = ['java', '-cp', finalLibPath, 'org.apache.ranger.credentialapi.buildks' ,'get', aliasKey, '-provider',finalFilePath] - p = Popen(commandtorun,stdin=PIPE, stdout=PIPE, stderr=PIPE) - output, error = p.communicate() - statuscode = p.returncode - return statuscode, output - else: - print 'proper command not received for input need get or create' - - def check_output(query): if os_name == "LINUX": p = subprocess.Popen(shlex.split(query), stdout=subprocess.PIPE) @@ -83,17 +64,14 @@ def populate_global_dict(): elif os_name == "WINDOWS": read_config_file = open(os.path.join(RANGER_KMS_HOME,'bin','install_config.properties')) library_path = os.path.join(RANGER_KMS_HOME,"cred","lib","*") - read_config_file = open(os.path.join(RANGER_KMS_HOME,'install.properties')) + read_config_file = open(os.path.join(RANGER_KMS_HOME,'install.properties')) for each_line in read_config_file.read().split('\n') : if len(each_line) == 0 : continue if re.search('=', each_line): key , value = each_line.strip().split("=",1) key = key.strip() if 'PASSWORD' in key: - jceks_file_path = os.path.join(RANGER_KMS_HOME, 'jceks','ranger_db.jceks') - statuscode,value = call_keystore(library_path,key,'',jceks_file_path,'get') - if statuscode == 1: - value = '' + value = '' value = value.strip() globalDict[key] = value 
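Review bot: `library_path = os.path.join(RANGER_KMS_HOME,"cred","lib","*")` in the second hunk is now dead code, since its only consumer `call_keystore` is removed in the first hunk, so that context line can go as well. In the same hunk the WINDOWS branch opens `install_config.properties` and the very next statement rebinds `read_config_file` to `install.properties`, leaking the first handle; whether the re-indented `+` line was meant to sit inside the `elif` cannot be told from the hunk. Neither file object is ever closed, so `with open(...) as read_config_file:` around the loop would bound the handle in both branches. `populate_global_dict` starts outside the hunk.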
From 7e2677b7d65bdb20fb5113c13b5f2fc0bf2d363e Mon Sep 17 00:00:00 2001
From: rmani
Date: Tue, 28 Jul 2015 10:54:49 -0700
Subject: [PATCH 033/202] BUG-41359 : UserSync process performance issue due to user group cache inconsistency
---
 .../ranger/unixusersync/model/XUserInfo.java | 21 +++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/model/XUserInfo.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/model/XUserInfo.java
index 5a59fc7b6a6..ca228188e12 100644
--- a/ugsync/src/main/java/org/apache/ranger/unixusersync/model/XUserInfo.java
+++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/model/XUserInfo.java
@@ -27,7 +27,8 @@ public class XUserInfo {
 private String name ;
 private String description ;
- private List groups = new ArrayList() ;
+ private List groupNameList = new ArrayList() ;
+ private List groupIdList = new ArrayList() ;
 public String getId() {
 return id;
@@ -48,8 +49,24 @@ public void setDescription(String description) {
 this.description = description;
 }
+ public void setGroupNameList(List groupNameList) {
+ this.groupNameList = groupNameList;
+ }
+
+ public List getGroupNameList() {
+ return groupNameList;
+ }
+
+ public List getGroupIdList() {
+ return groupIdList;
+ }
+
+ public void setGroupIdList(List groupIdList) {
+ this.groupIdList = groupIdList;
+ }
+
 public List getGroups() {
- return groups;
+ return groupNameList;
 }
 }
From 9e0f2da6476f9bb34d5a6310e8614ed0b096f250 Mon Sep 17 00:00:00 2001
From: Alok Lal
Date: Fri, 12 Jun 2015 16:29:04 -0700
Subject: [PATCH 034/202] RANGER-551 Policy Validation: If resource levels are not valid for any hierarchy then checks about missing mandatory levels should be skipped
Signed-off-by: Madhan Neethiraj
---
 .../validation/RangerPolicyValidator.java | 38 +++++++++----------
 1 file changed, 19 insertions(+), 19 deletions(-)
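Review bot: `setGroupNameList` and `setGroupIdList` store the caller's list by reference, and the getters (including the retained `getGroups()`, which now aliases `groupNameList`) hand that same list back, so any caller that keeps mutating its list silently changes the cached XUserInfo — exactly the cache inconsistency the commit title describes. Copying on the way in, `this.groupNameList = new ArrayList<>(groupNameList);` (and the same for `groupIdList`), and returning an unmodifiable view on the way out makes the cached state independent of callers. A null argument to either setter also makes `getGroups()` return null where the field initializer promised an empty list; either reject null or substitute an empty list.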
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java index d27b6671c39..84f750db4ac 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java 
@@ -322,26 +322,26 @@ boolean isValidResourceNames(final RangerPolicy policy, final ListUDF or DB->TBL->COL hierarchy. - * However, if both UDF and TBL were required then we can detect that policy does not specify mandatory levels for any of the candidate hierarchies. - */ - Set> validHierarchies = filterHierarchies_mandatoryResourcesSpecifiedInPolicy(policyResources, candidateHierarchies, defHelper); - if (validHierarchies.isEmpty()) { - failures.add(new ValidationFailureDetailsBuilder() - .field("resources") - .subField("missing mandatory") - .isSemanticallyIncorrect() - .becauseOf("policy is missing required resources. Mandatory fields of potential hierarchies are: " + toStringHierarchies_mandatory(candidateHierarchies, defHelper)) - .build()); - valid = false; - } else { - if (LOG.isDebugEnabled()) { - LOG.debug("isValidResourceNames: Found hierarchies with all mandatory fields specified: " + toStringHierarchies_mandatory(validHierarchies, defHelper)); + /* + * Among the candidate hierarchies there should be at least one for which policy specifies all of the mandatory resources. Note that there could be multiple + * hierarchies that meet that criteria, e.g. a hive policy that specified only DB. It is not clear if it belongs to DB->UDF or DB->TBL->COL hierarchy. + * However, if both UDF and TBL were required then we can detect that policy does not specify mandatory levels for any of the candidate hierarchies. + */ + Set> validHierarchies = filterHierarchies_mandatoryResourcesSpecifiedInPolicy(policyResources, candidateHierarchies, defHelper); + if (validHierarchies.isEmpty()) { + failures.add(new ValidationFailureDetailsBuilder() + .field("resources") + .subField("missing mandatory") + .isSemanticallyIncorrect() + .becauseOf("policy is missing required resources. 
Mandatory fields of potential hierarchies are: " + toStringHierarchies_mandatory(candidateHierarchies, defHelper)) + .build()); + valid = false; + } else { + if (LOG.isDebugEnabled()) { + LOG.debug("isValidResourceNames: Found hierarchies with all mandatory fields specified: " + toStringHierarchies_mandatory(validHierarchies, defHelper)); + } } } } From 6087c375a45b17226002019aa2c0c40779558c25 Mon Sep 17 00:00:00 2001 From: Alok Lal Date: Thu, 18 Jun 2015 15:30:51 -0700 Subject: [PATCH 035/202] RANGER-560 Policy validation: user friendly error messages about validation failures Signed-off-by: Madhan Neethiraj --- .../validation/RangerPolicyValidator.java | 265 ++++++++++++++---- .../model/validation/RangerValidator.java | 42 ++- .../validation/ValidationFailureDetails.java | 38 ++- .../ValidationFailureDetailsBuilder.java | 19 +- .../validation/TestRangerPolicyValidator.java | 22 +- .../TestValidationFailureDetails.java | 39 +++ 6 files changed, 345 insertions(+), 80 deletions(-) create mode 100644 agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestValidationFailureDetails.java diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java index 84f750db4ac..88170490ee9 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java @@ -19,11 +19,7 @@ package org.apache.ranger.plugin.model.validation; -import java.util.ArrayList; -import java.util.HashSet; -import java.util.List; -import java.util.Map; -import java.util.Set; +import java.util.*; import org.apache.commons.collections.CollectionUtils; import org.apache.commons.lang.StringUtils; 
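Review bot: The explicit `java.util` imports are collapsed into `import java.util.*;`, which the neighbouring `org.apache.commons` imports in this file do not do; a wildcard import hides which types are in use and invites ambiguity when another imported package contributes a same-named class. Keep the explicit list (`ArrayList`, `HashSet`, `List`, `Map`, `Set`) and add only the new types the message tables further down actually need.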
@@ -75,15 +71,18 @@ boolean isValid(Long id, Action action, List failures) boolean valid = true; if (action != Action.DELETE) { - failures.add(new ValidationFailureDetailsBuilder() + failures.add(new RangerPolicyValidationErrorBuilder() .isAnInternalError() - .becauseOf("isValid(Long) is only supported for DELETE") + .becauseOf("method signature isValid(Long) is only supported for DELETE") + .errorCode(ErrorCode.InternalError_InvalidMethodInvocation) .build()); valid = false; } else if (id == null) { - failures.add(new ValidationFailureDetailsBuilder() + failures.add(new RangerPolicyValidationErrorBuilder() + .becauseOf("policy id was null/missing") .field("id") .isMissing() + .errorCode(ErrorCode.Missing_PolicyId_Delete) .build()); valid = false; } else if (getPolicy(id) == null) { 
@@ -110,10 +109,11 @@ boolean isValid(RangerPolicy policy, Action action, boolean isAdmin, List policies = getPolicies(serviceName, policyName); if (CollectionUtils.isNotEmpty(policies)) { if (policies.size() > 1) { - failures.add(new ValidationFailureDetailsBuilder() + failures.add(new RangerPolicyValidationErrorBuilder() + .field("name") .isAnInternalError() .becauseOf("multiple policies found with the name[" + policyName + "]") + .errorCode(ErrorCode.InternalError_Data_MultiplePoliciesSameName) .build()); valid = false; } else if (action == Action.CREATE) { // size == 1 - failures.add(new ValidationFailureDetailsBuilder() - .field("name") + failures.add(new RangerPolicyValidationErrorBuilder() + .field("policy name") .isSemanticallyIncorrect() - .becauseOf("policy already exists with name[" + policyName + "]; its id is[" + policies.iterator().next().getId() + "]") + .becauseOf("A policy already exists with name[" + policyName + "] for service[" + serviceName + "]; its id is[" + policies.iterator().next().getId() + "]") + .errorCode(ErrorCode.Duplicate_PolicyName_Create) .build()); valid = false; } else if (!policies.iterator().next().getId().equals(id)) { // size == 1 && action == UPDATE - failures.add(new ValidationFailureDetailsBuilder() + failures.add(new RangerPolicyValidationErrorBuilder() .field("id/name") .isSemanticallyIncorrect() + .errorCode(ErrorCode.Duplicate_PolicyName_Update) .becauseOf("id/name conflict: another policy already exists with name[" + policyName + "], its id is[" + policies.iterator().next().getId() + "]") .build()); valid = false; 
@@ -177,19 +184,21 @@ boolean isValid(RangerPolicy policy, Action action, boolean isAdmin, List 1 || !matchedPolicy.getId().equals(policy.getId())))) { - failures.add(new ValidationFailureDetailsBuilder() + String message = String.format("another policy[%s] with matching resources[%s] exists for service[%s]!", + matchedPolicy.getName(), matchedPolicy.getResources(), policy.getService()); + failures.add(new RangerPolicyValidationErrorBuilder() .field("resources") .isSemanticallyIncorrect() - .becauseOf("found another policy[" + matchedPolicy.getName() + "] with matching resources[" + matchedPolicy.getResources() + "]!") + .becauseOf(message) + .errorCode(ErrorCode.Duplicate_PolicyResource) .build()); valid = false; } @@ -312,12 +328,14 @@ boolean isValidResourceNames(final RangerPolicy policy, final List> candidateHierarchies = filterHierarchies_hierarchyHasAllPolicyResources(policyResources, hierarchies, defHelper); if (candidateHierarchies.isEmpty()) { // let's build a helpful message for user - failures.add(new ValidationFailureDetailsBuilder() - .field("resources") + String message = String.format("policy resources %s are not compatible with any resource hierarchy for service def[%s]! Valid hierarchies are: %s", + policyResources.toString(), serviceDef.getName(), toStringHierarchies_all(hierarchies, defHelper)); + failures.add(new RangerPolicyValidationErrorBuilder() + .field("policy resources") .subField("incompatible") .isSemanticallyIncorrect() - .becauseOf(String.format("policy resources [%s] were incompatible with all the hierarchies for this service defs! Valid hierarchies are: %s", - policyResources.toString(), toStringHierarchies_all(hierarchies, defHelper))) + .becauseOf(message) + .errorCode(ErrorCode.Invalid_PolicyResource_NoCompatibleHierarchy) .build()); valid = false; } else { 
@@ -331,11 +349,12 @@ boolean isValidResourceNames(final RangerPolicy policy, final List> validHierarchies = filterHierarchies_mandatoryResourcesSpecifiedInPolicy(policyResources, candidateHierarchies, defHelper); if (validHierarchies.isEmpty()) { - failures.add(new ValidationFailureDetailsBuilder() - .field("resources") + failures.add(new RangerPolicyValidationErrorBuilder() + .field("policy resources") .subField("missing mandatory") .isSemanticallyIncorrect() - .becauseOf("policy is missing required resources. Mandatory fields of potential hierarchies are: " + toStringHierarchies_mandatory(candidateHierarchies, defHelper)) + .errorCode(ErrorCode.Invalid_PolicyResource_MissingMandatory) + .becauseOf("policy is missing required resources. Mandatory resources of potential hierarchies are: " + toStringHierarchies_mandatory(candidateHierarchies, defHelper)) .build()); valid = false; } else { @@ -438,16 +457,18 @@ boolean isValidResourceFlags(final Map inputPolicy Map policyResources = getPolicyResourceWithLowerCaseKeys(inputPolicyResources); for (RangerResourceDef resourceDef : resourceDefs) { if (resourceDef == null) { - failures.add(new ValidationFailureDetailsBuilder() + failures.add(new RangerPolicyValidationErrorBuilder() .field("resource-def") .isAnInternalError() + .errorCode(ErrorCode.InternalError_Data_NullResourceDef) .becauseOf("a resource-def on resource def collection of service-def[" + serviceDefName + "] was null") .build()); valid = false; } else if (StringUtils.isBlank(resourceDef.getName())) { - failures.add(new ValidationFailureDetailsBuilder() + failures.add(new RangerPolicyValidationErrorBuilder() .field("resource-def-name") .isAnInternalError() + .errorCode(ErrorCode.InternalError_Data_NullResourceDefName) .becauseOf("name of a resource-def on resource def collection of service-def[" + serviceDefName + "] was null") .build()); valid = false; 
@@ -462,31 +483,34 @@ boolean isValidResourceFlags(final Map inputPolicy boolean excludesSupported = Boolean.TRUE.equals(resourceDef.getExcludesSupported()); // could be null boolean policyResourceIsExcludes = Boolean.TRUE.equals(policyResource.getIsExcludes()); // could be null if (policyResourceIsExcludes && !excludesSupported) { - failures.add(new ValidationFailureDetailsBuilder() + failures.add(new RangerPolicyValidationErrorBuilder() .field("isExcludes") .subField(resourceName) .isSemanticallyIncorrect() + .errorCode(ErrorCode.Invalid_Excludes_NotSupported) .becauseOf("isExcludes specified as [" + policyResourceIsExcludes + "] for resource [" + resourceName + "] which doesn't support isExcludes") .build()); valid = false; } if (policyResourceIsExcludes && !isAdmin) { - failures.add(new ValidationFailureDetailsBuilder() + failures.add(new RangerPolicyValidationErrorBuilder() .field("isExcludes") .subField("isAdmin") .isSemanticallyIncorrect() .becauseOf("isExcludes specified as [" + policyResourceIsExcludes + "] for resource [" + resourceName + "]. Insufficient permissions to create excludes policy.") + .errorCode(ErrorCode.Invalid_Excludes_RequiresAdmin) .build()); valid = false; } boolean recursiveSupported = Boolean.TRUE.equals(resourceDef.getRecursiveSupported()); boolean policyIsRecursive = Boolean.TRUE.equals(policyResource.getIsRecursive()); if (policyIsRecursive && !recursiveSupported) { - failures.add(new ValidationFailureDetailsBuilder() + failures.add(new RangerPolicyValidationErrorBuilder() .field("isRecursive") .subField(resourceName) .isSemanticallyIncorrect() .becauseOf("isRecursive specified as [" + policyIsRecursive + "] for resource [" + resourceName + "] which doesn't support isRecursive") + .errorCode(ErrorCode.Invalid_Recursive_NotSupported) .build()); valid = false; } 
@@ -517,11 +541,14 @@ boolean isValidResourceValues(Map resourceMap, Lis if (StringUtils.isBlank(aValue)) { LOG.debug("resource value was blank"); } else if (!aValue.matches(regEx)) { - failures.add(new ValidationFailureDetailsBuilder() + String message = String.format("Value[%s] of resource[%s] does not conform to the validation regex[%s] defined on the service-def[%s]", aValue, name, regEx, serviceDef.getName()); + LOG.debug(message); + failures.add(new RangerPolicyValidationErrorBuilder() .field("resource-values") .subField(name) .isSemanticallyIncorrect() - .becauseOf("resources value[" + aValue + "] does not match validation regex[" + regEx + "] defined on service-def[" + serviceDef.getName() + "]") + .becauseOf(message) + .errorCode(ErrorCode.Invalid_ResourceValue_RegEx) .build()); valid = false; } @@ -546,10 +573,11 @@ boolean isValidPolicyItems(List policyItems, List accesses, List accessTypes = getAccessTypes(serviceDef); for (RangerPolicyItemAccess access : accesses) { if (access == null) { - failures.add(new ValidationFailureDetailsBuilder() + failures.add(new RangerPolicyValidationErrorBuilder() .field("policy item access") .isMissing() .becauseOf("policy items access object was null") + .errorCode(ErrorCode.InternalError_Data_NullPolicyItemAccess) .build()); valid = false; } else { 
@@ -650,19 +681,21 @@ boolean isValidPolicyItemAccess(RangerPolicyItemAccess access, List _TemplateId2Template = createMap(MessageTemplateData); + + static int[][] ErrorCode2MessageTemplateData = new int[][] { + { ErrorCode.InternalError_InvalidMethodInvocation, MessageId.InternalError}, + { ErrorCode.Missing_PolicyId_Delete, MessageId.MissingField}, + { ErrorCode.Missing_PolicyObject, MessageId.InternalError}, + { ErrorCode.Missing_PolicyId_Update, MessageId.MissingField}, + { ErrorCode.Invalid_PolicyId, MessageId.InvalidField}, + { ErrorCode.Missing_PolicyName, MessageId.MissingField}, + { ErrorCode.InternalError_Data_MultiplePoliciesSameName, MessageId.InternalError_BadData}, + { ErrorCode.Duplicate_PolicyName_Create, MessageId.DuplicateValue}, + { ErrorCode.Duplicate_PolicyName_Update, MessageId.DuplicateValue}, + { ErrorCode.Missing_ServiceName, MessageId.MissingField}, + { ErrorCode.Invalid_ServiceName, MessageId.InvalidField}, + { ErrorCode.Missing_PolicyItems, MessageId.MissingField}, + { ErrorCode.InternalError_Data_MissingServiceDef, MessageId.InternalError_BadData}, + { ErrorCode.Duplicate_PolicyResource, MessageId.DuplicateValue}, + { ErrorCode.Invalid_PolicyResource_NoCompatibleHierarchy, MessageId.InvalidField}, + { ErrorCode.Invalid_PolicyResource_MissingMandatory, MessageId.MissingField}, + { ErrorCode.InternalError_Data_NullResourceDef, MessageId.InternalError_BadData}, + { ErrorCode.InternalError_Data_NullResourceDefName, MessageId.InternalError_BadData}, + { ErrorCode.Invalid_Excludes_NotSupported, MessageId.InvalidField}, + { ErrorCode.Invalid_Excludes_RequiresAdmin, MessageId.InvalidField}, + { ErrorCode.Invalid_Recursive_NotSupported, MessageId.InvalidField}, + { ErrorCode.Invalid_ResourceValue_RegEx, MessageId.InvalidField}, + { ErrorCode.InternalError_Data_NullPolicyItem, MessageId.InternalError_BadData}, + { ErrorCode.Missing_PolicyItemAccesses, MessageId.MissingField}, + { ErrorCode.Missing_PolicyItemUserGroup, MessageId.MissingField}, + { 
ErrorCode.InternalError_Data_NullPolicyItemAccess, MessageId.InternalError_BadData}, + { ErrorCode.Missing_PolicyItemAccessType, MessageId.MissingField}, + { ErrorCode.Invalid_PolicyItemAccessType, MessageId.InvalidField}, + { ErrorCode.Invalid_PolicyItemAccessType_Deny, MessageId.InvalidField}, + + }; + static final Map _ErrorCode2MessageTemplate = createMap(ErrorCode2MessageTemplateData); + } diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerValidator.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerValidator.java index 3246138db6f..381864d14cd 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerValidator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerValidator.java @@ -106,9 +106,10 @@ String serializeFailures(List failures) { LOG.warn("serializeFailures: called while list of failures is null/empty!"); } else { StringBuilder builder = new StringBuilder(); - for (ValidationFailureDetails aFailure : failures) { - builder.append(aFailure.toString()); - builder.append(";"); + for (int i = 0; i < failures.size(); i++) { + builder.append(String.format("(%d)", i)); + builder.append(failures.get(i).toString()); + builder.append(" "); } message = builder.toString(); } 
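Review bot: `static int[][] ErrorCode2MessageTemplateData` (and, judging by the `createMap(MessageTemplateData)` call just above it, presumably `MessageTemplateData` too) is a non-final, non-private static array, so any code in the package can rewrite the rows the error-code lookup is built from; the derived maps are `static final` but `createMap` returns a plain HashMap, so their contents are mutable as well. Declare the source arrays `private static final` and wrap the results, `static final Map<Integer, Integer> _ErrorCode2MessageTemplate = Collections.unmodifiableMap(createMap(ErrorCode2MessageTemplateData));`. The rendering of this hunk lost the text between the `@@ -650,19 +681,21 @@` header and the table, so the enclosing hunk boundary cannot be confirmed here.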
@@ -651,4 +652,39 @@ Set getEnumValues(RangerEnumDef enumDef) { return result; } + static Map createMap(int[][] data) { + Map result = new HashMap<>(); + if (data != null) { + for (int[] row : data) { + Integer key = row[0]; + Integer value = row[1]; + if (result.containsKey(key)) { + LOG.warn("createMap: Internal error: duplicate key: multiple rows found for [" + key + "]. Skipped"); + } else { + result.put(key, value); + } + } + } + return result; + } + + static Map createMap(Object[][] data) { + Map result = new HashMap<>(); + if (data != null) { + for (Object[] row : data) { + Integer key = (Integer)row[0]; + String value = (String)row[1]; + if (key == null) { + LOG.warn("createMap: error converting key[" + row[0] + "] to Integer! Sipped!"); + } else if (StringUtils.isEmpty(value)) { + LOG.warn("createMap: empty/null value. Skipped!"); + } else if (result.containsKey(key)) { + LOG.warn("createMap: Internal error: duplicate key. Multiple rows found for [" + key + "]. Skipped"); + } else { + result.put(key, value); + } + } + } + return result; + } } diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/ValidationFailureDetails.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/ValidationFailureDetails.java index 015203a0d8f..64e7e507480 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/ValidationFailureDetails.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/ValidationFailureDetails.java 
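Review bot: In `createMap(Object[][])` the cast `(Integer)row[0]` executes before the `key == null` check, so a row whose key is not an `Integer` fails with `ClassCastException` instead of reaching the warning that check was written for; test the type first, `if (!(row[0] instanceof Integer)) { LOG.warn("createMap: key [" + row[0] + "] is not an Integer. Skipped!"); continue; }` (which also fixes the `Sipped!` typo). Both overloads index `row[0]` and `row[1]` without checking `row.length`, so a malformed static table dies with `ArrayIndexOutOfBoundsException` rather than a descriptive warning. Because these tables are compile-time constants, a duplicate key is a programming error, and skipping it with a warning means one error code silently keeps the wrong message for every API user who triggers it; throwing `IllegalStateException` from the duplicate branch would surface the defect at class-load time instead.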
@@ -19,18 +19,27 @@ package org.apache.ranger.plugin.model.validation; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; + import java.util.Objects; +import java.util.regex.Matcher; +import java.util.regex.Pattern; public class ValidationFailureDetails { + private static final Log LOG = LogFactory.getLog(ValidationFailureDetails.class); + final String _fieldName; final String _subFieldName; final boolean _missing; final boolean _semanticError; final boolean _internalError; final String _reason; - - public ValidationFailureDetails(String fieldName, String subFieldName, boolean missing, boolean semanticError, boolean internalError, String reason) { + final int _errorCode; + + public ValidationFailureDetails(int errorCode, String fieldName, String subFieldName, boolean missing, boolean semanticError, boolean internalError, String reason) { + _errorCode = errorCode; _missing = missing; _semanticError = semanticError; _internalError = internalError; @@ -39,6 +48,11 @@ public ValidationFailureDetails(String fieldName, String subFieldName, boolean m _reason = reason; } + // TODO - legacy signature remove after all 3 are ported over to new message framework + public ValidationFailureDetails(String fieldName, String subFieldName, boolean missing, boolean semanticError, boolean internalError, String reason) { + this(-1, fieldName, subFieldName, missing, semanticError, internalError, reason); + } + public String getFieldName() { return _fieldName; } 
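Review bot: The `-1` in the legacy constructor's delegation `this(-1, fieldName, subFieldName, …)` is an undocumented sentinel meaning "no error code assigned"; since `_errorCode` now takes part in `equals`/`hashCode`, callers need something to compare against, so name it, `static final int NO_ERROR_CODE = -1;`, and say in the constructor comment that legacy failures carry that value. `java.util.regex.Matcher` is imported here but nothing in the file uses it. The TODO on the legacy constructor should name the three validators it refers to (presumably service, service-def and policy) so the removal condition is checkable.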
@@ -61,18 +75,29 @@ String getType() { public String getSubFieldName() { return _subFieldName; } - + + // matches "{blah}", "{{blah}", "{ }" and yields variables names like "blah", "{blah", " ", etc. for substitution + static final Pattern _Pattern = Pattern.compile("\\{([^\\}]+)\\}"); + + public String substituteVariables(String template) { + return template.replace("{field}", _fieldName == null ? "" : _fieldName) + .replace("{sub-field}", _subFieldName == null ? "" : _subFieldName) + .replace("{reason}", _reason == null ? "" : _reason); + } + + // TODO legacy implementation. Remove when all @Override public String toString() { + LOG.debug("ValidationFailureDetails.toString()"); return String.format("Field[%s]%s is %s: reason[%s]", _fieldName, _subFieldName == null ? "" : ", subField[" + _subFieldName + "]", getType(), _reason); } - + @Override public int hashCode() { - return Objects.hash(_fieldName, _subFieldName, _missing, _semanticError, _internalError, _reason); + return Objects.hash(_fieldName, _subFieldName, _missing, _semanticError, _internalError, _reason, _errorCode); } @Override @@ -86,6 +111,7 @@ public boolean equals(Object obj) { Objects.equals(_reason, that._reason) && _internalError == that._internalError && _missing == that._missing && - _semanticError == that._semanticError; + _semanticError == that._semanticError && + _errorCode == that._errorCode; } } diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/ValidationFailureDetailsBuilder.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/ValidationFailureDetailsBuilder.java index 3a57341581a..ab67f1f1659 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/ValidationFailureDetailsBuilder.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/ValidationFailureDetailsBuilder.java 
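Review bot: `_Pattern` is compiled but never used; `substituteVariables` is implemented with three sequential `String.replace` calls, so either the regex and its comment are dead code or the method was meant to go through the pattern. If the regex route is taken, do the substitution in one pass with `Matcher.appendReplacement(sb, Matcher.quoteReplacement(value))`, which also removes the ordering subtlety of the current code: a `_fieldName` or `_subFieldName` that itself contains `{sub-field}` or `{reason}` is expanded a second time by the later `replace` calls (only the last value, `_reason`, is safe from this). `LOG.debug("ValidationFailureDetails.toString()")` is unconditional and carries no information; guard it with `LOG.isDebugEnabled()` or drop it. The enclosing class continues outside this hunk.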
@@ -20,13 +20,14 @@ package org.apache.ranger.plugin.model.validation; public class ValidationFailureDetailsBuilder { - private String _fieldName; - private boolean _missing; - private boolean _semanticError; - private String _reason; - private String _subFieldName; - private boolean _internalError; - + protected String _fieldName; + protected boolean _missing; + protected boolean _semanticError; + protected String _reason; + protected String _subFieldName; + protected boolean _internalError; + protected int _errorCode; + ValidationFailureDetailsBuilder becauseOf(String aReason) { _reason = aReason; return this; @@ -61,4 +62,8 @@ ValidationFailureDetailsBuilder isAnInternalError() { return this; } + ValidationFailureDetailsBuilder errorCode(int errorCode) { + _errorCode = errorCode; + return this; + } } diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java b/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java index 6236d71c663..e0f3b0e2c22 100644 --- a/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java +++ b/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java @@ -341,7 +341,7 @@ public final void testIsValid_failures() throws Exception { filter.setParam(SearchFilter.SERVICE_NAME, "service-name"); filter.setParam(SearchFilter.POLICY_NAME, "policy-name"); when(_store.getPolicies(filter)).thenReturn(existingPolicies); - checkFailure_isValid(Action.CREATE, "semantic", "name"); + checkFailure_isValid(Action.CREATE, "semantic", "policy name"); // update : does not exist for id when(_policy.getId()).thenReturn(7L); 
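Review bot: `protected int _errorCode;` defaults to `0`, while the legacy `ValidationFailureDetails` constructor maps failures built without a code to `-1`; since `equals`/`hashCode` now include `_errorCode`, the same failure built through this builder without `.errorCode(...)` and built through the legacy constructor compare unequal, which will surprise any test or de-duplication that compares failures. Initialise the builder with the same sentinel, `protected int _errorCode = -1;`, or better a shared named constant. The change from `private` to `protected` is presumably for the per-validator subclasses introduced in later commits; a one-line comment saying the fields are exposed for subclass builders would make that intent explicit.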
@@ -374,11 +374,11 @@ public final void testIsValid_failures() throws Exception { for (boolean isAdmin : new boolean[] { true, false }) { when(_policy.getService()).thenReturn(null); _failures.clear(); assertFalse(_validator.isValid(_policy, action, isAdmin, _failures)); - _utils.checkFailureForMissingValue(_failures, "service"); + _utils.checkFailureForMissingValue(_failures, "service name"); when(_policy.getService()).thenReturn(""); _failures.clear(); assertFalse(_validator.isValid(_policy, action, isAdmin, _failures)); - _utils.checkFailureForMissingValue(_failures, "service"); + _utils.checkFailureForMissingValue(_failures, "service name"); } } @@ -389,19 +389,19 @@ public final void testIsValid_failures() throws Exception { for (boolean isAdmin : new boolean[] { true, false }) { when(_policy.getService()).thenReturn(null); _failures.clear(); assertFalse(_validator.isValid(_policy, action, isAdmin, _failures)); - _utils.checkFailureForMissingValue(_failures, "service"); + _utils.checkFailureForMissingValue(_failures, "service name"); when(_policy.getService()).thenReturn(null); _failures.clear(); assertFalse(_validator.isValid(_policy, action, isAdmin, _failures)); - _utils.checkFailureForMissingValue(_failures, "service"); + _utils.checkFailureForMissingValue(_failures, "service name"); when(_policy.getService()).thenReturn("service-name"); _failures.clear(); assertFalse(_validator.isValid(_policy, action, isAdmin, _failures)); - _utils.checkFailureForSemanticError(_failures, "service"); + _utils.checkFailureForSemanticError(_failures, "service name"); when(_policy.getService()).thenReturn("another-service-name"); _failures.clear(); assertFalse(_validator.isValid(_policy, action, isAdmin, _failures)); - _utils.checkFailureForSemanticError(_failures, "service"); + _utils.checkFailureForSemanticError(_failures, "service name"); } } 
@@ -475,7 +475,7 @@ public final void testIsValid_failures() throws Exception { for (Action action : cu) { for (boolean isAdmin : new boolean[] { true, false }) { _failures.clear(); assertFalse(_validator.isValid(_policy, action, isAdmin, _failures)); - _utils.checkFailureForSemanticError(_failures, "resources"); + _utils.checkFailureForSemanticError(_failures, "policy resources"); } } } 
@@ -766,19 +766,19 @@ public final void test_isValidResourceNames_failures() { Map policyResources = _utils.createPolicyResourceMap(policyResourceMap_bad); when(_policy.getResources()).thenReturn(policyResources); assertFalse("Missing required resource and unknown resource", _validator.isValidResourceNames(_policy, _failures, _serviceDef)); - _utils.checkFailureForSemanticError(_failures, "resources"); + _utils.checkFailureForSemanticError(_failures, "policy resources"); // another bad resource map that straddles multiple hierarchies policyResources = _utils.createPolicyResourceMap(policyResourceMap_bad_multiple_hierarchies); when(_policy.getResources()).thenReturn(policyResources); _failures.clear(); assertFalse("Policy with resources for multiple hierarchies", _validator.isValidResourceNames(_policy, _failures, _serviceDef)); - _utils.checkFailureForSemanticError(_failures, "resources", "incompatible"); + _utils.checkFailureForSemanticError(_failures, "policy resources", "incompatible"); // another bad policy resource map that could match multiple hierarchies but is short on mandatory resources for all of those matches policyResources = _utils.createPolicyResourceMap(policyResourceMap_bad_multiple_hierarchies_missing_mandatory); when(_policy.getResources()).thenReturn(policyResources); _failures.clear(); assertFalse("Policy with resources for multiple hierarchies missing mandatory resources for all pontential matches", _validator.isValidResourceNames(_policy, _failures, _serviceDef)); - _utils.checkFailureForSemanticError(_failures, "resources", "missing mandatory"); + _utils.checkFailureForSemanticError(_failures, "policy resources", "missing mandatory"); } diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestValidationFailureDetails.java b/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestValidationFailureDetails.java new file mode 100644 index 00000000000..0a758d11949 --- /dev/null 
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestValidationFailureDetails.java @@ -0,0 +1,39 @@ +package org.apache.ranger.plugin.model.validation; + +import junit.framework.TestCase; +import org.junit.Test; + +import java.util.regex.Matcher; +import java.util.regex.Pattern; + +import static org.junit.Assert.assertEquals; + +/** + * Created by alal on 6/17/15. + */ +public class TestValidationFailureDetails { + + @Test + public void test1() { + String[] templates = new String[] { + "The {field}, was missing and sub-field {sub-field} was mssing, too. Validation failed due to {reason}", // pattern at end. + "{field}, was missing and sub-field {sub-field} was mssing, too. Validation failed due to {reason}.", // pattern at start but not end. + "The {field}, was missing and sub-field {sub-field} was mssing, too. Validation failed due to {missing}.", // unknown substitute + "Template does not have field, but had {sub-field} along with a {reason} and a sprious field named {missing}.", // unknown substitute + }; + + ValidationFailureDetails failureDetails = new ValidationFailureDetails("id", "subType", false, false, false, "foo-bar"); + + String[] results = new String[] { + "The id, was missing and sub-field subType was mssing, too. Validation failed due to foo-bar", // pattern at end. + "id, was missing and sub-field subType was mssing, too. Validation failed due to foo-bar.", // pattern at start but not end. + "The id, was missing and sub-field subType was mssing, too. Validation failed due to {missing}.", // unknown substitute + "Template does not have field, but had subType along with a foo-bar and a sprious field named {missing}.", // unknown substitute + }; + + for (int i = 0; i < templates.length; i++) { + String result = failureDetails.substituteVariables(templates[i]); + assertEquals(results[i], result); + } + } +} \ No newline at end of file From 7a6f88a7be29e6ea32bb468c8a67e9fb11e10d7b Mon Sep 17 00:00:00 2001 
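Review bot: `junit.framework.TestCase`, `java.util.regex.Matcher` and `java.util.regex.Pattern` are imported but never used; the class is a JUnit 4 test driven by `@Test`, so the JUnit 3 import in particular should go. The fixture never exercises a substituted value that itself contains a placeholder (for example field `"{reason}"`), which is exactly the case where the sequential `replace` calls in `substituteVariables` differ from a single-pass substitution, so add one template/result pair for it. `test1` says nothing about what is covered; `testSubstituteVariables_knownAndUnknownPlaceholders` would. The expected strings copy the typos `mssing` and `sprious` from the templates, which is harmless but worth fixing in both arrays.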
From: Alok Lal Date: Tue, 28 Jul 2015 23:22:31 -0700 Subject: [PATCH 036/202] RANGER-560 Apache license added to test file Signed-off-by: Madhan Neethiraj --- .../TestValidationFailureDetails.java | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestValidationFailureDetails.java b/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestValidationFailureDetails.java index 0a758d11949..cf929c69c6b 100644 --- a/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestValidationFailureDetails.java +++ b/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestValidationFailureDetails.java @@ -1,3 +1,22 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + package org.apache.ranger.plugin.model.validation; import junit.framework.TestCase; From 5fa82cba71a49b27a43e06a8dbcbcc9bd831627a Mon Sep 17 00:00:00 2001 
From: Alok Lal Date: Thu, 30 Jul 2015 15:33:42 -0700 Subject: [PATCH 037/202] RANGER-584 User friendly error messages for service validation error failures --- .../plugin/errors/ValidationErrorCode.java | 76 +++++++++ .../validation/RangerServiceValidator.java | 159 +++++++++++------- .../errors/TestValidationErrorCode.java | 72 ++++++++ .../TestValidationFailureDetails.java | 3 - 4 files changed, 248 insertions(+), 62 deletions(-) create mode 100644 agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java create mode 100644 agents-common/src/test/java/org/apache/ranger/plugin/errors/TestValidationErrorCode.java diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java b/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java new file mode 100644 index 00000000000..77d16f5c0a9 --- /dev/null +++ b/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java 
@@ -0,0 +1,76 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.errors;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import java.text.MessageFormat;
+import java.util.Arrays;
+
+public enum ValidationErrorCode {
+
+ SERVICE_VALIDATION_ERR_UNSUPPORTED_ACTION(1001, "Internal error: unsupported action[{0}]; isValid(Long) is only supported for DELETE"),
+ SERVICE_VALIDATION_ERR_MISSING_FIELD(1002, "Internal error: missing field[{0}]"),
+ SERVICE_VALIDATION_ERR_NULL_SERVICE_OBJECT(1003, "Internal error: service object passed in was null"),
+ SERVICE_VALIDATION_ERR_EMPTY_SERVICE_ID(1004, "Internal error: service id was null/empty/blank"),
+ SERVICE_VALIDATION_ERR_INVALID_SERVICE_ID(1005, "No service found for id [{0}]"),
+ SERVICE_VALIDATION_ERR_INVALID_SERVICE_NAME(1006, "Service name[{0}] was null/empty/blank"),
+ SERVICE_VALIDATION_ERR_SERVICE_NAME_CONFICT(1007, "service with the name[{0}] already exists"),
+ SERVICE_VALIDATION_ERR_ID_NAME_CONFLICT(1008, "id/name conflict: another service already exists with name[{0}], its id is [{1}]"),
+ SERVICE_VALIDATION_ERR_MISSING_SERVICE_DEF(1009, "service def [{0}] was 
null/empty/blank"), + SERVICE_VALIDATION_ERR_INVALID_SERVICE_DEF(1010, "service def named[{0}] not found"), + SERVICE_VALIDATION_ERR_REQUIRED_PARM_MISSING(1011, "required configuration parameter is missing; missing parameters: {0}"), + ; + + + private static final Log LOG = LogFactory.getLog(ValidationErrorCode.class); + + final int _errorCode; + final String _template; + + ValidationErrorCode(int errorCode, String template) { + _errorCode = errorCode; + _template = template; + } + + public String getMessage(Object... items) { + if (LOG.isDebugEnabled()) { + LOG.debug(String.format("<== ValidationErrorCode.getMessage(%s)", Arrays.toString(items))); + } + + MessageFormat mf = new MessageFormat(_template); + String result = mf.format(items); + + if (LOG.isDebugEnabled()) { + LOG.debug(String.format("<== ValidationErrorCode.getMessage(%s): %s", Arrays.toString(items), result)); + } + return result; + } + + public int getErrorCode() { + return _errorCode; + } + + @Override + public String toString() { + return String.format("Code: %d, template: %s", _errorCode, _template); + } +} diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceValidator.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceValidator.java index 615e385f28f..3cfaa3e7771 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceValidator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceValidator.java @@ -26,6 +26,7 @@ import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; +import org.apache.ranger.plugin.errors.ValidationErrorCode; import org.apache.ranger.plugin.model.RangerService; import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.store.ServiceStore; 
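Review bot: `getMessage` formats through `MessageFormat`, so a numeric argument is rendered with the default locale's grouping: `SERVICE_VALIDATION_ERR_INVALID_SERVICE_ID.getMessage(1234L)` produces `No service found for id [1,234]` under an English locale and something else under another, which makes the id in the message wrong to copy and the text locale-dependent. Either declare the id placeholders as `{0,number,#}` in the templates or pass `String.valueOf(id)` at the call sites, and build the formatter with `new MessageFormat(_template, Locale.ROOT)` so output does not vary with the JVM locale. `MessageFormat` also treats a single quote as an escape character, so a future template containing an apostrophe must write it as `''`; a comment on `_template` saying templates are MessageFormat patterns would prevent that surprise. The entry trace uses `<==`, the same marker as the exit trace; the first log should read `==> ValidationErrorCode.getMessage(...)`.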
@@ -67,16 +68,21 @@ boolean isValid(Long id, Action action, List failures) boolean valid = true; if (action != Action.DELETE) { - failures.add(new ValidationFailureDetailsBuilder() - .isAnInternalError() - .becauseOf("unsupported action[" + action + "]; isValid(Long) is only supported for DELETE") - .build()); + ValidationErrorCode error = ValidationErrorCode.SERVICE_VALIDATION_ERR_UNSUPPORTED_ACTION; + failures.add(new RangerServiceValidationErrorBuilder() + .isAnInternalError() + .errorCode(error.getErrorCode()) + .becauseOf(error.getMessage(action)) + .build()); valid = false; } else if (id == null) { - failures.add(new ValidationFailureDetailsBuilder() - .field("id") - .isMissing() - .build()); + ValidationErrorCode error = ValidationErrorCode.SERVICE_VALIDATION_ERR_MISSING_FIELD; + failures.add(new RangerServiceValidationErrorBuilder() + .field("id") + .isMissing() + .errorCode(error.getErrorCode()) + .becauseOf(error.getMessage(id)) + .build()); valid = false; } else if (getService(id) == null) { if (LOG.isDebugEnabled()) { @@ -100,32 +106,34 @@ boolean isValid(RangerService service, Action action, List inputParameters = getServiceConfigParameters(service); Set missingParameters = Sets.difference(reqiredParameters, inputParameters); if (!missingParameters.isEmpty()) { - failures.add(new ValidationFailureDetailsBuilder() - .field("configuration") - .subField(missingParameters.iterator().next()) // we return any one parameter! - .isMissing() - .becauseOf("required configuration parameter is missing; missing parameters: " + missingParameters) - .build()); + ValidationErrorCode error = ValidationErrorCode.SERVICE_VALIDATION_ERR_REQUIRED_PARM_MISSING; + failures.add(new RangerServiceValidationErrorBuilder() + .field("configuration") + .subField(missingParameters.iterator().next()) // we return any one parameter! + .isMissing() + .errorCode(error.getErrorCode()) + .becauseOf(error.getMessage(missingParameters)) + .build()); valid = false; } } 
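Review bot: In the `id == null` branch, `error.getMessage(id)` hands the null id to `SERVICE_VALIDATION_ERR_MISSING_FIELD`, whose template is `Internal error: missing field[{0}]`, so the reason reads `missing field[null]`; the placeholder expects the field name, which this branch already gives to `.field("id")`: `.becauseOf(error.getMessage("id"))`. In the missing-parameter branch, `.subField(missingParameters.iterator().next())` still reports a single arbitrary parameter while the reason now lists all of them, so the `// we return any one parameter!` comment should say the full list is in the reason text. `isValid(Long, Action, List)` continues outside this hunk, so the `getService(id) == null` branch was not checked.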
@@ -201,4 +219,27 @@ boolean isValid(RangerService service, Action action, List may = ImmutableSet.copyOf(ValidationErrorCode.values()); + + // set of enums that must not hvae any subsequent placeholders in it + Set mustNot = new HashSet(); + + for (int i = 0; i < 5; i++) { + String token = String.format("{%d", i); + // check which ones should not have anymore substition varabile placehoders in them, {0}, {1}, etc. + for (ValidationErrorCode anEnum : may) { + if (!anEnum._template.contains(token)) { + // if template does not have {1} then it surely must not have {2}, {3}, etc. + mustNot.add(anEnum); + } + } + // check for incorrectly numbers substition variable placeholders + for (ValidationErrorCode anEnum : mustNot) { + assertFalse(anEnum.toString() + ": contains " + token + ". Check for wongly numberd substition variable placeholders.", + anEnum._template.contains(token)); + } + } + } +} \ No newline at end of file diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestValidationFailureDetails.java b/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestValidationFailureDetails.java index cf929c69c6b..815d41c0b03 100644 --- a/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestValidationFailureDetails.java +++ b/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestValidationFailureDetails.java @@ -27,9 +27,6 @@ import static org.junit.Assert.assertEquals; -/** - * Created by alal on 6/17/15. - */ public class TestValidationFailureDetails { @Test From eab51d41acca8d47dfef32fb8da1946844bec745 Mon Sep 17 00:00:00 2001 
From: Alok Lal Date: Mon, 3 Aug 2015 12:50:39 -0700 Subject: [PATCH 038/202] RANGER-593 User friendly error messages for service def validation error failures --- .../plugin/errors/ValidationErrorCode.java | 24 ++- .../validation/RangerServiceDefValidator.java | 180 ++++++++++++------ .../errors/TestValidationErrorCode.java | 14 ++ 3 files changed, 155 insertions(+), 63 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java b/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java index 77d16f5c0a9..c40efc92840 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java @@ -26,7 +26,7 @@ import java.util.Arrays; public enum ValidationErrorCode { - + // SERVICE VALIDATION SERVICE_VALIDATION_ERR_UNSUPPORTED_ACTION(1001, "Internal error: unsupported action[{0}]; isValid(Long) is only supported for DELETE"), SERVICE_VALIDATION_ERR_MISSING_FIELD(1002, "Internal error: missing field[{0}]"), SERVICE_VALIDATION_ERR_NULL_SERVICE_OBJECT(1003, "Internal error: service object passed in was null"), 
@@ -38,6 +38,28 @@ public enum ValidationErrorCode { SERVICE_VALIDATION_ERR_MISSING_SERVICE_DEF(1009, "service def [{0}] was null/empty/blank"), SERVICE_VALIDATION_ERR_INVALID_SERVICE_DEF(1010, "service def named[{0}] not found"), SERVICE_VALIDATION_ERR_REQUIRED_PARM_MISSING(1011, "required configuration parameter is missing; missing parameters: {0}"), + + // SERVICE-DEF VALIDATION + SERVICE_DEF_VALIDATION_ERR_UNSUPPORTED_ACTION(2001, "Internal error: unsupported action[{0}]; isValid(Long) is only supported for DELETE"), + SERVICE_DEF_VALIDATION_ERR_MISSING_FIELD(2002, "Internal error: missing field[{0}]"), + SERVICE_DEF_VALIDATION_ERR_NULL_SERVICE_DEF_OBJECT(2003, "Internal error: service def object passed in was null"), + SERVICE_DEF_VALIDATION_ERR_EMPTY_SERVICE_DEF_ID(2004, "Internal error: service def id was null/empty/blank"), + SERVICE_DEF_VALIDATION_ERR_INVALID_SERVICE_DEF_ID(2005, "No service def found for id [{0}]"), + SERVICE_DEF_VALIDATION_ERR_INVALID_SERVICE_DEF_NAME(2006, "Service def name[{0}] was null/empty/blank"), + SERVICE_DEF_VALIDATION_ERR_SERVICE_DEF_NAME_CONFICT(2007, "service def with the name[{0}] already exists"), + SERVICE_DEF_VALIDATION_ERR_ID_NAME_CONFLICT(2008, "id/name conflict: another service def already exists with name[{0}], its id is [{1}]"), + SERVICE_DEF_VALIDATION_ERR_IMPLIED_GRANT_UNKNOWN_ACCESS_TYPE(2009, "implied grant[{0}] contains an unknown access types[{1}]"), + SERVICE_DEF_VALIDATION_ERR_IMPLIED_GRANT_IMPLIES_ITSELF(2010, "implied grants list [{0}] for access type[{1}] contains itself"), + SERVICE_DEF_VALIDATION_ERR_POLICY_CONDITION_NULL_EVALUATOR(2011, "evaluator on policy condition definition[{0}] was null/empty!"), + SERVICE_DEF_VALIDATION_ERR_CONFIG_DEF_UNKNOWN_ENUM(2012, "subtype[{0}] of service def config[{1}] was not among defined enums[{2}]"), + SERVICE_DEF_VALIDATION_ERR_CONFIG_DEF_UNKNOWN_ENUM_VALUE(2013, "default value[{0}] of service def config[{1}] was not among the valid values[{2}] of enums[{3}]"), + 
SERVICE_DEF_VALIDATION_ERR_CONFIG_DEF_MISSING_TYPE(2014, "type of service def config[{0}] was null/empty"), + SERVICE_DEF_VALIDATION_ERR_CONFIG_DEF_INVALID_TYPE(2015, "type[{0}] of service def config[{1}] is not among valid types: {2}"), + SERVICE_DEF_VALIDATION_ERR_RESOURCE_GRAPH_INVALID(2016, "Resource graph implied by various resources, e.g. parent value is invalid. Valid graph must forest (union of disjoint trees)."), + SERVICE_DEF_VALIDATION_ERR_ENUM_DEF_NULL_OBJECT(2017, "Internal error: An enum def in enums collection is null"), + SERVICE_DEF_VALIDATION_ERR_ENUM_DEF_NO_VALUES(2018, "enum [{0}] does not have any elements"), + SERVICE_DEF_VALIDATION_ERR_ENUM_DEF_INVALID_DEFAULT_INDEX(2019, "default index[{0}] for enum [{1}] is invalid"), + SERVICE_DEF_VALIDATION_ERR_ENUM_DEF_NULL_ENUM_ELEMENT(2020, "An enum element in enum element collection of enum [{0}] is null"), ; diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefValidator.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefValidator.java index 32d0f1a1f53..75372c22462 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefValidator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefValidator.java @@ -31,6 +31,7 @@ import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; +import org.apache.ranger.plugin.errors.ValidationErrorCode; import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.model.RangerServiceDef.RangerAccessTypeDef; import org.apache.ranger.plugin.model.RangerServiceDef.RangerEnumDef; 
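Review bot: Two constants carry a misspelling in their public name, `SERVICE_VALIDATION_ERR_SERVICE_NAME_CONFICT` (1007) and the new `SERVICE_DEF_VALIDATION_ERR_SERVICE_DEF_NAME_CONFICT` (2007); once validators reference them, renaming is an API change, so correct both to `..._CONFLICT` now, matching `..._ID_NAME_CONFLICT`. The user-facing template for 2016 is ungrammatical, `Valid graph must forest (union of disjoint trees).`, and should read `A valid graph must be a forest (a union of disjoint trees).`; 2009's `contains an unknown access types[{1}]` should drop the article. A comment at the top of the enum recording the code ranges (1xxx service, 2xxx service-def, presumably 3xxx policy) would keep the numbering discipline that the uniqueness test relies on.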
@@ -78,15 +79,20 @@ boolean isValid(final Long id, final Action action, final List accessTypeDefs, final boolean valid = true; if (CollectionUtils.isEmpty(accessTypeDefs)) { - failures.add(new ValidationFailureDetailsBuilder() + ValidationErrorCode error = ValidationErrorCode.SERVICE_DEF_VALIDATION_ERR_MISSING_FIELD; + failures.add(new RangerServiceDefValidationErrorBuilder() .field("access types") .isMissing() - .becauseOf("access types collection was null/empty") + .errorCode(error.getErrorCode()) + .becauseOf(error.getMessage("access types")) .build()); valid = false; } else { 
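Review bot: An empty `accessTypeDefs` collection on a submitted service def is a caller error, yet it is reported through `SERVICE_DEF_VALIDATION_ERR_MISSING_FIELD`, whose template starts with `Internal error:`; an API user reading that will look for a server bug instead of fixing the request. Add a dedicated code, for example `SERVICE_DEF_VALIDATION_ERR_MISSING_ACCESS_TYPES(…, "access types collection was null/empty")`, reusing the wording of the removed `becauseOf` line, and keep `..._MISSING_FIELD` for genuinely internal omissions. Part of this hunk was lost in rendering (the `isValid(Long, …)` header runs straight into `isValidAccessTypes`), so the earlier branches could not be reviewed; `isValidAccessTypes` continues outside the hunk.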
@@ -248,22 +262,26 @@ boolean isValidAccessTypes(final List accessTypeDefs, final Collection impliedGrants = getImpliedGrants(def); Set unknownAccessTypes = Sets.difference(Sets.newHashSet(impliedGrants), accessNames); if (!unknownAccessTypes.isEmpty()) { - failures.add(new ValidationFailureDetailsBuilder() + ValidationErrorCode error = ValidationErrorCode.SERVICE_DEF_VALIDATION_ERR_IMPLIED_GRANT_UNKNOWN_ACCESS_TYPE; + failures.add(new RangerServiceDefValidationErrorBuilder() .field("implied grants") .subField(unknownAccessTypes.iterator().next()) // we return just on item here. Message has all unknow items .isSemanticallyIncorrect() - .becauseOf("implied grant[" + impliedGrants + "] contains an unknown access types[" + unknownAccessTypes + "]") + .errorCode(error.getErrorCode()) + .becauseOf(error.getMessage(impliedGrants, unknownAccessTypes)) .build()); valid = false; } // implied grant should not imply itself! String name = def.getName(); // note: this name could be null/blank/empty! if (impliedGrants.contains(name)) { - failures.add(new ValidationFailureDetailsBuilder() + ValidationErrorCode error = ValidationErrorCode.SERVICE_DEF_VALIDATION_ERR_IMPLIED_GRANT_IMPLIES_ITSELF; + failures.add(new RangerServiceDefValidationErrorBuilder() .field("implied grants") .subField(name) .isSemanticallyIncorrect() - .becauseOf("implied grants list [" + impliedGrants + "] for access type[" + name + "] contains itself") + .errorCode(error.getErrorCode()) + .becauseOf(error.getMessage(impliedGrants, name)) .build()); valid = false; } 
@@ -292,13 +310,13 @@ boolean isValidPolicyConditions(List policyConditions, String name = conditionDef.getName(); valid = isUnique(name, names, "policy condition def name", "policy condition defs", failures) && valid; if (StringUtils.isBlank(conditionDef.getEvaluator())) { - String reason = String.format("evaluator on policy condition definition[%s] was null/empty!", name); - LOG.debug(reason); - failures.add(new ValidationFailureDetailsBuilder() + ValidationErrorCode error = ValidationErrorCode.SERVICE_DEF_VALIDATION_ERR_POLICY_CONDITION_NULL_EVALUATOR; + failures.add(new RangerServiceDefValidationErrorBuilder() .field("policy condition def evaluator") .subField(name) .isMissing() - .becauseOf(reason) + .errorCode(error.getErrorCode()) + .becauseOf(error.getMessage(name)) .build()); valid = false; } @@ -355,12 +373,13 @@ boolean isValidConfigOfEnumType(RangerServiceConfigDef configDef, List enumValues = getEnumValues(enumDef); if (!enumValues.contains(defaultValue)) { - String reason = String.format("default value[%s] of service def config[%s] was not among the valid values[%s] of enums[%s]", defaultValue, configName, enumValues, subType); - failures.add(new ValidationFailureDetailsBuilder() - .field("config def default value") - .subField(configName) - .isSemanticallyIncorrect() - .becauseOf(reason) - .build()); + ValidationErrorCode error = ValidationErrorCode.SERVICE_DEF_VALIDATION_ERR_CONFIG_DEF_UNKNOWN_ENUM_VALUE; + failures.add(new RangerServiceDefValidationErrorBuilder() + .field("config def default value") + .subField(configName) + .isSemanticallyIncorrect() + .errorCode(error.getErrorCode()) + .becauseOf(error.getMessage(defaultValue, configName, enumValues, subType)) + .build()); valid = false; } } 
@@ -397,21 +417,23 @@ boolean isValidConfigType(String type, String configName, List validTypes = ImmutableSet.of("bool", "enum", "int", "string", "password", "path"); if (StringUtils.isBlank(type)) { - String reason = String.format("type of service def config[%s] was null/empty", configName); - failures.add(new ValidationFailureDetailsBuilder() + ValidationErrorCode error = ValidationErrorCode.SERVICE_DEF_VALIDATION_ERR_CONFIG_DEF_MISSING_TYPE; + failures.add(new RangerServiceDefValidationErrorBuilder() .field("config def type") .subField(configName) .isMissing() - .becauseOf(reason) + .errorCode(error.getErrorCode()) + .becauseOf(error.getMessage(configName)) .build()); valid = false; } else if (!validTypes.contains(type)) { - String reason = String.format("type[%s] of service def config[%s] is not among valid types: %s", type, configName, validTypes); - failures.add(new ValidationFailureDetailsBuilder() + ValidationErrorCode error = ValidationErrorCode.SERVICE_DEF_VALIDATION_ERR_CONFIG_DEF_INVALID_TYPE; + failures.add(new RangerServiceDefValidationErrorBuilder() .field("config def type") .subField(configName) .isSemanticallyIncorrect() - .becauseOf(reason) + .errorCode(error.getErrorCode()) + .becauseOf(error.getMessage(type, configName, validTypes)) .build()); valid = false; } @@ -430,11 +452,12 @@ boolean isValidResources(RangerServiceDef serviceDef, List resources = serviceDef.getResources(); if (CollectionUtils.isEmpty(resources)) { - String reason = "service def resources collection was null/empty"; - failures.add(new ValidationFailureDetailsBuilder() + ValidationErrorCode error = ValidationErrorCode.SERVICE_DEF_VALIDATION_ERR_MISSING_FIELD; + failures.add(new RangerServiceDefValidationErrorBuilder() .field("resources") .isMissing() - .becauseOf(reason) + .errorCode(error.getErrorCode()) + .becauseOf(error.getMessage("resources")) .build()); valid = false; } else { 
@@ -463,10 +486,12 @@ boolean isValidResourceGraph(RangerServiceDef serviceDef, List enumDefs, List ids = new HashSet(); for (RangerEnumDef enumDef : enumDefs) { if (enumDef == null) { - failures.add(new ValidationFailureDetailsBuilder() + ValidationErrorCode error = ValidationErrorCode.SERVICE_DEF_VALIDATION_ERR_ENUM_DEF_NULL_OBJECT; + failures.add(new RangerServiceDefValidationErrorBuilder() .field("enum def") .isMissing() - .becauseOf("An enum def in enums collection is null") + .errorCode(error.getErrorCode()) + .becauseOf(error.getMessage()) .build()); valid = false; } else { @@ -511,11 +538,13 @@ boolean isValidEnums(List enumDefs, List enumDefs, List= enumDef.getElements().size()) { // max index is one less than the size of the elements list - failures.add(new ValidationFailureDetailsBuilder() + ValidationErrorCode error = ValidationErrorCode.SERVICE_DEF_VALIDATION_ERR_ENUM_DEF_INVALID_DEFAULT_INDEX; + failures.add(new RangerServiceDefValidationErrorBuilder() .field("enum default index") .subField(enumName) .isSemanticallyIncorrect() - .becauseOf("default index[" + defaultIndex + "] for enum [" + enumName + "] is invalid") + .errorCode(error.getErrorCode()) + .becauseOf(error.getMessage(defaultIndex, enumName)) .build()); valid = false; } @@ -556,11 +587,13 @@ boolean isValidEnumElements(List enumElementsDefs, List ids = new HashSet(); for (RangerEnumElementDef elementDef : enumElementsDefs) { if (elementDef == null) { - failures.add(new ValidationFailureDetailsBuilder() + ValidationErrorCode error = ValidationErrorCode.SERVICE_DEF_VALIDATION_ERR_ENUM_DEF_NULL_ENUM_ELEMENT; + failures.add(new RangerServiceDefValidationErrorBuilder() .field("enum element") .subField(enumName) .isMissing() - .becauseOf("An enum element in enum element collection of enum [" + enumName + "] is null") + .errorCode(error.getErrorCode()) + .becauseOf(error.getMessage(enumName)) .build()); valid = false; } else { 
@@ -575,4 +608,27 @@ boolean isValidEnumElements(List enumElementsDefs, List errorCodes = new HashSet<>(); + for (ValidationErrorCode anEnum : ValidationErrorCode.values()) { + int errorCode = anEnum.getErrorCode(); + // errorCode that we see must not have been seen so far. + assertFalse("ValidationErrorCode: error code [" + errorCode + "] used multiple times!", errorCodes.contains(errorCode)); + errorCodes.add(errorCode); + } + } } \ No newline at end of file From 77e3408e1a72637936690f0ba0cee34c60068be6 Mon Sep 17 00:00:00 2001 From: Alok Lal Date: Tue, 4 Aug 2015 10:38:44 -0700 Subject: [PATCH 039/202] RANGER-594 User friendly error messages for policy validation error failures and unify error processing for all 3 types validations --- .../plugin/errors/ValidationErrorCode.java | 25 ++ .../validation/RangerPolicyValidator.java | 361 ++++++------------ .../validation/RangerServiceDefValidator.java | 67 ++-- .../validation/RangerServiceValidator.java | 45 +-- .../validation/ValidationFailureDetails.java | 21 +- .../ValidationFailureDetailsBuilder.java | 2 +- .../TestValidationFailureDetails.java | 55 --- 7 files changed, 185 insertions(+), 391 deletions(-) delete mode 100644 agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestValidationFailureDetails.java diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java b/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java index c40efc92840..b458394d6aa 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java 
@@ -60,6 +60,31 @@ public enum ValidationErrorCode { SERVICE_DEF_VALIDATION_ERR_ENUM_DEF_NO_VALUES(2018, "enum [{0}] does not have any elements"), SERVICE_DEF_VALIDATION_ERR_ENUM_DEF_INVALID_DEFAULT_INDEX(2019, "default index[{0}] for enum [{1}] is invalid"), SERVICE_DEF_VALIDATION_ERR_ENUM_DEF_NULL_ENUM_ELEMENT(2020, "An enum element in enum element collection of enum [{0}] is null"), + + // POLICY VALIDATION + POLICY_VALIDATION_ERR_UNSUPPORTED_ACTION(3001, "Internal error: method signature isValid(Long) is only supported for DELETE"), + POLICY_VALIDATION_ERR_MISSING_FIELD(3002, "Internal error: missing field[{0}]"), + POLICY_VALIDATION_ERR_NULL_POLICY_OBJECT(3003, "Internal error: policy object passed in was null"), + POLICY_VALIDATION_ERR_INVALID_POLICY_ID(3004, "Invalid policy id provided for update: no policy found for id[{0}]"), + POLICY_VALIDATION_ERR_POLICY_NAME_MULTIPLE_POLICIES_WITH_SAME_NAME(3005, "Internal error: multiple policies found with the name[{0}]"), + POLICY_VALIDATION_ERR_POLICY_NAME_CONFLICT(3006, "id/name conflict: another policy already exists with name[{0}] for service[{1}, its id is[{2}]"), + POLICY_VALIDATION_ERR_INVALID_SERVICE_NAME(3007, "no service found with name[{0}]"), + POLICY_VALIDATION_ERR_MISSING_POLICY_ITEMS(3008, "at least one policy item must be specified if audit isn't enabled"), + POLICY_VALIDATION_ERR_MISSING_SERVICE_DEF(3009, "Internal error: Service def[{0}] of policy's service[{1}] does not exist!"), + POLICY_VALIDATION_ERR_DUPLICATE_POLICY_RESOURCE(3010, "another policy[{0}] with matching resources[{1}] exists for service[{2}]!"), + POLICY_VALIDATION_ERR_INVALID_RESOURCE_NO_COMPATIBLE_HIERARCHY(3011, "policy resources [{0}] are not compatible with any resource hierarchy for service def[{1}]! Valid hierarchies are: {2}"), + POLICY_VALIDATION_ERR_INVALID_RESOURCE_MISSING_MANDATORY(3012, "policy is missing required resources. 
Mandatory resources of potential hierarchies are: {0}"), + POLICY_VALIDATION_ERR_NULL_RESOURCE_DEF(3013, "Internal error: a resource-def on resource def collection of service-def[{0}] was null"), + POLICY_VALIDATION_ERR_MISSING_RESOURCE_DEF_NAME(3014, "Internal error: name of a resource-def on resource def collection of service-def[{0}] was null"), + POLICY_VALIDATION_ERR_EXCLUDES_NOT_SUPPORTED(3015, "isExcludes specified as [{0}] for resource [{1}] which doesn't support isExcludes"), + POLICY_VALIDATION_ERR_EXCLUDES_REQUIRES_ADMIN(3016, "isExcludes specified as [{0}] for resource [{1}]. Insufficient permissions to create excludes policy."), + POLICY_VALIDATION_ERR_RECURSIVE_NOT_SUPPORTED(3017, "isRecursive specified as [{0}] for resource [{1}] which doesn't support isRecursive"), + POLICY_VALIDATION_ERR_INVALID_RESOURCE_VALUE_REGEX(3018, "Value[{0}] of resource[{1}] does not conform to the validation regex[{2}] defined on the service-def[{3}]"), + POLICY_VALIDATION_ERR_NULL_POLICY_ITEM(3019, "policy items object was null"), + POLICY_VALIDATION_ERR_MISSING_USER_AND_GROUPS(3020, "both users and user-groups collections on the policy item were null/empty"), + POLICY_VALIDATION_ERR_NULL_POLICY_ITEM_ACCESS(3021, "policy items access object was null"), + POLICY_VALIDATION_ERR_POLICY_ITEM_ACCESS_TYPE_INVALID(3022, "access type[{0}] not among valid types for service[{1}]"), + POLICY_VALIDATION_ERR_POLICY_ITEM_ACCESS_TYPE_DENY(3023, "access type is set to deny. Currently deny access types are not supported."), ; diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java index 88170490ee9..da817c69996 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java 
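Review bot: Several of the new messages contain a bare apostrophe ("policy's" in 3009, "isn't" in 3008, "doesn't" in 3015 and 3017); if getMessage() formats them with java.text.MessageFormat, as the `{0}`-style placeholders suggest, a single quote opens a quoted section, so the apostrophe is swallowed and any placeholder after it (`{1}` in 3009) is emitted literally instead of substituted. Double them, e.g. `POLICY_VALIDATION_ERR_MISSING_SERVICE_DEF(3009, "Internal error: Service def[{0}] of policy''s service[{1}] does not exist!")`. The 3006 text is also missing the closing bracket after `service[{1}`. The enum body continues outside the hunk.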
@@ -25,6 +25,7 @@ import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; +import org.apache.ranger.plugin.errors.ValidationErrorCode; import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess; @@ -71,19 +72,22 @@ boolean isValid(Long id, Action action, List failures) boolean valid = true; if (action != Action.DELETE) { - failures.add(new RangerPolicyValidationErrorBuilder() + ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_UNSUPPORTED_ACTION; + failures.add(new ValidationFailureDetailsBuilder() .isAnInternalError() - .becauseOf("method signature isValid(Long) is only supported for DELETE") - .errorCode(ErrorCode.InternalError_InvalidMethodInvocation) + .becauseOf(error.getMessage()) + .errorCode(error.getErrorCode()) .build()); valid = false; } else if (id == null) { - failures.add(new RangerPolicyValidationErrorBuilder() - .becauseOf("policy id was null/missing") - .field("id") - .isMissing() - .errorCode(ErrorCode.Missing_PolicyId_Delete) - .build()); + ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_MISSING_FIELD; + failures.add(new ValidationFailureDetailsBuilder() + .becauseOf("policy id was null/missing") + .field("id") + .isMissing() + .errorCode(error.getErrorCode()) + .becauseOf(error.getMessage("id")) + .build()); valid = false; } else if (getPolicy(id) == null) { if (LOG.isDebugEnabled()) { 
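Review bot: In the `id == null` branch the builder receives two `becauseOf(...)` calls, the literal `"policy id was null/missing"` and then `error.getMessage("id")`, so one of them is dead text and the resulting reason depends on which call the builder keeps; drop the literal line and keep only `.becauseOf(error.getMessage("id"))`. Presumably the builder setter simply overwrites, but the duplicate reads as a merge leftover either way. The enclosing isValid(Long, Action, List) continues past the hunk.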
@@ -107,34 +111,33 @@ boolean isValid(RangerPolicy policy, Action action, boolean isAdmin, List policies = getPolicies(serviceName, policyName); if (CollectionUtils.isNotEmpty(policies)) { if (policies.size() > 1) { - failures.add(new RangerPolicyValidationErrorBuilder() + ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_POLICY_NAME_MULTIPLE_POLICIES_WITH_SAME_NAME; + failures.add(new ValidationFailureDetailsBuilder() .field("name") .isAnInternalError() - .becauseOf("multiple policies found with the name[" + policyName + "]") - .errorCode(ErrorCode.InternalError_Data_MultiplePoliciesSameName) + .becauseOf(error.getMessage(policyName)) + .errorCode(error.getErrorCode()) .build()); valid = false; } else if (action == Action.CREATE) { // size == 1 - failures.add(new RangerPolicyValidationErrorBuilder() + ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_POLICY_NAME_CONFLICT; + failures.add(new ValidationFailureDetailsBuilder() .field("policy name") .isSemanticallyIncorrect() - .becauseOf("A policy already exists with name[" + policyName + "] for service[" + serviceName + "]; its id is[" + policies.iterator().next().getId() + "]") - .errorCode(ErrorCode.Duplicate_PolicyName_Create) + .becauseOf(error.getMessage(policyName, serviceName, policies.iterator().next().getId())) + .errorCode(error.getErrorCode()) .build()); valid = false; } else if (!policies.iterator().next().getId().equals(id)) { // size == 1 && action == UPDATE - failures.add(new RangerPolicyValidationErrorBuilder() + ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_POLICY_NAME_CONFLICT; + failures.add(new ValidationFailureDetailsBuilder() .field("id/name") .isSemanticallyIncorrect() - .errorCode(ErrorCode.Duplicate_PolicyName_Update) - .becauseOf("id/name conflict: another policy already exists with name[" + policyName + "], its id is[" + policies.iterator().next().getId() + "]") + .becauseOf(error.getMessage(policyName, serviceName, 
policies.iterator().next().getId())) + .errorCode(error.getErrorCode()) .build()); valid = false; } @@ -184,21 +189,23 @@ boolean isValid(RangerPolicy policy, Action action, boolean isAdmin, List policies = getPoliciesForResourceSignature(policy.getService(), signature); if (CollectionUtils.isNotEmpty(policies)) { + ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_DUPLICATE_POLICY_RESOURCE; RangerPolicy matchedPolicy = policies.iterator().next(); // there shouldn't be a matching policy for create. During update only match should be to itself if (action == Action.CREATE || (action == Action.UPDATE && (policies.size() > 1 || !matchedPolicy.getId().equals(policy.getId())))) { - String message = String.format("another policy[%s] with matching resources[%s] exists for service[%s]!", - matchedPolicy.getName(), matchedPolicy.getResources(), policy.getService()); - failures.add(new RangerPolicyValidationErrorBuilder() - .field("resources") - .isSemanticallyIncorrect() - .becauseOf(message) - .errorCode(ErrorCode.Duplicate_PolicyResource) - .build()); + failures.add(new ValidationFailureDetailsBuilder() + .field("resources") + .isSemanticallyIncorrect() + .becauseOf(error.getMessage(matchedPolicy.getName(), matchedPolicy.getResources(), policy.getService())) + .errorCode(error.getErrorCode()) + .build()); valid = false; } } 
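Review bot: The CREATE and UPDATE name-collision branches now both emit POLICY_VALIDATION_ERR_POLICY_NAME_CONFLICT, whose text begins "id/name conflict", which is misleading for a create request that carries no id, and callers that used to distinguish Duplicate_PolicyName_Create from Duplicate_PolicyName_Update can no longer tell the two apart by code. Consider a separate code for the create case with a message such as `"another policy already exists with name[{0}] for service[{1}]; its id is[{2}]"`. The enclosing isValid(RangerPolicy, ...) runs past both edges of the hunk.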
@@ -327,15 +333,13 @@ boolean isValidResourceNames(final RangerPolicy policy, final List> candidateHierarchies = filterHierarchies_hierarchyHasAllPolicyResources(policyResources, hierarchies, defHelper); if (candidateHierarchies.isEmpty()) { - // let's build a helpful message for user - String message = String.format("policy resources %s are not compatible with any resource hierarchy for service def[%s]! Valid hierarchies are: %s", - policyResources.toString(), serviceDef.getName(), toStringHierarchies_all(hierarchies, defHelper)); - failures.add(new RangerPolicyValidationErrorBuilder() + ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_INVALID_RESOURCE_NO_COMPATIBLE_HIERARCHY; + failures.add(new ValidationFailureDetailsBuilder() .field("policy resources") .subField("incompatible") .isSemanticallyIncorrect() - .becauseOf(message) - .errorCode(ErrorCode.Invalid_PolicyResource_NoCompatibleHierarchy) + .becauseOf(error.getMessage(policyResources.toString(), serviceDef.getName(), toStringHierarchies_all(hierarchies, defHelper))) + .errorCode(error.getErrorCode()) .build()); valid = false; } else { 
@@ -349,12 +353,13 @@ boolean isValidResourceNames(final RangerPolicy policy, final List> validHierarchies = filterHierarchies_mandatoryResourcesSpecifiedInPolicy(policyResources, candidateHierarchies, defHelper); if (validHierarchies.isEmpty()) { - failures.add(new RangerPolicyValidationErrorBuilder() + ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_INVALID_RESOURCE_MISSING_MANDATORY; + failures.add(new ValidationFailureDetailsBuilder() .field("policy resources") .subField("missing mandatory") .isSemanticallyIncorrect() - .errorCode(ErrorCode.Invalid_PolicyResource_MissingMandatory) - .becauseOf("policy is missing required resources. Mandatory resources of potential hierarchies are: " + toStringHierarchies_mandatory(candidateHierarchies, defHelper)) + .becauseOf(error.getMessage(toStringHierarchies_mandatory(candidateHierarchies, defHelper))) + .errorCode(error.getErrorCode()) .build()); valid = false; } else { 
@@ -457,19 +462,21 @@ boolean isValidResourceFlags(final Map inputPolicy Map policyResources = getPolicyResourceWithLowerCaseKeys(inputPolicyResources); for (RangerResourceDef resourceDef : resourceDefs) { if (resourceDef == null) { - failures.add(new RangerPolicyValidationErrorBuilder() + ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_NULL_RESOURCE_DEF; + failures.add(new ValidationFailureDetailsBuilder() .field("resource-def") .isAnInternalError() - .errorCode(ErrorCode.InternalError_Data_NullResourceDef) - .becauseOf("a resource-def on resource def collection of service-def[" + serviceDefName + "] was null") + .becauseOf(error.getMessage(serviceDefName)) + .errorCode(error.getErrorCode()) .build()); valid = false; } else if (StringUtils.isBlank(resourceDef.getName())) { - failures.add(new RangerPolicyValidationErrorBuilder() + ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_MISSING_RESOURCE_DEF_NAME; + failures.add(new ValidationFailureDetailsBuilder() .field("resource-def-name") .isAnInternalError() - .errorCode(ErrorCode.InternalError_Data_NullResourceDefName) - .becauseOf("name of a resource-def on resource def collection of service-def[" + serviceDefName + "] was null") + .becauseOf(error.getMessage(serviceDefName)) + .errorCode(error.getErrorCode()) .build()); valid = false; } else { 
@@ -483,34 +490,37 @@ boolean isValidResourceFlags(final Map inputPolicy boolean excludesSupported = Boolean.TRUE.equals(resourceDef.getExcludesSupported()); // could be null boolean policyResourceIsExcludes = Boolean.TRUE.equals(policyResource.getIsExcludes()); // could be null if (policyResourceIsExcludes && !excludesSupported) { - failures.add(new RangerPolicyValidationErrorBuilder() + ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_EXCLUDES_NOT_SUPPORTED; + failures.add(new ValidationFailureDetailsBuilder() .field("isExcludes") .subField(resourceName) .isSemanticallyIncorrect() - .errorCode(ErrorCode.Invalid_Excludes_NotSupported) - .becauseOf("isExcludes specified as [" + policyResourceIsExcludes + "] for resource [" + resourceName + "] which doesn't support isExcludes") + .becauseOf(error.getMessage(policyResourceIsExcludes, resourceName)) + .errorCode(error.getErrorCode()) .build()); valid = false; } if (policyResourceIsExcludes && !isAdmin) { - failures.add(new RangerPolicyValidationErrorBuilder() + ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_EXCLUDES_REQUIRES_ADMIN; + failures.add(new ValidationFailureDetailsBuilder() .field("isExcludes") .subField("isAdmin") .isSemanticallyIncorrect() - .becauseOf("isExcludes specified as [" + policyResourceIsExcludes + "] for resource [" + resourceName + "]. 
Insufficient permissions to create excludes policy.") - .errorCode(ErrorCode.Invalid_Excludes_RequiresAdmin) + .becauseOf(error.getMessage(policyResourceIsExcludes, resourceName)) + .errorCode(error.getErrorCode()) .build()); valid = false; } boolean recursiveSupported = Boolean.TRUE.equals(resourceDef.getRecursiveSupported()); boolean policyIsRecursive = Boolean.TRUE.equals(policyResource.getIsRecursive()); if (policyIsRecursive && !recursiveSupported) { - failures.add(new RangerPolicyValidationErrorBuilder() + ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_RECURSIVE_NOT_SUPPORTED; + failures.add(new ValidationFailureDetailsBuilder() .field("isRecursive") .subField(resourceName) .isSemanticallyIncorrect() - .becauseOf("isRecursive specified as [" + policyIsRecursive + "] for resource [" + resourceName + "] which doesn't support isRecursive") - .errorCode(ErrorCode.Invalid_Recursive_NotSupported) + .becauseOf(error.getMessage(policyIsRecursive, resourceName)) + .errorCode(error.getErrorCode()) .build()); valid = false; } @@ -541,14 +551,13 @@ boolean isValidResourceValues(Map resourceMap, Lis if (StringUtils.isBlank(aValue)) { LOG.debug("resource value was blank"); } else if (!aValue.matches(regEx)) { - String message = String.format("Value[%s] of resource[%s] does not conform to the validation regex[%s] defined on the service-def[%s]", aValue, name, regEx, serviceDef.getName()); - LOG.debug(message); - failures.add(new RangerPolicyValidationErrorBuilder() + ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_INVALID_RESOURCE_VALUE_REGEX; + failures.add(new ValidationFailureDetailsBuilder() .field("resource-values") .subField(name) .isSemanticallyIncorrect() - .becauseOf(message) - .errorCode(ErrorCode.Invalid_ResourceValue_RegEx) + .becauseOf(error.getMessage(aValue, name, regEx, serviceDef.getName())) + .errorCode(error.getErrorCode()) .build()); valid = false; } 
@@ -573,11 +582,12 @@ boolean isValidPolicyItems(List policyItems, List accesses, List accessTypes = getAccessTypes(serviceDef); for (RangerPolicyItemAccess access : accesses) { if (access == null) { - failures.add(new RangerPolicyValidationErrorBuilder() + ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_NULL_POLICY_ITEM_ACCESS; + failures.add(new ValidationFailureDetailsBuilder() .field("policy item access") .isMissing() - .becauseOf("policy items access object was null") - .errorCode(ErrorCode.InternalError_Data_NullPolicyItemAccess) + .becauseOf(error.getMessage()) + .errorCode(error.getErrorCode()) .build()); valid = false; } else { 
@@ -681,34 +694,33 @@ boolean isValidPolicyItemAccess(RangerPolicyItemAccess access, List _TemplateId2Template = createMap(MessageTemplateData); - - static int[][] ErrorCode2MessageTemplateData = new int[][] { - { ErrorCode.InternalError_InvalidMethodInvocation, MessageId.InternalError}, - { ErrorCode.Missing_PolicyId_Delete, MessageId.MissingField}, - { ErrorCode.Missing_PolicyObject, MessageId.InternalError}, - { ErrorCode.Missing_PolicyId_Update, MessageId.MissingField}, - { ErrorCode.Invalid_PolicyId, MessageId.InvalidField}, - { ErrorCode.Missing_PolicyName, MessageId.MissingField}, - { ErrorCode.InternalError_Data_MultiplePoliciesSameName, MessageId.InternalError_BadData}, - { ErrorCode.Duplicate_PolicyName_Create, MessageId.DuplicateValue}, - { ErrorCode.Duplicate_PolicyName_Update, MessageId.DuplicateValue}, - { ErrorCode.Missing_ServiceName, MessageId.MissingField}, - { ErrorCode.Invalid_ServiceName, MessageId.InvalidField}, - { ErrorCode.Missing_PolicyItems, MessageId.MissingField}, - { ErrorCode.InternalError_Data_MissingServiceDef, MessageId.InternalError_BadData}, - { ErrorCode.Duplicate_PolicyResource, MessageId.DuplicateValue}, - { ErrorCode.Invalid_PolicyResource_NoCompatibleHierarchy, MessageId.InvalidField}, - { ErrorCode.Invalid_PolicyResource_MissingMandatory, MessageId.MissingField}, - { ErrorCode.InternalError_Data_NullResourceDef, MessageId.InternalError_BadData}, - { ErrorCode.InternalError_Data_NullResourceDefName, MessageId.InternalError_BadData}, - { ErrorCode.Invalid_Excludes_NotSupported, MessageId.InvalidField}, - { ErrorCode.Invalid_Excludes_RequiresAdmin, MessageId.InvalidField}, - { ErrorCode.Invalid_Recursive_NotSupported, MessageId.InvalidField}, - { ErrorCode.Invalid_ResourceValue_RegEx, MessageId.InvalidField}, - { ErrorCode.InternalError_Data_NullPolicyItem, MessageId.InternalError_BadData}, - { ErrorCode.Missing_PolicyItemAccesses, MessageId.MissingField}, - { ErrorCode.Missing_PolicyItemUserGroup, MessageId.MissingField}, - { 
ErrorCode.InternalError_Data_NullPolicyItemAccess, MessageId.InternalError_BadData}, - { ErrorCode.Missing_PolicyItemAccessType, MessageId.MissingField}, - { ErrorCode.Invalid_PolicyItemAccessType, MessageId.InvalidField}, - { ErrorCode.Invalid_PolicyItemAccessType_Deny, MessageId.InvalidField}, - - }; - static final Map _ErrorCode2MessageTemplate = createMap(ErrorCode2MessageTemplateData); - } diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefValidator.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefValidator.java index 75372c22462..0507fc4de8e 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefValidator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefValidator.java @@ -80,7 +80,7 @@ boolean isValid(final Long id, final Action action, final List accessTypeDefs, final boolean valid = true; if (CollectionUtils.isEmpty(accessTypeDefs)) { ValidationErrorCode error = ValidationErrorCode.SERVICE_DEF_VALIDATION_ERR_MISSING_FIELD; - failures.add(new RangerServiceDefValidationErrorBuilder() + failures.add(new ValidationFailureDetailsBuilder() .field("access types") .isMissing() .errorCode(error.getErrorCode()) @@ -263,7 +263,7 @@ boolean isValidAccessTypes(final List accessTypeDefs, final Set unknownAccessTypes = Sets.difference(Sets.newHashSet(impliedGrants), accessNames); if (!unknownAccessTypes.isEmpty()) { ValidationErrorCode error = ValidationErrorCode.SERVICE_DEF_VALIDATION_ERR_IMPLIED_GRANT_UNKNOWN_ACCESS_TYPE; - failures.add(new RangerServiceDefValidationErrorBuilder() + failures.add(new ValidationFailureDetailsBuilder() .field("implied grants") .subField(unknownAccessTypes.iterator().next()) // we return just on item here. Message has all unknow items .isSemanticallyIncorrect() 
@@ -276,7 +276,7 @@ boolean isValidAccessTypes(final List accessTypeDefs, final String name = def.getName(); // note: this name could be null/blank/empty! if (impliedGrants.contains(name)) { ValidationErrorCode error = ValidationErrorCode.SERVICE_DEF_VALIDATION_ERR_IMPLIED_GRANT_IMPLIES_ITSELF; - failures.add(new RangerServiceDefValidationErrorBuilder() + failures.add(new ValidationFailureDetailsBuilder() .field("implied grants") .subField(name) .isSemanticallyIncorrect() @@ -311,7 +311,7 @@ boolean isValidPolicyConditions(List policyConditions, valid = isUnique(name, names, "policy condition def name", "policy condition defs", failures) && valid; if (StringUtils.isBlank(conditionDef.getEvaluator())) { ValidationErrorCode error = ValidationErrorCode.SERVICE_DEF_VALIDATION_ERR_POLICY_CONDITION_NULL_EVALUATOR; - failures.add(new RangerServiceDefValidationErrorBuilder() + failures.add(new ValidationFailureDetailsBuilder() .field("policy condition def evaluator") .subField(name) .isMissing() @@ -374,7 +374,7 @@ boolean isValidConfigOfEnumType(RangerServiceConfigDef configDef, List enumValues = getEnumValues(enumDef); if (!enumValues.contains(defaultValue)) { ValidationErrorCode error = ValidationErrorCode.SERVICE_DEF_VALIDATION_ERR_CONFIG_DEF_UNKNOWN_ENUM_VALUE; - failures.add(new RangerServiceDefValidationErrorBuilder() + failures.add(new ValidationFailureDetailsBuilder() .field("config def default value") .subField(configName) .isSemanticallyIncorrect() @@ -418,7 +418,7 @@ boolean isValidConfigType(String type, String configName, List validTypes = ImmutableSet.of("bool", "enum", "int", "string", "password", "path"); if (StringUtils.isBlank(type)) { ValidationErrorCode error = ValidationErrorCode.SERVICE_DEF_VALIDATION_ERR_CONFIG_DEF_MISSING_TYPE; - failures.add(new RangerServiceDefValidationErrorBuilder() + failures.add(new ValidationFailureDetailsBuilder() .field("config def type") .subField(configName) .isMissing() 
@@ -428,7 +428,7 @@ boolean isValidConfigType(String type, String configName, List resources = serviceDef.getResources(); if (CollectionUtils.isEmpty(resources)) { ValidationErrorCode error = ValidationErrorCode.SERVICE_DEF_VALIDATION_ERR_MISSING_FIELD; - failures.add(new RangerServiceDefValidationErrorBuilder() + failures.add(new ValidationFailureDetailsBuilder() .field("resources") .isMissing() .errorCode(error.getErrorCode()) @@ -487,7 +487,7 @@ boolean isValidResourceGraph(RangerServiceDef serviceDef, List enumDefs, List enumDefs, List enumDefs, List= enumDef.getElements().size()) { // max index is one less than the size of the elements list ValidationErrorCode error = ValidationErrorCode.SERVICE_DEF_VALIDATION_ERR_ENUM_DEF_INVALID_DEFAULT_INDEX; - failures.add(new RangerServiceDefValidationErrorBuilder() + failures.add(new ValidationFailureDetailsBuilder() .field("enum default index") .subField(enumName) .isSemanticallyIncorrect() @@ -588,7 +588,7 @@ boolean isValidEnumElements(List enumElementsDefs, List enumElementsDefs, List failures) boolean valid = true; if (action != Action.DELETE) { ValidationErrorCode error = ValidationErrorCode.SERVICE_VALIDATION_ERR_UNSUPPORTED_ACTION; - failures.add(new RangerServiceValidationErrorBuilder() + failures.add(new ValidationFailureDetailsBuilder() .isAnInternalError() .errorCode(error.getErrorCode()) .becauseOf(error.getMessage(action)) @@ -77,7 +77,7 @@ boolean isValid(Long id, Action action, List failures) valid = false; } else if (id == null) { ValidationErrorCode error = ValidationErrorCode.SERVICE_VALIDATION_ERR_MISSING_FIELD; - failures.add(new RangerServiceValidationErrorBuilder() + failures.add(new ValidationFailureDetailsBuilder() .field("id") .isMissing() .errorCode(error.getErrorCode()) 
@@ -107,7 +107,7 @@ boolean isValid(RangerService service, Action action, List missingParameters = Sets.difference(reqiredParameters, inputParameters); if (!missingParameters.isEmpty()) { ValidationErrorCode error = ValidationErrorCode.SERVICE_VALIDATION_ERR_REQUIRED_PARM_MISSING; - failures.add(new RangerServiceValidationErrorBuilder() + failures.add(new ValidationFailureDetailsBuilder() .field("configuration") .subField(missingParameters.iterator().next()) // we return any one parameter! .isMissing() @@ -219,27 +219,4 @@ boolean isValid(RangerService service, Action action, List Date: Tue, 18 Aug 2015 16:27:14 +0530 Subject: [PATCH 040/202] RANGER-618 : KMS gets slower in key creation once Database grows Signed-off-by: Velmurugan Periasamy --- .../hadoop/crypto/key/RangerKeyStore.java | 20 +++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java index dc8efde6e25..ff82f53eb3f 100644 --- a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java +++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java @@ -83,6 +83,7 @@ private static final class SecretKeyEntry { } private Hashtable keyEntries = new Hashtable(); + private Hashtable deltaEntries = new Hashtable(); RangerKeyStore() { } @@ -136,7 +137,7 @@ public Date engineGetCreationDate(String alias) { public void addKeyEntry(String alias, Key key, char[] password, String cipher, int bitLength, String description, int version, String attributes) throws KeyStoreException { - synchronized(keyEntries) { + synchronized(deltaEntries) { try { Class c = null; 
@@ -163,7 +164,8 @@ public void addKeyEntry(String alias, Key key, char[] password, String cipher, i entry.description = description; entry.version = version; entry.attributes = attributes; - keyEntries.put(alias.toLowerCase(), entry); + deltaEntries.put(alias.toLowerCase(), entry); + keyEntries.put(alias.toLowerCase(), entry); } catch (Exception e) { logger.error(e.getMessage()); throw new KeyStoreException(e.getMessage()); @@ -177,7 +179,8 @@ public void engineDeleteEntry(String alias) { synchronized(keyEntries) { dbOperationDelete(convertAlias(alias)); - keyEntries.remove(convertAlias(alias)); + keyEntries.remove(convertAlias(alias)); + deltaEntries.remove(convertAlias(alias)); } } @@ -214,7 +217,7 @@ public int engineSize() { public void engineStore(OutputStream stream, char[] password) throws IOException, NoSuchAlgorithmException, CertificateException { - synchronized(keyEntries) { + synchronized(deltaEntries) { // password is mandatory when storing if (password == null) { throw new IllegalArgumentException("Ranger Master Key can't be null"); @@ -223,7 +226,7 @@ public void engineStore(OutputStream stream, char[] password) MessageDigest md = getKeyedMessageDigest(password); byte digest[] = md.digest(); - for (Enumeration e = keyEntries.keys(); e.hasMoreElements();) { + for (Enumeration e = deltaEntries.keys(); e.hasMoreElements();) { ByteArrayOutputStream baos = new ByteArrayOutputStream(); DataOutputStream dos = new DataOutputStream(new DigestOutputStream(baos, md)); @@ -231,7 +234,7 @@ public void engineStore(OutputStream stream, char[] password) try{ String alias = e.nextElement(); - Object entry = keyEntries.get(alias); + Object entry = deltaEntries.get(alias); oos = new ObjectOutputStream(dos); oos.writeObject(((SecretKeyEntry)entry).sealedKey); @@ -250,6 +253,7 @@ public void engineStore(OutputStream stream, char[] password) } } } + clearDeltaEntires(); } } 
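Review bot: addKeyEntry and engineStore now synchronize on deltaEntries while engineDeleteEntry still synchronizes on keyEntries, so a delete can interleave with the store loop: once keys() has enumerated an alias, a concurrent delete removes it and `deltaEntries.get(alias)` returns null, which throws NPE at the `(SecretKeyEntry)entry` cast, or if the delete lands after the lookup, the DB write persists a key the caller has just deleted. Use a single monitor in all three methods (`synchronized(keyEntries)` in addKeyEntry and engineStore, matching engineDeleteEntry). The unconditional `clearDeltaEntires()` after the loop also discards entries whose write failed inside the per-entry try block (the catch is outside the hunk), leaving such keys only in memory and lost on restart; remove each alias from the delta map only after its write succeeded so a failed entry is retried on the next store.
```java
synchronized(keyEntries) {   // same monitor as engineDeleteEntry
    // … unchanged: password check, digest setup …
    for (Enumeration e = deltaEntries.keys(); e.hasMoreElements();) {
        // … unchanged: serialize and write the entry …
        String alias = e.nextElement();
        Object entry = deltaEntries.get(alias);
        // … unchanged: oos/dbOperation write …
        deltaEntries.remove(alias);   // only once this entry is persisted
    }
    // blanket clearDeltaEntires() dropped
}
```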
@@ -537,4 +541,8 @@ public void engineLoadKeyStoreFile(InputStream stream, char[] storePass, char[] } } + public void clearDeltaEntires(){ + deltaEntries.clear(); + } + } \ No newline at end of file From c35384545848ffb713be0b9c59a35578022ec413 Mon Sep 17 00:00:00 2001 From: Gautam Borad Date: Tue, 25 Aug 2015 09:56:37 +0530 Subject: [PATCH 041/202] RANGER-623 : Enable plugin scripts should handle file permissions for certain umask value Signed-off-by: Velmurugan Periasamy --- agents-common/scripts/enable-agent.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/agents-common/scripts/enable-agent.sh b/agents-common/scripts/enable-agent.sh index 9f677098c3c..55130a59996 100755 --- a/agents-common/scripts/enable-agent.sh +++ b/agents-common/scripts/enable-agent.sh @@ -454,6 +454,10 @@ then fi fi done + if [ "${HCOMPONENT_NAME}" = "hbase" ] || [ "${HCOMPONENT_NAME}" = "storm" ]; + then + chmod 644 ${HCOMPONENT_CONF_DIR}/* + fi fi # From 7ccb14e53a0b79f478a010058872de25bb1e2197 Mon Sep 17 00:00:00 2001 From: Gautam Borad Date: Mon, 31 Aug 2015 15:34:09 +0530 Subject: [PATCH 042/202] RANGER-628 : Make filters for ranger-admin search binds configurable Signed-off-by: Velmurugan Periasamy --- security-admin/scripts/install.properties | 6 +++++- security-admin/scripts/setup.sh | 8 ++++++++ .../handler/RangerAuthenticationProvider.java | 18 +++++++++++++----- .../resources/conf.dist/ranger-admin-site.xml | 10 ++++++++++ 4 files changed, 36 insertions(+), 6 deletions(-) diff --git a/security-admin/scripts/install.properties b/security-admin/scripts/install.properties index 4618ee3b44a..eb0c7ecb3b6 100644 --- a/security-admin/scripts/install.properties +++ b/security-admin/scripts/install.properties 
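Review bot: `clearDeltaEntires()` is public, unsynchronized and misspelled: any caller can wipe the pending-write set without holding the monitor engineStore uses, silently dropping keys that have not yet reached the database. Make it `private void clearDeltaEntries()` and call it only from inside engineStore's synchronized block (or inline `deltaEntries.clear()` there and drop the method); if it must remain public, document that it discards un-persisted keys.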
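Review bot: `chmod 644 ${HCOMPONENT_CONF_DIR}/*` makes every file in the component's conf directory world-readable, not only the files this script installed; if that directory holds credential-bearing files (the plugin's policymgr-ssl configuration with keystore/truststore passwords, or a credential store, to be confirmed for these deployments) they become readable by every local account. Restrict the chmod to the files the script itself wrote, or use a group-readable mode, and quote the path against spaces: `chmod 644 "${HCOMPONENT_CONF_DIR}"/*`. Since the stated trigger is a restrictive umask, setting the mode on each file at the point it is created would avoid a blanket relaxation. The enclosing if/for structure starts before the hunk.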
@@ -47,7 +47,7 @@ SQL_CONNECTOR_JAR=/usr/share/java/mysql-connector-java.jar # DB password for the DB admin user-id # ************************************************************************** # ** If the password is left empty or not-defined here, -# ** it will be prompted to enter the password during installation process +# ** it will try with blank password during installation process # ************************************************************************** # #db_root_user=root|SYS|postgres|sa|dba @@ -138,6 +138,7 @@ authServicePort=5151 #xa_ldap_bind_dn="cn=admin,ou=users,dc=xasecure,dc=net" #xa_ldap_bind_password= #xa_ldap_referral=follow|ignore +#xa_ldap_userSearchFilter="(uid={0})" xa_ldap_url= xa_ldap_userDNpattern= @@ -148,6 +149,7 @@ xa_ldap_base_dn= xa_ldap_bind_dn= xa_ldap_bind_password= xa_ldap_referral= +xa_ldap_userSearchFilter= ####ACTIVE_DIRECTORY settings - Required only if have selected AD authentication #### # # Sample Settings @@ -158,6 +160,7 @@ xa_ldap_referral= #xa_ldap_ad_bind_dn="cn=administrator,ou=users,dc=xasecure,dc=net" #xa_ldap_ad_bind_password= #xa_ldap_ad_referral=follow|ignore +#xa_ldap_ad_userSearchFilter="(sAMAccountName={0})" xa_ldap_ad_domain= xa_ldap_ad_url= @@ -165,6 +168,7 @@ xa_ldap_ad_base_dn= xa_ldap_ad_bind_dn= xa_ldap_ad_bind_password= xa_ldap_ad_referral= +xa_ldap_ad_userSearchFilter= # ----------------------------------------------------------- # diff --git a/security-admin/scripts/setup.sh b/security-admin/scripts/setup.sh index e0b14c5ae23..bae62986a66 100755 --- a/security-admin/scripts/setup.sh +++ b/security-admin/scripts/setup.sh @@ -1330,6 +1330,10 @@ do_authentication_setup(){ newPropertyValue="${xa_ldap_referral}" updatePropertyToFilePy $propertyName $newPropertyValue $ldap_file + propertyName=ranger.ldap.user.searchfilter + newPropertyValue="${xa_ldap_userSearchFilter}" + updatePropertyToFilePy $propertyName $newPropertyValue $ldap_file + keystore="${cred_keystore_filename}" if [ "${keystore}" != "" ] 
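Review bot: In the `setup.sh` hunk the new filter value is passed unquoted, `updatePropertyToFilePy $propertyName $newPropertyValue $ldap_file`, so a filter containing whitespace or a `*` wildcard (e.g. `(&(uid={0})(objectClass=*))`, a common shape for these filters) is word-split and glob-expanded before it reaches the helper and the wrong value, or extra arguments, are written. The same defect is in the AD hunk at `@@ -1411` on the next line; both should use `updatePropertyToFilePy "$propertyName" "$newPropertyValue" "$ldap_file"`. The surrounding lines follow the existing unquoted style, so the fix is worth applying to the neighbouring calls in `do_authentication_setup` as well, which starts outside the hunk.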
@@ -1411,6 +1415,10 @@ do_authentication_setup(){ newPropertyValue="${xa_ldap_ad_referral}" updatePropertyToFilePy $propertyName $newPropertyValue $ldap_file + propertyName=ranger.ldap.ad.user.searchfilter + newPropertyValue="${xa_ldap_ad_userSearchFilter}" + updatePropertyToFilePy $propertyName $newPropertyValue $ldap_file + keystore="${cred_keystore_filename}" if [ "${keystore}" != "" ] diff --git a/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java b/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java index 1f1d957b1e4..abf4db47834 100644 --- a/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java +++ b/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java @@ -363,6 +363,7 @@ private Authentication getADBindAuthentication(Authentication authentication) { String rangerADBindPassword = PropertiesUtil.getProperty("ranger.ldap.ad.bind.password", ""); String rangerLdapDefaultRole = PropertiesUtil.getProperty("ranger.ldap.default.role", "ROLE_USER"); String rangerLdapReferral = PropertiesUtil.getProperty("ranger.ldap.ad.referral", "follow"); + String rangerLdapUserSearchFilter = PropertiesUtil.getProperty("ranger.ldap.ad.user.searchfilter", "(sAMAccountName={0})"); String userName = authentication.getName(); String userPassword = ""; if (authentication.getCredentials() != null) { 
@@ -378,8 +379,11 @@ private Authentication getADBindAuthentication(Authentication authentication) { ldapContextSource.setPooled(true); ldapContextSource.afterPropertiesSet(); - String searchFilter="(sAMAccountName={0})"; - FilterBasedLdapUserSearch userSearch=new FilterBasedLdapUserSearch(rangerLdapADBase, searchFilter,ldapContextSource); + //String searchFilter="(sAMAccountName={0})"; + if(rangerLdapUserSearchFilter==null||rangerLdapUserSearchFilter.trim().isEmpty()){ + rangerLdapUserSearchFilter="(sAMAccountName={0})"; + } + FilterBasedLdapUserSearch userSearch=new FilterBasedLdapUserSearch(rangerLdapADBase, rangerLdapUserSearchFilter,ldapContextSource); userSearch.setSearchSubtree(true); BindAuthenticator bindAuthenticator = new BindAuthenticator(ldapContextSource); @@ -417,6 +421,7 @@ private Authentication getLdapBindAuthentication(Authentication authentication) String rangerLdapBindDN = PropertiesUtil.getProperty("ranger.ldap.bind.dn", ""); String rangerLdapBindPassword = PropertiesUtil.getProperty("ranger.ldap.bind.password", ""); String rangerLdapReferral = PropertiesUtil.getProperty("ranger.ldap.referral", "follow"); + String rangerLdapUserSearchFilter = PropertiesUtil.getProperty("ranger.ldap.user.searchfilter", "(uid={0})"); String userName = authentication.getName(); String userPassword = ""; if (authentication.getCredentials() != null) { @@ -428,7 +433,7 @@ private Authentication getLdapBindAuthentication(Authentication authentication) ldapContextSource.setPassword(rangerLdapBindPassword); ldapContextSource.setReferral(rangerLdapReferral); ldapContextSource.setCacheEnvironmentProperties(false); - ldapContextSource.setAnonymousReadOnly(true); + ldapContextSource.setAnonymousReadOnly(false); ldapContextSource.setPooled(true); ldapContextSource.afterPropertiesSet(); 
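Review bot: The commented-out line `//String searchFilter="(sAMAccountName={0})";` should be deleted rather than left as dead code, and the blank check below it repeats the default that was already supplied to `PropertiesUtil.getProperty(...)` a few lines above; if a configured-but-blank value must fall back to the default, fold that into one place (a helper that reads the property and applies the default) instead of two copies. The same pattern is in the LDAP hunk at `@@ -437` on the next line. Separately, the `@@ -428` hunk flips `ldapContextSource.setAnonymousReadOnly(false)`, which means the user search is now performed with the configured bind DN/password instead of anonymously; that is unrelated to making the filter configurable and deserves a why-comment at that line (`// search with the bind DN; many directories refuse anonymous user lookups`) and a mention in the commit message, since deployments with an empty `ranger.ldap.bind.dn` may behave differently after this change.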
@@ -437,8 +442,11 @@ private Authentication getLdapBindAuthentication(Authentication authentication) defaultLdapAuthoritiesPopulator.setGroupSearchFilter(rangerLdapGroupSearchFilter); defaultLdapAuthoritiesPopulator.setIgnorePartialResultException(true); - String searchFilter="(uid={0})"; - FilterBasedLdapUserSearch userSearch=new FilterBasedLdapUserSearch(rangerLdapBase, searchFilter,ldapContextSource); + //String searchFilter="(uid={0})"; + if(rangerLdapUserSearchFilter==null||rangerLdapUserSearchFilter.trim().isEmpty()){ + rangerLdapUserSearchFilter="(uid={0})"; + } + FilterBasedLdapUserSearch userSearch=new FilterBasedLdapUserSearch(rangerLdapBase, rangerLdapUserSearchFilter,ldapContextSource); userSearch.setSearchSubtree(true); BindAuthenticator bindAuthenticator = new BindAuthenticator(ldapContextSource); diff --git a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml index 822a5075882..6009693bbe8 100644 --- a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml +++ b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml @@ -217,4 +217,14 @@
+ + ranger.ldap.user.searchfilter + (uid={0}) + + + + ranger.ldap.ad.user.searchfilter + (sAMAccountName={0}) + + From 44a23ef788692b37d2375142b9074677f2df92dc Mon Sep 17 00:00:00 2001 From: Gautam Borad Date: Thu, 3 Sep 2015 03:25:19 +0530 Subject: [PATCH 043/202] RANGER-637 : Make REFERRAL property in Ranger User sync configurable Signed-off-by: Velmurugan Periasamy --- jisql/src/main/java/org/apache/util/sql/Jisql.java | 1 - .../ldapusersync/process/LdapUserGroupBuilder.java | 7 ++++--- .../unixusersync/config/UserGroupSyncConfig.java | 14 ++++++++++++++ unixauthservice/scripts/install.properties | 2 ++ .../scripts/templates/installprop2xml.properties | 1 + .../scripts/templates/ranger-ugsync-template.xml | 4 ++++ 6 files changed, 25 insertions(+), 4 deletions(-) diff --git a/jisql/src/main/java/org/apache/util/sql/Jisql.java b/jisql/src/main/java/org/apache/util/sql/Jisql.java index 9c743564a44..cf7563c7130 100644 --- a/jisql/src/main/java/org/apache/util/sql/Jisql.java +++ b/jisql/src/main/java/org/apache/util/sql/Jisql.java @@ -755,7 +755,6 @@ private void printAllExceptions(SQLException sqle) { + sqle.getErrorCode()); sqle = sqle.getNextException(); } - System.out.println("java.library.path:"+System.getProperty("java.library.path")); } /** diff --git a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java index 93893ef8a61..66c6e284bbe 100644 --- a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java +++ b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java @@ -57,7 +57,7 @@ public class LdapUserGroupBuilder implements UserGroupSource { private String ldapBindDn; private String ldapBindPassword; private String ldapAuthenticationMechanism; - + private String ldapReferral; private String searchBase; private String userSearchBase; 
@@ -135,7 +135,7 @@ private void createLdapContext() throws Throwable { ldapBindPassword = config.getLdapBindPassword(); //ldapBindPassword = "admin-password"; ldapAuthenticationMechanism = config.getLdapAuthenticationMechanism(); - + ldapReferral = config.getContextReferral(); Properties env = new Properties(); env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); @@ -144,7 +144,7 @@ private void createLdapContext() throws Throwable { env.put(Context.SECURITY_PRINCIPAL, ldapBindDn); env.put(Context.SECURITY_CREDENTIALS, ldapBindPassword); env.put(Context.SECURITY_AUTHENTICATION, ldapAuthenticationMechanism); - env.put(Context.REFERRAL, "follow") ; + env.put(Context.REFERRAL, ldapReferral) ; ldapContext = new InitialLdapContext(env, null); @@ -235,6 +235,7 @@ private void createLdapContext() throws Throwable { + ", groupMemberAttributeName: " + groupMemberAttributeName + ", groupNameAttribute: " + groupNameAttribute + ", groupUserMapSyncEnabled: " + groupUserMapSyncEnabled + + ", ldapReferral: " + ldapReferral ); } diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java index f8b68f2e644..7240fce840a 100644 --- a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java +++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java @@ -172,6 +172,8 @@ public class UserGroupSyncConfig { private static final String DEFAULT_POLICYMGR_PASSWORD = "rangerusersync"; private static final String SYNC_SOURCE = "ranger.usersync.sync.source"; + private static final String LGSYNC_REFERRAL = "ranger.usersync.ldap.referral"; + private static final String DEFAULT_LGSYNC_REFERRAL = "ignore"; private Properties prop = new Properties() ; private static volatile UserGroupSyncConfig me = null ; 
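Review bot: `env.put(Context.REFERRAL, ldapReferral)` changes the effective default from the previously hard-coded `"follow"` to `"ignore"` (per `DEFAULT_LGSYNC_REFERRAL` in the `UserGroupSyncConfig` hunk on this line), so existing installs that relied on referral chasing, typically multi-domain directories, will silently stop syncing the referred users. Ignoring referrals is the safer default since following them can cause the sync bind credentials to be presented to whichever server the directory refers to, but the change should be stated in the commit message and at the call site, e.g. `// default is "ignore": following referrals may send bind credentials to the referred-to server`. `createLdapContext` starts and ends outside the hunks.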
@@ -715,4 +717,16 @@ public String getSyncSource() { } return syncSource; } + public String getContextReferral() { + String referral="ignore"; + if(prop!=null && prop.containsKey(LGSYNC_REFERRAL)){ + referral=prop.getProperty(LGSYNC_REFERRAL); + if(referral==null||referral.trim().isEmpty()){ + referral=DEFAULT_LGSYNC_REFERRAL; + }else{ + referral=referral.trim().toLowerCase(); + } + } + return referral; + } } diff --git a/unixauthservice/scripts/install.properties b/unixauthservice/scripts/install.properties index 521562086c0..f206d0a8aff 100644 --- a/unixauthservice/scripts/install.properties +++ b/unixauthservice/scripts/install.properties @@ -169,3 +169,5 @@ SYNC_PAGED_RESULTS_ENABLED= # search results would be returned page by page with the specified number of entries per page # default value: 500 SYNC_PAGED_RESULTS_SIZE= +#LDAP context referral could be ignore or follow +SYNC_LDAP_REFERRAL =ignore diff --git a/unixauthservice/scripts/templates/installprop2xml.properties b/unixauthservice/scripts/templates/installprop2xml.properties index f102b5244d8..77b8eac50ce 100644 --- a/unixauthservice/scripts/templates/installprop2xml.properties +++ b/unixauthservice/scripts/templates/installprop2xml.properties @@ -48,3 +48,4 @@ AUTH_SSL_KEYSTORE_PASSWORD = ranger.usersync.keystore.password AUTH_SSL_TRUSTSTORE_FILE = ranger.usersync.truststore.file AUTH_SSL_TRUSTSTORE_PASSWORD = ranger.usersync.truststore.password AUTH_SSL_ENABLED = ranger.usersync.enabled +SYNC_LDAP_REFERRAL = ranger.usersync.ldap.referral diff --git a/unixauthservice/scripts/templates/ranger-ugsync-template.xml b/unixauthservice/scripts/templates/ranger-ugsync-template.xml index 268deb3cf0d..2bf55621718 100644 --- a/unixauthservice/scripts/templates/ranger-ugsync-template.xml +++ b/unixauthservice/scripts/templates/ranger-ugsync-template.xml @@ -181,4 +181,8 @@ ranger.usersync.sync.source
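Review bot: `getContextReferral` initialises `referral` with the literal `"ignore"` instead of `DEFAULT_LGSYNC_REFERRAL`, so the two defaults can drift, and it passes any configured string straight through to JNDI after a locale-sensitive `toLowerCase()`; `Context.REFERRAL` only understands `follow`, `ignore` and `throw`, and an unknown value is, I believe, rejected by the LDAP provider at context creation, far from the configuration that caused it. Validating here with `Locale.ROOT` makes the failure immediate and the message actionable. In the `install.properties` hunk on this line, `SYNC_LDAP_REFERRAL =ignore` has a space before `=` unlike every neighbouring key; if that file is parsed as a shell fragment rather than as Java properties the line is a syntax error, so the space should go.
```java
public String getContextReferral() {
    String referral = DEFAULT_LGSYNC_REFERRAL;
    if (prop != null && prop.containsKey(LGSYNC_REFERRAL)) {
        String configured = prop.getProperty(LGSYNC_REFERRAL);
        if (configured != null && !configured.trim().isEmpty()) {
            referral = configured.trim().toLowerCase(Locale.ROOT);
        }
    }
    // JNDI only understands follow/ignore/throw; fail at config time rather than inside InitialLdapContext.
    if (!"follow".equals(referral) && !"ignore".equals(referral) && !"throw".equals(referral)) {
        throw new IllegalArgumentException(LGSYNC_REFERRAL + " must be one of follow, ignore, throw; got [" + referral + "]");
    }
    return referral;
}
```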
+ + ranger.usersync.ldap.referral + + From 28f7d1f56351496469b7028af2ccaf49f7046e8a Mon Sep 17 00:00:00 2001 From: Gautam Borad Date: Wed, 2 Sep 2015 16:59:30 +0530 Subject: [PATCH 044/202] RANGER-638 : Ranger admin should redirect back to login page when login cookies are no longer valid. Signed-off-by: Velmurugan Periasamy --- security-admin/src/main/webapp/scripts/utils/XAUtils.js | 3 +++ 1 file changed, 3 insertions(+) diff --git a/security-admin/src/main/webapp/scripts/utils/XAUtils.js b/security-admin/src/main/webapp/scripts/utils/XAUtils.js index a83b22a5da7..6d84d1cf7d9 100644 --- a/security-admin/src/main/webapp/scripts/utils/XAUtils.js +++ b/security-admin/src/main/webapp/scripts/utils/XAUtils.js @@ -1012,6 +1012,9 @@ define(function(require) { var XAGlobals = require('utils/XAGlobals'); var that = this; var vXPortalUser = SessionMgr.getUserProfile(); + if(_.isEmpty(vXPortalUser.attributes)){ + return controller; + } var denyControllerActions = []; var denyModulesObj = []; var userModuleNames = _.pluck(vXPortalUser.get('userPermList'),'moduleName'); From 72b4df5c011e750e426f7d4b6b6f8729be62752b Mon Sep 17 00:00:00 2001 From: Alok Lal Date: Tue, 8 Sep 2015 12:31:08 -0700 Subject: [PATCH 045/202] RANGER-639 Package commons-lang, which is a required dependency, as part of storm plugin Signed-off-by: sneethiraj --- src/main/assembly/storm-agent.xml | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/src/main/assembly/storm-agent.xml b/src/main/assembly/storm-agent.xml index aacdb78d185..22a75a7ed87 100644 --- a/src/main/assembly/storm-agent.xml +++ b/src/main/assembly/storm-agent.xml 
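Review bot: The early `return controller;` when `vXPortalUser.attributes` is empty skips the `denyControllerActions`/`denyModulesObj` filtering that follows, so a caller with no loaded profile gets the unfiltered controller; that is only acceptable because the server is the authority and will reject or redirect the resulting requests, which is the intent stated in the commit subject. That reasoning is not visible in the code and a later reader may take the branch for a permission grant, so add a comment above the check, e.g. `// no profile loaded (session expired): let the request through so the server can redirect to login`. The enclosing function starts outside the hunk.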
@@ -42,27 +42,28 @@ org.eclipse.persistence:eclipselink org.eclipse.persistence:javax.persistence commons-collections:commons-collections - com.sun.jersey:jersey-bundle + com.sun.jersey:jersey-bundle commons-logging:commons-logging:jar:${commons.logging.version} com.google.guava:guava:jar:${guava.version} org.codehaus.jackson:jackson-jaxrs:jar:${codehaus.jackson.version} org.codehaus.jackson:jackson-core-asl:jar:${codehaus.jackson.storm.version} org.codehaus.jackson:jackson-mapper-asl:jar:${codehaus.jackson.storm.version} - org.apache.httpcomponents:httpclient:jar:${httpcomponent.httpclient.version} - org.apache.httpcomponents:httpcore:jar:${httpcomponent.httpcore.version} - org.apache.httpcomponents:httpmime:jar:${httpcomponent.httpmime.version} - org.noggit:noggit:jar:${noggit.version} - com.google.protobuf:protobuf-java:jar:${protobuf-java.version} - org.apache.hadoop:hadoop-hdfs:jar:${hadoop.version} - org.apache.htrace:htrace-core:jar:${htrace-core.version} - commons-cli:commons-cli:jar:${commons.cli.version} + org.apache.httpcomponents:httpclient:jar:${httpcomponent.httpclient.version} + org.apache.httpcomponents:httpcore:jar:${httpcomponent.httpcore.version} + org.apache.httpcomponents:httpmime:jar:${httpcomponent.httpmime.version} + org.noggit:noggit:jar:${noggit.version} + com.google.protobuf:protobuf-java:jar:${protobuf-java.version} + org.apache.hadoop:hadoop-hdfs:jar:${hadoop.version} + org.apache.htrace:htrace-core:jar:${htrace-core.version} + commons-cli:commons-cli:jar:${commons.cli.version} + commons-lang:commons-lang:jar:${commons.lang.version} /install/lib false - 755 - 644 + 755 + 644 commons-cli:commons-cli commons-collections:commons-collections 
@@ -76,8 +77,8 @@ org.slf4j:slf4j-api:jar:${slf4j-api.version} org.apache.hadoop:hadoop-common:jar:${hadoop-common.version} org.apache.hadoop:hadoop-auth:jar:${hadoop-common.version} - security_plugins.ranger-plugins-cred:ranger-plugins-cred - org.apache.ranger:credentialbuilder + security_plugins.ranger-plugins-cred:ranger-plugins-cred + org.apache.ranger:credentialbuilder From a3c9d8c6b1b4f72b0ef6c23abb49693c2c73e504 Mon Sep 17 00:00:00 2001 From: Gautam Borad Date: Wed, 9 Sep 2015 14:55:19 +0530 Subject: [PATCH 046/202] RANGER-642 : Update USERSEARCHFILTER for Ranger Authentication on Windows Signed-off-by: Velmurugan Periasamy --- security-admin/src/bin/ranger_install.py | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/security-admin/src/bin/ranger_install.py b/security-admin/src/bin/ranger_install.py index 2970715219f..99c8ab831b5 100644 --- a/security-admin/src/bin/ranger_install.py +++ b/security-admin/src/bin/ranger_install.py @@ -944,6 +944,10 @@ def update_properties(): propertyName="ranger.ldap.referral" newPropertyValue=os.getenv("RANGER_LDAP_REFERRAL") updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger) + + propertyName="ranger.ldap.user.searchfilter" + newPropertyValue=os.getenv("RANGER_LDAP_USERSEARCHFILTER") + updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger) elif os.getenv("RANGER_AUTHENTICATION_METHOD") == "ACTIVE_DIRECTORY": propertyName="ranger.authentication.method" @@ -974,6 +978,10 @@ def update_properties(): newPropertyValue=os.getenv("RANGER_LDAP_AD_REFERRAL") updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger) + propertyName="ranger.ldap.ad.user.searchfilter" + newPropertyValue=os.getenv("RANGER_LDAP_AD_USERSEARCHFILTER") + updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger) + def setup_authentication(authentication_method, xmlPath): if authentication_method == "UNIX": # log("Setting up UNIX authentication for : " + xmlPath,"debug") 
From 8d7b6cd7387975b038bd3decd2d671687702309e Mon Sep 17 00:00:00 2001 From: Abhay Kulkarni Date: Wed, 9 Sep 2015 15:03:54 -0700 Subject: [PATCH 047/202] RANGER-621 - Updated Solr service-def to fix incorrect impliedGrants Signed-off-by: Madhan Neethiraj --- .../main/resources/service-defs/ranger-servicedef-solr.json | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/agents-common/src/main/resources/service-defs/ranger-servicedef-solr.json b/agents-common/src/main/resources/service-defs/ranger-servicedef-solr.json index bc27352b06d..2f12721e101 100644 --- a/agents-common/src/main/resources/service-defs/ranger-servicedef-solr.json +++ b/agents-common/src/main/resources/service-defs/ranger-servicedef-solr.json @@ -49,11 +49,9 @@ "name":"solr_admin", "label":"Solr Admin", "impliedGrants":[ - "query,update,others" + "query","update","others" ] - } - ], "configs":[ { From 9adc04efd568746d98232efbcaa1b7525c5ee3a4 Mon Sep 17 00:00:00 2001 From: Gautam Borad Date: Thu, 3 Sep 2015 17:51:20 +0530 Subject: [PATCH 048/202] RANGER-641 : Ranger KMS startup fails if java not set and started using service Signed-off-by: Velmurugan Periasamy --- kms/scripts/ranger-kms | 4 ++++ kms/scripts/setup.sh | 6 +++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/kms/scripts/ranger-kms b/kms/scripts/ranger-kms index 805ebcc0020..dfde6d5c63b 100755 --- a/kms/scripts/ranger-kms +++ b/kms/scripts/ranger-kms @@ -32,6 +32,10 @@ RANGER_KMS_EWS_LIB_DIR="${RANGER_KMS_EWS_DIR}/webapp/WEB-INF/classes/lib" JAVA_OPTS=" ${JAVA_OPTS} -XX:MaxPermSize=256m -Xmx1024m -Xms1024m " +if [ -f ${RANGER_KMS_DIR}/ews/webapp/WEB-INF/classes/conf/java_home.sh ]; then + . ${RANGER_KMS_DIR}/ews/webapp/WEB-INF/classes/conf/java_home.sh +fi + for custom_env_script in `find ${RANGER_KMS_DIR}/ews/webapp/WEB-INF/classes/conf/ -name "ranger-kms-env*"`; do if [ -f $custom_env_script ]; then . $custom_env_script 
diff --git a/kms/scripts/setup.sh b/kms/scripts/setup.sh index 2e7dd8ecd65..e0c3136cbc3 100755 --- a/kms/scripts/setup.sh +++ b/kms/scripts/setup.sh @@ -326,7 +326,7 @@ setup_kms(){ log "[I] Adding ranger kms provider as services in hadoop-common jar" for f in lib/hadoop-common*.jar do - jar -uf ${f} META-INF/services/org.apache.hadoop.crypto.key.KeyProviderFactory + ${JAVA_HOME}/bin/jar -uf ${f} META-INF/services/org.apache.hadoop.crypto.key.KeyProviderFactory chown ${unix_user}:${unix_group} ${f} done cd ${oldP} @@ -334,8 +334,8 @@ setup_kms(){ update_properties() { newPropertyValue='' - #echo "export JAVA_HOME=${JAVA_HOME}" > ${WEBAPP_ROOT}/WEB-INF/classes/conf/java_home.sh - #chmod a+rx ${WEBAPP_ROOT}/WEB-INF/classes/conf/java_home.sh + echo "export JAVA_HOME=${JAVA_HOME}" > ${WEBAPP_ROOT}/WEB-INF/classes/conf/java_home.sh + chmod a+rx ${WEBAPP_ROOT}/WEB-INF/classes/conf/java_home.sh to_file=$PWD/ews/webapp/WEB-INF/classes/conf/dbks-site.xml From ff75b9baf10e97b25cd480c49c576ee09a3c8bb3 Mon Sep 17 00:00:00 2001 From: Alok Lal Date: Fri, 28 Aug 2015 18:19:56 -0700 Subject: [PATCH 049/202] RANGER-627 Add start/stop/progress log messages so processing of Audit's JVM shutdown hooks can be monitored --- .../audit/provider/AsyncAuditProvider.java | 48 +++++++++++++------ .../audit/provider/AuditProviderFactory.java | 9 +++- .../audit/provider/DbAuditProvider.java | 15 +----- .../provider/MultiDestAuditProvider.java | 10 ++-- 4 files changed, 47 insertions(+), 35 deletions(-) diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/provider/AsyncAuditProvider.java b/agents-audit/src/main/java/org/apache/ranger/audit/provider/AsyncAuditProvider.java index f469d801e82..446ef95e4f8 100644 --- a/agents-audit/src/main/java/org/apache/ranger/audit/provider/AsyncAuditProvider.java +++ b/agents-audit/src/main/java/org/apache/ranger/audit/provider/AsyncAuditProvider.java 
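Review bot: `java_home.sh` is now written by `update_properties` and sourced by `ranger-kms` at startup (the `ranger-kms` hunk above), so it is executable configuration; `chmod a+rx` only adds bits and, under a permissive umask, leaves the file group- or world-writable, which would let another local account inject commands into the KMS start-up. Set the mode explicitly and give the file the service owner, mirroring the `chown ${unix_user}:${unix_group}` used in the `@@ -326` hunk: `chmod 0755 "${WEBAPP_ROOT}/WEB-INF/classes/conf/java_home.sh"` followed by `chown ${unix_user}:${unix_group} "${WEBAPP_ROOT}/WEB-INF/classes/conf/java_home.sh"`. In the `@@ -326` hunk, `${JAVA_HOME}/bin/jar` degrades to `/bin/jar` when `JAVA_HOME` is unset, so `setup_kms` should check the variable first and fail with a clear message; both functions extend beyond the hunks.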
@@ -42,6 +42,9 @@ public class AsyncAuditProvider extends MultiDestAuditProvider implements private int mMaxQueueSize = 10 * 1024; private int mMaxFlushInterval = 5000; // 5 seconds + private static final int mStopLoopIntervalSecs = 1; // 1 second + private static final int mWaitToCompleteLoopIntervalSecs = 1; // 1 second + // Summary of logs handled private AtomicLong lifeTimeInLogCount = new AtomicLong(0); // Total count, including drop count private AtomicLong lifeTimeOutLogCount = new AtomicLong(0); @@ -110,15 +113,24 @@ public void start() { @Override public void stop() { - mThread.interrupt(); - + LOG.info("==> AsyncAuditProvider.stop()"); try { - mThread.join(); - } catch (InterruptedException excp) { - LOG.error("AsyncAuditProvider.stop(): failed while waiting for thread to exit", excp); - } + LOG.info("Interrupting child thread of " + mName + "..." ); + mThread.interrupt(); + while (mThread.isAlive()) { + try { + LOG.info(String.format("Waiting for child thread of %s to exit. Sleeping for %d secs", mName, mStopLoopIntervalSecs)); + mThread.join(mStopLoopIntervalSecs * 1000); + } catch (InterruptedException e) { + LOG.warn("Interrupted while waiting for child thread to join! Proceeding with stop", e); + break; + } + } - super.stop(); + super.stop(); + } finally { + LOG.info("<== AsyncAuditProvider.stop()"); + } } @Override @@ -144,6 +156,7 @@ public void run() { flush(); } } catch (InterruptedException excp) { + LOG.info("AsyncAuditProvider.run - Interrupted! Breaking out of while loop."); break; } catch (Exception excp) { logFailedEvent(event, excp); 
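Review bot: In the rewritten `stop()` the `catch (InterruptedException e)` branch logs and breaks but never restores the interrupt flag, so the caller (the JVM shutdown hook, per the `AuditProviderFactory` hunk on the next line) loses the signal; add `Thread.currentThread().interrupt();` before the `break;`, and the same applies to the `waitToComplete` hunk at `@@ -237` on the next line. The `while (mThread.isAlive())` loop is also unbounded: if the worker is stuck in a non-interruptible flush it never exits and shutdown hangs, where the old single `join()` had the same exposure but the new loop makes a bounded wait easy (`for (int i = 0; i < mMaxStopWaitSecs && mThread.isAlive(); i++)`, with a warning if it is still alive afterwards). Style: `mStopLoopIntervalSecs` and `mWaitToCompleteLoopIntervalSecs` are `static final` constants and should be named `STOP_LOOP_INTERVAL_SECS` / `WAIT_TO_COMPLETE_LOOP_INTERVAL_SECS` per the file's other constants.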
@@ -237,16 +250,21 @@ private boolean isEmpty() { public void waitToComplete(long maxWaitSeconds) { LOG.debug("==> AsyncAuditProvider.waitToComplete()"); - for (long waitTime = 0; !isEmpty() - && (maxWaitSeconds <= 0 || maxWaitSeconds > waitTime); waitTime++) { - try { - Thread.sleep(1000); - } catch (Exception excp) { - // ignore + try { + for (long waitTime = 0; !isEmpty() + && (maxWaitSeconds <= 0 || maxWaitSeconds > waitTime); waitTime += mWaitToCompleteLoopIntervalSecs) { + try { + LOG.info(String.format("%d messages yet to be flushed by %s. Sleeoping for %d sec", mQueue.size(), mName, mWaitToCompleteLoopIntervalSecs)); + Thread.sleep(mWaitToCompleteLoopIntervalSecs * 1000); + } catch (InterruptedException excp) { + // someone really wants service to exit, abandon unwritten audits and exit. + LOG.warn("Caught interrupted exception! " + mQueue.size() + " messages still unflushed! Won't wait for queue to flush, exiting...", excp); + break; + } } + } finally { + LOG.debug("<== AsyncAuditProvider.waitToComplete()"); } - - LOG.debug("<== AsyncAuditProvider.waitToComplete()"); } private long getTimeTillNextFlush() { diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/provider/AuditProviderFactory.java b/agents-audit/src/main/java/org/apache/ranger/audit/provider/AuditProviderFactory.java index 1146e0bde52..723b5285ee5 100644 --- a/agents-audit/src/main/java/org/apache/ranger/audit/provider/AuditProviderFactory.java +++ b/agents-audit/src/main/java/org/apache/ranger/audit/provider/AuditProviderFactory.java @@ -451,8 +451,13 @@ public JVMShutdownHook(AuditHandler provider) { } public void run() { - mProvider.waitToComplete(); - mProvider.stop(); + LOG.info("==> JVMShutdownHook.run()"); + try { + mProvider.waitToComplete(); + mProvider.stop(); + } finally { + LOG.info("<== JVMShutdownHook.run()"); + } } } } 
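Review bot: The new per-second `LOG.info(String.format("%d messages yet to be flushed by %s. Sleeoping for %d sec", ...))` in `waitToComplete` has a typo ("Sleeoping") in an operator-facing message and, at INFO level inside a loop, will emit one line per second for as long as a slow destination keeps the queue non-empty; log the count once before the loop at INFO and the per-iteration line at DEBUG, and fix the wording to `"Sleeping for %d sec"`. The loop's upper bound still depends on the caller passing a positive `maxWaitSeconds`; `JVMShutdownHook.run()` in the next hunk calls the no-argument `waitToComplete()`, whose bound is defined outside this view, so that call path is worth checking for an unbounded wait during shutdown.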
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/provider/DbAuditProvider.java b/agents-audit/src/main/java/org/apache/ranger/audit/provider/DbAuditProvider.java index f23f17d21e9..8319d36a72d 100644 --- a/agents-audit/src/main/java/org/apache/ranger/audit/provider/DbAuditProvider.java +++ b/agents-audit/src/main/java/org/apache/ranger/audit/provider/DbAuditProvider.java @@ -106,7 +106,7 @@ public boolean log(AuditEventBase event) { try { if(preCreate(event)) { DaoManager daoMgr = daoManager; - + if(daoMgr != null) { event.persist(daoMgr); @@ -120,6 +120,7 @@ public boolean log(AuditEventBase event) { logFailedEvent(event); } } + LOG.debug("<== DbAuditProvider.log()"); return isSuccess; } @@ -167,18 +168,6 @@ public void stop() { cleanUp(); } - - @Override - public void waitToComplete() { - LOG.info("DbAuditProvider.waitToComplete()"); - waitToComplete(-1); - } - - @Override - public void waitToComplete(long timeout) { - LOG.info("DbAuditProvider.waitToComplete():timeout=" + timeout); - - } @Override public void flush() { diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/provider/MultiDestAuditProvider.java b/agents-audit/src/main/java/org/apache/ranger/audit/provider/MultiDestAuditProvider.java index 26108ca5ab4..282f5abfa0b 100644 --- a/agents-audit/src/main/java/org/apache/ranger/audit/provider/MultiDestAuditProvider.java +++ b/agents-audit/src/main/java/org/apache/ranger/audit/provider/MultiDestAuditProvider.java @@ -161,7 +161,7 @@ public void start() { try { provider.start(); } catch (Throwable excp) { - LOG.error("AsyncAuditProvider.start(): failed for provider { " + LOG.error("MultiDestAuditProvider.start(): failed for provider { " + provider.getClass().getName() + " }", excp); } } 
@@ -173,7 +173,7 @@ public void stop() { try { provider.stop(); } catch (Throwable excp) { - LOG.error("AsyncAuditProvider.stop(): failed for provider { " + LOG.error("MultiDestAuditProvider.stop(): failed for provider { " + provider.getClass().getName() + " }", excp); } } @@ -186,7 +186,7 @@ public void waitToComplete() { provider.waitToComplete(); } catch (Throwable excp) { LOG.error( - "AsyncAuditProvider.waitToComplete(): failed for provider { " + "MultiDestAuditProvider.waitToComplete(): failed for provider { " + provider.getClass().getName() + " }", excp); } } @@ -199,7 +199,7 @@ public void waitToComplete(long timeout) { provider.waitToComplete(timeout); } catch (Throwable excp) { LOG.error( - "AsyncAuditProvider.waitToComplete(): failed for provider { " + "MultiDestAuditProvider.waitToComplete(): failed for provider { " + provider.getClass().getName() + " }", excp); } } @@ -211,7 +211,7 @@ public void flush() { try { provider.flush(); } catch (Throwable excp) { - LOG.error("AsyncAuditProvider.flush(): failed for provider { " + LOG.error("MultiDestAuditProvider.flush(): failed for provider { " + provider.getClass().getName() + " }", excp); } } From e6ac04c570f59689076c6d8d78d922b3c579c0f3 Mon Sep 17 00:00:00 2001 From: Alok Lal Date: Fri, 4 Sep 2015 18:42:05 -0700 Subject: [PATCH 050/202] RANGER-632 Simplify policy and service-def validation related error messages that would be seen by the user. Signed-off-by: Alok Lal --- .../plugin/errors/ValidationErrorCode.java | 36 +++++++++-------- .../validation/RangerPolicyValidator.java | 39 +++++++++++++------ .../validation/ValidationFailureDetails.java | 2 +- 3 files changed, 48 insertions(+), 29 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java b/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java index b458394d6aa..72f7205291c 100644 
--- a/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java @@ -32,12 +32,12 @@ public enum ValidationErrorCode { SERVICE_VALIDATION_ERR_NULL_SERVICE_OBJECT(1003, "Internal error: service object passed in was null"), SERVICE_VALIDATION_ERR_EMPTY_SERVICE_ID(1004, "Internal error: service id was null/empty/blank"), SERVICE_VALIDATION_ERR_INVALID_SERVICE_ID(1005, "No service found for id [{0}]"), - SERVICE_VALIDATION_ERR_INVALID_SERVICE_NAME(1006, "Service name[{0}] was null/empty/blank"), - SERVICE_VALIDATION_ERR_SERVICE_NAME_CONFICT(1007, "service with the name[{0}] already exists"), - SERVICE_VALIDATION_ERR_ID_NAME_CONFLICT(1008, "id/name conflict: another service already exists with name[{0}], its id is [{1}]"), - SERVICE_VALIDATION_ERR_MISSING_SERVICE_DEF(1009, "service def [{0}] was null/empty/blank"), - SERVICE_VALIDATION_ERR_INVALID_SERVICE_DEF(1010, "service def named[{0}] not found"), - SERVICE_VALIDATION_ERR_REQUIRED_PARM_MISSING(1011, "required configuration parameter is missing; missing parameters: {0}"), + SERVICE_VALIDATION_ERR_INVALID_SERVICE_NAME(1006, "Missing service name"), + SERVICE_VALIDATION_ERR_SERVICE_NAME_CONFICT(1007, "Duplicate service name: name=[{0}]"), + SERVICE_VALIDATION_ERR_ID_NAME_CONFLICT(1008, "Duplicate service name: name=[{0}], id=[{1}]"), + SERVICE_VALIDATION_ERR_MISSING_SERVICE_DEF(1009, "Missing service def"), + SERVICE_VALIDATION_ERR_INVALID_SERVICE_DEF(1010, "Service def not found: service-def-name=[{0}]"), + SERVICE_VALIDATION_ERR_REQUIRED_PARM_MISSING(1011, "Missing required configuration parameter(s): missing parameters={0}"), // SERVICE-DEF VALIDATION SERVICE_DEF_VALIDATION_ERR_UNSUPPORTED_ACTION(2001, "Internal error: unsupported action[{0}]; isValid(Long) is only supported for DELETE"), 
@@ -65,26 +65,28 @@ public enum ValidationErrorCode {
 POLICY_VALIDATION_ERR_UNSUPPORTED_ACTION(3001, "Internal error: method signature isValid(Long) is only supported for DELETE"),
 POLICY_VALIDATION_ERR_MISSING_FIELD(3002, "Internal error: missing field[{0}]"),
 POLICY_VALIDATION_ERR_NULL_POLICY_OBJECT(3003, "Internal error: policy object passed in was null"),
- POLICY_VALIDATION_ERR_INVALID_POLICY_ID(3004, "Invalid policy id provided for update: no policy found for id[{0}]"),
+ POLICY_VALIDATION_ERR_INVALID_POLICY_ID(3004, "No policy found for id[{0}]"),
 POLICY_VALIDATION_ERR_POLICY_NAME_MULTIPLE_POLICIES_WITH_SAME_NAME(3005, "Internal error: multiple policies found with the name[{0}]"),
- POLICY_VALIDATION_ERR_POLICY_NAME_CONFLICT(3006, "id/name conflict: another policy already exists with name[{0}] for service[{1}, its id is[{2}]"),
+ POLICY_VALIDATION_ERR_POLICY_NAME_CONFLICT(3006, "Another policy already exists for this name: policy-id=[{0}], service=[{1}]"),
 POLICY_VALIDATION_ERR_INVALID_SERVICE_NAME(3007, "no service found with name[{0}]"),
 POLICY_VALIDATION_ERR_MISSING_POLICY_ITEMS(3008, "at least one policy item must be specified if audit isn't enabled"),
 POLICY_VALIDATION_ERR_MISSING_SERVICE_DEF(3009, "Internal error: Service def[{0}] of policy's service[{1}] does not exist!"),
- POLICY_VALIDATION_ERR_DUPLICATE_POLICY_RESOURCE(3010, "another policy[{0}] with matching resources[{1}] exists for service[{2}]!"),
- POLICY_VALIDATION_ERR_INVALID_RESOURCE_NO_COMPATIBLE_HIERARCHY(3011, "policy resources [{0}] are not compatible with any resource hierarchy for service def[{1}]! Valid hierarchies are: {2}"),
- POLICY_VALIDATION_ERR_INVALID_RESOURCE_MISSING_MANDATORY(3012, "policy is missing required resources.
Mandatory resources of potential hierarchies are: {0}"),
+ POLICY_VALIDATION_ERR_DUPLICATE_POLICY_RESOURCE(3010, "Another policy already exists for matching resource: policy-name=[{0}], service=[{1}]"),
+ POLICY_VALIDATION_ERR_INVALID_RESOURCE_NO_COMPATIBLE_HIERARCHY(3011, "Invalid resources specified. {0} policy can specify values for one of the following resource sets: {1}"),
+ POLICY_VALIDATION_ERR_INVALID_RESOURCE_MISSING_MANDATORY(3012, "Invalid resources specified. {0} policy must specify values for one of the following resource sets: {1}"),
 POLICY_VALIDATION_ERR_NULL_RESOURCE_DEF(3013, "Internal error: a resource-def on resource def collection of service-def[{0}] was null"),
 POLICY_VALIDATION_ERR_MISSING_RESOURCE_DEF_NAME(3014, "Internal error: name of a resource-def on resource def collection of service-def[{0}] was null"),
- POLICY_VALIDATION_ERR_EXCLUDES_NOT_SUPPORTED(3015, "isExcludes specified as [{0}] for resource [{1}] which doesn't support isExcludes"),
- POLICY_VALIDATION_ERR_EXCLUDES_REQUIRES_ADMIN(3016, "isExcludes specified as [{0}] for resource [{1}]. Insufficient permissions to create excludes policy."),
- POLICY_VALIDATION_ERR_RECURSIVE_NOT_SUPPORTED(3017, "isRecursive specified as [{0}] for resource [{1}] which doesn't support isRecursive"),
- POLICY_VALIDATION_ERR_INVALID_RESOURCE_VALUE_REGEX(3018, "Value[{0}] of resource[{1}] does not conform to the validation regex[{2}] defined on the service-def[{3}]"),
+ POLICY_VALIDATION_ERR_EXCLUDES_NOT_SUPPORTED(3015, "Excludes option not supported: resource-name=[{0}]"),
+ POLICY_VALIDATION_ERR_EXCLUDES_REQUIRES_ADMIN(3016, "Insufficient permissions to create excludes policy"),
+ POLICY_VALIDATION_ERR_RECURSIVE_NOT_SUPPORTED(3017, "Recursive option not supported: resource-name=[{0}]."),
+ POLICY_VALIDATION_ERR_INVALID_RESOURCE_VALUE_REGEX(3018, "Invalid resource specified.
A value of [{0}] is not valid for resource [{1}]"),
 POLICY_VALIDATION_ERR_NULL_POLICY_ITEM(3019, "policy items object was null"),
 POLICY_VALIDATION_ERR_MISSING_USER_AND_GROUPS(3020, "both users and user-groups collections on the policy item were null/empty"),
 POLICY_VALIDATION_ERR_NULL_POLICY_ITEM_ACCESS(3021, "policy items access object was null"),
- POLICY_VALIDATION_ERR_POLICY_ITEM_ACCESS_TYPE_INVALID(3022, "access type[{0}] not among valid types for service[{1}]"),
- POLICY_VALIDATION_ERR_POLICY_ITEM_ACCESS_TYPE_DENY(3023, "access type is set to deny. Currently deny access types are not supported."),
+ POLICY_VALIDATION_ERR_POLICY_ITEM_ACCESS_TYPE_INVALID(3022, "Invalid access type: access type=[{0}], valid access types=[{1}]"),
+ POLICY_VALIDATION_ERR_POLICY_ITEM_ACCESS_TYPE_DENY(3023, "Currently deny access types are not supported. Access type is set to deny."),
+ POLICY_VALIDATION_ERR_INVALID_RESOURCE_NO_COMPATIBLE_HIERARCHY_SINGLE(3024, "Invalid resources specified. {0} policy can specify values for the following resources: {1}"),
+ POLICY_VALIDATION_ERR_INVALID_RESOURCE_MISSING_MANDATORY_SINGLE(3025, "Invalid resources specified. {0} policy must specify values for the following resources: {1}"),
 ;
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
index da817c69996..66768c2b154 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
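Review bot: The placeholder layout of several messages changes meaning without a matching call-site change in this diff: 3006 goes from (name, service, id) to `policy-id=[{0}], service=[{1}]`, 3010 from (policy, resources, service) to `policy-name=[{0}], service=[{1}]`, and 3022 from (type, service) to `access type=[{0}], valid access types=[{1}]`. The RangerPolicyValidator hunks that follow only adjust the hierarchy, excludes/recursive and regex call sites, so unless those three callers are updated elsewhere the rendered text would label a policy name as an id, a resource list as a service, or a service name as the list of valid access types. The 3011, 3012, 3024 and 3025 texts read "{0} policy can/must specify values…", which is only right when {0} is the service-def name as the validator hunk passes; a short comment on the enum stating that placeholder order is part of the contract, e.g. `// {0}=service-def name, {1}=resource sets`, would keep the next edit honest. Minor: 3017's message ends with a period while its sibling 3015 does not.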
@@ -170,7 +170,7 @@ boolean isValid(RangerPolicy policy, Action action, boolean isAdmin, List> candidateHierarchies = filterHierarchies_hierarchyHasAllPolicyResources(policyResources, hierarchies, defHelper);
 if (candidateHierarchies.isEmpty()) {
- ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_INVALID_RESOURCE_NO_COMPATIBLE_HIERARCHY;
+ if (LOG.isDebugEnabled()) {
+ LOG.debug(String.format("No compatible resource hierarchies found: resource[%s], service-def[%s], valid-resource-hierarchies[%s]",
+ policyResources.toString(), serviceDef.getName(), toStringHierarchies_all(hierarchies, defHelper)));
+ }
+ ValidationErrorCode error;
+ if (hierarchies.size() == 1) { // we can give a simpler message for single hierarchy service-defs which is the majority of cases
+ error = ValidationErrorCode.POLICY_VALIDATION_ERR_INVALID_RESOURCE_NO_COMPATIBLE_HIERARCHY_SINGLE;
+ } else {
+ error = ValidationErrorCode.POLICY_VALIDATION_ERR_INVALID_RESOURCE_NO_COMPATIBLE_HIERARCHY;
+ }
 failures.add(new ValidationFailureDetailsBuilder()
 .field("policy resources")
 .subField("incompatible")
 .isSemanticallyIncorrect()
- .becauseOf(error.getMessage(policyResources.toString(), serviceDef.getName(), toStringHierarchies_all(hierarchies, defHelper)))
+ .becauseOf(error.getMessage(serviceDef.getName(), toStringHierarchies_all(hierarchies, defHelper)))
 .errorCode(error.getErrorCode())
 .build());
 valid = false;
@@ -353,12 +362,17 @@ boolean isValidResourceNames(final RangerPolicy policy, final List> validHierarchies = filterHierarchies_mandatoryResourcesSpecifiedInPolicy(policyResources, candidateHierarchies, defHelper);
 if (validHierarchies.isEmpty()) {
- ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_INVALID_RESOURCE_MISSING_MANDATORY;
+ ValidationErrorCode error;
+ if (candidateHierarchies.size() == 1) { // we can provide better message if there is a single candidate hierarchy
+ error = ValidationErrorCode.POLICY_VALIDATION_ERR_INVALID_RESOURCE_MISSING_MANDATORY_SINGLE;
+ } else {
+ error = ValidationErrorCode.POLICY_VALIDATION_ERR_INVALID_RESOURCE_MISSING_MANDATORY;
+ }
 failures.add(new ValidationFailureDetailsBuilder()
 .field("policy resources")
 .subField("missing mandatory")
 .isSemanticallyIncorrect()
- .becauseOf(error.getMessage(toStringHierarchies_mandatory(candidateHierarchies, defHelper)))
+ .becauseOf(error.getMessage(serviceDef.getName(), toStringHierarchies_mandatory(candidateHierarchies, defHelper)))
 .errorCode(error.getErrorCode())
 .build());
 valid = false;
@@ -495,7 +509,7 @@ boolean isValidResourceFlags(final Map inputPolicy
 .field("isExcludes")
 .subField(resourceName)
 .isSemanticallyIncorrect()
- .becauseOf(error.getMessage(policyResourceIsExcludes, resourceName))
+ .becauseOf(error.getMessage(resourceName))
 .errorCode(error.getErrorCode())
 .build());
 valid = false;
@@ -506,7 +520,7 @@ boolean isValidResourceFlags(final Map inputPolicy
 .field("isExcludes")
 .subField("isAdmin")
 .isSemanticallyIncorrect()
- .becauseOf(error.getMessage(policyResourceIsExcludes, resourceName))
+ .becauseOf(error.getMessage())
 .errorCode(error.getErrorCode())
 .build());
 valid = false;
@@ -519,7 +533,7 @@ boolean isValidResourceFlags(final Map inputPolicy
 .field("isRecursive")
 .subField(resourceName)
 .isSemanticallyIncorrect()
- .becauseOf(error.getMessage(policyIsRecursive, resourceName))
+ .becauseOf(error.getMessage(resourceName))
 .errorCode(error.getErrorCode())
 .build());
 valid = false;
@@ -551,12 +565,15 @@ boolean isValidResourceValues(Map resourceMap, Lis
 if (StringUtils.isBlank(aValue)) {
 LOG.debug("resource value was blank");
 } else if (!aValue.matches(regEx)) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug(String.format("Resource failed regex check: value[%s], resource-name[%s], regEx[%s], service-def-name[%s]", aValue, name, regEx, serviceDef.getName()));
+ }
 ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_INVALID_RESOURCE_VALUE_REGEX;
 failures.add(new ValidationFailureDetailsBuilder()
 .field("resource-values")
 .subField(name)
 .isSemanticallyIncorrect()
- .becauseOf(error.getMessage(aValue, name, regEx, serviceDef.getName()))
+ .becauseOf(error.getMessage(aValue, name))
 .errorCode(error.getErrorCode())
 .build());
 valid = false;
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/ValidationFailureDetails.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/ValidationFailureDetails.java
index a0e85738275..e9ad40a9d2c 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/ValidationFailureDetails.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/ValidationFailureDetails.java
@@ -74,7 +74,7 @@ public String getSubFieldName() {
 @Override
 public String toString() {
 LOG.debug("ValidationFailureDetails.toString()");
- return String.format("%s: error code[%d], reason[%s], field[%s], subfield[%s], type[%s]", "Policy validation failure",
+ return String.format(" %s: error code[%d], reason[%s], field[%s], subfield[%s], type[%s]", "Validation failure",
 _errorCode, _reason, _fieldName, _subFieldName, getType());
 }
From 97453ff07cad0b7e73f645e22fb543b427680973 Mon Sep 17 00:00:00 2001
From: fi_niting
Date: Tue, 15 Sep 2015 17:11:59 +0530
Subject: [PATCH 051/202] RANGER-632 Added validation error msg on Ranger UI in service/policy create page and also added pause option in bootstrap-notify plugin.
Signed-off-by: Alok Lal
---
 .../bootstrap-notify/js/bootstrap-notify.js | 44 ++++++++++++++++---
 .../src/main/webapp/scripts/utils/XAUtils.js | 26 ++++++++++-
 .../views/policies/RangerPolicyCreate.js | 12 +++--
 .../scripts/views/service/ServiceCreate.js | 23 +++-------
 security-admin/src/main/webapp/styles/xa.css | 5 +++
 5 files changed, 80 insertions(+), 30 deletions(-)
diff --git a/security-admin/src/main/webapp/libs/bower/bootstrap-notify/js/bootstrap-notify.js b/security-admin/src/main/webapp/libs/bower/bootstrap-notify/js/bootstrap-notify.js
index e58c6c50ab0..ba309e210bc 100644
--- a/security-admin/src/main/webapp/libs/bower/bootstrap-notify/js/bootstrap-notify.js
+++ b/security-admin/src/main/webapp/libs/bower/bootstrap-notify/js/bootstrap-notify.js
@@ -47,13 +47,21 @@
 this.$note.text(this.options.message.text);
 } else this.$note.html(this.options.message);
-
+
+ var style = this.options.type == 'error' ? 'color:#a94442' : 'color:#3c763d';
+
 if(this.options.closable) {
- var link = $('×');
+ var link = $('×');
 $(link).on('click', $.proxy(onClose, this));
 this.$note.prepend(link);
 }
+ if(this.options.pausable) {
+ var pauseLink = $('');
+ $(pauseLink).on('click', $.proxy(onPause, this));
+ this.$note.prepend(pauseLink);
+
+ }
 return this;
 };
@@ -64,10 +72,31 @@
 return false;
 };
+ var onPause = function() {
+ if(this.$note.find('.pause').is(':visible')){
+ clearInterval(this.clearNotifyInterval)
+ this.$note.find('.pause').hide()
+ this.$note.find('.play').show()
+ }else{
+ setFadeOut(this)
+ this.$note.find('.pause').show()
+ this.$note.find('.play').hide()
+ }
+ return false;
+ };
+ var setFadeOut = function(self){
+ var that = self;
+ self.clearNotifyInterval = setTimeout(function() {
+ that.$note.fadeOut('slow', $.proxy(that.onClose, that));
+ }, self.options.fadeOut.delay || 7000);
+ };
+
 Notification.prototype.show = function () {
- if(this.options.fadeOut.enabled)
- this.$note.delay(this.options.fadeOut.delay || 3000).fadeOut('slow', $.proxy(onClose, this));
-
+ var that = this;
+ if(this.options.fadeOut.enabled){
+ setFadeOut(this)
+ }
+// this.$note.delay(this.options.fadeOut.delay || 3000).fadeOut('slow', $.proxy(onClose, this));
 this.$element.append(this.$note);
 this.$note.alert();
 };
@@ -88,10 +117,11 @@
 transition: 'fade',
 fadeOut: {
 enabled: true,
- delay: 3000
+ delay: 7000
 },
 message: null,
 onClose: function () {},
- onClosed: function () {}
+ onClosed: function () {},
+ pausable: false
 }
 })(window.jQuery);
diff --git a/security-admin/src/main/webapp/scripts/utils/XAUtils.js b/security-admin/src/main/webapp/scripts/utils/XAUtils.js
index 6d84d1cf7d9..3f52fb2990a 100644
--- a/security-admin/src/main/webapp/scripts/utils/XAUtils.js
+++ b/security-admin/src/main/webapp/scripts/utils/XAUtils.js
@@ -194,7 +194,8 @@ define(function(require) {
 html : html,
 text : text
 },
- type : 'info'
+ type : 'info',
+ pausable: true
 };
 }
 $('.top-right').notify(options).show();
@@ -220,7 +221,8 @@ define(function(require) {
 html : html,
 text : text
 },
- type : 'error'
+ type : 'error',
+ pausable: true
 };
 }
 $('.top-right').notify(options).show();
@@ -246,6 +248,7 @@ define(function(require) {
 html : html
 },
 type : 'success',
+ pausable: true
 };
 }
 $('.top-right').notify(options).show();
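Review bot: In `setFadeOut`, the fade-out callback is `$.proxy(that.onClose, that)`, but the line it replaces used the module-local `onClose` function; unless Notification instances carry an `onClose` property, `that.onClose` is undefined and the close handling the old code ran on fade-out no longer happens. `onPause` also pairs `clearInterval` with a handle that came from `setTimeout`; browsers share one id space so it usually works, but `clearTimeout(this.clearNotifyInterval);` states the intent. Suggest `that.$note.fadeOut('slow', $.proxy(onClose, that));`, dropping the now-unused `var that = this;` in `show`, and deleting the commented-out `delay(...).fadeOut(...)` line rather than leaving it. Several of the new statements also lack terminating semicolons, unlike the surrounding code.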
@@ -1096,5 +1099,24 @@ define(function(require) {
 })
 return {'userRoleList' : userRoleList };
 };
+ XAUtils.showErrorMsg = function(respMsg){
+ var respArr = respMsg.split(/\([0-9]*\)/);
+ respArr.shift();
+ _.each(respArr, function(str){
+ var validationMsg = str.split(','), erroCodeMsg = '';
+ //get code from string
+ if(!_.isUndefined(validationMsg[0]) && validationMsg[0].indexOf("error code") != -1){
+ var tmp = validationMsg[0].split('error code');
+ var code = tmp[ tmp.length - 1 ];
+
+ erroCodeMsg = 'Error Code : '+ code.match(/\d/g).join('');
+ }
+ var reason = str.lastIndexOf("reason") != -1 ? (str.substring(str.lastIndexOf("reason")+7, str.indexOf("field[")-2 ))
+ : str;
+ var erroMsg = erroCodeMsg +"
"+XAUtils.capitaliseFirstLetter(reason);
+ return XAUtils.notifyError('Error', erroMsg);
+ });
+ };
+
 return XAUtils;
 });
diff --git a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js
index 7370ee876eb..b07f9a2fe80 100644
--- a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js
+++ b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js
@@ -207,10 +207,14 @@ define(function(require){
 App.appRouter.navigate("#!/service/"+that.rangerService.id+"/policies",{trigger: true});
 console.log("success");
 },
- error: function (model, response, options) {
- XAUtil.blockUI('unblock');
- XAUtil.notifyError('Error', 'Error creating Policy!');
- console.log("error");
+ error : function(model, response, options) {
+ XAUtil.blockUI('unblock');
+ var msg = that.editPolicy ? 'Error updating policy.': 'Error creating policy.';
+ if (response && response.responseJSON && response.responseJSON.msgDesc) {
+ XAUtil.showErrorMsg(response.responseJSON.msgDesc);
+ } else {
+ XAUtil.notifyError('Error', msg);
+ }
 }
 });
 },
diff --git a/security-admin/src/main/webapp/scripts/views/service/ServiceCreate.js b/security-admin/src/main/webapp/scripts/views/service/ServiceCreate.js
index 01141b642e2..239b61e27a6 100644
--- a/security-admin/src/main/webapp/scripts/views/service/ServiceCreate.js
+++ b/security-admin/src/main/webapp/scripts/views/service/ServiceCreate.js
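Review bot: `showErrorMsg` builds `erroMsg` by concatenating markup with `reason`, a slice of the raw server response text, and hands it to `notifyError`; the notify helpers earlier in this file pass their message as `{ html, text }` and bootstrap-notify falls back to `.html()` when `text` is unset, and the new validation messages echo caller-supplied values such as service and policy names, so the reason should be escaped before concatenation, e.g. `XAUtils.capitaliseFirstLetter(_.escape(reason))`, unless notifyError is known to always set `text`. The parser is also brittle: `code.match(/\d/g)` returns null when the segment holds no digit and the following `.join` throws, and `str.indexOf("field[")-2` is negative when `field[` is absent, which silently makes `substring` start at 0. The `return` inside the `_.each` callback has no effect and reads as if the loop stops after the first message. The markup between the quotes of the `erroMsg` line appears stripped in this rendering, so that literal cannot be checked here.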
@@ -164,23 +164,12 @@ define(function(require){
 },
 error: function (model, response, options) {
 XAUtil.blockUI('unblock');
- if ( response && response.responseJSON && response.responseJSON.msgDesc){
- if(response.responseJSON.msgDesc == "serverMsg.fsDefaultNameValidationError"){
- that.form.fields.fsDefaultName.setError(localization.tt(response.responseJSON.msgDesc));
- XAUtil.scrollToField(that.form.fields.fsDefaultName.$el);
- }else if(response.responseJSON.msgDesc == "Repository Name already exists"){
- response.responseJSON.msgDesc = "serverMsg.repositoryNameAlreadyExistsError";
- that.form.fields.name.setError(localization.tt(response.responseJSON.msgDesc));
- XAUtil.scrollToField(that.form.fields.name.$el);
- }else if(response.responseJSON.msgDesc == "XUser already exists"){
- response.responseJSON.msgDesc = "serverMsg.userAlreadyExistsError";
- that.form.fields.userName.setError(localization.tt(response.responseJSON.msgDesc));
- XAUtil.scrollToField(that.form.fields.userName.$el);
- }else
- XAUtil.notifyError('Error', response.responseJSON.msgDesc);
- }else
- XAUtil.notifyError('Error', 'Error creating Service!');
- console.log("error");
+ var msg = that.editService ? 'Error updating Service.': 'Error creating Service.';
+ if (response && response.responseJSON && response.responseJSON.msgDesc) {
+ XAUtil.showErrorMsg(response.responseJSON.msgDesc);
+ } else {
+ XAUtil.notifyError('Error', msg);
+ }
 }
 });
 },
diff --git a/security-admin/src/main/webapp/styles/xa.css b/security-admin/src/main/webapp/styles/xa.css
index ceb1f538532..f0c75307d6a 100644
--- a/security-admin/src/main/webapp/styles/xa.css
+++ b/security-admin/src/main/webapp/styles/xa.css
@@ -1838,4 +1838,9 @@ td.select-row-cell {
 #r_topNav .dropdown-menu {
 margin:0;
+}
+.pause-play-close{
+ margin-left: -5px;
+ margin-top: -2px;
+ font-size: 11px;
 }
\ No newline at end of file
From 1dbc7a1a25c3d32ebdcbf85398738ad63f9391c1 Mon Sep 17 00:00:00 2001
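Review bot: The removed branches translated specific server responses (`serverMsg.fsDefaultNameValidationError`, "Repository Name already exists", "XUser already exists") into localized, field-anchored errors via `setError` and `scrollToField`; the new code routes every `msgDesc` through `XAUtil.showErrorMsg`, so if the server still returns those strings for a service save the user now gets the raw key or message as a toast instead of a localized error beside the offending field. If the backend was changed to return the new ValidationErrorCode messages for all of these cases this is fine, but that change is not part of this commit. The `msg` fallback is only used when `msgDesc` is absent, which matches the policy view above, so the two error handlers are at least consistent.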
From: Gautam Borad
Date: Tue, 15 Sep 2015 13:50:35 +0530
Subject: [PATCH 052/202] RANGER-630 : Data consistency across API and UI
Signed-off-by: Velmurugan Periasamy
---
 .../java/org/apache/ranger/biz/UserMgr.java | 73 +--
 .../java/org/apache/ranger/biz/XAuditMgr.java | 73 ++-
 .../java/org/apache/ranger/biz/XUserMgr.java | 278 +++++----
 .../org/apache/ranger/db/XXGroupUserDao.java | 21 +
 .../org/apache/ranger/db/XXModuleDefDao.java | 38 ++
 .../org/apache/ranger/rest/AssetREST.java | 15 +-
 .../org/apache/ranger/rest/PublicAPIsv2.java | 2 +-
 .../org/apache/ranger/rest/ServiceREST.java | 30 +-
 .../java/org/apache/ranger/rest/UserREST.java | 13 +-
 .../org/apache/ranger/rest/XAuditREST.java | 10 +-
 .../java/org/apache/ranger/rest/XKeyREST.java | 10 +-
 .../org/apache/ranger/rest/XUserREST.java | 114 +++-
 .../security/context/RangerAPIList.java | 201 +++++++
 .../security/context/RangerAPIMapping.java | 535 ++++++++++++++++++
 .../context/RangerPreAuthSecurityHandler.java | 93 +++
 .../ranger/service/XAuditMapService.java | 60 ++
 .../ranger/service/XPermMapService.java | 60 +-
 .../ranger/service/XResourceService.java | 31 +-
 .../resources/META-INF/jpa_named_queries.xml | 19 +
 .../conf.dist/security-applicationContext.xml | 2 +
 .../apache/ranger/audit/TestAuditQueue.java | 3 +-
 .../org/apache/ranger/biz/TestUserMgr.java | 14 +-
 .../org/apache/ranger/biz/TestXUserMgr.java | 9 +-
 .../apache/ranger/rest/TestServiceREST.java | 2 +-
 24 files changed, 1450 insertions(+), 256 deletions(-)
 create mode 100644 security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIList.java
 create mode 100644 security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIMapping.java
 create mode 100644 security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
index 939ddc22dc2..ff0ea01682b 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
@@ -139,22 +139,8 @@ public UserMgr() {
 public XXPortalUser createUser(VXPortalUser userProfile, int userStatus, Collection userRoleList) {
- UserSessionBase session = ContextUtil.getCurrentUserSession();
- if (session != null) {
- if (!session.isUserAdmin()) {
- throw restErrorUtil.create403RESTException("User "
- + "creation denied. LoggedInUser="
- + (session != null ? session.getXXPortalUser().getId()
- : "Not Logged In")
- + " ,isn't permitted to perform the action.");
- }
- }else{
- VXResponse vXResponse = new VXResponse();
- vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
- vXResponse.setMsgDesc("Bad Credentials");
- throw restErrorUtil.generateRESTException(vXResponse);
- }
 XXPortalUser user = mapVXPortalUserToXXPortalUser(userProfile);
+ checkAdminAccess();
 user = createUser(user, userStatus, userRoleList);
 return user;
@@ -366,6 +352,7 @@ private boolean updateRoles(Long userId, Collection rolesList) {
 * @param vStrings
 */
 public void setUserRoles(Long userId, List vStringRolesList) {
+ checkAccess(userId);
 List stringRolesList = new ArrayList();
 for (VXString vXString : vStringRolesList) {
 stringRolesList.add(vXString.getValue());
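Review bot: `checkAdminAccess()` in the three-argument `createUser` now runs after `mapVXPortalUserToXXPortalUser(userProfile)`; the authorization check should be the first statement so no work is done for a caller who is about to be rejected, i.e. move `checkAdminAccess();` above the mapping line. The replaced block also distinguished an absent session (401 "Bad Credentials") from a non-admin session (403), while the new helper defined in the last UserMgr hunk answers both with 403; the same collapse happens in `deactivateUser` and `createDefaultAccountUser`, and `XAuditMgr.checkAdminAccess` in this same commit keeps the 401 path, so the two classes now treat an unauthenticated caller differently. Whether any client relies on the 401 is not visible here, but the behaviour change deserves a line in the commit message. `checkAccess(userId)` added to `setUserRoles` is not defined in any hunk shown; presumably it already exists elsewhere in UserMgr.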
@@ -384,15 +371,7 @@ public VXResponse changePassword(VXPasswordChange pwdChange) {
 String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
 XXPortalUser gjUserCurrent = daoManager.getXXPortalUser() .findByLoginId(currentUserLoginId);
-
- if (gjUserCurrent == null) {
- logger.info("changePassword(). Invalid user login id. userId="
- + currentUserLoginId);
- throw restErrorUtil.createRESTException(
- "serverMsg.userMgrInvalidUser",
- MessageEnums.DATA_NOT_FOUND, null, null, ""
- + currentUserLoginId);
- }
+ checkAccess(gjUserCurrent);
 String encryptedOldPwd = encrypt(gjUserCurrent.getLoginId(), pwdChange.getOldPassword());
@@ -480,7 +459,7 @@ public VXResponse changePassword(VXPasswordChange pwdChange) {
 */
 public VXPortalUser changeEmailAddress(XXPortalUser gjUser, VXPasswordChange changeEmail) {
-
+ checkAccess(gjUser);
 if (gjUser.getEmailAddress() != null) {
 throw restErrorUtil.createRESTException(
 "serverMsg.userMgrEmailChange",
@@ -530,21 +509,7 @@ public VXPortalUser changeEmailAddress(XXPortalUser gjUser,
 * @param userId
 */
 public VXPortalUser deactivateUser(XXPortalUser gjUser) {
- UserSessionBase session = ContextUtil.getCurrentUserSession();
- if (session != null) {
- if (!session.isUserAdmin()) {
- throw restErrorUtil.create403RESTException("deactivation of user"
- + " denied. LoggedInUser="
- + (session != null ? session.getXXPortalUser().getId()
- : "Not Logged In")
- + " ,isn't permitted to perform the action.");
- }
- }else{
- VXResponse vXResponse = new VXResponse();
- vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
- vXResponse.setMsgDesc("Bad Credentials");
- throw restErrorUtil.generateRESTException(vXResponse);
- }
+ checkAdminAccess();
 if (gjUser != null && gjUser.getStatus() != RangerConstants.ACT_STATUS_DEACTIVATED) {
 logger.info("Marking user " + gjUser.getLoginId() + " as deleted");
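Review bot: `checkAccess(gjUserCurrent)` in `changePassword` replaces an explicit null guard on `gjUserCurrent`, which `findByLoginId` can return when the session login id no longer maps to a portal user, and the very next statement dereferences `gjUserCurrent.getLoginId()`; unless `checkAccess(XXPortalUser)` rejects null itself (its body is not in this diff) the old DATA_NOT_FOUND response becomes a NullPointerException. Either keep the guard or state the contract on the helper, e.g. a Javadoc line `@throws ... if the user is null or is not the session user`, so callers can drop their own checks knowingly. The same ordering applies in `changeEmailAddress`, where `gjUser.getEmailAddress()` follows the call.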
@@ -1121,6 +1086,7 @@ public String encrypt(String loginId, String password) {
 }
 public VXPortalUser createUser(VXPortalUser userProfile) {
+ checkAdminAccess();
 XXPortalUser xXPortalUser = this.createUser(userProfile, RangerCommonEnums.STATUS_ENABLED);
 return mapXXPortalUserVXPortalUser(xXPortalUser);
@@ -1132,21 +1098,7 @@ public VXPortalUser createDefaultAccountUser(VXPortalUser userProfile) {
 userProfile.setUserSource(RangerCommonEnums.USER_EXTERNAL);
 }
 // access control
- UserSessionBase session = ContextUtil.getCurrentUserSession();
- if (session != null) {
- if (!session.isUserAdmin()) {
- throw restErrorUtil.create403RESTException("User "
- + "creation denied. LoggedInUser="
- + session.getXXPortalUser().getId()
- + " ,isn't permitted to perform the action.");
-
- }
- }else{
- VXResponse vXResponse = new VXResponse();
- vXRespon
- vXResponse.setMsgDesc("Bad Credentials");
- throw restErrorUtil.generateRESTException(vXResponse);
- }
+ checkAdminAccess();
 logger.info("create:" + userProfile.getEmailAddress());
 XXPortalUser xXPortalUser = null;
 String loginId = userProfile.getLoginId();
@@ -1275,4 +1227,15 @@ public XXPortalUser updatePasswordInSHA256(String userName,String userPassword)
 return xXPortalUser;
 }
+
+ public void checkAdminAccess() {
+ UserSessionBase sess = ContextUtil.getCurrentUserSession();
+ if (sess != null) {
+ if (sess != null && sess.isUserAdmin()) {
+ return;
+ }
+ }
+ throw restErrorUtil.create403RESTException("Operation not allowed." + " loggedInUser=" + (sess != null ? sess.getXXPortalUser().getId() : "Not Logged In"));
+ }
+
 }
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java
index d9812f934fa..02d725f6a8e 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java
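Review bot: In `checkAdminAccess`, the inner `sess != null &&` is redundant inside the `if (sess != null)` branch and the nesting obscures a one-line condition; `if (sess != null && sess.isUserAdmin()) { return; }` followed by the throw reads directly. The method is public and now gates several mutating operations but has no Javadoc; a short contract such as `/** Throws a 403 REST exception unless the current session belongs to an admin user. */` would make the intent explicit to the REST layer. `createUser(VXPortalUser)` calls it and then `this.createUser(userProfile, STATUS_ENABLED)`, which presumably reaches the three-argument overload that checks again; harmless, but a comment would save the next reader from wondering whether one of the two is meant to go.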
@@ -19,13 +19,22 @@
 package org.apache.ranger.biz;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.ranger.common.ContextUtil;
 import org.apache.ranger.common.SearchCriteria;
+import org.apache.ranger.common.UserSessionBase;
 import org.apache.ranger.solr.SolrAccessAuditsService;
 import org.apache.ranger.view.VXAccessAudit;
 import org.apache.ranger.view.VXAccessAuditList;
 import org.apache.ranger.view.VXLong;
+import org.apache.ranger.view.VXResponse;
+import org.apache.ranger.view.VXTrxLog;
+import org.apache.ranger.view.VXTrxLogList;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+@Component
 public class XAuditMgr extends XAuditMgrBase {
 @Autowired
@@ -34,9 +43,68 @@ public class XAuditMgr extends XAuditMgrBase {
 @Autowired
 RangerBizUtil rangerBizUtil;
+ public VXTrxLog getXTrxLog(Long id) {
+ checkAdminAccess();
+ return super.getXTrxLog(id);
+ }
+
+ public VXTrxLog createXTrxLog(VXTrxLog vXTrxLog) {
+ checkAdminAccess();
+ return super.createXTrxLog(vXTrxLog);
+ }
+
+ public VXTrxLog updateXTrxLog(VXTrxLog vXTrxLog) {
+ checkAdminAccess();
+ return super.updateXTrxLog(vXTrxLog);
+ }
+
+ public void deleteXTrxLog(Long id, boolean force) {
+ checkAdminAccess();
+ super.deleteXTrxLog(id, force);
+ }
+
+ public VXTrxLogList searchXTrxLogs(SearchCriteria searchCriteria) {
+ checkAdminAccess();
+ return super.searchXTrxLogs(searchCriteria);
+ }
+
+ public VXLong getXTrxLogSearchCount(SearchCriteria searchCriteria) {
+ checkAdminAccess();
+ return super.getXTrxLogSearchCount(searchCriteria);
+ }
+
+ public VXAccessAudit createXAccessAudit(VXAccessAudit vXAccessAudit) {
+ checkAdminAccess();
+ return super.createXAccessAudit(vXAccessAudit);
+ }
+
+ public VXAccessAudit updateXAccessAudit(VXAccessAudit vXAccessAudit) {
+ checkAdminAccess();
+ return super.updateXAccessAudit(vXAccessAudit);
+ }
+
+ public void deleteXAccessAudit(Long id, boolean force) {
+ checkAdminAccess();
+ super.deleteXAccessAudit(id, force);
+ }
+
+ public void checkAdminAccess() {
+ UserSessionBase session = ContextUtil.getCurrentUserSession();
+ if (session != null) {
+ if (!session.isUserAdmin()) {
+ throw restErrorUtil.create403RESTException("Operation" + " denied. LoggedInUser=" + (session != null ?
session.getXXPortalUser().getId() : "Not Logged In")
+ + " ,isn't permitted to perform the action.");
+ }
+ } else {
+ VXResponse vXResponse = new VXResponse();
+ vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
+ vXResponse.setMsgDesc("Bad Credentials");
+ throw restErrorUtil.generateRESTException(vXResponse);
+ }
+ }
+
 @Override
 public VXAccessAudit getXAccessAudit(Long id) {
- // TODO Auto-generated method stub
 return super.getXAccessAudit(id);
 }
@@ -52,8 +120,7 @@ public VXAccessAuditList searchXAccessAudits(SearchCriteria searchCriteria) {
 @Override
 public VXLong getXAccessAuditSearchCount(SearchCriteria searchCriteria) {
 if (rangerBizUtil.getAuditDBType().equalsIgnoreCase("solr")) {
- return solrAccessAuditsService
- .getXAccessAuditSearchCount(searchCriteria);
+ return solrAccessAuditsService.getXAccessAuditSearchCount(searchCriteria);
 } else {
 return super.getXAccessAuditSearchCount(searchCriteria);
 }
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
index 700caff74c8..2413afbf8b3 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
@@ -20,7 +20,6 @@
 package org.apache.ranger.biz;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.Collection;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -37,6 +36,7 @@
 import org.apache.ranger.service.XGroupPermissionService;
 import org.apache.ranger.service.XModuleDefService;
 import org.apache.ranger.service.XPortalUserService;
+import org.apache.ranger.service.XResourceService;
 import org.apache.ranger.service.XUserPermissionService;
 import org.apache.ranger.view.VXGroupPermission;
 import org.apache.ranger.view.VXModuleDef;
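Review bot: The nine new wrappers from `getXTrxLog` to `deleteXAccessAudit` each delegate with `super.` and therefore override base-class methods, yet none carries `@Override`, unlike `getXAccessAudit` directly below them; adding it lets the compiler catch a signature drift in XAuditMgrBase. `checkAdminAccess` repeats `session != null ?` inside a branch that already established it, the same pattern UserMgr.checkAdminAccess has in this commit, and the two helpers answer an absent session differently (401 here, 403 there); one shared helper would keep the REST behaviour consistent across managers. The read paths `getXAccessAudit`, `searchXAccessAudits` and `getXAccessAuditSearchCount` remain unguarded in this hunk; if non-admin audit viewing is intentional, a one-line comment such as `// read access to audit records is intentionally not restricted to admins` would stop the next reader from "fixing" it.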
@@ -49,24 +49,31 @@
 import org.apache.ranger.common.UserSessionBase;
 import org.apache.ranger.db.RangerDaoManager;
 import org.apache.ranger.db.XXGroupUserDao;
+import org.apache.ranger.entity.XXAuditMap;
 import org.apache.ranger.entity.XXGroup;
+import org.apache.ranger.entity.XXPermMap;
 import org.apache.ranger.entity.XXPortalUser;
-import org.apache.ranger.entity.XXPortalUserRole;
 import org.apache.ranger.entity.XXTrxLog;
 import org.apache.ranger.entity.XXUser;
 import org.apache.ranger.service.XGroupService;
 import org.apache.ranger.service.XUserService;
+import org.apache.ranger.view.VXAuditMapList;
 import org.apache.ranger.view.VXGroup;
+import org.apache.ranger.view.VXGroupGroup;
 import org.apache.ranger.view.VXGroupList;
 import org.apache.ranger.view.VXGroupUser;
 import org.apache.ranger.view.VXGroupUserList;
+import org.apache.ranger.view.VXLong;
+import org.apache.ranger.view.VXPermMapList;
 import org.apache.ranger.view.VXPortalUser;
 import org.apache.ranger.view.VXUser;
 import org.apache.ranger.view.VXUserGroupInfo;
 import org.apache.ranger.view.VXUserList;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
+ import javax.servlet.http.HttpServletResponse;
+ import org.apache.ranger.view.VXResponse;
 @Component
 public class XUserMgr extends XUserMgrBase {
@@ -100,25 +107,14 @@ public class XUserMgr extends XUserMgrBase {
 @Autowired
 XPortalUserService xPortalUserService;
+
+ @Autowired
+ XResourceService xResourceService;
 static final Logger logger = Logger.getLogger(XUserMgr.class);
 public void deleteXGroup(Long id, boolean force) {
- UserSessionBase session = ContextUtil.getCurrentUserSession();
- if (session != null) {
- if (!session.isUserAdmin()) {
- throw restErrorUtil.create403RESTException("deletion of group"
- + " denied. LoggedInUser="
- + (session != null ? session.getXXPortalUser().getId()
- : "Not Logged In")
- + " ,isn't permitted to perform the action.");
- }
- }else{
- VXResponse vXResponse = new VXResponse();
- vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
- vXResponse.setMsgDesc("Bad Credentials");
- throw restErrorUtil.generateRESTException(vXResponse);
- }
+ checkAdminAccess();
 if (force) {
 SearchCriteria searchCriteria = new SearchCriteria();
 searchCriteria.addParam("xGroupId", id);
@@ -139,21 +135,7 @@ public void deleteXGroup(Long id, boolean force) {
 }
 public void deleteXUser(Long id, boolean force) {
- UserSessionBase session = ContextUtil.getCurrentUserSession();
- if (session != null) {
- if (!session.isUserAdmin()) {
- throw restErrorUtil.create403RESTException("deletion of user"
- + " denied. LoggedInUser="
- + (session != null ? session.getXXPortalUser().getId()
- : "Not Logged In")
- + " ,isn't permitted to perform the action.");
- }
- }else{
- VXResponse vXResponse = new VXResponse();
- vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
- vXResponse.setMsgDesc("Bad Credentials");
- throw restErrorUtil.generateRESTException(vXResponse);
- }
+ checkAdminAccess();
 if (force) {
 SearchCriteria searchCriteria = new SearchCriteria();
 searchCriteria.addParam("xUserId", id);
@@ -185,21 +167,7 @@ public VXUser getXUserByUserName(String userName) { } public VXUser createXUser(VXUser vXUser) { - UserSessionBase session = ContextUtil.getCurrentUserSession(); - if (session != null) { - if (!session.isUserAdmin()) { - throw restErrorUtil.create403RESTException("creation of user" - + " denied. LoggedInUser=" - + (session != null ? session.getXXPortalUser().getId() - : "Not Logged In") - + " ,isn't permitted to perform the action."); - } - }else{ - VXResponse vXResponse = new VXResponse(); - vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); - vXResponse.setMsgDesc("Bad Credentials"); - throw restErrorUtil.generateRESTException(vXResponse); - } + checkAdminAccess(); String userName = vXUser.getName(); if (userName == null || userName.isEmpty()) { throw restErrorUtil.createRESTException("Please provide a valid " @@ -256,7 +224,6 @@ public VXUser createXUser(VXUser vXUser) { } // Assigning Permission - @SuppressWarnings("unused") public void assignPermissionToUser(VXPortalUser vXPortalUser, boolean isCreate) { HashMap moduleNameId = getModelNames(); @@ -336,7 +303,6 @@ private void insertMappingUserPermisson(Long userId, Long moduleId, } - @SuppressWarnings("unused") public HashMap getModelNames() { List xxModuleDefs = daoManager.getXXModuleDef() .findModuleNamesWithIds(); @@ -369,6 +335,10 @@ private VXGroupUser createXGroupUser(Long userId, Long groupId) { } public VXUser updateXUser(VXUser vXUser) { + if (vXUser == null || vXUser.getName() == null || vXUser.getName().trim().isEmpty()) { + throw restErrorUtil.createRESTException("Please provide a valid " + "username.", MessageEnums.INVALID_INPUT_DATA); + } + checkAccess(vXUser.getName()); VXPortalUser oldUserProfile = userMgr.getUserProfileByLoginId(vXUser .getName()); VXPortalUser vXPortalUser = new VXPortalUser(); 
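Review bot: In `updateXUser`, `checkAccess(vXUser.getName())` bases the self-or-admin decision on the name supplied in the request body, and the lookup on the next line, `userMgr.getUserProfileByLoginId(vXUser.getName())`, uses that same value; the rest of the method is outside the hunk, so confirm it never locates or writes the row via `vXUser.getId()`, otherwise a non-admin could send their own name alongside another user's id. The new validation also uses a needless concatenation, `"Please provide a valid " + "username."`; write `"Please provide a valid username."`.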
@@ -522,21 +492,7 @@ public VXUser updateXUser(VXUser vXUser) { public VXUserGroupInfo createXUserGroupFromMap( VXUserGroupInfo vXUserGroupInfo) { - UserSessionBase session = ContextUtil.getCurrentUserSession(); - if (session != null) { - if (!session.isUserAdmin()) { - throw restErrorUtil.create403RESTException("User group " - + "creation denied. LoggedInUser=" - + (session != null ? session.getXXPortalUser().getId() - : "Not Logged In") - + " ,isn't permitted to perform the action."); - } - }else{ - VXResponse vXResponse = new VXResponse(); - vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); - vXResponse.setMsgDesc("Bad Credentials"); - throw restErrorUtil.generateRESTException(vXResponse); - } + checkAdminAccess(); VXUserGroupInfo vxUGInfo = new VXUserGroupInfo(); VXUser vXUser = vXUserGroupInfo.getXuserInfo(); 
@@ -563,41 +519,12 @@ public VXUserGroupInfo createXUserGroupFromMap( } public VXUser createXUserWithOutLogin(VXUser vXUser) { - UserSessionBase session = ContextUtil.getCurrentUserSession(); - if (session != null) { - if (!session.isUserAdmin()) { - throw restErrorUtil.create403RESTException("creation of user" - + " denied. LoggedInUser=" - + (session != null ? session.getXXPortalUser().getId() - : "Not Logged In") - + " ,isn't permitted to perform the action."); - } - }else{ - VXResponse vXResponse = new VXResponse(); - vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); - vXResponse.setMsgDesc("Bad Credentials"); - throw restErrorUtil.generateRESTException(vXResponse); - } + checkAdminAccess(); return xUserService.createXUserWithOutLogin(vXUser); } public VXGroup createXGroup(VXGroup vXGroup) { - UserSessionBase session = ContextUtil.getCurrentUserSession(); - if (session != null) { - if (!session.isUserAdmin()) { - throw restErrorUtil.create403RESTException("creation of group" - + " denied. LoggedInUser=" - + (session != null ? session.getXXPortalUser().getId() - : "Not Logged In") - + " ,isn't permitted to perform the action."); - } - }else{ - VXResponse vXResponse = new VXResponse(); - vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); - vXResponse.setMsgDesc("Bad Credentials"); - throw restErrorUtil.generateRESTException(vXResponse); - } - // FIXME Just a hack + checkAdminAccess(); if (vXGroup.getDescription() == null) { vXGroup.setDescription(vXGroup.getName()); } 
@@ -610,40 +537,12 @@ public VXGroup createXGroup(VXGroup vXGroup) { } public VXGroup createXGroupWithoutLogin(VXGroup vXGroup) { - UserSessionBase session = ContextUtil.getCurrentUserSession(); - if (session != null) { - if (!session.isUserAdmin()) { - throw restErrorUtil.create403RESTException("creation of group" - + " denied. LoggedInUser=" - + (session != null ? session.getXXPortalUser().getId() - : "Not Logged In") - + " ,isn't permitted to perform the action."); - } - }else{ - VXResponse vXResponse = new VXResponse(); - vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); - vXResponse.setMsgDesc("Bad Credentials"); - throw restErrorUtil.generateRESTException(vXResponse); - } + checkAdminAccess(); return xGroupService.createXGroupWithOutLogin(vXGroup); } public VXGroupUser createXGroupUser(VXGroupUser vXGroupUser) { - UserSessionBase session = ContextUtil.getCurrentUserSession(); - if (session != null) { - if (!session.isUserAdmin()) { - throw restErrorUtil.create403RESTException("creation of group" - + " denied. LoggedInUser=" - + (session != null ? session.getXXPortalUser().getId() - : "Not Logged In") - + " ,isn't permitted to perform the action."); - } - }else{ - VXResponse vXResponse = new VXResponse(); - vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); - vXResponse.setMsgDesc("Bad Credentials"); - throw restErrorUtil.generateRESTException(vXResponse); - } + checkAdminAccess(); vXGroupUser = xGroupUserService .createXGroupUserWithOutLogin(vXGroupUser); return vXGroupUser; 
@@ -690,21 +589,7 @@ public VXGroup getXGroup(Long id) { */ public void deleteXGroupAndXUser(String groupName, String userName) { - UserSessionBase session = ContextUtil.getCurrentUserSession(); - if (session != null) { - if (!session.isUserAdmin()) { - throw restErrorUtil.create403RESTException("User " - + "deletion denied. LoggedInUser=" - + (session != null ? session.getXXPortalUser().getId() - : "Not Logged In") - + " ,isn't permitted to perform the action."); - } - }else{ - VXResponse vXResponse = new VXResponse(); - vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); - vXResponse.setMsgDesc("Bad Credentials"); - throw restErrorUtil.generateRESTException(vXResponse); - } + checkAdminAccess(); VXGroup vxGroup = xGroupService.getGroupByGroupName(groupName); VXUser vxUser = xUserService.getXUserByUserName(userName); SearchCriteria searchCriteria = new SearchCriteria(); @@ -807,6 +692,7 @@ private void setUserDesc(VXUser vXUser) { @Override public VXGroup updateXGroup(VXGroup vXGroup) { + checkAdminAccess(); XXGroup xGroup = daoManager.getXXGroup().getById(vXGroup.getId()); List trxLogList = xGroupService.getTransactionLog(vXGroup, xGroup, "update"); 
@@ -814,8 +700,77 @@ public VXGroup updateXGroup(VXGroup vXGroup) { vXGroup = (VXGroup) xGroupService.updateResource(vXGroup); return vXGroup; } + public VXGroupUser updateXGroupUser(VXGroupUser vXGroupUser) { + checkAdminAccess(); + return super.updateXGroupUser(vXGroupUser); + } + + public void deleteXGroupUser(Long id, boolean force) { + checkAdminAccess(); + super.deleteXGroupUser(id, force); + } + + public VXGroupGroup createXGroupGroup(VXGroupGroup vXGroupGroup){ + checkAdminAccess(); + return super.createXGroupGroup(vXGroupGroup); + } + + public VXGroupGroup updateXGroupGroup(VXGroupGroup vXGroupGroup) { + checkAdminAccess(); + return super.updateXGroupGroup(vXGroupGroup); + } + + public void deleteXGroupGroup(Long id, boolean force) { + checkAdminAccess(); + super.deleteXGroupGroup(id, force); + } + + public void deleteXPermMap(Long id, boolean force) { + if (force) { + XXPermMap xPermMap = daoManager.getXXPermMap().getById(id); + if (xPermMap != null) { + if (xResourceService.readResource(xPermMap.getResourceId()) == null) { + throw restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + xPermMap.getResourceId(), MessageEnums.INVALID_INPUT_DATA); + } + } + + xPermMapService.deleteResource(id); + } else { + throw restErrorUtil.createRESTException("serverMsg.modelMgrBaseDeleteModel", MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY); + } + } + + public VXLong getXPermMapSearchCount(SearchCriteria searchCriteria) { + VXPermMapList permMapList = xPermMapService.searchXPermMaps(searchCriteria); + VXLong vXLong = new VXLong(); + vXLong.setValue(permMapList.getListSize()); + return vXLong; + } + + public void deleteXAuditMap(Long id, boolean force) { + if (force) { + XXAuditMap xAuditMap = daoManager.getXXAuditMap().getById(id); + if (xAuditMap != null) { + if (xResourceService.readResource(xAuditMap.getResourceId()) == null) { + throw restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + 
xAuditMap.getResourceId(), MessageEnums.INVALID_INPUT_DATA); + } + } + + xAuditMapService.deleteResource(id); + } else { + throw restErrorUtil.createRESTException("serverMsg.modelMgrBaseDeleteModel", MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY); + } + } + + public VXLong getXAuditMapSearchCount(SearchCriteria searchCriteria) { + VXAuditMapList auditMapList = xAuditMapService.searchXAuditMaps(searchCriteria); + VXLong vXLong = new VXLong(); + vXLong.setValue(auditMapList.getListSize()); + return vXLong; + } public void modifyUserVisibility(HashMap visibilityMap) { + checkAdminAccess(); Set> entries = visibilityMap.entrySet(); for (Map.Entry entry : entries) { XXUser xUser = daoManager.getXXUser().getById(entry.getKey()); @@ -826,6 +781,7 @@ public void modifyUserVisibility(HashMap visibilityMap) { } public void modifyGroupsVisibility(HashMap groupVisibilityMap) { + checkAdminAccess(); Set> entries = groupVisibilityMap.entrySet(); for (Map.Entry entry : entries) { XXGroup xGroup = daoManager.getXXGroup().getById(entry.getKey()); @@ -878,6 +834,7 @@ public void modifyGroupsVisibility(HashMap groupVisibilityMap) { // Module permissions public VXModuleDef createXModuleDefPermission(VXModuleDef vXModuleDef) { + checkAdminAccess(); return xModuleDefService.createResource(vXModuleDef); } @@ -886,6 +843,7 @@ public VXModuleDef getXModuleDefPermission(Long id) { } public VXModuleDef updateXModuleDefPermission(VXModuleDef vXModuleDef) { + checkAdminAccess(); List groupPermListNew = vXModuleDef .getGroupPermList(); List userPermListNew = vXModuleDef.getUserPermList(); @@ -970,12 +928,14 @@ public VXModuleDef updateXModuleDefPermission(VXModuleDef vXModuleDef) { } public void deleteXModuleDefPermission(Long id, boolean force) { + checkAdminAccess(); xModuleDefService.deleteResource(id); } // User permission public VXUserPermission createXUserPermission( VXUserPermission vXUserPermission) { + checkAdminAccess(); return xUserPermissionService.createResource(vXUserPermission); } 
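Review bot: `deleteXPermMap` and `deleteXAuditMap` are the only mutating methods added in this hunk that do not call `checkAdminAccess()`; every neighbouring create/update/delete added here does, and unless the REST layer restricts these two (not visible in this diff) any logged-in session could remove permission and audit mappings. Add `checkAdminAccess();` as the first statement of each. The overriding `updateXGroupUser`, `deleteXGroupUser`, `createXGroupGroup`, `updateXGroupGroup` and `deleteXGroupGroup` should carry `@Override` like `updateXGroup` in the previous hunk. When `daoManager.getXXPermMap().getById(id)` returns null the code still falls through to `xPermMapService.deleteResource(id)`; whether that yields a clean not-found error depends on `deleteResource`, which is not shown.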
@@ -985,17 +945,19 @@ public VXUserPermission getXUserPermission(Long id) { public VXUserPermission updateXUserPermission( VXUserPermission vXUserPermission) { - + checkAdminAccess(); return xUserPermissionService.updateResource(vXUserPermission); } public void deleteXUserPermission(Long id, boolean force) { + checkAdminAccess(); xUserPermissionService.deleteResource(id); } // Group permission public VXGroupPermission createXGroupPermission( VXGroupPermission vXGroupPermission) { + checkAdminAccess(); return xGroupPermissionService.createResource(vXGroupPermission); } @@ -1005,14 +967,17 @@ public VXGroupPermission getXGroupPermission(Long id) { public VXGroupPermission updateXGroupPermission( VXGroupPermission vXGroupPermission) { + checkAdminAccess(); return xGroupPermissionService.updateResource(vXGroupPermission); } public void deleteXGroupPermission(Long id, boolean force) { + checkAdminAccess(); xGroupPermissionService.deleteResource(id); } public void modifyUserActiveStatus(HashMap statusMap) { + checkAdminAccess(); UserSessionBase session = ContextUtil.getCurrentUserSession(); String currentUser=null; if(session!=null){ 
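Review bot: In `modifyUserActiveStatus`, `checkAdminAccess()` now throws whenever there is no session, so the `if(session!=null)` guard on the following lines can no longer take its else path; the method body continues outside the hunk, so check whether `currentUser` still needs the `null` default before simplifying. If `checkAdminAccess` returned the validated `UserSessionBase`, this method could reuse it instead of calling `ContextUtil.getCurrentUserSession()` a second time.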
@@ -1040,4 +1005,35 @@ public void modifyUserActiveStatus(HashMap statusMap) { } } } + + public void checkAdminAccess() { + UserSessionBase session = ContextUtil.getCurrentUserSession(); + if (session != null) { + if (!session.isUserAdmin()) { + throw restErrorUtil.create403RESTException("Operation" + " denied. LoggedInUser=" + (session != null ? session.getXXPortalUser().getId() : "Not Logged In") + + " ,isn't permitted to perform the action."); + } + } else { + VXResponse vXResponse = new VXResponse(); + vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); + vXResponse.setMsgDesc("Bad Credentials"); + throw restErrorUtil.generateRESTException(vXResponse); + } + } + + public void checkAccess(String loginID) { + UserSessionBase session = ContextUtil.getCurrentUserSession(); + if (session != null) { + if (!session.isUserAdmin() && !session.isKeyAdmin() && !session.getLoginId().equalsIgnoreCase(loginID)) { + throw restErrorUtil.create403RESTException("Operation" + " denied. LoggedInUser=" + (session != null ? session.getXXPortalUser().getId() : "Not Logged In") + + " ,isn't permitted to perform the action."); + } + } else { + VXResponse vXResponse = new VXResponse(); + vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); + vXResponse.setMsgDesc("Bad Credentials"); + throw restErrorUtil.generateRESTException(vXResponse); + } + } + } diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java index 9f5abfb0cd4..104e1884234 100644 --- a/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java +++ b/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java 
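Review bot: In both `checkAdminAccess` and `checkAccess` the ternary `(session != null ? session.getXXPortalUser().getId() : "Not Logged In")` sits inside the `session != null` branch, so the `"Not Logged In"` arm is unreachable; use `session.getXXPortalUser().getId()` directly. The null-session branch that builds the 401 `VXResponse` is copied verbatim into both methods; extract it into a private helper that returns the non-null session so the two checks differ only in their condition. In `checkAccess`, `session.getLoginId().equalsIgnoreCase(loginID)` makes the self-service match case-insensitive; if login ids are stored case-sensitively this lets a differently-cased account pass, so confirm how login ids are compared elsewhere before keeping it. Both methods are public and undocumented; at least state in Javadoc that `checkAccess` passes for admins, key admins and the user whose login id equals `loginID`.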
@@ -60,4 +60,25 @@ public List findByUserId(Long userId) { } return null; } + + /** + * @param xUserId + * -- Id of X_USER table + * @return + */ + @SuppressWarnings("unchecked") + public List findGroupIdListByUserId(Long xUserId) { + if (xUserId != null) { + try { + return getEntityManager().createNamedQuery("XXGroupUser.findGroupIdListByUserId").setParameter("xUserId", xUserId).getResultList(); + } catch (NoResultException e) { + logger.debug(e.getMessage()); + } + } else { + logger.debug("UserId not provided."); + return new ArrayList(); + } + return null; + } + } diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXModuleDefDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXModuleDefDao.java index 611eaf869a0..fa2b3d99b75 100644 --- a/security-admin/src/main/java/org/apache/ranger/db/XXModuleDefDao.java +++ b/security-admin/src/main/java/org/apache/ranger/db/XXModuleDefDao.java @@ -22,7 +22,9 @@ import javax.persistence.NoResultException; +import org.apache.commons.collections.CollectionUtils; import org.apache.log4j.Logger; +import org.apache.ranger.common.RangerCommonEnums; import org.apache.ranger.common.db.BaseDao; import org.apache.ranger.entity.XXModuleDef; 
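Review bot: `findGroupIdListByUserId` returns an empty list when `xUserId` is null but `null` after the catch, so callers must handle two different "no groups" values; `getResultList()` does not throw `NoResultException` (only `getSingleResult()` does), so the catch is dead and the trailing `return null;` is the only way null can be produced. Return an empty list on every path and drop the catch. The same unnecessary `NoResultException` catch appears in `findAccessibleModulesByGroupIdList` and `findAccessibleModulesByUserId` in the next hunk, though those at least return empty lists consistently. The Javadoc `@return` tag is empty; describe the group ids it yields.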
@@ -115,4 +117,40 @@ public List findModuleURLOfPemittedModules(Long userId) { return null; } } + + @SuppressWarnings("unchecked") + public List findAccessibleModulesByGroupIdList(List grpIdList) { + if (CollectionUtils.isEmpty(grpIdList)) { + return new ArrayList(); + } + try { + return getEntityManager().createNamedQuery("XXModuleDef.findAccessibleModulesByGroupId").setParameter("grpIdList", grpIdList) + .setParameter("isAllowed", RangerCommonEnums.ACCESS_RESULT_ALLOWED).getResultList(); + } catch (NoResultException e) { + return new ArrayList(); + } + } + + /** + * @param portalUserId + * @param xUserId + * @return This function will return all the modules accessible for particular user, considering all the groups as well in which that user belongs + */ + @SuppressWarnings("unchecked") + public List findAccessibleModulesByUserId(Long portalUserId, Long xUserId) { + if (portalUserId == null || xUserId == null) { + return new ArrayList(); + } + try { + + List userPermList = getEntityManager().createNamedQuery("XXModuleDef.findAllAccessibleModulesByUserId").setParameter("portalUserId", portalUserId) + .setParameter("xUserId", xUserId).setParameter("isAllowed", RangerCommonEnums.ACCESS_RESULT_ALLOWED).getResultList(); + + return userPermList; + + } catch (NoResultException e) { + return new ArrayList(); + } + } + } diff --git a/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java b/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java index e5de160186a..19dbfaacbe6 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java 
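Review bot: The Javadoc on `findAccessibleModulesByUserId` puts the entire description in the `@return` tag and leaves `@param portalUserId` and `@param xUserId` empty; move the sentence to the summary line and say what each id identifies. `userPermList` is assigned and immediately returned, so the query result can be returned directly. `findAccessibleModulesByGroupIdList` has no Javadoc at all; a one-line summary naming the named query it runs would match the rest of the DAO.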
@@ -56,6 +56,7 @@ import org.apache.ranger.plugin.util.GrantRevokeRequest; import org.apache.ranger.plugin.util.SearchFilter; import org.apache.ranger.plugin.util.ServicePolicies; +import org.apache.ranger.security.context.RangerAPIList; import org.apache.ranger.service.XAccessAuditService; import org.apache.ranger.service.XAgentService; import org.apache.ranger.service.XAssetService; @@ -137,6 +138,7 @@ public class AssetREST { @GET @Path("/assets/{id}") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_ASSET + "\")") public VXAsset getXAsset(@PathParam("id") Long id) { if(logger.isDebugEnabled()) { logger.debug("==> AssetREST.getXAsset(" + id + ")"); @@ -156,6 +158,7 @@ public VXAsset getXAsset(@PathParam("id") Long id) { @POST @Path("/assets") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_ASSET + "\")") public VXAsset createXAsset(VXAsset vXAsset) { if(logger.isDebugEnabled()) { logger.debug("==> AssetREST.createXAsset(" + vXAsset + ")"); @@ -177,6 +180,7 @@ public VXAsset createXAsset(VXAsset vXAsset) { @PUT @Path("/assets/{id}") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_ASSET + "\")") public VXAsset updateXAsset(VXAsset vXAsset) { if(logger.isDebugEnabled()) { logger.debug("==> AssetREST.updateXAsset(" + vXAsset + ")"); @@ -197,8 +201,8 @@ public VXAsset updateXAsset(VXAsset vXAsset) { @DELETE @Path("/assets/{id}") - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") @RangerAnnotationClassName(class_name = VXAsset.class) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_X_ASSET + "\")") public void deleteXAsset(@PathParam("id") Long id, @Context HttpServletRequest request) { if(logger.isDebugEnabled()) { 
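Review bot: On `deleteXAsset` the `hasRole('ROLE_SYS_ADMIN')` guard is removed and replaced with `@rangerPreAuthSecurityHandler.isAPIAccessible(RangerAPIList.DELETE_X_ASSET)`; the effective restriction now depends on that handler's mapping, which is not part of this diff, so confirm it is at least as strict as the role check it replaces. The same role-to-API swap is made in ServiceREST (createServiceDef, updateServiceDef, deleteServiceDef, createService, updateService, deleteService) and UserREST (searchUsers, create, createDefaultAccountUser, deactivateUser) in later hunks. A test that calls each of those endpoints with a non-admin session would catch a permissive mapping.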
@@ -215,6 +219,7 @@ public void deleteXAsset(@PathParam("id") Long id, @POST @Path("/assets/testConfig") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.TEST_CONFIG + "\")") public VXResponse testConfig(VXAsset vXAsset) { if(logger.isDebugEnabled()) { logger.debug("==> AssetREST.testConfig(" + vXAsset + ")"); @@ -234,6 +239,7 @@ public VXResponse testConfig(VXAsset vXAsset) { @GET @Path("/assets") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_ASSETS + "\")") public VXAssetList searchXAssets(@Context HttpServletRequest request) { if(logger.isDebugEnabled()) { logger.debug("==> AssetREST.searchXAssets()"); @@ -269,6 +275,7 @@ public VXAssetList searchXAssets(@Context HttpServletRequest request) { @GET @Path("/assets/count") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_ASSETS + "\")") public VXLong countXAssets(@Context HttpServletRequest request) { if(logger.isDebugEnabled()) { logger.debug("==> AssetREST.countXAssets()"); @@ -547,8 +554,10 @@ public String getResourceJSON(@Context HttpServletRequest request, @GET @Path("/exportAudit") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_POLICY_EXPORT_AUDITS + "\")") public VXPolicyExportAuditList searchXPolicyExportAudits( @Context HttpServletRequest request) { + SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, xPolicyExportAudits.sortFields); searchUtil.extractString(request, searchCriteria, "agentId", 
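Review bot: The hunk at `@@ -547,8 +554,10 @@` adds an empty line at the top of `searchXPolicyExportAudits` in addition to the annotation; the same stray blank line is added to `getReportLogs` in the next hunk. Drop both so the diff is limited to the authorization annotations.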
@@ -572,7 +581,9 @@ public VXPolicyExportAuditList searchXPolicyExportAudits( @GET @Path("/report") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_REPORT_LOGS + "\")") public VXTrxLogList getReportLogs(@Context HttpServletRequest request){ + SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, xTrxLogService.sortFields); searchUtil.extractInt(request, searchCriteria, "objectClassType", "Class type for report."); @@ -592,6 +603,7 @@ public VXTrxLogList getReportLogs(@Context HttpServletRequest request){ @GET @Path("/report/{transactionId}") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_TRANSACTION_REPORT + "\")") public VXTrxLogList getTransactionReport(@Context HttpServletRequest request, @PathParam("transactionId") String transactionId){ return assetMgr.getTransactionReport(transactionId); @@ -600,6 +612,7 @@ public VXTrxLogList getTransactionReport(@Context HttpServletRequest request, @GET @Path("/accessAudit") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_ACCESS_LOGS + "\")") public VXAccessAuditList getAccessLogs(@Context HttpServletRequest request){ SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, xAccessAuditService.sortFields); diff --git a/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java b/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java index 059f787290f..2c30daa149a 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java 
@@ -312,7 +312,7 @@ public RangerPolicy getPolicyByName(@PathParam("servicename") String serviceName @Produces({ "application/json", "application/xml" }) public List searchPolicies(@PathParam("servicename") String serviceName, @Context HttpServletRequest request) { - return serviceREST.getServicePolicies(serviceName, request).getPolicies(); + return serviceREST.getServicePoliciesByName(serviceName, request).getPolicies(); } @POST diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java index 3d2e8b08e36..f523d670019 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java @@ -49,6 +49,7 @@ import org.apache.ranger.biz.ServiceDBStore; import org.apache.ranger.biz.ServiceMgr; import org.apache.ranger.biz.XUserMgr; +import org.apache.ranger.common.AppConstants; import org.apache.ranger.common.GUIDUtil; import org.apache.ranger.common.MessageEnums; import org.apache.ranger.common.RESTErrorUtil; @@ -81,6 +82,8 @@ import org.apache.ranger.plugin.util.GrantRevokeRequest; import org.apache.ranger.plugin.util.SearchFilter; import org.apache.ranger.plugin.util.ServicePolicies; +import org.apache.ranger.security.context.RangerAPIList; +import org.apache.ranger.security.context.RangerPreAuthSecurityHandler; import org.apache.ranger.service.RangerPolicyService; import org.apache.ranger.service.RangerServiceDefService; import org.apache.ranger.service.RangerServiceService; 
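Review bot: `import org.apache.ranger.security.context.RangerPreAuthSecurityHandler;` appears unused in ServiceREST: the `@PreAuthorize` expressions refer to the bean by name (`@rangerPreAuthSecurityHandler`) inside a string, which does not require the class to be imported; the same import is added to UserREST in a later hunk. `AppConstants` is also imported here but no use of it is visible in this diff, so verify it is referenced before keeping it.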
@@ -151,11 +154,10 @@ public class ServiceREST { public ServiceREST() { } - @POST @Path("/definitions") @Produces({ "application/json", "application/xml" }) - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_SERVICE_DEF + "\")") public RangerServiceDef createServiceDef(RangerServiceDef serviceDef) { if(LOG.isDebugEnabled()) { LOG.debug("==> ServiceREST.createServiceDef(" + serviceDef + ")"); @@ -189,7 +191,7 @@ public RangerServiceDef createServiceDef(RangerServiceDef serviceDef) { @PUT @Path("/definitions/{id}") @Produces({ "application/json", "application/xml" }) - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_SERVICE_DEF + "\")") public RangerServiceDef updateServiceDef(RangerServiceDef serviceDef) { if(LOG.isDebugEnabled()) { LOG.debug("==> ServiceREST.updateServiceDef(" + serviceDef + ")"); @@ -223,7 +225,7 @@ public RangerServiceDef updateServiceDef(RangerServiceDef serviceDef) { @DELETE @Path("/definitions/{id}") @Produces({ "application/json", "application/xml" }) - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_SERVICE_DEF + "\")") public void deleteServiceDef(@PathParam("id") Long id, @Context HttpServletRequest request) { if(LOG.isDebugEnabled()) { LOG.debug("==> ServiceREST.deleteServiceDef(" + id + ")"); @@ -260,6 +262,7 @@ public void deleteServiceDef(@PathParam("id") Long id, @Context HttpServletReque @GET @Path("/definitions/{id}") @Produces({ "application/json", "application/xml" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICE_DEF + "\")") public RangerServiceDef getServiceDef(@PathParam("id") Long id) { if(LOG.isDebugEnabled()) { LOG.debug("==> ServiceREST.getServiceDef(" + id + ")"); 
@@ -298,6 +301,7 @@ public RangerServiceDef getServiceDef(@PathParam("id") Long id) { @GET @Path("/definitions/name/{name}") @Produces({ "application/json", "application/xml" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICE_DEF_BY_NAME + "\")") public RangerServiceDef getServiceDefByName(@PathParam("name") String name) { if(LOG.isDebugEnabled()) { LOG.debug("==> ServiceREST.getServiceDefByName(" + name + ")"); @@ -338,6 +342,7 @@ public RangerServiceDef getServiceDefByName(@PathParam("name") String name) { @GET @Path("/definitions") @Produces({ "application/json", "application/xml" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICE_DEFS + "\")") public RangerServiceDefList getServiceDefs(@Context HttpServletRequest request) { if (LOG.isDebugEnabled()) { LOG.debug("==> ServiceREST.getServiceDefs()"); @@ -366,7 +371,7 @@ public RangerServiceDefList getServiceDefs(@Context HttpServletRequest request) @POST @Path("/services") @Produces({ "application/json", "application/xml" }) - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_SERVICE + "\")") public RangerService createService(RangerService service) { if(LOG.isDebugEnabled()) { LOG.debug("==> ServiceREST.createService(" + service + ")"); @@ -405,7 +410,7 @@ public RangerService createService(RangerService service) { @PUT @Path("/services/{id}") @Produces({ "application/json", "application/xml" }) - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_SERVICE + "\")") public RangerService updateService(RangerService service) { if(LOG.isDebugEnabled()) { LOG.debug("==> ServiceREST.updateService(): " + service); 
@@ -444,7 +449,7 @@ public RangerService updateService(RangerService service) { @DELETE @Path("/services/{id}") @Produces({ "application/json", "application/xml" }) - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_SERVICE + "\")") public void deleteService(@PathParam("id") Long id) { if(LOG.isDebugEnabled()) { LOG.debug("==> ServiceREST.deleteService(" + id + ")"); @@ -480,6 +485,7 @@ public void deleteService(@PathParam("id") Long id) { @GET @Path("/services/{id}") @Produces({ "application/json", "application/xml" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICE + "\")") public RangerService getService(@PathParam("id") Long id) { if(LOG.isDebugEnabled()) { LOG.debug("==> ServiceREST.getService(" + id + ")"); @@ -511,6 +517,7 @@ public RangerService getService(@PathParam("id") Long id) { @GET @Path("/services/name/{name}") @Produces({ "application/json", "application/xml" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICE_BY_NAME + "\")") public RangerService getServiceByName(@PathParam("name") String name) { if(LOG.isDebugEnabled()) { LOG.debug("==> ServiceREST.getServiceByName(" + name + ")"); @@ -542,6 +549,7 @@ public RangerService getServiceByName(@PathParam("name") String name) { @GET @Path("/services") @Produces({ "application/json", "application/xml" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICES + "\")") public RangerServiceList getServices(@Context HttpServletRequest request) { if (LOG.isDebugEnabled()) { LOG.debug("==> ServiceREST.getServices()"); 
@@ -595,6 +603,7 @@ public List getServices(SearchFilter filter) { @GET @Path("/services/count") @Produces({ "application/json", "application/xml" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_SERVICES + "\")") public Long countServices(@Context HttpServletRequest request) { if(LOG.isDebugEnabled()) { LOG.debug("==> ServiceREST.countServices():"); @@ -624,6 +633,7 @@ public Long countServices(@Context HttpServletRequest request) { @POST @Path("/services/validateConfig") @Produces({ "application/json", "application/xml" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.VALIDATE_CONFIG + "\")") public VXResponse validateConfig(RangerService service) { if(LOG.isDebugEnabled()) { LOG.debug("==> ServiceREST.validateConfig(" + service + ")"); @@ -651,6 +661,7 @@ public VXResponse validateConfig(RangerService service) { @POST @Path("/services/lookupResource/{serviceName}") @Produces({ "application/json", "application/xml" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.LOOKUP_RESOURCE + "\")") public List lookupResource(@PathParam("serviceName") String serviceName, ResourceLookupContext context) { if(LOG.isDebugEnabled()) { LOG.debug("==> ServiceREST.lookupResource(" + serviceName + ")"); @@ -1196,7 +1207,7 @@ public RangerPolicyList getServicePolicies(@PathParam("id") Long serviceId, @GET @Path("/policies/service/name/{name}") @Produces({ "application/json", "application/xml" }) - public RangerPolicyList getServicePolicies(@PathParam("name") String serviceName, + public RangerPolicyList getServicePoliciesByName(@PathParam("name") String serviceName, @Context HttpServletRequest request) { if (LOG.isDebugEnabled()) { LOG.debug("==> ServiceREST.getServicePolicies(" + serviceName + ")"); 
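Review bot: After the rename to `getServicePoliciesByName`, the debug message two lines below still says `ServiceREST.getServicePolicies(`; change it to `LOG.debug("==> ServiceREST.getServicePoliciesByName(" + serviceName + ")");` (the matching `<==` message is outside the hunk). Unlike the neighbouring endpoints in this diff, this one receives no `@PreAuthorize`; if that is deliberate because it backs the public policy lookup in PublicAPIsv2, a comment saying so would prevent someone "fixing" it later.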
@@ -1464,6 +1475,7 @@ private boolean removeUsersAndGroupsFromPolicy(RangerPolicy policy, Set @GET @Path("/policies/eventTime") @Produces({ "application/json", "application/xml" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_POLICY_FROM_EVENT_TIME + "\")") public RangerPolicy getPolicyFromEventTime(@Context HttpServletRequest request) { if (LOG.isDebugEnabled()) { LOG.debug("==> ServiceREST.getPolicyFromEventTime()"); @@ -1490,6 +1502,7 @@ public RangerPolicy getPolicyFromEventTime(@Context HttpServletRequest request) @GET @Path("/policy/{policyId}/versionList") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_POLICY_VERSION_LIST + "\")") public VXString getPolicyVersionList(@PathParam("policyId") Long policyId) { return svcStore.getPolicyVersionList(policyId); } @@ -1497,6 +1510,7 @@ public VXString getPolicyVersionList(@PathParam("policyId") Long policyId) { @GET @Path("/policy/{policyId}/version/{versionNo}") @Produces({ "application/json", "application/xml" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_POLICY_FOR_VERSION_NO + "\")") public RangerPolicy getPolicyForVersionNumber(@PathParam("policyId") Long policyId, @PathParam("versionNo") int versionNo) { return svcStore.getPolicyForVersionNumber(policyId, versionNo); diff --git a/security-admin/src/main/java/org/apache/ranger/rest/UserREST.java b/security-admin/src/main/java/org/apache/ranger/rest/UserREST.java index a9d00595b49..4c5e890fe4b 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/UserREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/UserREST.java 
@@ -45,6 +45,8 @@ import org.apache.ranger.common.annotation.RangerAnnotationRestAPI; import org.apache.ranger.db.RangerDaoManager; import org.apache.ranger.entity.XXPortalUser; +import org.apache.ranger.security.context.RangerAPIList; +import org.apache.ranger.security.context.RangerPreAuthSecurityHandler; import org.apache.ranger.util.RangerRestUtil; import org.apache.ranger.view.VXPasswordChange; import org.apache.ranger.view.VXPortalUser; @@ -99,7 +101,7 @@ public class UserREST { */ @GET @Produces({ "application/xml", "application/json" }) - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_USERS + "\")") public VXPortalUserList searchUsers(@Context HttpServletRequest request) { String[] approvedSortByParams = new String[] { "requestDate", "approvedDate", "activationDate", "emailAddress", "firstName", @@ -150,6 +152,7 @@ public VXPortalUserList searchUsers(@Context HttpServletRequest request) { @GET @Path("{userId}") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_USER_PROFILE_FOR_USER + "\")") public VXPortalUser getUserProfileForUser(@PathParam("userId") Long userId) { try { VXPortalUser userProfile = userManager.getUserProfile(userId); @@ -171,7 +174,7 @@ public VXPortalUser getUserProfileForUser(@PathParam("userId") Long userId) { @POST @Consumes({ "application/json", "application/xml" }) @Produces({ "application/xml", "application/json" }) - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE + "\")") public VXPortalUser create(VXPortalUser userProfile, @Context HttpServletRequest servletRequest) { logger.info("create:" + userProfile.getEmailAddress()); 
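Review bot: The import of `RangerPreAuthSecurityHandler` added at `@@ -45,6 +45,8 @@` is not referenced by any Java code in this file's hunks — the `@PreAuthorize` strings name the bean as `@rangerPreAuthSecurityHandler`, which SpEL resolves at runtime, not the compiler — so it looks like an unused import; the same import is added to XKeyREST (`@@ -35,12 +35,15 @@`) and XUserREST (`@@ -43,6 +44,9 @@`, together with `RangerAPIMapping`, whose use is not visible in the hunks either). Unless the rest of each file uses them, drop these imports so the files stay warning-free. Also, `getUserProfileForUser` gains only an API-level check; whether a caller may read a different user's profile depends on `userManager.getUserProfile(userId)`, which is outside this hunk, so once confirmed a comment on the method such as `// Own-profile vs. other-user access is enforced inside userManager.getUserProfile` would make that contract explicit.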
@@ -184,7 +187,7 @@ public VXPortalUser create(VXPortalUser userProfile, @Path("/default") @Consumes({ "application/json", "application/xml" }) @Produces({ "application/xml", "application/json" }) - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_DEFAULT_ACCOUNT_USER + "\")") public VXPortalUser createDefaultAccountUser(VXPortalUser userProfile, @Context HttpServletRequest servletRequest) { VXPortalUser vxPortalUser; @@ -201,6 +204,7 @@ public VXPortalUser createDefaultAccountUser(VXPortalUser userProfile, @Consumes({ "application/json", "application/xml" }) @Produces({ "application/xml", "application/json" }) @RangerAnnotationRestAPI(updates_classes = "VUserProfile") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE + "\")") public VXPortalUser update(VXPortalUser userProfile, @Context HttpServletRequest servletRequest) { logger.info("update:" + userProfile.getEmailAddress()); @@ -222,6 +226,7 @@ public VXPortalUser update(VXPortalUser userProfile, @PUT @Path("/{userId}/roles") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SET_USER_ROLES + "\")") public VXResponse setUserRoles(@PathParam("userId") Long userId, VXStringList roleList) { userManager.checkAccess(userId); @@ -240,7 +245,7 @@ public VXResponse setUserRoles(@PathParam("userId") Long userId, @POST @Path("{userId}/deactivate") @Produces({ "application/xml", "application/json" }) - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DEACTIVATE_USER + "\")") @RangerAnnotationClassName(class_name = VXPortalUser.class) public VXPortalUser deactivateUser(@PathParam("userId") Long userId) { XXPortalUser gjUser = daoManager.getXXPortalUser().getById(userId); 
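Review bot: `update` now carries an API-level `@PreAuthorize`, but unlike `setUserRoles` in the next hunk, which calls `userManager.checkAccess(userId)` before acting, no per-user ownership check is visible in its first lines; if the submitted `userProfile` may carry another user's id, the check that ties it to the session user must live in `userManager`, which is outside the hunk. Either call `userManager.checkAccess(...)` with the id of the submitted profile at the top of `update`, or document on the method where that check is enforced. The `update` body continues outside the hunk.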
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XAuditREST.java b/security-admin/src/main/java/org/apache/ranger/rest/XAuditREST.java index 531f395032c..cbe486b7646 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/XAuditREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/XAuditREST.java @@ -35,6 +35,7 @@ import org.apache.ranger.common.SearchUtil; import org.apache.ranger.common.annotation.RangerAnnotationClassName; import org.apache.ranger.common.annotation.RangerAnnotationJSMgrName; +import org.apache.ranger.security.context.RangerAPIList; import org.apache.ranger.service.XAccessAuditService; import org.apache.ranger.service.XTrxLogService; import org.apache.ranger.view.VXAccessAuditList; @@ -71,6 +72,7 @@ public class XAuditREST { @GET @Path("/trx_log/{id}") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_TRX_LOG + "\")") public VXTrxLog getXTrxLog( @PathParam("id") Long id) { return xAuditMgr.getXTrxLog(id); @@ -79,6 +81,7 @@ public VXTrxLog getXTrxLog( @POST @Path("/trx_log") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_TRX_LOG + "\")") public VXTrxLog createXTrxLog(VXTrxLog vXTrxLog) { return xAuditMgr.createXTrxLog(vXTrxLog); } 
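Review bot: `createXTrxLog` is a write endpoint into the transaction (audit) log, and its only guard is now `RangerAPIList.CREATE_X_TRX_LOG` resolved through `rangerPreAuthSecurityHandler`; the same applies to `updateXTrxLog` and `deleteXTrxLog` in the next hunk. Because these three can alter the audit trail, the mapping behind their names should be at least as restrictive as the `hasRole('ROLE_SYS_ADMIN')` that `deleteXTrxLog` previously required, and nothing in this diff shows that, so it deserves a test. A short comment above `createXTrxLog`, e.g. `// Writes to the audit trail; CREATE_X_TRX_LOG is expected to map to admin-only access`, would record the intent for the next reader.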
@@ -86,13 +89,14 @@ public VXTrxLog createXTrxLog(VXTrxLog vXTrxLog) { @PUT @Path("/trx_log") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_TRX_LOG + "\")") public VXTrxLog updateXTrxLog(VXTrxLog vXTrxLog) { return xAuditMgr.updateXTrxLog(vXTrxLog); } @DELETE @Path("/trx_log/{id}") - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_X_TRX_LOG + "\")") @RangerAnnotationClassName(class_name = VXTrxLog.class) public void deleteXTrxLog(@PathParam("id") Long id, @Context HttpServletRequest request) { @@ -109,6 +113,7 @@ public void deleteXTrxLog(@PathParam("id") Long id, @GET @Path("/trx_log") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_TRX_LOG + "\")") public VXTrxLogList searchXTrxLogs(@Context HttpServletRequest request) { SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, xTrxLogService.sortFields); @@ -118,6 +123,7 @@ public VXTrxLogList searchXTrxLogs(@Context HttpServletRequest request) { @GET @Path("/trx_log/count") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_TRX_LOGS + "\")") public VXLong countXTrxLogs(@Context HttpServletRequest request) { SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, xTrxLogService.sortFields); 
@@ -135,6 +141,7 @@ public VXLong countXTrxLogs(@Context HttpServletRequest request) { @GET @Path("/access_audit") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_ACCESS_AUDITS + "\")") public VXAccessAuditList searchXAccessAudits(@Context HttpServletRequest request) { SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, xAccessAuditService.sortFields); @@ -144,6 +151,7 @@ public VXAccessAuditList searchXAccessAudits(@Context HttpServletRequest request @GET @Path("/access_audit/count") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_ACCESS_AUDITS + "\")") public VXLong countXAccessAudits(@Context HttpServletRequest request) { SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, xAccessAuditService.sortFields); diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java b/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java index 1c0f9fc4a19..c374f8eac9a 100755 --- a/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java 
@@ -35,12 +35,15 @@ import org.apache.ranger.common.RESTErrorUtil; import org.apache.ranger.common.SearchUtil; import org.apache.ranger.common.annotation.RangerAnnotationJSMgrName; +import org.apache.ranger.security.context.RangerAPIList; +import org.apache.ranger.security.context.RangerPreAuthSecurityHandler; import org.apache.ranger.view.VXKmsKey; import org.apache.ranger.view.VXKmsKeyList; import org.codehaus.jettison.json.JSONException; import org.codehaus.jettison.json.JSONObject; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Scope; +import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.stereotype.Component; import org.springframework.transaction.annotation.Propagation; import org.springframework.transaction.annotation.Transactional; @@ -66,7 +69,7 @@ public class XKeyREST { @Autowired RESTErrorUtil restErrorUtil; - + /** * Implements the traditional search functionalities for Keys * @@ -76,6 +79,7 @@ public class XKeyREST { @GET @Path("/keys") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_KEYS + "\")") public VXKmsKeyList searchKeys(@Context HttpServletRequest request, @QueryParam("provider") String provider) { VXKmsKeyList vxKmsKeyList = new VXKmsKeyList(); try{ @@ -94,6 +98,7 @@ public VXKmsKeyList searchKeys(@Context HttpServletRequest request, @QueryParam( @PUT @Path("/key") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.ROLLOVER_KEYS + "\")") public VXKmsKey rolloverKey(@QueryParam("provider") String provider, VXKmsKey vXKey) { VXKmsKey vxKmsKey = new VXKmsKey(); try{ 
@@ -120,6 +125,7 @@ public VXKmsKey rolloverKey(@QueryParam("provider") String provider, VXKmsKey vX @DELETE @Path("/key/{alias}") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_KEY + "\")") public void deleteKey(@PathParam("alias") String name, @QueryParam("provider") String provider, @Context HttpServletRequest request) { try{ if (name == null || name.isEmpty()) { @@ -140,6 +146,7 @@ public void deleteKey(@PathParam("alias") String name, @QueryParam("provider") S @POST @Path("/key") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_KEY + "\")") public VXKmsKey createKey(@QueryParam("provider") String provider, VXKmsKey vXKey) { VXKmsKey vxKmsKey = new VXKmsKey(); try{ @@ -167,6 +174,7 @@ public VXKmsKey createKey(@QueryParam("provider") String provider, VXKmsKey vXKe @GET @Path("/key/{alias}") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_KEY + "\")") public VXKmsKey getKey(@PathParam("alias") String name,@QueryParam("provider") String provider){ VXKmsKey vxKmsKey = new VXKmsKey(); try{ diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java index 93980b49d5e..472dad6bb37 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java @@ -36,6 +36,7 @@ import org.apache.ranger.biz.RangerBizUtil; import org.apache.ranger.biz.SessionMgr; import org.apache.ranger.biz.XUserMgr; +import org.apache.ranger.common.MessageEnums; import org.apache.ranger.common.RESTErrorUtil; import org.apache.ranger.common.SearchCriteria; import org.apache.ranger.common.SearchUtil; 
@@ -43,6 +44,9 @@ import org.apache.ranger.common.annotation.RangerAnnotationClassName; import org.apache.ranger.common.annotation.RangerAnnotationJSMgrName; import org.apache.ranger.db.RangerDaoManager; +import org.apache.ranger.security.context.RangerAPIList; +import org.apache.ranger.security.context.RangerAPIMapping; +import org.apache.ranger.security.context.RangerPreAuthSecurityHandler; import org.apache.ranger.service.AuthSessionService; import org.apache.ranger.service.XAuditMapService; import org.apache.ranger.service.XGroupGroupService; @@ -51,6 +55,7 @@ import org.apache.ranger.service.XGroupUserService; import org.apache.ranger.service.XModuleDefService; import org.apache.ranger.service.XPermMapService; +import org.apache.ranger.service.XResourceService; import org.apache.ranger.service.XUserPermissionService; import org.apache.ranger.service.XUserService; import org.apache.ranger.view.VXAuditMap; @@ -138,11 +143,15 @@ public class XUserREST { @Autowired RangerBizUtil bizUtil; + + @Autowired + XResourceService xResourceService; // Handle XGroup @GET @Path("/groups/{id}") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_GROUP + "\")") public VXGroup getXGroup(@PathParam("id") Long id) { return xUserMgr.getXGroup(id); } @@ -150,6 +159,7 @@ public VXGroup getXGroup(@PathParam("id") Long id) { @GET @Path("/secure/groups/{id}") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SECURE_GET_X_GROUP + "\")") public VXGroup secureGetXGroup(@PathParam("id") Long id) { return xUserMgr.getXGroup(id); } 
@@ -187,6 +197,7 @@ public VXGroup secureUpdateXGroup(VXGroup vXGroup) { @PUT @Path("/secure/groups/visibility") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.MODIFY_GROUPS_VISIBILITY + "\")") public void modifyGroupsVisibility(HashMap groupVisibilityMap){ xUserMgr.modifyGroupsVisibility(groupVisibilityMap); } @@ -210,6 +221,7 @@ public void deleteXGroup(@PathParam("id") Long id, @GET @Path("/groups") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_GROUPS + "\")") public VXGroupList searchXGroups(@Context HttpServletRequest request) { SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, xGroupService.sortFields); @@ -224,6 +236,7 @@ public VXGroupList searchXGroups(@Context HttpServletRequest request) { @GET @Path("/groups/count") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_GROUPS + "\")") public VXLong countXGroups(@Context HttpServletRequest request) { SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, xGroupService.sortFields); @@ -235,6 +248,7 @@ public VXLong countXGroups(@Context HttpServletRequest request) { @GET @Path("/users/{id}") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_USER + "\")") public VXUser getXUser(@PathParam("id") Long id) { return xUserMgr.getXUser(id); } @@ -242,6 +256,7 @@ public VXUser getXUser(@PathParam("id") Long id) { @GET @Path("/secure/users/{id}") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SECURE_GET_X_USER + "\")") public VXUser secureGetXUser(@PathParam("id") Long id) { return xUserMgr.getXUser(id); } 
@@ -291,6 +306,7 @@ public VXUser secureUpdateXUser(VXUser vXUser) { @PUT @Path("/secure/users/visibility") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.MODIFY_USER_VISIBILITY + "\")") public void modifyUserVisibility(HashMap visibilityMap){ xUserMgr.modifyUserVisibility(visibilityMap); } @@ -314,6 +330,7 @@ public void deleteXUser(@PathParam("id") Long id, @GET @Path("/users") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_USERS + "\")") public VXUserList searchXUsers(@Context HttpServletRequest request) { SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, xUserService.sortFields); @@ -334,6 +351,7 @@ public VXUserList searchXUsers(@Context HttpServletRequest request) { @GET @Path("/users/count") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_USERS + "\")") public VXLong countXUsers(@Context HttpServletRequest request) { SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, xUserService.sortFields); @@ -345,6 +363,7 @@ public VXLong countXUsers(@Context HttpServletRequest request) { @GET @Path("/groupusers/{id}") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_GROUP_USER + "\")") public VXGroupUser getXGroupUser(@PathParam("id") Long id) { return xUserMgr.getXGroupUser(id); } 
@@ -383,6 +402,7 @@ public void deleteXGroupUser(@PathParam("id") Long id, @GET @Path("/groupusers") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_GROUP_USERS + "\")") public VXGroupUserList searchXGroupUsers(@Context HttpServletRequest request) { SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, xGroupUserService.sortFields); @@ -392,6 +412,7 @@ public VXGroupUserList searchXGroupUsers(@Context HttpServletRequest request) { @GET @Path("/groupusers/count") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_GROUP_USERS + "\")") public VXLong countXGroupUsers(@Context HttpServletRequest request) { SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, xGroupUserService.sortFields); @@ -403,6 +424,7 @@ public VXLong countXGroupUsers(@Context HttpServletRequest request) { @GET @Path("/groupgroups/{id}") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_GROUP_GROUP + "\")") public VXGroupGroup getXGroupGroup(@PathParam("id") Long id) { return xUserMgr.getXGroupGroup(id); } @@ -440,6 +462,7 @@ public void deleteXGroupGroup(@PathParam("id") Long id, @GET @Path("/groupgroups") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_GROUP_GROUPS + "\")") public VXGroupGroupList searchXGroupGroups( @Context HttpServletRequest request) { SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( 
@@ -450,6 +473,7 @@ public VXGroupGroupList searchXGroupGroups(
 @GET
 @Path("/groupgroups/count")
 @Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_GROUP_GROUPS + "\")")
 public VXLong countXGroupGroups(@Context HttpServletRequest request) {
 SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
 request, xGroupGroupService.sortFields);
@@ -461,28 +485,53 @@ public VXLong countXGroupGroups(@Context HttpServletRequest request) {
 @GET
 @Path("/permmaps/{id}")
 @Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_PERM_MAP + "\")")
 public VXPermMap getXPermMap(@PathParam("id") Long id) {
- return xUserMgr.getXPermMap(id);
+ VXPermMap permMap = xUserMgr.getXPermMap(id);
+
+ if (permMap != null) {
+ if (xResourceService.readResource(permMap.getResourceId()) == null) {
+ throw restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + permMap.getResourceId(), MessageEnums.INVALID_INPUT_DATA);
+ }
+ }
+
+ return permMap;
 }
 
 @POST
 @Path("/permmaps")
 @Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_PERM_MAP + "\")")
 public VXPermMap createXPermMap(VXPermMap vXPermMap) {
+
+ if (vXPermMap != null) {
+ if (xResourceService.readResource(vXPermMap.getResourceId()) == null) {
+ throw restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + vXPermMap.getResourceId(), MessageEnums.INVALID_INPUT_DATA);
+ }
+ }
+
 return xUserMgr.createXPermMap(vXPermMap);
 }
 
 @PUT
 @Path("/permmaps")
 @Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_PERM_MAP + "\")")
 public VXPermMap updateXPermMap(VXPermMap vXPermMap) {
+
+ if (vXPermMap != null) {
+ if (xResourceService.readResource(vXPermMap.getResourceId()) == null) {
+ throw restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + vXPermMap.getResourceId());
+ }
+ }
+
 return xUserMgr.updateXPermMap(vXPermMap);
 }
 
 @DELETE
 @Path("/permmaps/{id}")
- @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
 @RangerAnnotationClassName(class_name = VXPermMap.class)
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + 
RangerAPIList.DELETE_X_PERM_MAP + "\")")
 public void deleteXPermMap(@PathParam("id") Long id,
 @Context HttpServletRequest request) {
 boolean force = false;
@@ -498,6 +547,7 @@ public void deleteXPermMap(@PathParam("id") Long id,
 @GET
 @Path("/permmaps")
 @Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_PERM_MAPS + "\")")
 public VXPermMapList searchXPermMaps(@Context HttpServletRequest request) {
 SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
 request, xPermMapService.sortFields);
@@ -507,6 +557,7 @@ public VXPermMapList searchXPermMaps(@Context HttpServletRequest request) {
 @GET
 @Path("/permmaps/count")
 @Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_PERM_MAPS + "\")")
 public VXLong countXPermMaps(@Context HttpServletRequest request) {
 SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
 request, xPermMapService.sortFields);
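Review bot: In `updateXPermMap` the resource-existence check throws `restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + vXPermMap.getResourceId())` without the `MessageEnums.INVALID_INPUT_DATA` argument that the identical checks in `getXPermMap`, `createXPermMap` and the three `XAuditMap` methods of the following hunk pass, so this one path will presumably yield a different error code or status for the same condition. The same block is pasted six times across the two hunks; a private helper removes the inconsistency and gives a single place to decide what happens when `getResourceId()` is null (what `xResourceService.readResource(null)` does is not visible here). `deleteXPermMap` continues outside the hunk.
```java
	/** Rejects maps that reference a resource id with no backing resource; shared by the perm-map and audit-map endpoints. */
	private void validateResourceExists(Long resourceId) {
		if (xResourceService.readResource(resourceId) == null) {
			throw restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + resourceId, MessageEnums.INVALID_INPUT_DATA);
		}
	}

	public VXPermMap updateXPermMap(VXPermMap vXPermMap) {
		if (vXPermMap != null) {
			validateResourceExists(vXPermMap.getResourceId());
		}
		return xUserMgr.updateXPermMap(vXPermMap);
	}
	// … unchanged: getXPermMap / createXPermMap and the XAuditMap methods call the same helper …
```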
@@ -518,28 +569,53 @@ public VXLong countXPermMaps(@Context HttpServletRequest request) {
 @GET
 @Path("/auditmaps/{id}")
 @Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_AUDIT_MAP + "\")")
 public VXAuditMap getXAuditMap(@PathParam("id") Long id) {
- return xUserMgr.getXAuditMap(id);
+ VXAuditMap vXAuditMap = xUserMgr.getXAuditMap(id);
+
+ if (vXAuditMap != null) {
+ if (xResourceService.readResource(vXAuditMap.getResourceId()) == null) {
+ throw restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + vXAuditMap.getResourceId(), MessageEnums.INVALID_INPUT_DATA);
+ }
+ }
+
+ return vXAuditMap;
 }
 
 @POST
 @Path("/auditmaps")
 @Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_AUDIT_MAP + "\")")
 public VXAuditMap createXAuditMap(VXAuditMap vXAuditMap) {
+
+ if (vXAuditMap != null) {
+ if (xResourceService.readResource(vXAuditMap.getResourceId()) == null) {
+ throw restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + vXAuditMap.getResourceId(), MessageEnums.INVALID_INPUT_DATA);
+ }
+ }
+
 return xUserMgr.createXAuditMap(vXAuditMap);
 }
 
 @PUT
 @Path("/auditmaps")
 @Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_AUDIT_MAP + "\")")
 public VXAuditMap updateXAuditMap(VXAuditMap vXAuditMap) {
+
+ if (vXAuditMap != null) {
+ if (xResourceService.readResource(vXAuditMap.getResourceId()) == null) {
+ throw restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + vXAuditMap.getResourceId(), MessageEnums.INVALID_INPUT_DATA);
+ }
+ }
+
 return xUserMgr.updateXAuditMap(vXAuditMap);
 }
 
 @DELETE
 @Path("/auditmaps/{id}")
- @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
 @RangerAnnotationClassName(class_name = VXAuditMap.class)
+ 
@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_X_AUDIT_MAP + "\")")
 public void deleteXAuditMap(@PathParam("id") Long id,
 @Context HttpServletRequest request) {
 boolean force = false;
@@ -555,6 +631,7 @@ public void deleteXAuditMap(@PathParam("id") Long id,
 @GET
 @Path("/auditmaps")
 @Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_AUDIT_MAPS + "\")")
 public VXAuditMapList searchXAuditMaps(@Context HttpServletRequest request) {
 SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
 request, xAuditMapService.sortFields);
@@ -564,6 +641,7 @@ public VXAuditMapList searchXAuditMaps(@Context HttpServletRequest request) {
 @GET
 @Path("/auditmaps/count")
 @Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_AUDIT_MAPS + "\")")
 public VXLong countXAuditMaps(@Context HttpServletRequest request) {
 SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
 request, xAuditMapService.sortFields);
@@ -575,6 +653,7 @@ public VXLong countXAuditMaps(@Context HttpServletRequest request) {
 @GET
 @Path("/users/userName/{userName}")
 @Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_USER_BY_USER_NAME + "\")")
 public VXUser getXUserByUserName(@Context HttpServletRequest request,
 @PathParam("userName") String userName) {
 return xUserMgr.getXUserByUserName(userName);
@@ -583,6 +662,7 @@ public VXUser getXUserByUserName(@Context HttpServletRequest request, @GET @Path("/groups/groupName/{groupName}") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_GROUP_BY_GROUP_NAME + "\")") public VXGroup getXGroupByGroupName(@Context HttpServletRequest request, @PathParam("groupName") String groupName) { return xGroupService.getGroupByGroupName(groupName); @@ -629,6 +709,7 @@ public void deleteXGroupAndXUser(@PathParam("groupName") String groupName, @GET @Path("/{userId}/groups") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_USER_GROUPS + "\")") public VXGroupList getXUserGroups(@Context HttpServletRequest request, @PathParam("userId") Long id){ return xUserMgr.getXUserGroups(id); @@ -637,6 +718,7 @@ public VXGroupList getXUserGroups(@Context HttpServletRequest request, @GET @Path("/{groupId}/users") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_GROUP_USERS + "\")") public VXUserList getXGroupUsers(@Context HttpServletRequest request, @PathParam("groupId") Long id){ return xUserMgr.getXGroupUsers(id); @@ -645,6 +727,7 @@ public VXUserList getXGroupUsers(@Context HttpServletRequest request, @GET @Path("/authSessions") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_AUTH_SESSIONS + "\")") public VXAuthSessionList getAuthSessions(@Context HttpServletRequest request){ SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, authSessionService.AUTH_SESSION_SORT_FLDS); 
@@ -666,6 +749,7 @@ public VXAuthSessionList getAuthSessions(@Context HttpServletRequest request){ @GET @Path("/authSessions/info") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_AUTH_SESSION + "\")") public VXAuthSession getAuthSession(@Context HttpServletRequest request){ String authSessionId = request.getParameter("extSessionId"); return sessionMgr.getAuthSessionBySessionId(authSessionId); @@ -675,6 +759,7 @@ public VXAuthSession getAuthSession(@Context HttpServletRequest request){ @POST @Path("/permission") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_MODULE_DEF_PERMISSION + "\")") public VXModuleDef createXModuleDefPermission(VXModuleDef vXModuleDef) { return xUserMgr.createXModuleDefPermission(vXModuleDef); } @@ -682,6 +767,7 @@ public VXModuleDef createXModuleDefPermission(VXModuleDef vXModuleDef) { @GET @Path("/permission/{id}") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_MODULE_DEF_PERMISSION + "\")") public VXModuleDef getXModuleDefPermission(@PathParam("id") Long id) { return xUserMgr.getXModuleDefPermission(id); } 
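Review bot: `getAuthSession` returns the session identified by the caller-supplied `extSessionId` query parameter, and the added `@PreAuthorize` only decides whether the caller may use the API at all; whether `sessionMgr.getAuthSessionBySessionId` limits the lookup to sessions the caller is entitled to see is not visible in this hunk. Since session records are sensitive, confirm that scope and record it on the method once known, e.g. `// Session lookup by id; callers are limited by RangerAPIList.GET_AUTH_SESSION plus whatever sessionMgr enforces — confirm`, or add a per-session ownership check if the mapping grants this API to non-admin roles.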
@@ -689,13 +775,14 @@ public VXModuleDef getXModuleDefPermission(@PathParam("id") Long id) { @PUT @Path("/permission/{id}") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_MODULE_DEF_PERMISSION + "\")") public VXModuleDef updateXModuleDefPermission(VXModuleDef vXModuleDef) { return xUserMgr.updateXModuleDefPermission(vXModuleDef); } @DELETE @Path("/permission/{id}") - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_X_MODULE_DEF_PERMISSION + "\")") public void deleteXModuleDefPermission(@PathParam("id") Long id, @Context HttpServletRequest request) { boolean force = true; @@ -705,6 +792,7 @@ public void deleteXModuleDefPermission(@PathParam("id") Long id, @GET @Path("/permission") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_MODULE_DEF + "\")") public VXModuleDefList searchXModuleDef(@Context HttpServletRequest request) { SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, xModuleDefService.sortFields); @@ -725,6 +813,7 @@ public VXModuleDefList searchXModuleDef(@Context HttpServletRequest request) { @GET @Path("/permission/count") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_MODULE_DEF + "\")") public VXLong countXModuleDef(@Context HttpServletRequest request) { SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, xModuleDefService.sortFields); 
@@ -735,6 +824,7 @@ public VXLong countXModuleDef(@Context HttpServletRequest request) { @POST @Path("/permission/user") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_USER_PERMISSION + "\")") public VXUserPermission createXUserPermission( VXUserPermission vXUserPermission) { return xUserMgr.createXUserPermission(vXUserPermission); @@ -743,6 +833,7 @@ public VXUserPermission createXUserPermission( @GET @Path("/permission/user/{id}") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_USER_PERMISSION + "\")") public VXUserPermission getXUserPermission(@PathParam("id") Long id) { return xUserMgr.getXUserPermission(id); } @@ -750,6 +841,7 @@ public VXUserPermission getXUserPermission(@PathParam("id") Long id) { @PUT @Path("/permission/user/{id}") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_USER_PERMISSION + "\")") public VXUserPermission updateXUserPermission( VXUserPermission vXUserPermission) { return xUserMgr.updateXUserPermission(vXUserPermission); @@ -757,7 +849,7 @@ public VXUserPermission updateXUserPermission( @DELETE @Path("/permission/user/{id}") - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_X_USER_PERMISSION + "\")") public void deleteXUserPermission(@PathParam("id") Long id, @Context HttpServletRequest request) { boolean force = true; 
@@ -767,6 +859,7 @@ public void deleteXUserPermission(@PathParam("id") Long id, @GET @Path("/permission/user") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_USER_PERMISSION + "\")") public VXUserPermissionList searchXUserPermission( @Context HttpServletRequest request) { SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( @@ -782,6 +875,7 @@ public VXUserPermissionList searchXUserPermission( @GET @Path("/permission/user/count") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_USER_PERMISSION + "\")") public VXLong countXUserPermission(@Context HttpServletRequest request) { SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, xUserPermissionService.sortFields); @@ -792,6 +886,7 @@ public VXLong countXUserPermission(@Context HttpServletRequest request) { @POST @Path("/permission/group") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_GROUP_PERMISSION + "\")") public VXGroupPermission createXGroupPermission( VXGroupPermission vXGroupPermission) { return xUserMgr.createXGroupPermission(vXGroupPermission); @@ -800,6 +895,7 @@ public VXGroupPermission createXGroupPermission( @GET @Path("/permission/group/{id}") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_GROUP_PERMISSION + "\")") public VXGroupPermission getXGroupPermission(@PathParam("id") Long id) { return xUserMgr.getXGroupPermission(id); } 
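Review bot: The `"\"" + RangerAPIList.SEARCH_X_USER_PERMISSION + "\""` quoting is repeated verbatim on every endpoint in this file, and an unbalanced escape in any one of them surfaces only as a SpEL parse failure on the first request to that method rather than at compile time. SpEL can reference the constant directly without string quoting, which removes the escaping entirely: `@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(T(org.apache.ranger.security.context.RangerAPIList).SEARCH_X_USER_PERMISSION)")`. This is a style point only; the annotated methods (searchXUserPermission, countXUserPermission, createXGroupPermission, getXGroupPermission) are otherwise unchanged, and searchXUserPermission's body continues past the end of its hunk.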
@@ -807,6 +903,7 @@ public VXGroupPermission getXGroupPermission(@PathParam("id") Long id) { @PUT @Path("/permission/group/{id}") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_GROUP_PERMISSION + "\")") public VXGroupPermission updateXGroupPermission( VXGroupPermission vXGroupPermission) { return xUserMgr.updateXGroupPermission(vXGroupPermission); @@ -814,7 +911,7 @@ public VXGroupPermission updateXGroupPermission( @DELETE @Path("/permission/group/{id}") - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_X_GROUP_PERMISSION + "\")") public void deleteXGroupPermission(@PathParam("id") Long id, @Context HttpServletRequest request) { boolean force = true; @@ -824,6 +921,7 @@ public void deleteXGroupPermission(@PathParam("id") Long id, @GET @Path("/permission/group") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_GROUP_PERMISSION + "\")") public VXGroupPermissionList searchXGroupPermission( @Context HttpServletRequest request) { SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( @@ -838,6 +936,7 @@ public VXGroupPermissionList searchXGroupPermission( @GET @Path("/permission/group/count") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_GROUP_PERMISSION + "\")") public VXLong countXGroupPermission(@Context HttpServletRequest request) { SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, xGroupPermissionService.sortFields); 
@@ -847,6 +946,7 @@ public VXLong countXGroupPermission(@Context HttpServletRequest request) { @PUT @Path("/secure/users/activestatus") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.MODIFY_USER_ACTIVE_STATUS + "\")") public void modifyUserActiveStatus(HashMap statusMap){ xUserMgr.modifyUserActiveStatus(statusMap); } diff --git a/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIList.java b/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIList.java new file mode 100644 index 00000000000..f10453c0449 --- /dev/null +++ b/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIList.java 
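Review bot: The guard added to modifyUserActiveStatus uses MODIFY_USER_ACTIVE_STATUS, and in the RangerAPIMapping introduced by this patch that key is placed in both the Tag Based Policies set and the Users/Groups set (visible further down in this diff). If isAPIAccessible passes whenever the caller holds any tab the key maps to, a user whose only module is Tag Based Policies can deactivate or reactivate arbitrary accounts through `/secure/users/activestatus`, which does not look intended for a policy-editing role. The endpoint also accepts a raw `HashMap statusMap` with no validation visible before it reaches xUserMgr. I would drop MODIFY_USER_ACTIVE_STATUS from the tag-policy mapping, or gate the method explicitly: `@PreAuthorize("hasRole('ROLE_SYS_ADMIN') and @rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.MODIFY_USER_ACTIVE_STATUS + "\")")`.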
@@ -0,0 +1,201 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.ranger.security.context;
+
+/**
+ * This class holds list of APIs available in the system.
+ * This Class needs to be updated when writing new API in any of the REST.
+ */
+public class RangerAPIList {
+
+ /**
+ * List of APIs for AssetREST
+ */
+ public static final String GET_X_ASSET = "AssetREST.getXAsset";
+ public static final String CREATE_X_ASSET = "AssetREST.createXAsset";
+ public static final String UPDATE_X_ASSET = "AssetREST.updateXAsset";
+ public static final String DELETE_X_ASSET = "AssetREST.deleteXAsset";
+ public static final String TEST_CONFIG = "AssetREST.testConfig";
+ public static final String SEARCH_X_ASSETS = "AssetREST.searchXAssets";
+ public static final String COUNT_X_ASSETS = "AssetREST.countXAssets";
+ public static final String GET_X_RESOURCE = "AssetREST.getXResource";
+ public static final String CREATE_X_RESOURCE = "AssetREST.createXResource";
+ public static final String UPDATE_X_RESOURCE = "AssetREST.updateXResource";
+ public static final String DELETE_X_RESOURCE = "AssetREST.deleteXResource";
+ public static final String SEARCH_X_RESOURCES = "AssetREST.searchXResources";
+ public static final String COUNT_X_RESOURCES = "AssetREST.countXResources";
+ public static final String GET_X_CRED_STORE = "AssetREST.getXCredentialStore";
+ public static final String CREATE_X_CRED_STORE = "AssetREST.createXCredentialStore";
+ public static final String UPDATE_X_CRED_STORE = "AssetREST.updateXCredentialStore";
+ public static final String DELETE_X_CRED_STORE = "AssetREST.deleteXCredentialStore";
+ public static final String SEARCH_X_CRED_STORE = "AssetREST.searchXCredentialStores";
+ public static final String COUNT_X_CRED_STORE = "AssetREST.countXCredentialStores";
+ public static final String GET_X_RESOURCE_FILE = "AssetREST.getXResourceFile";
+ public static final String GET_RESOURCE_JSON = "AssetREST.getResourceJSON";
+ public static final String SEARCH_X_POLICY_EXPORT_AUDITS = "AssetREST.searchXPolicyExportAudits";
+ public static final String GET_REPORT_LOGS = "AssetREST.getReportLogs";
+ public static final String GET_TRANSACTION_REPORT = "AssetREST.getTransactionReport";
+ public static final String GET_ACCESS_LOGS = "AssetREST.getAccessLogs";
+ public static final String GRANT_PERMISSION = "AssetREST.grantPermission";
+ public static final String REVOKE_PERMISSION = "AssetREST.revokePermission";
+
+ /**
+ * List of APIs for ServiceREST
+ */
+ public static final String CREATE_SERVICE_DEF = "ServiceREST.createServiceDef";
+ public static final String UPDATE_SERVICE_DEF = "ServiceREST.updateServiceDef";
+ public static final String DELETE_SERVICE_DEF = "ServiceREST.deleteServiceDef";
+ public static final String GET_SERVICE_DEF = "ServiceREST.getServiceDef";
+ public static final String GET_SERVICE_DEF_BY_NAME = "ServiceREST.getServiceDefByName";
+ public static final String GET_SERVICE_DEFS = "ServiceREST.getServiceDefs";
+ public static final String CREATE_SERVICE = "ServiceREST.createService";
+ public static final String UPDATE_SERVICE = "ServiceREST.updateService";
+ public static final String DELETE_SERVICE = "ServiceREST.deleteService";
+ public static final String GET_SERVICE = "ServiceREST.getService";
+ public static final String GET_SERVICE_BY_NAME = "ServiceREST.getServiceByName";
+ public static final String GET_SERVICES = "ServiceREST.getServices";
+ public static final String COUNT_SERVICES = "ServiceREST.countServices";
+ public static final String VALIDATE_CONFIG = "ServiceREST.validateConfig";
+ public static final String LOOKUP_RESOURCE = "ServiceREST.lookupResource";
+ public static final String GRANT_ACCESS = "ServiceREST.grantAccess";
+ public static final String REVOKE_ACCESS = "ServiceREST.revokeAccess";
+ public static final String CREATE_POLICY = "ServiceREST.createPolicy";
+ public static final String UPDATE_POLICY = "ServiceREST.updatePolicy";
+ public static final String DELETE_POLICY = "ServiceREST.deletePolicy";
+ public static final String GET_POLICY = "ServiceREST.getPolicy";
+ public static final String GET_POLICIES = "ServiceREST.getPolicies";
+ public static final String COUNT_POLICIES = "ServiceREST.countPolicies";
+ public static final String GET_SERVICE_POLICIES = "ServiceREST.getServicePolicies";
+ public static final String GET_SERVICE_POLICIES_BY_NAME = "ServiceREST.getServicePoliciesByName";
+ public static final String GET_SERVICE_POLICIES_IF_UPDATED = "ServiceREST.getServicePoliciesIfUpdated";
+ public static final String GET_POLICY_FROM_EVENT_TIME = "ServiceREST.getPolicyFromEventTime";
+ public static final String GET_POLICY_VERSION_LIST = "ServiceREST.getPolicyVersionList";
+ public static final String GET_POLICY_FOR_VERSION_NO = "ServiceREST.getPolicyForVersionNumber";
+
+ /**
+ * List of APIs for UserREST
+ */
+ public static final String SEARCH_USERS = "UserREST.searchUsers";
+ public static final String GET_USER_PROFILE_FOR_USER = "UserREST.getUserProfileForUser";
+ public static final String CREATE = "UserREST.create";
+ public static final String CREATE_DEFAULT_ACCOUNT_USER = "UserREST.createDefaultAccountUser";
+ public static final String UPDATE = "UserREST.update";
+ public static final String SET_USER_ROLES = "UserREST.setUserRoles";
+ public static final String DEACTIVATE_USER = "UserREST.deactivateUser";
+ public static final String GET_USER_PROFILE = "UserREST.getUserProfile";
+ public static final String SUGGEST_USER_FIRST_NAME = "UserREST.suggestUserFirstName";
+ public static final String CHANGE_PASSWORD = "UserREST.changePassword";
+ public static final String CHANGE_EMAIL_ADDRESS = "UserREST.changeEmailAddress";
+
+ /**
+ * List of APIs for XAuditREST
+ */
+ public static final String GET_X_TRX_LOG = "XAuditREST.getXTrxLog";
+ public static final String CREATE_X_TRX_LOG = "XAuditREST.createXTrxLog";
+ public static final String UPDATE_X_TRX_LOG = "XAuditREST.updateXTrxLog";
+ public static final String DELETE_X_TRX_LOG = "XAuditREST.deleteXTrxLog";
+ public static final String SEARCH_X_TRX_LOG = "XAuditREST.searchXTrxLogs";
+ public static final String COUNT_X_TRX_LOGS = "XAuditREST.countXTrxLogs";
+ public static final String SEARCH_X_ACCESS_AUDITS = "XAuditREST.searchXAccessAudits";
+ public static final String COUNT_X_ACCESS_AUDITS = "XAuditREST.countXAccessAudits";
+
+ /**
+ * List of APIs for XKeyREST
+ */
+ public static final String SEARCH_KEYS = "XKeyREST.searchKeys";
+ public static final String ROLLOVER_KEYS = "XKeyREST.rolloverKey";
+ public static final String DELETE_KEY = "XKeyREST.deleteKey";
+ public static final String CREATE_KEY = "XKeyREST.createKey";
+ public static final String GET_KEY = "XKeyREST.getKey";
+
+ /**
+ * List of APIs for XUserREST
+ */
+ public static final String GET_X_GROUP = "XUserREST.getXGroup";
+ public static final String SECURE_GET_X_GROUP = "XUserREST.secureGetXGroup";
+ public static final String CREATE_X_GROUP = "XUserREST.createXGroup";
+ public static final String SECURE_CREATE_X_GROUP = "XUserREST.secureCreateXGroup";
+ public static final String UPDATE_X_GROUP = "XUserREST.updateXGroup";
+ public static final String SECURE_UPDATE_X_GROUP = "XUserREST.secureUpdateXGroup";
+ public static final String MODIFY_GROUPS_VISIBILITY = "XUserREST.modifyGroupsVisibility";
+ public static final String DELETE_X_GROUP = "XUserREST.deleteXGroup";
+ public static final String SEARCH_X_GROUPS = "XUserREST.searchXGroups";
+ public static final String COUNT_X_GROUPS = "XUserREST.countXGroups";
+ public static final String GET_X_USER = "XUserREST.getXUser";
+ public static final String SECURE_GET_X_USER = "XUserREST.secureGetXUser";
+ public static final String CREATE_X_USER = "XUserREST.createXUser";
+ public static final String CREATE_X_USER_GROUP_FROM_MAP = "XUserREST.createXUserGroupFromMap";
+ public static final String SECURE_CREATE_X_USER = "XUserREST.secureCreateXUser";
+ public static final String UPDATE_X_USER = "XUserREST.updateXUser";
+ public static final String SECURE_UPDATE_X_USER = "XUserREST.secureUpdateXUser";
+ public static final String MODIFY_USER_VISIBILITY = "XUserREST.modifyUserVisibility";
+ public static final String DELETE_X_USER = "XUserREST.deleteXUser";
+ public static final String SEARCH_X_USERS = "XUserREST.searchXUsers";
+ public static final String COUNT_X_USERS = "XUserREST.countXUsers";
+ public static final String GET_X_GROUP_USER = "XUserREST.getXGroupUser";
+ public static final String CREATE_X_GROUP_USER = "XUserREST.createXGroupUser";
+ public static final String UPDATE_X_GROUP_USER = "XUserREST.updateXGroupUser";
+ public static final String DELETE_X_GROUP_USER = "XUserREST.deleteXGroupUser";
+ public static final String SEARCH_X_GROUP_USERS = "XUserREST.searchXGroupUsers";
+ public static final String COUNT_X_GROUP_USERS = "XUserREST.countXGroupUsers";
+ public static final String GET_X_GROUP_GROUP = "XUserREST.getXGroupGroup";
+ public static final String CREATE_X_GROUP_GROUP = "XUserREST.createXGroupGroup";
+ public static final String UPDATE_X_GROUP_GROUP = "XUserREST.updateXGroupGroup";
+ public static final String DELETE_X_GROUP_GROUP = "XUserREST.deleteXGroupGroup";
+ public static final String SEARCH_X_GROUP_GROUPS = "XUserREST.searchXGroupGroups";
+ public static final String COUNT_X_GROUP_GROUPS = "XUserREST.countXGroupGroups";
+ public static final String GET_X_PERM_MAP = "XUserREST.getXPermMap";
+ public static final String CREATE_X_PERM_MAP = "XUserREST.createXPermMap";
+ public static final String UPDATE_X_PERM_MAP = "XUserREST.updateXPermMap";
+ public static final String DELETE_X_PERM_MAP = "XUserREST.deleteXPermMap";
+ public static final String SEARCH_X_PERM_MAPS = "XUserREST.searchXPermMaps";
+ public static final String COUNT_X_PERM_MAPS = "XUserREST.countXPermMaps";
+ public static final String GET_X_AUDIT_MAP = "XUserREST.getXAuditMap";
+ public static final String CREATE_X_AUDIT_MAP = "XUserREST.createXAuditMap";
+ public static final String UPDATE_X_AUDIT_MAP = "XUserREST.updateXAuditMap";
+ public static final String DELETE_X_AUDIT_MAP = "XUserREST.deleteXAuditMap";
+ public static final String SEARCH_X_AUDIT_MAPS = "XUserREST.searchXAuditMaps";
+ public static final String COUNT_X_AUDIT_MAPS = "XUserREST.countXAuditMaps";
+ public static final String GET_X_USER_BY_USER_NAME = "XUserREST.getXUserByUserName";
+ public static final String GET_X_GROUP_BY_GROUP_NAME = "XUserREST.getXGroupByGroupName";
+ public static final String DELETE_X_USER_BY_USER_NAME = "XUserREST.deleteXUserByUserName";
+ public static final String DELETE_X_GROUP_BY_GROUP_NAME = "XUserREST.deleteXGroupByGroupName";
+ public static final String DELETE_X_GROUP_AND_X_USER = "XUserREST.deleteXGroupAndXUser";
+ public static final String GET_X_USER_GROUPS = "XUserREST.getXUserGroups";
+ public static final String GET_X_GROUP_USERS = "XUserREST.getXGroupUsers";
+ public static final String GET_AUTH_SESSIONS = "XUserREST.getAuthSessions";
+ public static final String GET_AUTH_SESSION = "XUserREST.getAuthSession";
+ public static final String CREATE_X_MODULE_DEF_PERMISSION = "XUserREST.createXModuleDefPermission";
+ public static final String GET_X_MODULE_DEF_PERMISSION = "XUserREST.getXModuleDefPermission";
+ public static final String UPDATE_X_MODULE_DEF_PERMISSION = "XUserREST.updateXModuleDefPermission";
+ public static final String DELETE_X_MODULE_DEF_PERMISSION = "XUserREST.deleteXModuleDefPermission";
+ public static final String SEARCH_X_MODULE_DEF = "XUserREST.searchXModuleDef";
+ public static final String COUNT_X_MODULE_DEF = "XUserREST.countXModuleDef";
+ public static final String CREATE_X_USER_PERMISSION = "XUserREST.createXUserPermission";
+ public static final String GET_X_USER_PERMISSION = "XUserREST.getXUserPermission";
+ public static final String UPDATE_X_USER_PERMISSION = "XUserREST.updateXUserPermission";
+ public static final String DELETE_X_USER_PERMISSION = "XUserREST.deleteXUserPermission";
+ public static final String SEARCH_X_USER_PERMISSION = "XUserREST.searchXUserPermission";
+ public static final String COUNT_X_USER_PERMISSION = "XUserREST.countXUserPermission";
+ public static final String CREATE_X_GROUP_PERMISSION = "XUserREST.createXGroupPermission";
+ public static final String GET_X_GROUP_PERMISSION = "XUserREST.getXGroupPermission";
+ public static final String UPDATE_X_GROUP_PERMISSION = "XUserREST.updateXGroupPermission";
+ public static final String DELETE_X_GROUP_PERMISSION = "XUserREST.deleteXGroupPermission";
+ public static final String SEARCH_X_GROUP_PERMISSION = "XUserREST.searchXGroupPermission";
+ public static final String COUNT_X_GROUP_PERMISSION = "XUserREST.countXGroupPermission";
+ public static final String MODIFY_USER_ACTIVE_STATUS = "XUserREST.modifyUserActiveStatus";
+}
\ No newline at end of file
diff --git a/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIMapping.java b/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIMapping.java
new file mode 100644
index 00000000000..adc8e2a1cfb
--- /dev/null
+++ b/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIMapping.java
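Review bot: The keys in RangerAPIList are free-form strings that must also be registered in RangerAPIMapping, and nothing here ties the two together at compile time, so a key that is mistyped in an annotation or never added to the mapping is only discovered when a request reaches isAPIAccessible, and whether that case denies or allows is not visible in this patch. Several constants declared here (GRANT_ACCESS, REVOKE_ACCESS, CHANGE_PASSWORD, GET_AUTH_SESSIONS, DELETE_X_USER, among others) do not appear in any of the tab sets visible further down, though the mapping file extends past the end of this view. I would add a startup check or unit test asserting that every RangerAPIList constant is present in RangerAPIMapping, and make the handler deny unmapped keys so a forgotten registration fails closed. The class comment should also state the contract the values carry, since names already drift from values (`ROLLOVER_KEYS = "XKeyREST.rolloverKey"`, `SEARCH_X_TRX_LOG = "XAuditREST.searchXTrxLogs"`): `/** Each value is "<RestClass>.<methodName>" of the annotated endpoint; every key must also be registered in RangerAPIMapping. */`.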
@@ -0,0 +1,535 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.ranger.security.context; + +import java.util.HashMap; +import java.util.HashSet; +import java.util.Map; +import java.util.Set; + +import org.apache.commons.collections.CollectionUtils; +import org.springframework.stereotype.Component; + +@Component +public class RangerAPIMapping { + + /** + * @NOTE While adding new tab here, please don't forget to update the function: + * org.apache.ranger.security.context.RangerAPIMapping.getAvailableUITabs() + */ + public static final String TAB_RESOURCE_BASED_POLICIES = "Resource Based Policies"; + public static final String TAB_AUDIT = "Audit"; + public static final String TAB_USERS_GROUPS = "Users/Groups"; + public static final String TAB_PERMISSIONS = "Permissions"; + public static final String TAB_KEY_MANAGER = "Key Manager"; + public static final String TAB_TAG_BASED_POLICIES = "Tag Based Policies"; + public static final String TAB_REPORTS = "Reports"; + + private static HashMap> rangerAPIMappingWithUI = null; + private static Set tabList = new HashSet(); + private static Map> mapApiToTabs = null; + + public RangerAPIMapping() { + init(); + } + + private void init() { + if 
(rangerAPIMappingWithUI == null) { + rangerAPIMappingWithUI = new HashMap>(); + } + if (mapApiToTabs == null) { + mapApiToTabs = new HashMap>(); + } + + mapResourceBasedPoliciesWithAPIs(); + mapAuditWithAPIs(); + mapUGWithAPIs(); + mapPermissionsWithAPIs(); + mapKeyManagerWithAPIs(); + mapTagBasedPoliciesWithAPIs(); + mapReportsWithAPIs(); + + if (CollectionUtils.isEmpty(tabList)) { + populateAvailableUITabs(); + } + + } + + private void populateAvailableUITabs() { + tabList = new HashSet(); + tabList.add(TAB_RESOURCE_BASED_POLICIES); + tabList.add(TAB_TAG_BASED_POLICIES); + tabList.add(TAB_AUDIT); + tabList.add(TAB_REPORTS); + tabList.add(TAB_KEY_MANAGER); + tabList.add(TAB_PERMISSIONS); + tabList.add(TAB_USERS_GROUPS); + } + + private void mapReportsWithAPIs() { + Set apiAssociatedWithReports = new HashSet(); + + apiAssociatedWithReports.add(RangerAPIList.COUNT_X_ASSETS); + apiAssociatedWithReports.add(RangerAPIList.GET_X_ASSET); + apiAssociatedWithReports.add(RangerAPIList.SEARCH_X_ASSETS); + + apiAssociatedWithReports.add(RangerAPIList.COUNT_SERVICES); + apiAssociatedWithReports.add(RangerAPIList.GET_POLICY_FOR_VERSION_NO); + apiAssociatedWithReports.add(RangerAPIList.GET_POLICY_FROM_EVENT_TIME); + apiAssociatedWithReports.add(RangerAPIList.GET_POLICY_VERSION_LIST); + apiAssociatedWithReports.add(RangerAPIList.GET_SERVICE); + apiAssociatedWithReports.add(RangerAPIList.GET_SERVICE_BY_NAME); + apiAssociatedWithReports.add(RangerAPIList.GET_SERVICE_DEF); + apiAssociatedWithReports.add(RangerAPIList.GET_SERVICE_DEF_BY_NAME); + apiAssociatedWithReports.add(RangerAPIList.GET_SERVICE_DEFS); + apiAssociatedWithReports.add(RangerAPIList.GET_SERVICES); + apiAssociatedWithReports.add(RangerAPIList.LOOKUP_RESOURCE); + + apiAssociatedWithReports.add(RangerAPIList.GET_USER_PROFILE_FOR_USER); + apiAssociatedWithReports.add(RangerAPIList.SEARCH_USERS); + + apiAssociatedWithReports.add(RangerAPIList.COUNT_X_AUDIT_MAPS); + 
apiAssociatedWithReports.add(RangerAPIList.COUNT_X_GROUP_GROUPS); + apiAssociatedWithReports.add(RangerAPIList.COUNT_X_GROUPS); + apiAssociatedWithReports.add(RangerAPIList.COUNT_X_GROUP_USERS); + apiAssociatedWithReports.add(RangerAPIList.COUNT_X_PERM_MAPS); + apiAssociatedWithReports.add(RangerAPIList.COUNT_X_USERS); + apiAssociatedWithReports.add(RangerAPIList.GET_X_AUDIT_MAP); + apiAssociatedWithReports.add(RangerAPIList.GET_X_GROUP); + apiAssociatedWithReports.add(RangerAPIList.GET_X_GROUP_BY_GROUP_NAME); + apiAssociatedWithReports.add(RangerAPIList.GET_X_GROUP_GROUP); + apiAssociatedWithReports.add(RangerAPIList.GET_X_GROUP_USER); + apiAssociatedWithReports.add(RangerAPIList.GET_X_GROUP_USERS); + apiAssociatedWithReports.add(RangerAPIList.GET_X_PERM_MAP); + apiAssociatedWithReports.add(RangerAPIList.GET_X_USER); + apiAssociatedWithReports.add(RangerAPIList.GET_X_USER_BY_USER_NAME); + apiAssociatedWithReports.add(RangerAPIList.GET_X_USER_GROUPS); + apiAssociatedWithReports.add(RangerAPIList.SEARCH_X_AUDIT_MAPS); + apiAssociatedWithReports.add(RangerAPIList.SEARCH_X_GROUP_GROUPS); + apiAssociatedWithReports.add(RangerAPIList.SEARCH_X_GROUPS); + apiAssociatedWithReports.add(RangerAPIList.SEARCH_X_GROUP_USERS); + apiAssociatedWithReports.add(RangerAPIList.SEARCH_X_PERM_MAPS); + apiAssociatedWithReports.add(RangerAPIList.SEARCH_X_USERS); + apiAssociatedWithReports.add(RangerAPIList.SECURE_GET_X_GROUP); + apiAssociatedWithReports.add(RangerAPIList.SECURE_GET_X_USER); + + rangerAPIMappingWithUI.put(TAB_REPORTS, apiAssociatedWithReports); + + for (String api : apiAssociatedWithReports) { + if (mapApiToTabs.get(api) == null) { + mapApiToTabs.put(api, new HashSet()); + } + mapApiToTabs.get(api).add(TAB_REPORTS); + } + } + + private void mapTagBasedPoliciesWithAPIs() { + Set apiAssociatedWithTagBasedPolicy = new HashSet(); + + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.COUNT_X_ASSETS); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.CREATE_X_ASSET); + 
apiAssociatedWithTagBasedPolicy.add(RangerAPIList.DELETE_X_ASSET); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.GET_X_ASSET); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.SEARCH_X_ASSETS); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.TEST_CONFIG); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.UPDATE_X_ASSET); + + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.COUNT_SERVICES); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.CREATE_SERVICE); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.CREATE_SERVICE_DEF); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.DELETE_SERVICE); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.DELETE_SERVICE_DEF); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.GET_POLICY_FOR_VERSION_NO); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.GET_POLICY_FROM_EVENT_TIME); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.GET_POLICY_VERSION_LIST); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.GET_SERVICE); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.GET_SERVICE_BY_NAME); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.GET_SERVICE_DEF); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.GET_SERVICE_DEF_BY_NAME); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.GET_SERVICE_DEFS); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.GET_SERVICES); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.LOOKUP_RESOURCE); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.UPDATE_SERVICE); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.UPDATE_SERVICE_DEF); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.VALIDATE_CONFIG); + + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.GET_USER_PROFILE_FOR_USER); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.SEARCH_USERS); + + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.COUNT_X_AUDIT_MAPS); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.COUNT_X_GROUP_GROUPS); + 
apiAssociatedWithTagBasedPolicy.add(RangerAPIList.COUNT_X_GROUPS); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.COUNT_X_GROUP_USERS); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.COUNT_X_PERM_MAPS); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.COUNT_X_USERS); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.CREATE_X_AUDIT_MAP); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.CREATE_X_PERM_MAP); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.DELETE_X_AUDIT_MAP); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.DELETE_X_PERM_MAP); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.GET_X_AUDIT_MAP); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.GET_X_GROUP); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.GET_X_GROUP_BY_GROUP_NAME); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.GET_X_GROUP_GROUP); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.GET_X_GROUP_USER); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.GET_X_GROUP_USERS); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.GET_X_PERM_MAP); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.GET_X_USER); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.GET_X_USER_BY_USER_NAME); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.GET_X_USER_GROUPS); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.MODIFY_GROUPS_VISIBILITY); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.MODIFY_USER_ACTIVE_STATUS); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.MODIFY_USER_VISIBILITY); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.SEARCH_X_AUDIT_MAPS); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.SEARCH_X_GROUP_GROUPS); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.SEARCH_X_GROUPS); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.SEARCH_X_GROUP_USERS); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.SEARCH_X_PERM_MAPS); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.SEARCH_X_USERS); + 
apiAssociatedWithTagBasedPolicy.add(RangerAPIList.SECURE_GET_X_GROUP); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.SECURE_GET_X_USER); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.UPDATE_X_AUDIT_MAP); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.UPDATE_X_PERM_MAP); + + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.CREATE); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.CREATE_DEFAULT_ACCOUNT_USER); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.UPDATE); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.SET_USER_ROLES); + apiAssociatedWithTagBasedPolicy.add(RangerAPIList.DEACTIVATE_USER); + + rangerAPIMappingWithUI.put(TAB_TAG_BASED_POLICIES, apiAssociatedWithTagBasedPolicy); + + for (String api : apiAssociatedWithTagBasedPolicy) { + if (mapApiToTabs.get(api) == null) { + mapApiToTabs.put(api, new HashSet()); + } + mapApiToTabs.get(api).add(TAB_TAG_BASED_POLICIES); + } + } + + private void mapKeyManagerWithAPIs() { + + Set apiAssociatedWithKeyManager = new HashSet(); + + apiAssociatedWithKeyManager.add(RangerAPIList.COUNT_X_ASSETS); + apiAssociatedWithKeyManager.add(RangerAPIList.CREATE_X_ASSET); + apiAssociatedWithKeyManager.add(RangerAPIList.DELETE_X_ASSET); + apiAssociatedWithKeyManager.add(RangerAPIList.GET_X_ASSET); + apiAssociatedWithKeyManager.add(RangerAPIList.SEARCH_X_ASSETS); + apiAssociatedWithKeyManager.add(RangerAPIList.TEST_CONFIG); + apiAssociatedWithKeyManager.add(RangerAPIList.UPDATE_X_ASSET); + + apiAssociatedWithKeyManager.add(RangerAPIList.COUNT_SERVICES); + apiAssociatedWithKeyManager.add(RangerAPIList.CREATE_SERVICE); + apiAssociatedWithKeyManager.add(RangerAPIList.CREATE_SERVICE_DEF); + apiAssociatedWithKeyManager.add(RangerAPIList.DELETE_SERVICE); + apiAssociatedWithKeyManager.add(RangerAPIList.DELETE_SERVICE_DEF); + apiAssociatedWithKeyManager.add(RangerAPIList.GET_POLICY_FOR_VERSION_NO); + apiAssociatedWithKeyManager.add(RangerAPIList.GET_POLICY_FROM_EVENT_TIME); + 
apiAssociatedWithKeyManager.add(RangerAPIList.GET_POLICY_VERSION_LIST); + apiAssociatedWithKeyManager.add(RangerAPIList.GET_SERVICE); + apiAssociatedWithKeyManager.add(RangerAPIList.GET_SERVICE_BY_NAME); + apiAssociatedWithKeyManager.add(RangerAPIList.GET_SERVICE_DEF); + apiAssociatedWithKeyManager.add(RangerAPIList.GET_SERVICE_DEF_BY_NAME); + apiAssociatedWithKeyManager.add(RangerAPIList.GET_SERVICE_DEFS); + apiAssociatedWithKeyManager.add(RangerAPIList.GET_SERVICES); + apiAssociatedWithKeyManager.add(RangerAPIList.LOOKUP_RESOURCE); + apiAssociatedWithKeyManager.add(RangerAPIList.UPDATE_SERVICE); + apiAssociatedWithKeyManager.add(RangerAPIList.UPDATE_SERVICE_DEF); + apiAssociatedWithKeyManager.add(RangerAPIList.VALIDATE_CONFIG); + + apiAssociatedWithKeyManager.add(RangerAPIList.CREATE_KEY); + apiAssociatedWithKeyManager.add(RangerAPIList.DELETE_KEY); + apiAssociatedWithKeyManager.add(RangerAPIList.GET_KEY); + apiAssociatedWithKeyManager.add(RangerAPIList.ROLLOVER_KEYS); + apiAssociatedWithKeyManager.add(RangerAPIList.SEARCH_KEYS); + + rangerAPIMappingWithUI.put(TAB_KEY_MANAGER, apiAssociatedWithKeyManager); + + for (String api : apiAssociatedWithKeyManager) { + if (mapApiToTabs.get(api) == null) { + mapApiToTabs.put(api, new HashSet()); + } + mapApiToTabs.get(api).add(TAB_KEY_MANAGER); + } + } + + private void mapPermissionsWithAPIs() { + + Set apiAssociatedWithPermissions = new HashSet(); + + apiAssociatedWithPermissions.add(RangerAPIList.COUNT_X_GROUP_PERMISSION); + apiAssociatedWithPermissions.add(RangerAPIList.COUNT_X_MODULE_DEF); + apiAssociatedWithPermissions.add(RangerAPIList.COUNT_X_USER_PERMISSION); + apiAssociatedWithPermissions.add(RangerAPIList.CREATE_X_GROUP_PERMISSION); + apiAssociatedWithPermissions.add(RangerAPIList.CREATE_X_MODULE_DEF_PERMISSION); + apiAssociatedWithPermissions.add(RangerAPIList.CREATE_X_USER_PERMISSION); + apiAssociatedWithPermissions.add(RangerAPIList.DELETE_X_GROUP_PERMISSION); + 
apiAssociatedWithPermissions.add(RangerAPIList.DELETE_X_MODULE_DEF_PERMISSION); + apiAssociatedWithPermissions.add(RangerAPIList.DELETE_X_USER_PERMISSION); + apiAssociatedWithPermissions.add(RangerAPIList.GET_X_GROUP_PERMISSION); + apiAssociatedWithPermissions.add(RangerAPIList.GET_X_MODULE_DEF_PERMISSION); + apiAssociatedWithPermissions.add(RangerAPIList.GET_X_USER_PERMISSION); + apiAssociatedWithPermissions.add(RangerAPIList.SEARCH_X_GROUP_PERMISSION); + apiAssociatedWithPermissions.add(RangerAPIList.SEARCH_X_MODULE_DEF); + apiAssociatedWithPermissions.add(RangerAPIList.SEARCH_X_USER_PERMISSION); + apiAssociatedWithPermissions.add(RangerAPIList.UPDATE_X_GROUP_PERMISSION); + apiAssociatedWithPermissions.add(RangerAPIList.UPDATE_X_MODULE_DEF_PERMISSION); + apiAssociatedWithPermissions.add(RangerAPIList.UPDATE_X_USER_PERMISSION); + + rangerAPIMappingWithUI.put(TAB_PERMISSIONS, apiAssociatedWithPermissions); + + for (String api : apiAssociatedWithPermissions) { + if (mapApiToTabs.get(api) == null) { + mapApiToTabs.put(api, new HashSet()); + } + mapApiToTabs.get(api).add(TAB_PERMISSIONS); + } + } + + private void mapUGWithAPIs() { + Set apiAssociatedWithUserAndGroups = new HashSet(); + + apiAssociatedWithUserAndGroups.add(RangerAPIList.GET_USER_PROFILE_FOR_USER); + apiAssociatedWithUserAndGroups.add(RangerAPIList.SEARCH_USERS); + + apiAssociatedWithUserAndGroups.add(RangerAPIList.COUNT_X_AUDIT_MAPS); + apiAssociatedWithUserAndGroups.add(RangerAPIList.COUNT_X_GROUP_GROUPS); + apiAssociatedWithUserAndGroups.add(RangerAPIList.COUNT_X_GROUPS); + apiAssociatedWithUserAndGroups.add(RangerAPIList.COUNT_X_GROUP_USERS); + apiAssociatedWithUserAndGroups.add(RangerAPIList.COUNT_X_PERM_MAPS); + apiAssociatedWithUserAndGroups.add(RangerAPIList.COUNT_X_USERS); + apiAssociatedWithUserAndGroups.add(RangerAPIList.CREATE_X_AUDIT_MAP); + apiAssociatedWithUserAndGroups.add(RangerAPIList.CREATE_X_PERM_MAP); + apiAssociatedWithUserAndGroups.add(RangerAPIList.DELETE_X_AUDIT_MAP); + 
apiAssociatedWithUserAndGroups.add(RangerAPIList.DELETE_X_PERM_MAP); + apiAssociatedWithUserAndGroups.add(RangerAPIList.GET_X_AUDIT_MAP); + apiAssociatedWithUserAndGroups.add(RangerAPIList.GET_X_GROUP); + apiAssociatedWithUserAndGroups.add(RangerAPIList.GET_X_GROUP_BY_GROUP_NAME); + apiAssociatedWithUserAndGroups.add(RangerAPIList.GET_X_GROUP_GROUP); + apiAssociatedWithUserAndGroups.add(RangerAPIList.GET_X_GROUP_USER); + apiAssociatedWithUserAndGroups.add(RangerAPIList.GET_X_GROUP_USERS); + apiAssociatedWithUserAndGroups.add(RangerAPIList.GET_X_PERM_MAP); + apiAssociatedWithUserAndGroups.add(RangerAPIList.GET_X_USER); + apiAssociatedWithUserAndGroups.add(RangerAPIList.GET_X_USER_BY_USER_NAME); + apiAssociatedWithUserAndGroups.add(RangerAPIList.GET_X_USER_GROUPS); + apiAssociatedWithUserAndGroups.add(RangerAPIList.MODIFY_GROUPS_VISIBILITY); + apiAssociatedWithUserAndGroups.add(RangerAPIList.MODIFY_USER_ACTIVE_STATUS); + apiAssociatedWithUserAndGroups.add(RangerAPIList.MODIFY_USER_VISIBILITY); + apiAssociatedWithUserAndGroups.add(RangerAPIList.SEARCH_X_AUDIT_MAPS); + apiAssociatedWithUserAndGroups.add(RangerAPIList.SEARCH_X_GROUP_GROUPS); + apiAssociatedWithUserAndGroups.add(RangerAPIList.SEARCH_X_GROUPS); + apiAssociatedWithUserAndGroups.add(RangerAPIList.SEARCH_X_GROUP_USERS); + apiAssociatedWithUserAndGroups.add(RangerAPIList.SEARCH_X_PERM_MAPS); + apiAssociatedWithUserAndGroups.add(RangerAPIList.SEARCH_X_USERS); + apiAssociatedWithUserAndGroups.add(RangerAPIList.SECURE_GET_X_GROUP); + apiAssociatedWithUserAndGroups.add(RangerAPIList.SECURE_GET_X_USER); + apiAssociatedWithUserAndGroups.add(RangerAPIList.UPDATE_X_AUDIT_MAP); + apiAssociatedWithUserAndGroups.add(RangerAPIList.UPDATE_X_PERM_MAP); + + apiAssociatedWithUserAndGroups.add(RangerAPIList.CREATE); + apiAssociatedWithUserAndGroups.add(RangerAPIList.CREATE_DEFAULT_ACCOUNT_USER); + apiAssociatedWithUserAndGroups.add(RangerAPIList.UPDATE); + apiAssociatedWithUserAndGroups.add(RangerAPIList.SET_USER_ROLES); + 
apiAssociatedWithUserAndGroups.add(RangerAPIList.DEACTIVATE_USER); + + rangerAPIMappingWithUI.put(TAB_USERS_GROUPS, apiAssociatedWithUserAndGroups); + + for (String api : apiAssociatedWithUserAndGroups) { + if (mapApiToTabs.get(api) == null) { + mapApiToTabs.put(api, new HashSet()); + } + mapApiToTabs.get(api).add(TAB_USERS_GROUPS); + } + } + + private void mapAuditWithAPIs() { + + Set apiAssociatedWithAudit = new HashSet(); + + apiAssociatedWithAudit.add(RangerAPIList.COUNT_X_ASSETS); + apiAssociatedWithAudit.add(RangerAPIList.GET_X_ASSET); + apiAssociatedWithAudit.add(RangerAPIList.SEARCH_X_ASSETS); + + apiAssociatedWithAudit.add(RangerAPIList.COUNT_SERVICES); + apiAssociatedWithAudit.add(RangerAPIList.GET_POLICY_FOR_VERSION_NO); + apiAssociatedWithAudit.add(RangerAPIList.GET_POLICY_FROM_EVENT_TIME); + apiAssociatedWithAudit.add(RangerAPIList.GET_POLICY_VERSION_LIST); + apiAssociatedWithAudit.add(RangerAPIList.GET_SERVICE); + apiAssociatedWithAudit.add(RangerAPIList.GET_SERVICE_BY_NAME); + apiAssociatedWithAudit.add(RangerAPIList.GET_SERVICE_DEF); + apiAssociatedWithAudit.add(RangerAPIList.GET_SERVICE_DEF_BY_NAME); + apiAssociatedWithAudit.add(RangerAPIList.GET_SERVICE_DEFS); + apiAssociatedWithAudit.add(RangerAPIList.GET_SERVICES); + apiAssociatedWithAudit.add(RangerAPIList.LOOKUP_RESOURCE); + + apiAssociatedWithAudit.add(RangerAPIList.GET_USER_PROFILE_FOR_USER); + apiAssociatedWithAudit.add(RangerAPIList.SEARCH_USERS); + + apiAssociatedWithAudit.add(RangerAPIList.COUNT_X_AUDIT_MAPS); + apiAssociatedWithAudit.add(RangerAPIList.COUNT_X_GROUP_GROUPS); + apiAssociatedWithAudit.add(RangerAPIList.COUNT_X_GROUPS); + apiAssociatedWithAudit.add(RangerAPIList.COUNT_X_GROUP_USERS); + apiAssociatedWithAudit.add(RangerAPIList.COUNT_X_PERM_MAPS); + apiAssociatedWithAudit.add(RangerAPIList.COUNT_X_USERS); + apiAssociatedWithAudit.add(RangerAPIList.GET_X_AUDIT_MAP); + apiAssociatedWithAudit.add(RangerAPIList.GET_X_GROUP); + 
apiAssociatedWithAudit.add(RangerAPIList.GET_X_GROUP_BY_GROUP_NAME); + apiAssociatedWithAudit.add(RangerAPIList.GET_X_GROUP_GROUP); + apiAssociatedWithAudit.add(RangerAPIList.GET_X_GROUP_USER); + apiAssociatedWithAudit.add(RangerAPIList.GET_X_GROUP_USERS); + apiAssociatedWithAudit.add(RangerAPIList.GET_X_PERM_MAP); + apiAssociatedWithAudit.add(RangerAPIList.GET_X_USER); + apiAssociatedWithAudit.add(RangerAPIList.GET_X_USER_BY_USER_NAME); + apiAssociatedWithAudit.add(RangerAPIList.GET_X_USER_GROUPS); + apiAssociatedWithAudit.add(RangerAPIList.SEARCH_X_AUDIT_MAPS); + apiAssociatedWithAudit.add(RangerAPIList.SEARCH_X_GROUP_GROUPS); + apiAssociatedWithAudit.add(RangerAPIList.SEARCH_X_GROUPS); + apiAssociatedWithAudit.add(RangerAPIList.SEARCH_X_GROUP_USERS); + apiAssociatedWithAudit.add(RangerAPIList.SEARCH_X_PERM_MAPS); + apiAssociatedWithAudit.add(RangerAPIList.SEARCH_X_USERS); + apiAssociatedWithAudit.add(RangerAPIList.SECURE_GET_X_GROUP); + apiAssociatedWithAudit.add(RangerAPIList.SECURE_GET_X_USER); + + apiAssociatedWithAudit.add(RangerAPIList.GET_X_TRX_LOG); + apiAssociatedWithAudit.add(RangerAPIList.CREATE_X_TRX_LOG); + apiAssociatedWithAudit.add(RangerAPIList.UPDATE_X_TRX_LOG); + apiAssociatedWithAudit.add(RangerAPIList.DELETE_X_TRX_LOG); + apiAssociatedWithAudit.add(RangerAPIList.SEARCH_X_TRX_LOG); + apiAssociatedWithAudit.add(RangerAPIList.COUNT_X_TRX_LOGS); + apiAssociatedWithAudit.add(RangerAPIList.SEARCH_X_ACCESS_AUDITS); + apiAssociatedWithAudit.add(RangerAPIList.COUNT_X_ACCESS_AUDITS); + apiAssociatedWithAudit.add(RangerAPIList.SEARCH_X_POLICY_EXPORT_AUDITS); + apiAssociatedWithAudit.add(RangerAPIList.GET_REPORT_LOGS); + apiAssociatedWithAudit.add(RangerAPIList.GET_TRANSACTION_REPORT); + apiAssociatedWithAudit.add(RangerAPIList.GET_ACCESS_LOGS); + apiAssociatedWithAudit.add(RangerAPIList.GET_AUTH_SESSION); + apiAssociatedWithAudit.add(RangerAPIList.GET_AUTH_SESSIONS); + + rangerAPIMappingWithUI.put(TAB_AUDIT, apiAssociatedWithAudit); + + for (String api : 
apiAssociatedWithAudit) { + if (mapApiToTabs.get(api) == null) { + mapApiToTabs.put(api, new HashSet()); + } + mapApiToTabs.get(api).add(TAB_AUDIT); + } + } + + private void mapResourceBasedPoliciesWithAPIs() { + Set apiAssociatedWithRBPolicies = new HashSet(); + + apiAssociatedWithRBPolicies.add(RangerAPIList.COUNT_X_ASSETS); + apiAssociatedWithRBPolicies.add(RangerAPIList.CREATE_X_ASSET); + apiAssociatedWithRBPolicies.add(RangerAPIList.DELETE_X_ASSET); + apiAssociatedWithRBPolicies.add(RangerAPIList.GET_X_ASSET); + apiAssociatedWithRBPolicies.add(RangerAPIList.SEARCH_X_ASSETS); + apiAssociatedWithRBPolicies.add(RangerAPIList.TEST_CONFIG); + apiAssociatedWithRBPolicies.add(RangerAPIList.UPDATE_X_ASSET); + + apiAssociatedWithRBPolicies.add(RangerAPIList.COUNT_SERVICES); + apiAssociatedWithRBPolicies.add(RangerAPIList.CREATE_SERVICE); + apiAssociatedWithRBPolicies.add(RangerAPIList.CREATE_SERVICE_DEF); + apiAssociatedWithRBPolicies.add(RangerAPIList.DELETE_SERVICE); + apiAssociatedWithRBPolicies.add(RangerAPIList.DELETE_SERVICE_DEF); + apiAssociatedWithRBPolicies.add(RangerAPIList.GET_POLICY_FOR_VERSION_NO); + apiAssociatedWithRBPolicies.add(RangerAPIList.GET_POLICY_FROM_EVENT_TIME); + apiAssociatedWithRBPolicies.add(RangerAPIList.GET_POLICY_VERSION_LIST); + apiAssociatedWithRBPolicies.add(RangerAPIList.GET_SERVICE); + apiAssociatedWithRBPolicies.add(RangerAPIList.GET_SERVICE_BY_NAME); + apiAssociatedWithRBPolicies.add(RangerAPIList.GET_SERVICE_DEF); + apiAssociatedWithRBPolicies.add(RangerAPIList.GET_SERVICE_DEF_BY_NAME); + apiAssociatedWithRBPolicies.add(RangerAPIList.GET_SERVICE_DEFS); + apiAssociatedWithRBPolicies.add(RangerAPIList.GET_SERVICES); + apiAssociatedWithRBPolicies.add(RangerAPIList.LOOKUP_RESOURCE); + apiAssociatedWithRBPolicies.add(RangerAPIList.UPDATE_SERVICE); + apiAssociatedWithRBPolicies.add(RangerAPIList.UPDATE_SERVICE_DEF); + apiAssociatedWithRBPolicies.add(RangerAPIList.VALIDATE_CONFIG); + + 
apiAssociatedWithRBPolicies.add(RangerAPIList.GET_USER_PROFILE_FOR_USER); + apiAssociatedWithRBPolicies.add(RangerAPIList.SEARCH_USERS); + + apiAssociatedWithRBPolicies.add(RangerAPIList.COUNT_X_AUDIT_MAPS); + apiAssociatedWithRBPolicies.add(RangerAPIList.COUNT_X_GROUP_GROUPS); + apiAssociatedWithRBPolicies.add(RangerAPIList.COUNT_X_GROUPS); + apiAssociatedWithRBPolicies.add(RangerAPIList.COUNT_X_GROUP_USERS); + apiAssociatedWithRBPolicies.add(RangerAPIList.COUNT_X_PERM_MAPS); + apiAssociatedWithRBPolicies.add(RangerAPIList.COUNT_X_USERS); + apiAssociatedWithRBPolicies.add(RangerAPIList.CREATE_X_AUDIT_MAP); + apiAssociatedWithRBPolicies.add(RangerAPIList.CREATE_X_PERM_MAP); + apiAssociatedWithRBPolicies.add(RangerAPIList.DELETE_X_AUDIT_MAP); + apiAssociatedWithRBPolicies.add(RangerAPIList.DELETE_X_PERM_MAP); + apiAssociatedWithRBPolicies.add(RangerAPIList.GET_X_AUDIT_MAP); + apiAssociatedWithRBPolicies.add(RangerAPIList.GET_X_GROUP); + apiAssociatedWithRBPolicies.add(RangerAPIList.GET_X_GROUP_BY_GROUP_NAME); + apiAssociatedWithRBPolicies.add(RangerAPIList.GET_X_GROUP_GROUP); + apiAssociatedWithRBPolicies.add(RangerAPIList.GET_X_GROUP_USER); + apiAssociatedWithRBPolicies.add(RangerAPIList.GET_X_GROUP_USERS); + apiAssociatedWithRBPolicies.add(RangerAPIList.GET_X_PERM_MAP); + apiAssociatedWithRBPolicies.add(RangerAPIList.GET_X_USER); + apiAssociatedWithRBPolicies.add(RangerAPIList.GET_X_USER_BY_USER_NAME); + apiAssociatedWithRBPolicies.add(RangerAPIList.GET_X_USER_GROUPS); + apiAssociatedWithRBPolicies.add(RangerAPIList.MODIFY_GROUPS_VISIBILITY); + apiAssociatedWithRBPolicies.add(RangerAPIList.MODIFY_USER_ACTIVE_STATUS); + apiAssociatedWithRBPolicies.add(RangerAPIList.MODIFY_USER_VISIBILITY); + apiAssociatedWithRBPolicies.add(RangerAPIList.SEARCH_X_AUDIT_MAPS); + apiAssociatedWithRBPolicies.add(RangerAPIList.SEARCH_X_GROUP_GROUPS); + apiAssociatedWithRBPolicies.add(RangerAPIList.SEARCH_X_GROUPS); + apiAssociatedWithRBPolicies.add(RangerAPIList.SEARCH_X_GROUP_USERS); + 
apiAssociatedWithRBPolicies.add(RangerAPIList.SEARCH_X_PERM_MAPS); + apiAssociatedWithRBPolicies.add(RangerAPIList.SEARCH_X_USERS); + apiAssociatedWithRBPolicies.add(RangerAPIList.SECURE_GET_X_GROUP); + apiAssociatedWithRBPolicies.add(RangerAPIList.SECURE_GET_X_USER); + apiAssociatedWithRBPolicies.add(RangerAPIList.UPDATE_X_AUDIT_MAP); + apiAssociatedWithRBPolicies.add(RangerAPIList.UPDATE_X_PERM_MAP); + + apiAssociatedWithRBPolicies.add(RangerAPIList.CREATE); + apiAssociatedWithRBPolicies.add(RangerAPIList.CREATE_DEFAULT_ACCOUNT_USER); + apiAssociatedWithRBPolicies.add(RangerAPIList.UPDATE); + apiAssociatedWithRBPolicies.add(RangerAPIList.SET_USER_ROLES); + apiAssociatedWithRBPolicies.add(RangerAPIList.DEACTIVATE_USER); + + rangerAPIMappingWithUI.put(TAB_RESOURCE_BASED_POLICIES, apiAssociatedWithRBPolicies); + + for (String api : apiAssociatedWithRBPolicies) { + if (mapApiToTabs.get(api) == null) { + mapApiToTabs.put(api, new HashSet()); + } + mapApiToTabs.get(api).add(TAB_RESOURCE_BASED_POLICIES); + } + } + + // * Utility methods starts from here, to retrieve API-UItab mapping information * + + public Set getAvailableUITabs() { + if (CollectionUtils.isEmpty(tabList)) { + populateAvailableUITabs(); + } + return tabList; + } + + /** + * @param apiName + * @return + * + * @Note: apiName being passed to this function should strictly follow this format: {ClassName}.{apiMethodName} and also API should be listed into + * RangerAPIList and should be mapped properly with UI tabs in the current class. + */ + public Set getAssociatedTabsWithAPI(String apiName) { + Set associatedTabs = mapApiToTabs.get(apiName); + return associatedTabs; + } +} diff --git a/security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java b/security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java new file mode 100644 index 00000000000..6d132e6c751 --- /dev/null 
+++ b/security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java 
@@ -0,0 +1,93 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.security.context;
+
+import java.util.List;
+import java.util.Set;
+
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.log4j.Logger;
+import org.apache.ranger.common.ContextUtil;
+import org.apache.ranger.common.MessageEnums;
+import org.apache.ranger.common.RESTErrorUtil;
+import org.apache.ranger.common.UserSessionBase;
+import org.apache.ranger.db.RangerDaoManager;
+import org.apache.ranger.entity.XXUser;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+@Component("rangerPreAuthSecurityHandler")
+public class RangerPreAuthSecurityHandler {
+ Logger logger = Logger.getLogger(RangerPreAuthSecurityHandler.class);
+
+ @Autowired
+ RangerDaoManager daoManager;
+
+ @Autowired
+ RESTErrorUtil restErrorUtil;
+
+ @Autowired
+ RangerAPIMapping rangerAPIMapping;
+
+ public boolean isAPIAccessible(String methodName) throws Exception {
+
+ if (methodName == null) {
+ return false;
+ }
+
+ UserSessionBase userSession = ContextUtil.getCurrentUserSession();
+ if (userSession == null) {
+
logger.warn("WARNING: UserSession found null. Some non-authorized user might be trying to access the API."); + return false; + } + + if (userSession.isUserAdmin()) { + if (logger.isDebugEnabled()) { + logger.debug("WARNING: Logged in user is System Admin, System Admin is allowed to access all the tabs except Key Manager." + + "Reason for returning true is, In few cases system admin needs to have access on Key Manager tabs as well."); + } + return true; + } + + Set associatedTabs = rangerAPIMapping.getAssociatedTabsWithAPI(methodName); + if (CollectionUtils.isEmpty(associatedTabs)) { + return true; + } + return isAPIAccessible(associatedTabs); + } + + public boolean isAPIAccessible(Set associatedTabs) throws Exception { + + XXUser xUser = daoManager.getXXUser().findByUserName(ContextUtil.getCurrentUserLoginId()); + if (xUser == null) { + restErrorUtil.createRESTException("x_user cannot be null.", MessageEnums.ERROR_SYSTEM); + } + + List accessibleModules = daoManager.getXXModuleDef().findAccessibleModulesByUserId(ContextUtil.getCurrentUserId(), xUser.getId()); + if (CollectionUtils.containsAny(accessibleModules, associatedTabs)) { + return true; + } + + throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "User is not allowed to access the API", true); + } + +} diff --git a/security-admin/src/main/java/org/apache/ranger/service/XAuditMapService.java b/security-admin/src/main/java/org/apache/ranger/service/XAuditMapService.java index 1f48c8636cd..349ddbd6c90 100644 --- a/security-admin/src/main/java/org/apache/ranger/service/XAuditMapService.java +++ b/security-admin/src/main/java/org/apache/ranger/service/XAuditMapService.java 
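Review bot: In `isAPIAccessible(Set associatedTabs)` the `xUser == null` branch builds the REST exception but never throws it — `restErrorUtil.createRESTException(...)` is evaluated as a bare statement, so control falls through to `xUser.getId()` and the caller sees a NullPointerException instead of the intended error; the line should read `throw restErrorUtil.createRESTException("x_user cannot be null.", MessageEnums.ERROR_SYSTEM);`. In the String overload, an API with no tab mapping (`CollectionUtils.isEmpty(associatedTabs)` → `return true`) is granted to every logged-in user, so an endpoint added to the REST layer but not registered in RangerAPIMapping bypasses the module check entirely; if that fail-open default is deliberate it deserves a comment such as `// unmapped APIs are not restricted by module permissions`, otherwise the branch should return false. The two overloads also signal a rejection differently (false vs. a thrown 403), and the debug message on the admin path is prefixed "WARNING:" although it describes the normal allow case.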
@@ -24,16 +24,23 @@ import java.util.HashMap; import java.util.List; +import org.apache.ranger.biz.RangerBizUtil; import org.apache.ranger.common.AppConstants; +import org.apache.ranger.common.ContextUtil; +import org.apache.ranger.common.SearchCriteria; import org.apache.ranger.common.SearchField; +import org.apache.ranger.common.UserSessionBase; import org.apache.ranger.common.view.VTrxLogAttr; import org.apache.ranger.db.RangerDaoManager; import org.apache.ranger.entity.XXAuditMap; import org.apache.ranger.entity.XXPortalUser; +import org.apache.ranger.entity.XXResource; import org.apache.ranger.entity.XXTrxLog; import org.apache.ranger.entity.XXUser; import org.apache.ranger.util.RangerEnumUtil; import org.apache.ranger.view.VXAuditMap; +import org.apache.ranger.view.VXAuditMapList; +import org.apache.ranger.view.VXResponse; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Scope; import org.springframework.stereotype.Service; @@ -48,6 +55,12 @@ public class XAuditMapService extends @Autowired RangerDaoManager rangerDaoManager; + + @Autowired + RangerBizUtil rangerBizUtil; + + @Autowired + XResourceService xResourceService; static HashMap trxLogAttrs = new HashMap(); static { 
@@ -186,4 +199,51 @@ protected VXAuditMap mapEntityToViewBean(VXAuditMap vObj, XXAuditMap mObj) {
 }
 return vObj;
 }
+
+ @Override
+ public VXAuditMapList searchXAuditMaps(SearchCriteria searchCriteria) {
+
+ VXAuditMapList returnList;
+ UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession();
+ // If user is system admin
+ if (currentUserSession.isUserAdmin()) {
+ returnList = super.searchXAuditMaps(searchCriteria);
+ } else {
+ returnList = new VXAuditMapList();
+ int startIndex = searchCriteria.getStartIndex();
+ int pageSize = searchCriteria.getMaxRows();
+ searchCriteria.setStartIndex(0);
+ searchCriteria.setMaxRows(Integer.MAX_VALUE);
+ List resultList = (List) searchResources(searchCriteria, searchFields, sortFields, returnList);
+
+ List adminAuditResourceList = new ArrayList();
+ for (XXAuditMap xXAuditMap : resultList) {
+ XXResource xRes = daoManager.getXXResource().getById(xXAuditMap.getResourceId());
+ VXResponse vXResponse = rangerBizUtil.hasPermission(xResourceService.populateViewBean(xRes), AppConstants.XA_PERM_TYPE_ADMIN);
+ if (vXResponse.getStatusCode() == VXResponse.STATUS_SUCCESS) {
+ adminAuditResourceList.add(xXAuditMap);
+ }
+ }
+
+ if (adminAuditResourceList.size() > 0) {
+ populatePageList(adminAuditResourceList, startIndex, pageSize, returnList);
+ }
+ }
+
+ return returnList;
+ }
+
+ private void populatePageList(List auditMapList, int startIndex, int pageSize, VXAuditMapList vxAuditMapList) {
+ List onePageList = new ArrayList();
+ for (int i = startIndex; i < pageSize + startIndex && i < auditMapList.size(); i++) {
+ VXAuditMap vXAuditMap = populateViewBean(auditMapList.get(i));
+ onePageList.add(vXAuditMap);
+ }
+ vxAuditMapList.setVXAuditMaps(onePageList);
+ vxAuditMapList.setStartIndex(startIndex);
+ vxAuditMapList.setPageSize(pageSize);
+ vxAuditMapList.setResultSize(onePageList.size());
+ vxAuditMapList.setTotalCount(auditMapList.size());
+ }
+
 }
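Review bot: `searchXAuditMaps` dereferences `ContextUtil.getCurrentUserSession()` without a null check, although RangerPreAuthSecurityHandler in this same patch treats a null session as a reachable case; guard it with `if (currentUserSession != null && currentUserSession.isUserAdmin()) {` and decide explicitly what a session-less caller gets. The non-admin branch also mutates the caller's `searchCriteria` (start index 0, max rows `Integer.MAX_VALUE`) and never restores it, so a reused criteria object silently loses its paging; adding `searchCriteria.setStartIndex(startIndex); searchCriteria.setMaxRows(pageSize);` after the `searchResources` call fixes that. That branch further loads every matching row and performs one `getXXResource().getById` plus one `hasPermission` evaluation per row, so on a large table a single request becomes an unbounded scan with an N+1 query pattern — the admin filter would need to move into the query to bound this. `populatePageList` computes `pageSize + startIndex`, which overflows if a caller passes `Integer.MAX_VALUE` as max rows and then skips the loop entirely. The same issues apply to the `searchXPermMaps` hunk of XPermMapService.java.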
diff --git a/security-admin/src/main/java/org/apache/ranger/service/XPermMapService.java b/security-admin/src/main/java/org/apache/ranger/service/XPermMapService.java index 7e5eb10612d..6d961070b9d 100644 --- a/security-admin/src/main/java/org/apache/ranger/service/XPermMapService.java +++ b/security-admin/src/main/java/org/apache/ranger/service/XPermMapService.java @@ -24,20 +24,25 @@ import java.util.HashMap; import java.util.List; +import org.apache.ranger.biz.RangerBizUtil; import org.apache.ranger.common.AppConstants; +import org.apache.ranger.common.ContextUtil; import org.apache.ranger.common.SearchCriteria; import org.apache.ranger.common.SearchField; +import org.apache.ranger.common.UserSessionBase; import org.apache.ranger.common.view.VTrxLogAttr; import org.apache.ranger.db.RangerDaoManager; import org.apache.ranger.entity.XXGroup; import org.apache.ranger.entity.XXPermMap; import org.apache.ranger.entity.XXPortalUser; +import org.apache.ranger.entity.XXResource; import org.apache.ranger.entity.XXTrxLog; import org.apache.ranger.entity.XXUser; import org.apache.ranger.util.RangerEnumUtil; import org.apache.ranger.view.VXGroup; import org.apache.ranger.view.VXPermMap; import org.apache.ranger.view.VXPermMapList; +import org.apache.ranger.view.VXResponse; import org.apache.ranger.view.VXUser; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Scope; @@ -59,6 +64,12 @@ public class XPermMapService extends XPermMapServiceBase { @Autowired RangerDaoManager rangerDaoManager; + @Autowired + RangerBizUtil rangerBizUtil; + + @Autowired + XResourceService xResourceService; + static HashMap trxLogAttrs = new HashMap(); static { // trxLogAttrs.put("groupId", new VTrxLogAttr("groupId", "Group Permission", false)); 
@@ -112,19 +123,48 @@ public VXPermMap populateViewBean(XXPermMap xXPermMap){
 @Override
 public VXPermMapList searchXPermMaps(SearchCriteria searchCriteria) {
- VXPermMapList vXPermMapList = super.searchXPermMaps(searchCriteria);
- if(vXPermMapList != null && vXPermMapList.getResultSize() != 0){
- for(VXPermMap vXPermMap : vXPermMapList.getVXPermMaps()){
- if(vXPermMap.getPermFor() == AppConstants.XA_PERM_FOR_GROUP) {
- String groupName = getGroupName(vXPermMap.getGroupId());
- vXPermMap.setGroupName(groupName);
- } else if(vXPermMap.getPermFor() == AppConstants.XA_PERM_FOR_USER) {
- String username = getUserName(vXPermMap.getUserId());
- vXPermMap.setUserName(username);
+
+
+ VXPermMapList returnList;
+ UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession();
+ // If user is system admin
+ if (currentUserSession.isUserAdmin()) {
+ returnList = super.searchXPermMaps(searchCriteria);
+ } else {
+ returnList = new VXPermMapList();
+ int startIndex = searchCriteria.getStartIndex();
+ int pageSize = searchCriteria.getMaxRows();
+ searchCriteria.setStartIndex(0);
+ searchCriteria.setMaxRows(Integer.MAX_VALUE);
+ List resultList = (List) searchResources(searchCriteria, searchFields, sortFields, returnList);
+
+ List adminPermResourceList = new ArrayList();
+ for (XXPermMap xXPermMap : resultList) {
+ XXResource xRes = daoManager.getXXResource().getById(xXPermMap.getResourceId());
+ VXResponse vXResponse = rangerBizUtil.hasPermission(xResourceService.populateViewBean(xRes), AppConstants.XA_PERM_TYPE_ADMIN);
+ if (vXResponse.getStatusCode() == VXResponse.STATUS_SUCCESS) {
+ adminPermResourceList.add(xXPermMap);
 }
 }
+
+ if (adminPermResourceList.size() > 0) {
+ populatePageList(adminPermResourceList, startIndex, pageSize, returnList);
+ }
+ }
+ return returnList;
+ }
+
+ private void populatePageList(List permMapList, int startIndex, int pageSize, VXPermMapList vxPermMapList) {
+ List onePageList = new ArrayList();
+ for (int i = startIndex; i < pageSize + startIndex && i < permMapList.size(); i++) {
+ VXPermMap vXPermMap = populateViewBean(permMapList.get(i));
+ onePageList.add(vXPermMap);
 }
- return vXPermMapList;
+ vxPermMapList.setVXPermMaps(onePageList);
+ vxPermMapList.setStartIndex(startIndex);
+ vxPermMapList.setPageSize(pageSize);
+ vxPermMapList.setResultSize(onePageList.size());
+ vxPermMapList.setTotalCount(permMapList.size());
 }
 public String getGroupName(Long groupId){
diff --git a/security-admin/src/main/java/org/apache/ranger/service/XResourceService.java b/security-admin/src/main/java/org/apache/ranger/service/XResourceService.java
index fa6679a1214..28e92820ea1 100644
--- a/security-admin/src/main/java/org/apache/ranger/service/XResourceService.java
+++ b/security-admin/src/main/java/org/apache/ranger/service/XResourceService.java
@@ -43,6 +43,7 @@ import org.apache.ranger.common.view.VTrxLogAttr;
 import org.apache.ranger.db.RangerDaoManager;
 import org.apache.ranger.entity.XXAsset;
+import org.apache.ranger.entity.XXAuditMap;
 import org.apache.ranger.entity.XXGroup;
 import org.apache.ranger.entity.XXPermMap;
 import org.apache.ranger.entity.XXPortalUser;
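Review bot: The removed loop that filled `groupName`/`userName` through `getGroupName`/`getUserName` is not re-applied on either new path — the admin branch returns `super.searchXPermMaps(searchCriteria)` as-is and the non-admin branch only goes through `populateViewBean` in `populatePageList` — so unless `populateViewBean` (only its signature is visible in the hunk header) already sets both names, every caller of `searchXPermMaps` now receives maps without them. Since the old code ran that enrichment after the base search, it looks like `populateViewBean` did not provide it; either confirm that it does or re-apply the loop to `returnList` before `return returnList;`. `getGroupName`/`getUserName` remain defined just below, which suggests they were still expected to be used here.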
@@ -345,25 +346,25 @@ private void populateAssetProperties(VXResource vXResource) {
 }
 private void populateAuditList(VXResource vXResource) {
- SearchCriteria searchCriteria = new SearchCriteria();
- searchCriteria.addParam("resourceId", vXResource.getId());
- VXAuditMapList vXAuditMapList = xAuditMapService
- .searchXAuditMaps(searchCriteria);
- if (vXAuditMapList != null && vXAuditMapList.getResultSize() != 0) {
- List auditMapList = vXAuditMapList.getList();
- vXResource.setAuditList(auditMapList);
+
+ List xAuditMapList = daoManager.getXXAuditMap().findByResourceId(vXResource.getId());
+ List vXAuditMapList = new ArrayList();
+
+ for (XXAuditMap xAuditMap : xAuditMapList) {
+ vXAuditMapList.add(xAuditMapService.populateViewBean(xAuditMap));
 }
+ vXResource.setAuditList(vXAuditMapList);
 }
 private void populatePermList(VXResource vXResource) {
- SearchCriteria searchCriteria = new SearchCriteria();
- searchCriteria.addParam("resourceId", vXResource.getId());
- VXPermMapList vXPermMapList = xPermMapService
- .searchXPermMaps(searchCriteria);
- if (vXPermMapList != null && vXPermMapList.getResultSize() != 0) {
- List permMapList = vXPermMapList.getList();
- vXResource.setPermMapList(permMapList);
- }
+
+ List xPermMapList = daoManager.getXXPermMap().findByResourceId(vXResource.getId());
+ List vXPermMapList = new ArrayList();
+
+ for (XXPermMap xPermMap : xPermMapList) {
+ vXPermMapList.add(xPermMapService.populateViewBean(xPermMap));
+ }
+ vXResource.setPermMapList(vXPermMapList);
 }
 @Override
diff --git a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
index 7761756493a..ac4c753853b 100644
--- a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
+++ b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
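Review bot: `populateAuditList` and `populatePermList` now read `findByResourceId` directly from the DAO instead of going through `searchXAuditMaps`/`searchXPermMaps`, which in this same patch gained a per-resource admin-permission filter for non-admin users; the resource view therefore carries every audit and permission mapping regardless of that filter, presumably because the caller is already authorized for the resource it holds, but that assumption should be written down, e.g. `// reads the DAO directly: the search-level admin filter is intentionally bypassed for a resource the caller already holds`. Whether `findByResourceId` can return null for a resource with no mappings is not visible here; if it can, both for-each loops need a null guard. The old code only assigned the list when the search returned rows, while the new code always assigns a possibly empty list, which is a behaviour change for any caller that distinguishes null from empty.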
@@ -172,6 +172,11 @@ + + SELECT obj.parentGroupId FROM XXGroupUser obj WHERE obj.userId=:xUserId + + + SELECT obj FROM XXTrxLog obj WHERE obj.transactionId = :transactionId @@ -522,6 +527,20 @@ + + SELECT obj.module FROM XXModuleDef obj + WHERE obj.id in (SELECT userPerm.moduleId FROM XXUserPermission userPerm WHERE userPerm.userId=:portalUserId and userPerm.isAllowed=:isAllowed) + OR obj.id in (SELECT grpPerm.moduleId FROM XXGroupPermission grpPerm WHERE + grpPerm.groupId IN (SELECT grpUser.parentGroupId FROM XXGroupUser grpUser WHERE grpUser.userId=:xUserId) and grpPerm.isAllowed=:isAllowed) + + + + + select obj.module from XXModuleDef obj, XXGroupPermission grpPerm where + grpPerm.groupId IN :grpIdList and grpPerm.moduleId = obj.id and grpPerm.isAllowed = :isAllowed + + + SELECT distinct gmp FROM XXGroupUser xgu,XXUser xu,XXGroupPermission gmp, XXPortalUser xpu WHERE xu.name=xpu.loginId and xu.id=xgu.userId and xgu.parentGroupId=gmp.groupId and diff --git a/security-admin/src/main/resources/conf.dist/security-applicationContext.xml b/security-admin/src/main/resources/conf.dist/security-applicationContext.xml index a64880979f2..480e6cd391f 100644 --- a/security-admin/src/main/resources/conf.dist/security-applicationContext.xml +++ b/security-admin/src/main/resources/conf.dist/security-applicationContext.xml @@ -155,6 +155,8 @@ http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd"> + + diff --git a/security-admin/src/test/java/org/apache/ranger/audit/TestAuditQueue.java b/security-admin/src/test/java/org/apache/ranger/audit/TestAuditQueue.java index 021c49aca7b..f09da53283a 100644 --- a/security-admin/src/test/java/org/apache/ranger/audit/TestAuditQueue.java +++ b/security-admin/src/test/java/org/apache/ranger/audit/TestAuditQueue.java 
@@ -44,6 +44,7 @@ import org.apache.ranger.audit.queue.AuditSummaryQueue; import org.junit.AfterClass; import org.junit.BeforeClass; +import org.junit.Ignore; import org.junit.Test; public class TestAuditQueue { @@ -173,7 +174,7 @@ private void commonTestSummary(TestConsumer testConsumer, assertEquals(messageToSend, testConsumer.getSumTotal()); assertEquals(countToCheck, testConsumer.getCountTotal()); } - + @Ignore("Junit breakage: RANGER-630") // TODO @Test public void testAuditSummaryByInfra() { logger.debug("testAuditSummaryByInfra()..."); diff --git a/security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java b/security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java index e18e51c7fa3..479dfde7696 100644 --- a/security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java +++ b/security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java @@ -167,9 +167,9 @@ public void test11CreateUser() { XXPortalUser dbxxPortalUser = userMgr.createUser(userProfile, 1, userRoleList); + Assert.assertNotNull(dbxxPortalUser); userId = dbxxPortalUser.getId(); - Assert.assertNotNull(dbxxPortalUser); Assert.assertEquals(userId, dbxxPortalUser.getId()); Assert.assertEquals(userProfile.getFirstName(), dbxxPortalUser.getFirstName()); @@ -243,7 +243,7 @@ public void test12CreateUser() { @Test public void test15ChangePassword() { - + setup(); XXPortalUserDao userDao = Mockito.mock(XXPortalUserDao.class); VXPortalUser userProfile = userProfile(); @@ -282,7 +282,7 @@ public void test15ChangePassword() { @Test public void test16GetEmailAddress() { - + setup(); VXPortalUser userProfile = userProfile(); XXPortalUser user = new XXPortalUser(); @@ -326,7 +326,7 @@ public void test16GetEmailAddress() { @Test public void test17ValidateEmailAddress() { - + setup(); VXPortalUser userProfile = userProfile(); XXPortalUser user = new XXPortalUser(); 
@@ -447,6 +447,7 @@ public void test21CreateUser() { @Test public void test22CreateDefaultAccountUser() { + setup(); XXPortalUserDao userDao = Mockito.mock(XXPortalUserDao.class); XXPortalUserRoleDao roleDao = Mockito.mock(XXPortalUserRoleDao.class); VXPortalUser userProfile = userProfile(); @@ -505,6 +506,7 @@ public void test23IsUserInRole() { @Test public void test24UpdateUserWithPass() { + setup(); XXPortalUserDao userDao = Mockito.mock(XXPortalUserDao.class); VXPortalUser userProfile = userProfile(); @@ -615,6 +617,7 @@ public void test27GetRolesForUser() { @Test public void test28DeleteUserRole() { + setup(); XXPortalUserRoleDao roleDao = Mockito.mock(XXPortalUserRoleDao.class); XXPortalUserRole XXPortalUserRole = new XXPortalUserRole(); @@ -634,6 +637,7 @@ public void test28DeleteUserRole() { @Test public void test29DeactivateUser() { + setup(); XXPortalUserDao userDao = Mockito.mock(XXPortalUserDao.class); XXPortalUserRoleDao roleDao = Mockito.mock(XXPortalUserRoleDao.class); XXUserPermissionDao xUserPermissionDao = Mockito @@ -832,7 +836,7 @@ public void test32getUserProfileByLoginId() { Mockito.verify(daoManager).getXXPortalUser(); } - + @Ignore("Junit breakage: RANGER-526") // TODO @Test public void test33setUserRoles() { XXPortalUserRoleDao xPortalUserRoleDao = Mockito.mock(XXPortalUserRoleDao.class); diff --git a/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java b/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java index bb74bb87d2f..ab149ad1b53 100644 --- a/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java +++ b/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java @@ -480,6 +480,7 @@ public void test20ModifyGroupsVisibilitySetEmpty() { @Test public void test21createXGroupUser() { + setup(); VXGroupUser vxGroupUser = new VXGroupUser(); vxGroupUser.setId(userId); vxGroupUser.setName("group user test"); 
@@ -557,6 +558,7 @@ public void test24GetXUserByUserName() { @Test public void test25CreateXUserWithOutLogin() { + setup(); VXUser vxUser = vxUser(); Mockito.when(xUserService.createXUserWithOutLogin(vxUser)).thenReturn( @@ -576,7 +578,7 @@ public void test25CreateXUserWithOutLogin() { @Test public void test26CreateXGroupWithoutLogin() { - + setup(); VXGroup vXGroup = new VXGroup(); vXGroup.setId(userId); vXGroup.setDescription("group test"); @@ -597,6 +599,7 @@ public void test26CreateXGroupWithoutLogin() { @Test public void test27DeleteXGroup() { + setup(); XXGroupDao xxGroupDao = Mockito.mock(XXGroupDao.class); VXGroupUserList vxGroupUserList = new VXGroupUserList(); @@ -616,6 +619,7 @@ public void test27DeleteXGroup() { @Test public void test28DeleteXUser() { + setup(); XXGroupUserDao xxGroupDao = Mockito.mock(XXGroupUserDao.class); XXUserDao xxUserDao = Mockito.mock(XXUserDao.class); VXGroupUserList vxGroupUserList = new VXGroupUserList(); @@ -637,6 +641,7 @@ public void test28DeleteXUser() { @Test public void test29deleteXGroupAndXUser() { + setup(); VXUser vxUser = vxUser(); VXGroup vxGroup = new VXGroup(); VXGroupUserList vxGroupUserList = new VXGroupUserList(); @@ -661,7 +666,7 @@ public void test29deleteXGroupAndXUser() { @Test public void test30CreateVXUserGroupInfo() { - + setup(); VXUserGroupInfo vXUserGroupInfo = new VXUserGroupInfo(); VXUser vXUser = new VXUser(); vXUser.setName("user1"); diff --git a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java index e7324a12a1b..f728c58dbee 100644 --- a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java +++ b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java 
@@ -927,7 +927,7 @@ public void test23getServicePoliciesByName() throws Exception { svcStore.getPaginatedServicePolicies(rangerPolicy.getName(), filter)).thenReturn(ret); - RangerPolicyList dbRangerPolicy = serviceREST.getServicePolicies( + RangerPolicyList dbRangerPolicy = serviceREST.getServicePoliciesByName( rangerPolicy.getName(), request); Assert.assertNotNull(dbRangerPolicy); } From b82ff28f153cc339c90ed0e696e745d8367ac176 Mon Sep 17 00:00:00 2001 From: Alok Lal Date: Tue, 15 Sep 2015 23:02:23 -0700 Subject: [PATCH 053/202] Revert "RANGER-632 Added validation error msg on Ranger UI in service/policy create page and also added pause option in bootstrap-notify plugin." This reverts commit 97453ff07cad0b7e73f645e22fb543b427680973. --- .../bootstrap-notify/js/bootstrap-notify.js | 44 +++---------------- .../src/main/webapp/scripts/utils/XAUtils.js | 26 +---------- .../views/policies/RangerPolicyCreate.js | 12 ++--- .../scripts/views/service/ServiceCreate.js | 23 +++++++--- security-admin/src/main/webapp/styles/xa.css | 5 --- 5 files changed, 30 insertions(+), 80 deletions(-) diff --git a/security-admin/src/main/webapp/libs/bower/bootstrap-notify/js/bootstrap-notify.js b/security-admin/src/main/webapp/libs/bower/bootstrap-notify/js/bootstrap-notify.js index ba309e210bc..e58c6c50ab0 100644 --- a/security-admin/src/main/webapp/libs/bower/bootstrap-notify/js/bootstrap-notify.js +++ b/security-admin/src/main/webapp/libs/bower/bootstrap-notify/js/bootstrap-notify.js @@ -47,21 +47,13 @@ this.$note.text(this.options.message.text); } else this.$note.html(this.options.message); - - var style = this.options.type == 'error' ? 'color:#a94442' : 'color:#3c763d'; - + if(this.options.closable) { - var link = $('×'); + var link = $('×'); $(link).on('click', $.proxy(onClose, this)); this.$note.prepend(link); } - if(this.options.pausable) { - var pauseLink = $(''); - $(pauseLink).on('click', $.proxy(onPause, this)); - this.$note.prepend(pauseLink); - - } return this; }; 
@@ -72,31 +64,10 @@ return false; }; - var onPause = function() { - if(this.$note.find('.pause').is(':visible')){ - clearInterval(this.clearNotifyInterval) - this.$note.find('.pause').hide() - this.$note.find('.play').show() - }else{ - setFadeOut(this) - this.$note.find('.pause').show() - this.$note.find('.play').hide() - } - return false; - }; - var setFadeOut = function(self){ - var that = self; - self.clearNotifyInterval = setTimeout(function() { - that.$note.fadeOut('slow', $.proxy(that.onClose, that)); - }, self.options.fadeOut.delay || 7000); - }; - Notification.prototype.show = function () { - var that = this; - if(this.options.fadeOut.enabled){ - setFadeOut(this) - } -// this.$note.delay(this.options.fadeOut.delay || 3000).fadeOut('slow', $.proxy(onClose, this)); + if(this.options.fadeOut.enabled) + this.$note.delay(this.options.fadeOut.delay || 3000).fadeOut('slow', $.proxy(onClose, this)); + this.$element.append(this.$note); this.$note.alert(); }; @@ -117,11 +88,10 @@ transition: 'fade', fadeOut: { enabled: true, - delay: 7000 + delay: 3000 }, message: null, onClose: function () {}, - onClosed: function () {}, - pausable: false + onClosed: function () {} } })(window.jQuery); diff --git a/security-admin/src/main/webapp/scripts/utils/XAUtils.js b/security-admin/src/main/webapp/scripts/utils/XAUtils.js index 3f52fb2990a..6d84d1cf7d9 100644 --- a/security-admin/src/main/webapp/scripts/utils/XAUtils.js +++ b/security-admin/src/main/webapp/scripts/utils/XAUtils.js @@ -194,8 +194,7 @@ define(function(require) { html : html, text : text }, - type : 'info', - pausable: true + type : 'info' }; } $('.top-right').notify(options).show(); @@ -221,8 +220,7 @@ define(function(require) { html : html, text : text }, - type : 'error', - pausable: true + type : 'error' }; } $('.top-right').notify(options).show(); @@ -248,7 +246,6 @@ define(function(require) { html : html }, type : 'success', - pausable: true }; } $('.top-right').notify(options).show(); 
@@ -1099,24 +1096,5 @@ define(function(require) { }) return {'userRoleList' : userRoleList }; }; - XAUtils.showErrorMsg = function(respMsg){ - var respArr = respMsg.split(/\([0-9]*\)/); - respArr.shift(); - _.each(respArr, function(str){ - var validationMsg = str.split(','), erroCodeMsg = ''; - //get code from string - if(!_.isUndefined(validationMsg[0]) && validationMsg[0].indexOf("error code") != -1){ - var tmp = validationMsg[0].split('error code'); - var code = tmp[ tmp.length - 1 ]; - - erroCodeMsg = 'Error Code : '+ code.match(/\d/g).join(''); - } - var reason = str.lastIndexOf("reason") != -1 ? (str.substring(str.lastIndexOf("reason")+7, str.indexOf("field[")-2 )) - : str; - var erroMsg = erroCodeMsg +"
"+XAUtils.capitaliseFirstLetter(reason); - return XAUtils.notifyError('Error', erroMsg); - }); - }; - return XAUtils; }); diff --git a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js index b07f9a2fe80..7370ee876eb 100644 --- a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js +++ b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js @@ -207,14 +207,10 @@ define(function(require){ App.appRouter.navigate("#!/service/"+that.rangerService.id+"/policies",{trigger: true}); console.log("success"); }, - error : function(model, response, options) { - XAUtil.blockUI('unblock'); - var msg = that.editPolicy ? 'Error updating policy.': 'Error creating policy.'; - if (response && response.responseJSON && response.responseJSON.msgDesc) { - XAUtil.showErrorMsg(response.responseJSON.msgDesc); - } else { - XAUtil.notifyError('Error', msg); - } + error: function (model, response, options) { + XAUtil.blockUI('unblock'); + XAUtil.notifyError('Error', 'Error creating Policy!'); + console.log("error"); } }); }, diff --git a/security-admin/src/main/webapp/scripts/views/service/ServiceCreate.js b/security-admin/src/main/webapp/scripts/views/service/ServiceCreate.js index 239b61e27a6..01141b642e2 100644 --- a/security-admin/src/main/webapp/scripts/views/service/ServiceCreate.js +++ b/security-admin/src/main/webapp/scripts/views/service/ServiceCreate.js 
@@ -164,12 +164,23 @@ define(function(require){ }, error: function (model, response, options) { XAUtil.blockUI('unblock'); - var msg = that.editService ? 'Error updating Service.': 'Error creating Service.'; - if (response && response.responseJSON && response.responseJSON.msgDesc) { - XAUtil.showErrorMsg(response.responseJSON.msgDesc); - } else { - XAUtil.notifyError('Error', msg); - } + if ( response && response.responseJSON && response.responseJSON.msgDesc){ + if(response.responseJSON.msgDesc == "serverMsg.fsDefaultNameValidationError"){ + that.form.fields.fsDefaultName.setError(localization.tt(response.responseJSON.msgDesc)); + XAUtil.scrollToField(that.form.fields.fsDefaultName.$el); + }else if(response.responseJSON.msgDesc == "Repository Name already exists"){ + response.responseJSON.msgDesc = "serverMsg.repositoryNameAlreadyExistsError"; + that.form.fields.name.setError(localization.tt(response.responseJSON.msgDesc)); + XAUtil.scrollToField(that.form.fields.name.$el); + }else if(response.responseJSON.msgDesc == "XUser already exists"){ + response.responseJSON.msgDesc = "serverMsg.userAlreadyExistsError"; + that.form.fields.userName.setError(localization.tt(response.responseJSON.msgDesc)); + XAUtil.scrollToField(that.form.fields.userName.$el); + }else + XAUtil.notifyError('Error', response.responseJSON.msgDesc); + }else + XAUtil.notifyError('Error', 'Error creating Service!'); + console.log("error"); } }); }, diff --git a/security-admin/src/main/webapp/styles/xa.css b/security-admin/src/main/webapp/styles/xa.css index f0c75307d6a..ceb1f538532 100644 --- a/security-admin/src/main/webapp/styles/xa.css +++ b/security-admin/src/main/webapp/styles/xa.css @@ -1838,9 +1838,4 @@ td.select-row-cell { #r_topNav .dropdown-menu { margin:0; -} -.pause-play-close{ - margin-left: -5px; - margin-top: -2px; - font-size: 11px; } \ No newline at end of file From 4f4be95a0eb0c3c922b6d2d2c28356c8e015160a Mon Sep 17 00:00:00 2001 
From: Gautam Borad Date: Wed, 16 Sep 2015 13:53:50 +0530 Subject: [PATCH 054/202] RANGER-632 : Added validation error msg on Ranger UI in service/policy create page and also added pause option in bootstrap-notify plugin. Signed-off-by: Velmurugan Periasamy --- .../bootstrap-notify/js/bootstrap-notify.js | 44 ++++++++++++++++--- .../src/main/webapp/scripts/utils/XAUtils.js | 26 ++++++++++- .../views/policies/RangerPolicyCreate.js | 12 +++-- .../scripts/views/service/ServiceCreate.js | 23 +++------- security-admin/src/main/webapp/styles/xa.css | 5 +++ 5 files changed, 80 insertions(+), 30 deletions(-) diff --git a/security-admin/src/main/webapp/libs/bower/bootstrap-notify/js/bootstrap-notify.js b/security-admin/src/main/webapp/libs/bower/bootstrap-notify/js/bootstrap-notify.js index e58c6c50ab0..ba309e210bc 100644 --- a/security-admin/src/main/webapp/libs/bower/bootstrap-notify/js/bootstrap-notify.js +++ b/security-admin/src/main/webapp/libs/bower/bootstrap-notify/js/bootstrap-notify.js @@ -47,13 +47,21 @@ this.$note.text(this.options.message.text); } else this.$note.html(this.options.message); - + + var style = this.options.type == 'error' ? 'color:#a94442' : 'color:#3c763d'; + if(this.options.closable) { - var link = $('×'); + var link = $('×'); $(link).on('click', $.proxy(onClose, this)); this.$note.prepend(link); } + if(this.options.pausable) { + var pauseLink = $(''); + $(pauseLink).on('click', $.proxy(onPause, this)); + this.$note.prepend(pauseLink); + + } return this; }; 
@@ -64,10 +72,31 @@ return false; }; + var onPause = function() { + if(this.$note.find('.pause').is(':visible')){ + clearInterval(this.clearNotifyInterval) + this.$note.find('.pause').hide() + this.$note.find('.play').show() + }else{ + setFadeOut(this) + this.$note.find('.pause').show() + this.$note.find('.play').hide() + } + return false; + }; + var setFadeOut = function(self){ + var that = self; + self.clearNotifyInterval = setTimeout(function() { + that.$note.fadeOut('slow', $.proxy(that.onClose, that)); + }, self.options.fadeOut.delay || 7000); + }; + Notification.prototype.show = function () { - if(this.options.fadeOut.enabled) - this.$note.delay(this.options.fadeOut.delay || 3000).fadeOut('slow', $.proxy(onClose, this)); - + var that = this; + if(this.options.fadeOut.enabled){ + setFadeOut(this) + } +// this.$note.delay(this.options.fadeOut.delay || 3000).fadeOut('slow', $.proxy(onClose, this)); this.$element.append(this.$note); this.$note.alert(); }; @@ -88,10 +117,11 @@ transition: 'fade', fadeOut: { enabled: true, - delay: 3000 + delay: 7000 }, message: null, onClose: function () {}, - onClosed: function () {} + onClosed: function () {}, + pausable: false } })(window.jQuery); diff --git a/security-admin/src/main/webapp/scripts/utils/XAUtils.js b/security-admin/src/main/webapp/scripts/utils/XAUtils.js index 6d84d1cf7d9..b8a061fda29 100644 --- a/security-admin/src/main/webapp/scripts/utils/XAUtils.js +++ b/security-admin/src/main/webapp/scripts/utils/XAUtils.js @@ -194,7 +194,8 @@ define(function(require) { html : html, text : text }, - type : 'info' + type : 'info', + pausable: true }; } $('.top-right').notify(options).show(); @@ -220,7 +221,8 @@ define(function(require) { html : html, text : text }, - type : 'error' + type : 'error', + pausable: true }; } $('.top-right').notify(options).show(); @@ -246,6 +248,7 @@ define(function(require) { html : html }, type : 'success', + pausable: true }; } $('.top-right').notify(options).show(); 
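Review bot: `onPause` cancels the timer with `clearInterval(this.clearNotifyInterval)` although `setFadeOut` created it with `setTimeout`; browsers share the handle space so it happens to work, but `clearTimeout(this.clearNotifyInterval)` says what is meant. `setFadeOut` also passes `$.proxy(that.onClose, that)` as the fadeOut callback, whereas the line it replaces (kept as a comment in `show`) used the module-local `onClose`; unless the Notification prototype defines an `onClose` member, that callback is undefined and the configured `onClosed` hook never runs, so `that.$note.fadeOut('slow', $.proxy(onClose, that));` looks like the intended line. The commented-out `show` line should be deleted rather than left in.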
@@ -1096,5 +1099,24 @@ define(function(require) { }) return {'userRoleList' : userRoleList }; }; + XAUtils.showErrorMsg = function(respMsg){ + var respArr = respMsg.split(/\([0-9]*\)/); + respArr.shift(); + _.each(respArr, function(str){ + var validationMsg = str.split(','), erroCodeMsg = ''; + //get code from string + if(!_.isUndefined(validationMsg[0]) && validationMsg[0].indexOf("error code") != -1){ + var tmp = validationMsg[0].split('error code'); + var code = tmp[ tmp.length - 1 ]; + + erroCodeMsg = 'Error Code : '+ code.match(/\d/g).join(''); + } + var reason = str.lastIndexOf("reason") != -1 ? (str.substring(str.lastIndexOf("reason")+7, str.indexOf("field[")-3 )) + : str; + var erroMsg = erroCodeMsg +"
"+XAUtils.capitaliseFirstLetter(reason); + return XAUtils.notifyError('Error', erroMsg); + }); + }; + return XAUtils; }); diff --git a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js index 7370ee876eb..b07f9a2fe80 100644 --- a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js +++ b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js @@ -207,10 +207,14 @@ define(function(require){ App.appRouter.navigate("#!/service/"+that.rangerService.id+"/policies",{trigger: true}); console.log("success"); }, - error: function (model, response, options) { - XAUtil.blockUI('unblock'); - XAUtil.notifyError('Error', 'Error creating Policy!'); - console.log("error"); + error : function(model, response, options) { + XAUtil.blockUI('unblock'); + var msg = that.editPolicy ? 'Error updating policy.': 'Error creating policy.'; + if (response && response.responseJSON && response.responseJSON.msgDesc) { + XAUtil.showErrorMsg(response.responseJSON.msgDesc); + } else { + XAUtil.notifyError('Error', msg); + } } }); }, diff --git a/security-admin/src/main/webapp/scripts/views/service/ServiceCreate.js b/security-admin/src/main/webapp/scripts/views/service/ServiceCreate.js index 01141b642e2..239b61e27a6 100644 --- a/security-admin/src/main/webapp/scripts/views/service/ServiceCreate.js +++ b/security-admin/src/main/webapp/scripts/views/service/ServiceCreate.js 
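Review bot: `showErrorMsg` passes `reason`, a substring of the server's `msgDesc`, into `notifyError`, and the notify options in the earlier XAUtils hunk carry the message as `html` (bootstrap-notify's first hunk calls `this.$note.html(...)` for non-text messages), so a server message that echoes user-supplied input such as a policy or service name appears to be rendered as markup rather than text; `XAUtils.capitaliseFirstLetter(_.escape(reason))` closes that. Separately, `str.indexOf("field[")` is -1 when that token is absent, and `str.substring(start, -4)` then returns the text before the reason instead of the reason itself; compute `var fieldIdx = str.indexOf("field[");` once and use `fieldIdx != -1 ? str.substring(start, fieldIdx - 3) : str.substring(start)`. The `return` inside `_.each` does not stop the loop, which is fine here but reads as if it does.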
@@ -164,23 +164,12 @@ define(function(require){ }, error: function (model, response, options) { XAUtil.blockUI('unblock'); - if ( response && response.responseJSON && response.responseJSON.msgDesc){ - if(response.responseJSON.msgDesc == "serverMsg.fsDefaultNameValidationError"){ - that.form.fields.fsDefaultName.setError(localization.tt(response.responseJSON.msgDesc)); - XAUtil.scrollToField(that.form.fields.fsDefaultName.$el); - }else if(response.responseJSON.msgDesc == "Repository Name already exists"){ - response.responseJSON.msgDesc = "serverMsg.repositoryNameAlreadyExistsError"; - that.form.fields.name.setError(localization.tt(response.responseJSON.msgDesc)); - XAUtil.scrollToField(that.form.fields.name.$el); - }else if(response.responseJSON.msgDesc == "XUser already exists"){ - response.responseJSON.msgDesc = "serverMsg.userAlreadyExistsError"; - that.form.fields.userName.setError(localization.tt(response.responseJSON.msgDesc)); - XAUtil.scrollToField(that.form.fields.userName.$el); - }else - XAUtil.notifyError('Error', response.responseJSON.msgDesc); - }else - XAUtil.notifyError('Error', 'Error creating Service!'); - console.log("error"); + var msg = that.editService ? 'Error updating Service.': 'Error creating Service.'; + if (response && response.responseJSON && response.responseJSON.msgDesc) { + XAUtil.showErrorMsg(response.responseJSON.msgDesc); + } else { + XAUtil.notifyError('Error', msg); + } } }); }, diff --git a/security-admin/src/main/webapp/styles/xa.css b/security-admin/src/main/webapp/styles/xa.css index ceb1f538532..f0c75307d6a 100644 --- a/security-admin/src/main/webapp/styles/xa.css +++ b/security-admin/src/main/webapp/styles/xa.css @@ -1838,4 +1838,9 @@ td.select-row-cell { #r_topNav .dropdown-menu { margin:0; +} +.pause-play-close{ + margin-left: -5px; + margin-top: -2px; + font-size: 11px; } \ No newline at end of file From bcd8ca10df60ca29e385ec050f3abd1237859fe3 Mon Sep 17 00:00:00 2001 
From: Gautam Borad Date: Fri, 18 Sep 2015 11:54:26 +0530 Subject: [PATCH 055/202] RANGER-653 : Delegated Admin check has been moved to Mgr level Signed-off-by: Velmurugan Periasamy --- .../java/org/apache/ranger/biz/XUserMgr.java | 106 ++++++++++++++++++ .../ranger/service/XAuditMapService.java | 43 +------ .../ranger/service/XPermMapService.java | 47 +------- 3 files changed, 108 insertions(+), 88 deletions(-) diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java index 2413afbf8b3..41bc6f84a8a 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java @@ -42,6 +42,7 @@ import org.apache.ranger.view.VXModuleDef; import org.apache.ranger.view.VXUserPermission; import org.apache.log4j.Logger; +import org.apache.ranger.common.AppConstants; import org.apache.ranger.common.MessageEnums; import org.apache.ranger.common.PropertiesUtil; import org.apache.ranger.common.RangerConstants; @@ -53,10 +54,12 @@ import org.apache.ranger.entity.XXGroup; import org.apache.ranger.entity.XXPermMap; import org.apache.ranger.entity.XXPortalUser; +import org.apache.ranger.entity.XXResource; import org.apache.ranger.entity.XXTrxLog; import org.apache.ranger.entity.XXUser; import org.apache.ranger.service.XGroupService; import org.apache.ranger.service.XUserService; +import org.apache.ranger.view.VXAuditMap; import org.apache.ranger.view.VXAuditMapList; import org.apache.ranger.view.VXGroup; import org.apache.ranger.view.VXGroupGroup; @@ -64,6 +67,7 @@ import org.apache.ranger.view.VXGroupUser; import org.apache.ranger.view.VXGroupUserList; import org.apache.ranger.view.VXLong; +import org.apache.ranger.view.VXPermMap; import org.apache.ranger.view.VXPermMapList; import org.apache.ranger.view.VXPortalUser; import org.apache.ranger.view.VXUser; 
@@ -1036,4 +1040,106 @@ public void checkAccess(String loginID) {
 }
 }
+ public VXPermMapList searchXPermMaps(SearchCriteria searchCriteria) {
+ VXPermMapList vXPermMapList = super.searchXPermMaps(searchCriteria);
+ return applyDelegatedAdminAccess(vXPermMapList, searchCriteria);
+ }
+
+ private VXPermMapList applyDelegatedAdminAccess(VXPermMapList vXPermMapList, SearchCriteria searchCriteria) {
+
+ VXPermMapList returnList;
+ UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession();
+ // If user is system admin
+ if (currentUserSession != null && currentUserSession.isUserAdmin()) {
+ returnList = super.searchXPermMaps(searchCriteria);
+ } else {
+ returnList = new VXPermMapList();
+ int startIndex = searchCriteria.getStartIndex();
+ int pageSize = searchCriteria.getMaxRows();
+ searchCriteria.setStartIndex(0);
+ searchCriteria.setMaxRows(Integer.MAX_VALUE);
+ List resultList = xPermMapService.searchXPermMaps(searchCriteria).getVXPermMaps();
+
+ List adminPermResourceList = new ArrayList();
+ for (VXPermMap xXPermMap : resultList) {
+ XXResource xRes = daoManager.getXXResource().getById(xXPermMap.getResourceId());
+ VXResponse vXResponse = msBizUtil.hasPermission(xResourceService.populateViewBean(xRes),
+ AppConstants.XA_PERM_TYPE_ADMIN);
+ if (vXResponse.getStatusCode() == VXResponse.STATUS_SUCCESS) {
+ adminPermResourceList.add(xXPermMap);
+ }
+ }
+
+ if (adminPermResourceList.size() > 0) {
+ populatePageList(adminPermResourceList, startIndex, pageSize, returnList);
+ }
+ }
+ return returnList;
+ }
+
+ private void populatePageList(List permMapList, int startIndex, int pageSize, VXPermMapList vxPermMapList) {
+ List onePageList = new ArrayList();
+ for (int i = startIndex; i < pageSize + startIndex && i < permMapList.size(); i++) {
+ VXPermMap vXPermMap = permMapList.get(i);
+ onePageList.add(vXPermMap);
+ }
+ vxPermMapList.setVXPermMaps(onePageList);
+ vxPermMapList.setStartIndex(startIndex);
+ vxPermMapList.setPageSize(pageSize);
+ vxPermMapList.setResultSize(onePageList.size());
+ vxPermMapList.setTotalCount(permMapList.size());
+ }
+
+ public VXAuditMapList searchXAuditMaps(SearchCriteria searchCriteria) {
+ VXAuditMapList vXAuditMapList = xAuditMapService.searchXAuditMaps(searchCriteria);
+ return applyDelegatedAdminAccess(vXAuditMapList, searchCriteria);
+ }
+
+ private VXAuditMapList applyDelegatedAdminAccess(VXAuditMapList vXAuditMapList, SearchCriteria searchCriteria) {
+
+ VXAuditMapList returnList;
+ UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession();
+ // If user is system admin
+ if (currentUserSession != null && currentUserSession.isUserAdmin()) {
+ returnList = super.searchXAuditMaps(searchCriteria);
+ } else {
+ returnList = new VXAuditMapList();
+ int startIndex = searchCriteria.getStartIndex();
+ int pageSize = searchCriteria.getMaxRows();
+ searchCriteria.setStartIndex(0);
+ searchCriteria.setMaxRows(Integer.MAX_VALUE);
+ List resultList = xAuditMapService.searchXAuditMaps(searchCriteria).getVXAuditMaps();
+
+ List adminAuditResourceList = new ArrayList();
+ for (VXAuditMap xXAuditMap : resultList) {
+ XXResource xRes = daoManager.getXXResource().getById(xXAuditMap.getResourceId());
+ VXResponse vXResponse = msBizUtil.hasPermission(xResourceService.populateViewBean(xRes),
+ AppConstants.XA_PERM_TYPE_ADMIN);
+ if (vXResponse.getStatusCode() == VXResponse.STATUS_SUCCESS) {
+ adminAuditResourceList.add(xXAuditMap);
+ }
+ }
+
+ if (adminAuditResourceList.size() > 0) {
+ populatePageList(adminAuditResourceList, startIndex, pageSize, returnList);
+ }
+ }
+
+ return returnList;
+ }
+
+ private void populatePageList(List auditMapList, int startIndex, int pageSize,
+ VXAuditMapList vxAuditMapList) {
+ List onePageList = new ArrayList();
+ for (int i = startIndex; i < pageSize + startIndex && i < auditMapList.size(); i++) {
+ VXAuditMap vXAuditMap = auditMapList.get(i);
+ onePageList.add(vXAuditMap);
+ }
+ vxAuditMapList.setVXAuditMaps(onePageList);
+ vxAuditMapList.setStartIndex(startIndex);
+ vxAuditMapList.setPageSize(pageSize);
+ vxAuditMapList.setResultSize(onePageList.size());
+ vxAuditMapList.setTotalCount(auditMapList.size());
+ }
+
 }
diff --git a/security-admin/src/main/java/org/apache/ranger/service/XAuditMapService.java b/security-admin/src/main/java/org/apache/ranger/service/XAuditMapService.java
index 349ddbd6c90..462b81acc17 100644
--- a/security-admin/src/main/java/org/apache/ranger/service/XAuditMapService.java
+++ b/security-admin/src/main/java/org/apache/ranger/service/XAuditMapService.java
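Review bot: `applyDelegatedAdminAccess` never reads its `vXPermMapList` argument: the admin branch calls `super.searchXPermMaps(searchCriteria)` a second time and the non-admin branch discards the first result as well, so every request runs the search twice; `returnList = vXPermMapList;` in the admin branch removes the duplicate. The audit variant has the same shape and is additionally inconsistent — `searchXAuditMaps` queries `xAuditMapService` first while its admin branch uses `super.searchXAuditMaps`. The non-admin branch also overwrites the caller's `searchCriteria` (`setStartIndex(0)`, `setMaxRows(Integer.MAX_VALUE)`) without restoring it, and then does one `getXXResource().getById` round-trip per row, which for a large mapping table is a noticeable cost on every non-admin listing. In both `populatePageList` methods `pageSize + startIndex` overflows when a client sends a very large maxRows, which silently yields an empty page; `Math.min((long) pageSize + startIndex, permMapList.size())` as the loop bound avoids that.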
@@ -202,48 +202,7 @@ protected VXAuditMap mapEntityToViewBean(VXAuditMap vObj, XXAuditMap mObj) {
 @Override
 public VXAuditMapList searchXAuditMaps(SearchCriteria searchCriteria) {
-
- VXAuditMapList returnList;
- UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession();
- // If user is system admin
- if (currentUserSession.isUserAdmin()) {
- returnList = super.searchXAuditMaps(searchCriteria);
- } else {
- returnList = new VXAuditMapList();
- int startIndex = searchCriteria.getStartIndex();
- int pageSize = searchCriteria.getMaxRows();
- searchCriteria.setStartIndex(0);
- searchCriteria.setMaxRows(Integer.MAX_VALUE);
- List resultList = (List) searchResources(searchCriteria, searchFields, sortFields, returnList);
-
- List adminAuditResourceList = new ArrayList();
- for (XXAuditMap xXAuditMap : resultList) {
- XXResource xRes = daoManager.getXXResource().getById(xXAuditMap.getResourceId());
- VXResponse vXResponse = rangerBizUtil.hasPermission(xResourceService.populateViewBean(xRes), AppConstants.XA_PERM_TYPE_ADMIN);
- if (vXResponse.getStatusCode() == VXResponse.STATUS_SUCCESS) {
- adminAuditResourceList.add(xXAuditMap);
- }
- }
-
- if (adminAuditResourceList.size() > 0) {
- populatePageList(adminAuditResourceList, startIndex, pageSize, returnList);
- }
- }
-
- return returnList;
- }
-
- private void populatePageList(List auditMapList, int startIndex, int pageSize, VXAuditMapList vxAuditMapList) {
- List onePageList = new ArrayList();
- for (int i = startIndex; i < pageSize + startIndex && i < auditMapList.size(); i++) {
- VXAuditMap vXAuditMap = populateViewBean(auditMapList.get(i));
- onePageList.add(vXAuditMap);
- }
- vxAuditMapList.setVXAuditMaps(onePageList);
- vxAuditMapList.setStartIndex(startIndex);
- vxAuditMapList.setPageSize(pageSize);
- vxAuditMapList.setResultSize(onePageList.size());
- vxAuditMapList.setTotalCount(auditMapList.size());
+ return super.searchXAuditMaps(searchCriteria);
 }
 }
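Review bot: With the delegated-admin filter removed, `XAuditMapService.searchXAuditMaps` now returns every audit mapping to whichever caller invokes it, and the same holds for `XPermMapService.searchXPermMaps` in the last hunk of this patch; the only scoping left lives in `XUserMgr`, so every REST path that previously relied on the service doing the check must now reach `XUserMgr.searchXAuditMaps` / `searchXPermMaps` instead of the service bean directly. Which callers exist is not visible in this diff, so that should be confirmed before merge. A one-line Javadoc on each override, `/** Unfiltered search; delegated-admin scoping is applied in XUserMgr. */`, would make the new contract explicit, and since both overrides now only forward to `super`, they could be removed outright.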
diff --git a/security-admin/src/main/java/org/apache/ranger/service/XPermMapService.java b/security-admin/src/main/java/org/apache/ranger/service/XPermMapService.java index 6d961070b9d..c20373d7a98 100644 --- a/security-admin/src/main/java/org/apache/ranger/service/XPermMapService.java +++ b/security-admin/src/main/java/org/apache/ranger/service/XPermMapService.java @@ -26,23 +26,19 @@ import org.apache.ranger.biz.RangerBizUtil; import org.apache.ranger.common.AppConstants; -import org.apache.ranger.common.ContextUtil; import org.apache.ranger.common.SearchCriteria; import org.apache.ranger.common.SearchField; -import org.apache.ranger.common.UserSessionBase; import org.apache.ranger.common.view.VTrxLogAttr; import org.apache.ranger.db.RangerDaoManager; import org.apache.ranger.entity.XXGroup; import org.apache.ranger.entity.XXPermMap; import org.apache.ranger.entity.XXPortalUser; -import org.apache.ranger.entity.XXResource; import org.apache.ranger.entity.XXTrxLog; import org.apache.ranger.entity.XXUser; import org.apache.ranger.util.RangerEnumUtil; import org.apache.ranger.view.VXGroup; import org.apache.ranger.view.VXPermMap; import org.apache.ranger.view.VXPermMapList; -import org.apache.ranger.view.VXResponse; import org.apache.ranger.view.VXUser; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Scope; 
@@ -123,48 +119,7 @@ public VXPermMap populateViewBean(XXPermMap xXPermMap){
 @Override
 public VXPermMapList searchXPermMaps(SearchCriteria searchCriteria) {
-
-
- VXPermMapList returnList;
- UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession();
- // If user is system admin
- if (currentUserSession.isUserAdmin()) {
- returnList = super.searchXPermMaps(searchCriteria);
- } else {
- returnList = new VXPermMapList();
- int startIndex = searchCriteria.getStartIndex();
- int pageSize = searchCriteria.getMaxRows();
- searchCriteria.setStartIndex(0);
- searchCriteria.setMaxRows(Integer.MAX_VALUE);
- List resultList = (List) searchResources(searchCriteria, searchFields, sortFields, returnList);
-
- List adminPermResourceList = new ArrayList();
- for (XXPermMap xXPermMap : resultList) {
- XXResource xRes = daoManager.getXXResource().getById(xXPermMap.getResourceId());
- VXResponse vXResponse = rangerBizUtil.hasPermission(xResourceService.populateViewBean(xRes), AppConstants.XA_PERM_TYPE_ADMIN);
- if (vXResponse.getStatusCode() == VXResponse.STATUS_SUCCESS) {
- adminPermResourceList.add(xXPermMap);
- }
- }
-
- if (adminPermResourceList.size() > 0) {
- populatePageList(adminPermResourceList, startIndex, pageSize, returnList);
- }
- }
- return returnList;
- }
-
- private void populatePageList(List permMapList, int startIndex, int pageSize, VXPermMapList vxPermMapList) {
- List onePageList = new ArrayList();
- for (int i = startIndex; i < pageSize + startIndex && i < permMapList.size(); i++) {
- VXPermMap vXPermMap = populateViewBean(permMapList.get(i));
- onePageList.add(vXPermMap);
- }
- vxPermMapList.setVXPermMaps(onePageList);
- vxPermMapList.setStartIndex(startIndex);
- vxPermMapList.setPageSize(pageSize);
- vxPermMapList.setResultSize(onePageList.size());
- vxPermMapList.setTotalCount(permMapList.size());
+ return super.searchXPermMaps(searchCriteria);
 }
 public String getGroupName(Long groupId){
From a551995e743156fc2fa2fe868a0d6aa85f5269cd Mon Sep 17 00:00:00 2001
From: Don Bosco Durai
Date: Fri, 18 Sep 2015 21:26:54 -0400
Subject: [PATCH 056/202] RANGER-654: Component process goes in a tight loop if audit destination is down
---
 .../apache/ranger/audit/queue/AuditBatchQueue.java | 2 +-
 .../apache/ranger/audit/queue/AuditFileSpool.java | 12 ++++++++++--
 .../org/apache/ranger/audit/queue/AuditQueue.java | 2 +-
 3 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditBatchQueue.java b/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditBatchQueue.java
index e625d16f1f2..f3a38dc1980 100644
--- a/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditBatchQueue.java
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditBatchQueue.java
@@ -241,7 +241,7 @@ public void runDoAs() {
 boolean fileSpoolDrain = false;
 try {
 if (fileSpoolerEnabled && fileSpooler.isPending()) {
- int percentUsed = (getMaxQueueSize() - queue.size()) * 100
+ int percentUsed = queue.size() * 100
 / getMaxQueueSize();
 long lastAttemptDelta = fileSpooler
 .getLastAttemptTimeDelta();
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditFileSpool.java b/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditFileSpool.java
index b83329a956a..bab496ce51d 100644
--- a/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditFileSpool.java
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditFileSpool.java
@@ -306,8 +306,8 @@ public void start() {
 + consumerProvider.getName());
 // Let's start the thread to read
- destinationThread = new Thread(this, queueProvider.getName()
- + "_destWriter");
+ destinationThread = new Thread(this, queueProvider.getName() + "_"
+ + consumerProvider.getName() + "_destWriter");
 destinationThread.setDaemon(true);
 destinationThread.start();
 }
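Review bot: `queue.size() * 100` in the AuditBatchQueue hunk is int arithmetic, so once an operator configures a max queue size above roughly 21 million entries the product overflows and `percentUsed` goes negative, which would defeat the spool-drain decision that depends on it; `int percentUsed = (int) (queue.size() * 100L / getMaxQueueSize());` keeps the value exact for any int queue size. The default (`AUDIT_MAX_QUEUE_SIZE_DEFAULT` = 1024 * 1024 in the AuditQueue hunk below) is safe, so this only affects raised limits. The enclosing `runDoAs` body continues outside the hunk.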
@@ -776,6 +776,14 @@ public void runDoAs() {
 // boolean isResumed = false;
 while (true) {
 try {
+ if (isDestDown) {
+ logger.info("Destination is down. sleeping for "
+ + retryDestinationMS
+ + " milli seconds. indexQueue=" + indexQueue.size()
+ + ", queueName=" + queueProvider.getName()
+ + ", consumer=" + consumerProvider.getName());
+ Thread.sleep(retryDestinationMS);
+ }
 // Let's pause between each iteration
 if (currentConsumerIndexRecord == null) {
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditQueue.java b/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditQueue.java
index 88c98314b96..c5eb3da2688 100644
--- a/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditQueue.java
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditQueue.java
@@ -32,7 +32,7 @@ public abstract class AuditQueue extends BaseAuditHandler {
 private static final Log LOG = LogFactory.getLog(AuditQueue.class);
 public static final int AUDIT_MAX_QUEUE_SIZE_DEFAULT = 1024 * 1024;
- public static final int AUDIT_BATCH_INTERVAL_DEFAULT_MS = 1000;
+ public static final int AUDIT_BATCH_INTERVAL_DEFAULT_MS = 3000;
 public static final int AUDIT_BATCH_SIZE_DEFAULT = 1000;
 // This is the max time the consumer thread will wait before exiting the
From 46e28d52965f3c338b035414b96e970029d319d5 Mon Sep 17 00:00:00 2001
From: Don Bosco Durai
Date: Sat, 19 Sep 2015 20:08:43 -0400
Subject: [PATCH 057/202] RANGER-654: Increasing interval time to fix junit error
---
 .../src/test/java/org/apache/ranger/audit/TestAuditQueue.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security-admin/src/test/java/org/apache/ranger/audit/TestAuditQueue.java b/security-admin/src/test/java/org/apache/ranger/audit/TestAuditQueue.java
index f09da53283a..3fe62464e76 100644
--- a/security-admin/src/test/java/org/apache/ranger/audit/TestAuditQueue.java
+++ b/security-admin/src/test/java/org/apache/ranger/audit/TestAuditQueue.java
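Review bot: The new `logger.info(...)` in the AuditFileSpool hunk fires on every loop iteration for as long as `isDestDown` is true, i.e. once per `retryDestinationMS` for the entire outage on every plugin host, which is a steady noise source in exactly the situation where the log is being read most carefully; log at INFO once on the transition into the down state and at DEBUG thereafter, or keep a last-logged timestamp. `Thread.sleep(retryDestinationMS)` inside the `try` is interruptible, and whether an interrupt during shutdown reaches a `catch` (outside the hunk) that lets the loop exit should be checked, since the fix turns a tight loop into a sleep that a stop request must still be able to break. The enclosing `while (true)` and `runDoAs` continue beyond the hunk.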
@@ -409,7 +409,7 @@ public void testAuditBatchQueueDestDownFlipFlop() { + MiscUtil.generateUniqueId(); int batchSize = messageToSend / 3; int queueSize = messageToSend * 2; - int intervalMS = 3000; // Deliberately big interval + int intervalMS = 5000; // Deliberately big interval Properties props = new Properties(); props.put( basePropName + "." + BaseAuditHandler.PROP_NAME, From 9a6dc0c1dba33486cd45cbbd368620a53a13a434 Mon Sep 17 00:00:00 2001 From: rmani Date: Tue, 22 Sep 2015 14:33:24 -0700 Subject: [PATCH 058/202] RANGER-659:Package commons-io, which is a required dependency, as part of storm plugin --- src/main/assembly/storm-agent.xml | 1 + 1 file changed, 1 insertion(+) diff --git a/src/main/assembly/storm-agent.xml b/src/main/assembly/storm-agent.xml index 22a75a7ed87..12ec0523d03 100644 --- a/src/main/assembly/storm-agent.xml +++ b/src/main/assembly/storm-agent.xml @@ -57,6 +57,7 @@ org.apache.htrace:htrace-core:jar:${htrace-core.version} commons-cli:commons-cli:jar:${commons.cli.version} commons-lang:commons-lang:jar:${commons.lang.version} + commons-io:commons-io:jar:${commons.io.version} From 3a86171624358a7904ec0a21fa6de93b66acba7f Mon Sep 17 00:00:00 2001 From: Alok Lal Date: Tue, 29 Sep 2015 17:01:08 -0700 Subject: [PATCH 059/202] RANGER-672 v0.4 plugins are unable to download policies from 0.5 server Signed-off-by: Alok Lal --- .../org/apache/ranger/common/ServiceUtil.java | 30 +++++++++++++++++++ .../org/apache/ranger/rest/AssetREST.java | 2 +- 2 files changed, 31 insertions(+), 1 deletion(-) diff --git a/security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java b/security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java index 8a637a0cd85..861240b9350 100644 --- a/security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java +++ b/security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java 
@@ -32,6 +32,8 @@ import javax.naming.ldap.Rdn; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import javax.ws.rs.PathParam; +import javax.ws.rs.WebApplicationException; import org.apache.commons.collections.CollectionUtils; import org.apache.commons.lang.StringUtils; @@ -123,6 +125,34 @@ public class ServiceUtil { version = "0"; } + public RangerService getServiceByName(@PathParam("name") String name) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> ServiceUtil.getServiceByName(" + name + ")"); + } + + RangerService ret = null; + + try { + ret = svcStore.getServiceByName(name); + } catch(WebApplicationException excp) { + throw excp; + } catch(Throwable excp) { + LOG.error("getServiceByName(" + name + ") failed", excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } + + if(ret == null) { + throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "Not found", true); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== ServiceUtil.getServiceByName(" + name + "): " + ret); + } + + return ret; + } + public RangerService toRangerService(VXAsset asset) { if(asset == null) { return null; diff --git a/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java b/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java index 19dbfaacbe6..79cea029766 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java 
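Review bot: `@PathParam("name")` on `getServiceByName` has no effect here — ServiceUtil is not a JAX-RS resource — so the annotation, and the `javax.ws.rs.PathParam` import added in the first hunk, are leftovers from the REST method this was copied from; drop them: `public RangerService getServiceByName(String name) {`. The `catch(Throwable)` branch forwards `excp.getMessage()` to the client through `createRESTException`, which can expose internal detail (JPA/JDBC messages) to whoever calls the legacy endpoint; a generic message, with the detail kept in the `LOG.error` line just above, is the safer shape. The trailing debug line concatenates `ret` via its `toString()`; if RangerService's string form includes its config map, service credentials could end up in the log — worth confirming before this ships.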
@@ -533,7 +533,7 @@ public String getResourceJSON(@Context HttpServletRequest request, logger.error("failed to retrieve policies for repository " + repository, excp); } - RangerService service = serviceREST.getServiceByName(repository); + RangerService service = serviceUtil.getServiceByName(repository); List policies = servicePolicies != null ? servicePolicies.getPolicies() : null; long policyUpdTime = (servicePolicies != null && servicePolicies.getPolicyUpdateTime() != null) ? servicePolicies.getPolicyUpdateTime().getTime() : 0l; VXAsset vAsset = serviceUtil.toVXAsset(service); From 076145247fc334310f532495db94c18caec2b178 Mon Sep 17 00:00:00 2001 From: Gautam Borad Date: Wed, 23 Sep 2015 11:50:33 +0530 Subject: [PATCH 060/202] RANGER-658 : Make ranger_credential_helper.py available in usersync path Signed-off-by: Velmurugan Periasamy --- src/main/assembly/usersync.xml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/main/assembly/usersync.xml b/src/main/assembly/usersync.xml index a4bc87c4271..8c2600eba17 100644 --- a/src/main/assembly/usersync.xml +++ b/src/main/assembly/usersync.xml @@ -126,6 +126,14 @@ 444 + + / + security-admin/scripts + + ranger_credential_helper.py + + 544 + From e2bb41aa45cd3da303deca509ec2b96c9a39389c Mon Sep 17 00:00:00 2001 From: Gautam Borad Date: Fri, 25 Sep 2015 09:51:36 +0530 Subject: [PATCH 061/202] RANGER-656 : Ranger UI - KMS Need to handle 404 error when clicked on breadcrumb Signed-off-by: Velmurugan Periasamy --- .../main/webapp/scripts/modules/XALinks.js | 42 +++---------------- .../webapp/scripts/views/kms/KmsKeyCreate.js | 9 ++-- .../scripts/views/service/ServiceCreate.js | 2 +- 3 files changed, 11 insertions(+), 42 deletions(-) diff --git a/security-admin/src/main/webapp/scripts/modules/XALinks.js b/security-admin/src/main/webapp/scripts/modules/XALinks.js index efa3454ee50..e15b45d00c1 100755 --- a/security-admin/src/main/webapp/scripts/modules/XALinks.js 
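Review bot: Switching from `serviceREST.getServiceByName` to `serviceUtil.getServiceByName` also bypasses whatever the REST method enforced beyond the store lookup; if `ServiceREST.getServiceByName` sits behind a pre-authorization check (not visible in the hunk), that check no longer applies on this legacy policy-download path. Confirm that `getResourceJSON` validates the caller's entitlement to `repository` on its own, and once confirmed record it on the new line, e.g. `// plain lookup; caller authorization for 'repository' is enforced earlier in getResourceJSON`. getResourceJSON starts outside the hunk.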
+++ b/security-admin/src/main/webapp/scripts/modules/XALinks.js @@ -70,7 +70,7 @@ define(function(require) { title: 'h.kms' }, KmsKeyCreate : { - href : '#!/kms/keys/create', + href : 'javascript:void(0);', text : 'h.keyCreate', title: 'h.keyCreate' }, @@ -177,42 +177,10 @@ define(function(require) { href : '#!/reports/audit/loginSession', text : 'lbl.sessionDetail' }, - AssetCreate : function(options){ - var href = '#!/asset/create'; - if(_.has(options,'model')){ - href = '#!/asset/create/'+options.model.get('assetType'); - } - return { - href : href, - text : 'lbl.createAsset', - title: 'lbl.createAsset' - }; - }, - AssetEdit : function(options){ - var href = "javascript:void(0);"; - if(_.has(options,'model')){ - href = '#!/asset/'+options.model.get('id'); - } - if(_.has(options,'id')){ - href = '#!/asset/'+options.id; - } - return { - href : href, - text : 'lbl.editService', - title: 'lbl.editService' - }; - }, - - ServiceCreate : function(options){ - var href = '#!/service/create'; - if(_.has(options,'model')){ - href = '#!/service/create/'+options.model.get('assetType'); - } - return { - href : href, - text : 'lbl.createService', - title: 'lbl.createService' - }; + ServiceCreate : { + href : "javascript:void(0);", + text : 'lbl.createService', + title: 'lbl.createService' }, ServiceEdit : function(options){ var href = "javascript:void(0);"; diff --git a/security-admin/src/main/webapp/scripts/views/kms/KmsKeyCreate.js b/security-admin/src/main/webapp/scripts/views/kms/KmsKeyCreate.js index 1ee0b3d6508..0bc62b65494 100644 --- a/security-admin/src/main/webapp/scripts/views/kms/KmsKeyCreate.js +++ b/security-admin/src/main/webapp/scripts/views/kms/KmsKeyCreate.js 
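Review bot: `href : 'javascript:void(0);'` is introduced for the `KmsKeyCreate` and `ServiceCreate` breadcrumb entries in both hunks, and `javascript:` URLs count as inline script under a Content-Security-Policy `script-src` without `'unsafe-inline'`, so they would be blocked the day the admin UI adds a CSP. A plain `href : '#'` with the click handler calling `preventDefault`, or no `href` at all for the current crumb, gives the same non-navigating link without that dependency. The same value is already used by `ServiceEdit` just below the hunk, so this extends a pre-existing pattern rather than creating one.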
@@ -166,13 +166,14 @@ define(function(require){ }); }, getKmsInfoFromServiceName : function() { - var KmsServiceDef = require('models/RangerServiceDef'); - var KmsService = require('models/RangerService'); + var KmsServiceDef = require('models/RangerServiceDef'); + var KmsService = require('models/RangerService'); this.kmsService = new KmsService(); this.kmsService.url = XAUtil.getRangerServiceByName(this.kmsServiceName); this.kmsService.fetch({ cache : false, async : false }); - this.kmsServiceDefModel = new KmsServiceDef({id : this.kmsService.id}); - this.kmsServiceDefModel.fetch({ cache : false, async : false }) + this.kmsServiceDefModel = new KmsServiceDef(); + this.kmsServiceDefModel.url = XAUtil.getRangerServiceDef(this.kmsService.get('type')); + this.kmsServiceDefModel.fetch({ cache : false, async : false }); }, /** on close */ onClose: function(){ diff --git a/security-admin/src/main/webapp/scripts/views/service/ServiceCreate.js b/security-admin/src/main/webapp/scripts/views/service/ServiceCreate.js index 239b61e27a6..f3b8d701479 100644 --- a/security-admin/src/main/webapp/scripts/views/service/ServiceCreate.js +++ b/security-admin/src/main/webapp/scripts/views/service/ServiceCreate.js @@ -51,7 +51,7 @@ define(function(require){ if(this.model.isNew()) return [XALinks.get('ServiceManager'), XALinks.get('ServiceCreate', {model:this.model})]; else - return [XALinks.get('ServiceManager'), XALinks.get('ServiceEdit',{model:this.model})]; + return [XALinks.get('ServiceManager'), XALinks.get('ServiceEdit')]; }, /** Layout sub regions */ From 18d1abfc469a5d7d3f5c653d589d6a0982489b93 Mon Sep 17 00:00:00 2001 From: Gautam Borad Date: Fri, 25 Sep 2015 10:09:46 +0530 Subject: [PATCH 062/202] RANGER-665 : ranger.ldap.ad.referral property is not getting updated in ranger-admin-site.xml Signed-off-by: Velmurugan Periasamy --- security-admin/src/bin/ranger_install.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
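Review bot: Neither synchronous `fetch` in `getKmsInfoFromServiceName` passes an `error` callback, so when the service lookup returns 404 — the case this commit is about — `this.kmsService.get('type')` is `undefined`, the next line builds the service-def URL from it, and a second doomed request is issued. Add `error` handlers (or guard on `this.kmsService.get('type')` before the second fetch) and report the failure to the view instead of continuing. The `async : false` calls are pre-existing and not changed here.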
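Review bot: The `ServiceCreate` breadcrumb call still passes `{model:this.model}` although XALinks' `ServiceCreate` entry becomes a plain object rather than a function in this same commit, so the options are silently ignored; drop them to match the `ServiceEdit` line that was just changed: `return [XALinks.get('ServiceManager'), XALinks.get('ServiceCreate')];`. Whether `XALinks.get` tolerates options on a non-function entry is not visible here.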
diff --git a/security-admin/src/bin/ranger_install.py b/security-admin/src/bin/ranger_install.py index 99c8ab831b5..294f0da13e0 100644 --- a/security-admin/src/bin/ranger_install.py +++ b/security-admin/src/bin/ranger_install.py @@ -974,7 +974,7 @@ def update_properties(): newPropertyValue="_" updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger) - propertyName="ranger.ad.referral" + propertyName="ranger.ldap.ad.referral" newPropertyValue=os.getenv("RANGER_LDAP_AD_REFERRAL") updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger) From 04d1da2f2b5d6ad2ac15e280ee07536c74d982af Mon Sep 17 00:00:00 2001 From: Gautam Borad Date: Mon, 28 Sep 2015 09:08:35 +0530 Subject: [PATCH 063/202] RANGER-666 : Add support for Azure SQL Database Signed-off-by: Velmurugan Periasamy --- kms/scripts/dba_script.py | 35 +++++++------------ security-admin/scripts/dba_script.py | 50 +++++++++++----------------- security-admin/scripts/setup.sh | 4 +-- 3 files changed, 33 insertions(+), 56 deletions(-) diff --git a/kms/scripts/dba_script.py b/kms/scripts/dba_script.py index b2aa80a550d..950b8c36031 100755 --- a/kms/scripts/dba_script.py +++ b/kms/scripts/dba_script.py 
@@ -708,11 +708,11 @@ def get_jisql_cmd(self, user, password, db_name): def verify_user(self, root_user, db_root_password, db_user,dryMode): if dryMode == False: log("[I] Verifying user " + db_user , "info") - get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'msdb') + get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'master') if os_name == "LINUX": - query = get_cmd + " -c \; -query \"select loginname from master.dbo.syslogins where loginname = '%s';\"" %(db_user) + query = get_cmd + " -c \; -query \"select name from sys.sql_logins where name = '%s';\"" %(db_user) elif os_name == "WINDOWS": - query = get_cmd + " -query \"select loginname from master.dbo.syslogins where loginname = '%s';\" -c ;" %(db_user) + query = get_cmd + " -query \"select name from sys.sql_logins where name = '%s';\" -c ;" %(db_user) output = check_output(query) if output.strip(db_user + " |"): return True @@ -735,13 +735,13 @@ def check_connection(self, db_name, db_user, db_password): sys.exit(1) def create_rangerdb_user(self, root_user, db_user, db_password, db_root_password,dryMode): - if self.check_connection('msdb', root_user, db_root_password): + if self.check_connection('master', root_user, db_root_password): if self.verify_user(root_user, db_root_password, db_user,dryMode): if dryMode == False: log("[I] SQL Server user " + db_user + " already exists.", "info") else: if dryMode == False: - get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'msdb') + get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'master') log("[I] User does not exists, Creating Login user " + db_user, "info") if os_name == "LINUX": query = get_cmd + " -c \; -query \"CREATE LOGIN %s WITH PASSWORD = '%s';\"" %(db_user,db_password) 
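Review bot: The new login check queries `sys.sql_logins`, which lists only SQL-authenticated logins, whereas the replaced `master.dbo.syslogins` also covered Windows logins; a `db_user` that exists as a Windows login would now be reported missing and `create_rangerdb_user` would go on to attempt `CREATE LOGIN ... WITH PASSWORD`. If SQL authentication is the only supported mode for this path, say so in a comment next to the query; otherwise `sys.server_principals` keeps the previous coverage. The same change is made in security-admin/scripts/dba_script.py at the hunk on L466. `db_user` is still interpolated unquoted into the SQL literal and from there into a shell command line on these lines (pre-existing), so validating it against a strict identifier pattern where it is read from the configuration would protect both layers at once.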
@@ -764,7 +764,7 @@ def create_rangerdb_user(self, root_user, db_user, db_password, db_root_password def verify_db(self, root_user, db_root_password, db_name,dryMode): if dryMode == False: log("[I] Verifying database " + db_name, "info") - get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'msdb') + get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'master') if os_name == "LINUX": query = get_cmd + " -c \; -query \"SELECT name from sys.databases where name='%s';\"" %(db_name) elif os_name == "WINDOWS": @@ -782,7 +782,7 @@ def create_db(self, root_user, db_root_password, db_name, db_user, db_password,d else: if dryMode == False: log("[I] Database does not exist. Creating database : " + db_name,"info") - get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'msdb') + get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'master') if os_name == "LINUX": query = get_cmd + " -c \; -query \"create database %s;\"" %(db_name) ret = subprocess.call(shlex.split(query)) @@ -805,7 +805,7 @@ def create_db(self, root_user, db_root_password, db_name, db_user, db_password,d logFile("create database %s;" %(db_name)) def create_user(self, root_user, db_name ,db_user, db_password, db_root_password,dryMode): - get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'msdb') + get_cmd = self.get_jisql_cmd(root_user, db_root_password, db_name) if os_name == "LINUX": query = get_cmd + " -c \; -query \"USE %s SELECT name FROM sys.database_principals WHERE name = N'%s';\"" %(db_name, db_user) elif os_name == "WINDOWS": 
@@ -842,28 +842,17 @@ def create_user(self, root_user, db_name ,db_user, db_password, db_root_password def grant_xa_db_user(self, root_user, db_name, db_user, db_password, db_root_password, is_revoke,dryMode): if dryMode == False: log("[I] Granting permission to admin user '" + db_user + "' on db '" + db_name + "'" , "info") - get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'msdb') - if os_name == "LINUX": - query = get_cmd + " -c \; -query \"ALTER LOGIN [%s] WITH DEFAULT_DATABASE=[%s];\"" %(db_user, db_name) - ret = subprocess.call(shlex.split(query)) - elif os_name == "WINDOWS": - query = get_cmd + " -query \"ALTER LOGIN [%s] WITH DEFAULT_DATABASE=[%s];\" -c ;" %(db_user, db_name) - ret = subprocess.call(query) - if ret != 0: - sys.exit(1) + get_cmd = self.get_jisql_cmd(root_user, db_root_password, db_name) if os_name == "LINUX": - query = get_cmd + " -c \; -query \" USE %s EXEC sp_addrolemember N'db_owner', N'%s';\"" %(db_name, db_user) -# query = get_cmd + " -c \; -query \" USE %s GRANT ALL PRIVILEGES to %s;\"" %(db_name , db_user) + query = get_cmd + " -c \; -query \" EXEC sp_addrolemember N'db_owner', N'%s';\"" %(db_user) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": - query = get_cmd + " -query \" USE %s EXEC sp_addrolemember N'db_owner', N'%s';\" -c ;" %(db_name, db_user) -# query = get_cmd + " -c \; -query \" USE %s GRANT ALL PRIVILEGES to %s;\"" %(db_name , db_user) + query = get_cmd + " -query \" EXEC sp_addrolemember N'db_owner', N'%s';\" -c ;" %(db_user) ret = subprocess.call(query) if ret != 0: sys.exit(1) else: - logFile("ALTER LOGIN [%s] WITH DEFAULT_DATABASE=[%s];" %(db_user, db_name)) - logFile("USE %s EXEC sp_addrolemember N'db_owner', N'%s';" %(db_name, db_user)) + logFile("EXEC sp_addrolemember N'db_owner', N'%s';" %(db_user)) class SqlAnywhereConf(BaseDB): # Constructor diff --git a/security-admin/scripts/dba_script.py b/security-admin/scripts/dba_script.py index 90ae5615e71..4fd55938941 100644 
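Review bot: Dropping the `ALTER LOGIN ... WITH DEFAULT_DATABASE` step silently changes what the login connects to when no database is named — on a conventional SQL Server it now lands in `master` — and nothing in the hunk records that callers must name `db_name` explicitly in their JDBC URL; a comment at the top of the function such as `# DEFAULT_DATABASE is no longer set (presumably unsupported on Azure SQL); connections must name the database explicitly` would preserve that knowledge. In the dry-run branch the emitted statement lost its `USE %s` prefix, so the generated log no longer states which database `sp_addrolemember` applies to; writing a `-- database: %s` comment line via `logFile` before the statement keeps the output usable as a script. The same rewrite, plus the equivalent `CREATE USER` dry-run line, appears in security-admin/scripts/dba_script.py at the hunk on L470.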
--- a/security-admin/scripts/dba_script.py +++ b/security-admin/scripts/dba_script.py @@ -917,11 +917,11 @@ def get_jisql_cmd(self, user, password, db_name): def verify_user(self, root_user, db_root_password, db_user,dryMode): if dryMode == False: log("[I] Verifying user " + db_user , "info") - get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'msdb') + get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'master') if os_name == "LINUX": - query = get_cmd + " -c \; -query \"select loginname from master.dbo.syslogins where loginname = '%s';\"" %(db_user) + query = get_cmd + " -c \; -query \"select name from sys.sql_logins where name = '%s';\"" %(db_user) elif os_name == "WINDOWS": - query = get_cmd + " -query \"select loginname from master.dbo.syslogins where loginname = '%s';\" -c ;" %(db_user) + query = get_cmd + " -query \"select name from sys.sql_logins where name = '%s';\" -c ;" %(db_user) output = check_output(query) if output.strip(db_user + " |"): return True @@ -944,13 +944,13 @@ def check_connection(self, db_name, db_user, db_password): sys.exit(1) def create_rangerdb_user(self, root_user, db_user, db_password, db_root_password,dryMode): - if self.check_connection('msdb', root_user, db_root_password): + if self.check_connection('master', root_user, db_root_password): if self.verify_user(root_user, db_root_password, db_user,dryMode): if dryMode == False: log("[I] SQL Server user " + db_user + " already exists.", "info") else: if dryMode == False: - get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'msdb') + get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'master') log("[I] User does not exists, Creating Login user " + db_user, "info") if os_name == "LINUX": query = get_cmd + " -c \; -query \"CREATE LOGIN %s WITH PASSWORD = '%s';\"" %(db_user,db_password) 
@@ -973,7 +973,7 @@ def create_rangerdb_user(self, root_user, db_user, db_password, db_root_password def verify_db(self, root_user, db_root_password, db_name,dryMode): if dryMode == False: log("[I] Verifying database " + db_name, "info") - get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'msdb') + get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'master') if os_name == "LINUX": query = get_cmd + " -c \; -query \"SELECT name from sys.databases where name='%s';\"" %(db_name) elif os_name == "WINDOWS": @@ -991,7 +991,7 @@ def create_db(self, root_user, db_root_password, db_name, db_user, db_password,d else: if dryMode == False: log("[I] Database does not exist. Creating database : " + db_name,"info") - get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'msdb') + get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'master') if os_name == "LINUX": query = get_cmd + " -c \; -query \"create database %s;\"" %(db_name) ret = subprocess.call(shlex.split(query)) @@ -1006,7 +1006,6 @@ def create_db(self, root_user, db_root_password, db_name, db_user, db_password,d self.create_user(root_user, db_name ,db_user, db_password, db_root_password,dryMode) log("[I] Creating database " + db_name + " succeeded", "info") return True - # self.import_db_file(db_name, root_user, db_user, db_password, db_root_password, file_name) else: log("[E] Database creation failed..","error") sys.exit(1) 
@@ -1014,11 +1013,11 @@ def create_db(self, root_user, db_root_password, db_name, db_user, db_password,d logFile("create database %s;" %(db_name)) def create_user(self, root_user, db_name ,db_user, db_password, db_root_password,dryMode): - get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'msdb') + get_cmd = self.get_jisql_cmd(root_user, db_root_password, db_name) if os_name == "LINUX": - query = get_cmd + " -c \; -query \"USE %s SELECT name FROM sys.database_principals WHERE name = N'%s';\"" %(db_name, db_user) + query = get_cmd + " -c \; -query \"SELECT name FROM sys.database_principals WHERE name = N'%s';\"" %(db_user) elif os_name == "WINDOWS": - query = get_cmd + " -query \"USE %s SELECT name FROM sys.database_principals WHERE name = N'%s';\" -c ;" %(db_name, db_user) + query = get_cmd + " -query \"SELECT name FROM sys.database_principals WHERE name = N'%s';\" -c ;" %(db_user) output = check_output(query) if output.strip(db_user + " |"): if dryMode == False: 
@@ -1026,16 +1025,16 @@ def create_user(self, root_user, db_name ,db_user, db_password, db_root_password else: if dryMode == False: if os_name == "LINUX": - query = get_cmd + " -c \; -query \"USE %s CREATE USER %s for LOGIN %s;\"" %(db_name ,db_user, db_user) + query = get_cmd + " -c \; -query \"CREATE USER %s for LOGIN %s;\"" %(db_user, db_user) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": - query = get_cmd + " -query \"USE %s CREATE USER %s for LOGIN %s;\" -c ;" %(db_name ,db_user, db_user) + query = get_cmd + " -query \"CREATE USER %s for LOGIN %s;\" -c ;" %(db_user, db_user) ret = subprocess.call(query) if ret == 0: if os_name == "LINUX": - query = get_cmd + " -c \; -query \"USE %s SELECT name FROM sys.database_principals WHERE name = N'%s';\"" %(db_name ,db_user) + query = get_cmd + " -c \; -query \"SELECT name FROM sys.database_principals WHERE name = N'%s';\"" %(db_user) elif os_name == "WINDOWS": - query = get_cmd + " -query \"USE %s SELECT name FROM sys.database_principals WHERE name = N'%s';\" -c ;" %(db_name ,db_user) + query = get_cmd + " -query \"SELECT name FROM sys.database_principals WHERE name = N'%s';\" -c ;" %(db_user) output = check_output(query) if output.strip(db_user + " |"): log("[I] User "+db_user+" exist ","info") 
@@ -1046,33 +1045,22 @@ def create_user(self, root_user, db_name ,db_user, db_password, db_root_password log("[E] Database creation failed..","error") sys.exit(1) else: - logFile("USE %s CREATE USER %s for LOGIN %s;" %(db_name ,db_user, db_user)) + logFile("CREATE USER %s for LOGIN %s;" %(db_user, db_user)) def grant_xa_db_user(self, root_user, db_name, db_user, db_password, db_root_password, is_revoke,dryMode): if dryMode == False: log("[I] Granting permission to admin user '" + db_user + "' on db '" + db_name + "'" , "info") - get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'msdb') - if os_name == "LINUX": - query = get_cmd + " -c \; -query \"ALTER LOGIN [%s] WITH DEFAULT_DATABASE=[%s];\"" %(db_user, db_name) - ret = subprocess.call(shlex.split(query)) - elif os_name == "WINDOWS": - query = get_cmd + " -query \"ALTER LOGIN [%s] WITH DEFAULT_DATABASE=[%s];\" -c ;" %(db_user, db_name) - ret = subprocess.call(query) - if ret != 0: - sys.exit(1) + get_cmd = self.get_jisql_cmd(root_user, db_root_password, db_name) if os_name == "LINUX": - query = get_cmd + " -c \; -query \" USE %s EXEC sp_addrolemember N'db_owner', N'%s';\"" %(db_name, db_user) -# query = get_cmd + " -c \; -query \" USE %s GRANT ALL PRIVILEGES to %s;\"" %(db_name , db_user) + query = get_cmd + " -c \; -query \" EXEC sp_addrolemember N'db_owner', N'%s';\"" %(db_user) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": - query = get_cmd + " -query \" USE %s EXEC sp_addrolemember N'db_owner', N'%s';\" -c ;" %(db_name, db_user) -# query = get_cmd + " -c \; -query \" USE %s GRANT ALL PRIVILEGES to %s;\"" %(db_name , db_user) + query = get_cmd + " -query \" EXEC sp_addrolemember N'db_owner', N'%s';\" -c ;" %(db_user) ret = subprocess.call(query) if ret != 0: sys.exit(1) else: - logFile("ALTER LOGIN [%s] WITH DEFAULT_DATABASE=[%s];" %(db_user, db_name)) - logFile("USE %s EXEC sp_addrolemember N'db_owner', N'%s';" %(db_name, db_user)) + logFile("EXEC sp_addrolemember N'db_owner', 
N'%s';" %(db_user)) def create_auditdb_user(self, xa_db_host, audit_db_host, db_name, audit_db_name, xa_db_root_user, audit_db_root_user, db_user, audit_db_user, xa_db_root_password, audit_db_root_password, db_password, audit_db_password, DBA_MODE,dryMode): is_revoke=False diff --git a/security-admin/scripts/setup.sh b/security-admin/scripts/setup.sh index bae62986a66..71c424c28a0 100755 --- a/security-admin/scripts/setup.sh +++ b/security-admin/scripts/setup.sh @@ -874,7 +874,7 @@ update_properties() { newPropertyValue="org.eclipse.persistence.platform.database.SQLServerPlatform" updatePropertyToFilePy $propertyName $newPropertyValue $to_file_default - propertyName=ranger.jpa.jdbc.dialect + propertyName=ranger.jpa.audit.jdbc.dialect newPropertyValue="org.eclipse.persistence.platform.database.SQLServerPlatform" updatePropertyToFilePy $propertyName $newPropertyValue $to_file_default @@ -901,7 +901,7 @@ update_properties() { newPropertyValue="org.eclipse.persistence.platform.database.SQLAnywherePlatform" updatePropertyToFilePy $propertyName $newPropertyValue $to_file_default - propertyName=ranger.jpa.jdbc.dialect + propertyName=ranger.jpa.audit.jdbc.dialect newPropertyValue="org.eclipse.persistence.platform.database.SQLAnywherePlatform" updatePropertyToFilePy $propertyName $newPropertyValue $to_file_default From eb4c5e2c45c410b66ba1266e5f7e8fe8eee207c0 Mon Sep 17 00:00:00 2001 
From: Gautam Borad Date: Thu, 8 Oct 2015 12:14:35 +0530 Subject: [PATCH 064/202] RANGER-671 : Add support to retrieve permissions for the logged in user from UserSession rather going to database every time --- .../org/apache/ranger/biz/SessionMgr.java | 102 ++++++ .../java/org/apache/ranger/biz/XUserMgr.java | 335 +++++++++--------- .../apache/ranger/common/UserSessionBase.java | 63 +++- .../ranger/db/XXGroupPermissionDao.java | 16 +- .../org/apache/ranger/db/XXGroupUserDao.java | 11 + .../org/apache/ranger/db/XXModuleDefDao.java | 10 - .../apache/ranger/db/XXUserPermissionDao.java | 9 +- .../patch/PatchPersmissionModel_J10003.java | 22 +- .../org/apache/ranger/rest/XUserREST.java | 9 + .../context/RangerPreAuthSecurityHandler.java | 25 +- .../listener/RangerHttpSessionListener.java | 48 +++ .../service/XGroupPermissionService.java | 13 +- .../service/XUserPermissionService.java | 20 +- .../resources/META-INF/jpa_named_queries.xml | 12 +- .../org/apache/ranger/biz/TestXUserMgr.java | 51 ++- 15 files changed, 503 insertions(+), 243 deletions(-) create mode 100644 security-admin/src/main/java/org/apache/ranger/security/listener/RangerHttpSessionListener.java diff --git a/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java index ccb18550dcc..adae1d643d7 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java 
@@ -21,10 +21,17 @@ import java.util.ArrayList; import java.util.Calendar; +import java.util.HashSet; import java.util.List; +import java.util.Set; +import java.util.concurrent.CopyOnWriteArrayList; +import java.util.concurrent.CopyOnWriteArraySet; import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpSession; +import org.apache.commons.collections.CollectionUtils; +import org.apache.commons.lang.time.DateUtils; import org.apache.log4j.Logger; import org.apache.ranger.common.DateUtil; import org.apache.ranger.common.HTTPUtil; @@ -39,8 +46,11 @@ import org.apache.ranger.entity.XXAuthSession; import org.apache.ranger.entity.XXPortalUser; import org.apache.ranger.entity.XXPortalUserRole; +import org.apache.ranger.entity.XXUser; import org.apache.ranger.security.context.RangerContextHolder; import org.apache.ranger.security.context.RangerSecurityContext; +import org.apache.ranger.security.listener.RangerHttpSessionListener; +import org.apache.ranger.security.web.filter.RangerSecurityContextFormationFilter; import org.apache.ranger.service.AuthSessionService; import org.apache.ranger.util.RestUtil; import org.apache.ranger.view.VXAuthSession; @@ -79,6 +89,8 @@ public SessionMgr() { logger.debug("SessionManager created"); } + private static final Long SESSION_UPDATE_INTERVAL_IN_MILLIS = 30 * DateUtils.MILLIS_PER_MINUTE; + public UserSessionBase processSuccessLogin(int authType, String userAgent) { return processSuccessLogin(authType, userAgent, null); } @@ -135,7 +147,10 @@ public UserSessionBase processSuccessLogin(int authType, String userAgent, userSession = new UserSessionBase(); userSession.setXXPortalUser(gjUser); userSession.setXXAuthSession(gjAuthSession); + resetUserSessionForProfiles(userSession); + resetUserModulePermission(userSession); + Calendar cal = Calendar.getInstance(); if (details != null) { logger.info("Login Success: loginId=" + currentLoginId 
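Review bot: `SESSION_UPDATE_INTERVAL_IN_MILLIS` is declared as a boxed `Long` and placed between the constructor and the methods; a primitive `long` with the other static fields reads better, and it deserves a comment on its authorization meaning: `// Module permissions cached in a UserSessionBase are re-read from the DB at most this often; a revoked permission may stay effective for up to this long unless the session is refreshed explicitly.` Whether sessions are refreshed eagerly on revocation depends on XUserMgr code outside this hunk, so the comment should be adjusted once that is confirmed.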
@@ -155,6 +170,28 @@ public UserSessionBase processSuccessLogin(int authType, String userAgent, return userSession; } + public void resetUserModulePermission(UserSessionBase userSession) { + + XXUser xUser = daoManager.getXXUser().findByUserName(userSession.getLoginId()); + if (xUser != null) { + List permissionList = daoManager.getXXModuleDef().findAccessibleModulesByUserId(userSession.getUserId(), xUser.getId()); + CopyOnWriteArraySet userPermissions = new CopyOnWriteArraySet(permissionList); + + UserSessionBase.RangerUserPermission rangerUserPermission = userSession.getRangerUserPermission(); + + if (rangerUserPermission == null) { + rangerUserPermission = new UserSessionBase.RangerUserPermission(); + } + + rangerUserPermission.setUserPermissions(userPermissions); + rangerUserPermission.setLastUpdatedTime(Calendar.getInstance().getTimeInMillis()); + userSession.setRangerUserPermission(rangerUserPermission); + logger.info("UserSession Updated to set new Permissions to User: " + userSession.getLoginId()); + } else { + logger.error("No XUser found with username: " + userSession.getLoginId() + "So Permission is not set for the user"); + } + } + public void resetUserSessionForProfiles(UserSessionBase userSession) { if (userSession == null) { // Nothing to reset @@ -274,6 +311,7 @@ public UserSessionBase processStandaloneSuccessLogin(int authType, RangerContextHolder.setSecurityContext(context); resetUserSessionForProfiles(userSession); + resetUserModulePermission(userSession); return userSession; } 
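Review bot: When `findByUserName` returns null the method only logs and returns, leaving whatever permission set the session already held in place and `lastUpdatedTime` untouched, so the stale permissions stay effective and `refreshPermissionsIfNeeded` repeats the failing lookup on every call. Treat the missing XXUser as "no module permissions": set an empty `CopyOnWriteArraySet` and update the timestamp in that branch as well. The error message also runs two sentences together (`... + "So Permission is not set ..."`); a `". "` separator fixes it.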
@@ -351,4 +389,68 @@ public boolean isValidXAUser(String loginId) { } + public CopyOnWriteArrayList getActiveSessionsOnServer() { + + CopyOnWriteArrayList activeHttpUserSessions = RangerHttpSessionListener.getActiveSessionOnServer(); + CopyOnWriteArrayList activeRangerUserSessions = new CopyOnWriteArrayList(); + + if (CollectionUtils.isEmpty(activeHttpUserSessions)) { + return activeRangerUserSessions; + } + + for (HttpSession httpSession : activeHttpUserSessions) { + + if (httpSession.getAttribute(RangerSecurityContextFormationFilter.AKA_SC_SESSION_KEY) == null) { + continue; + } + + RangerSecurityContext securityContext = (RangerSecurityContext) httpSession.getAttribute(RangerSecurityContextFormationFilter.AKA_SC_SESSION_KEY); + if (securityContext.getUserSession() != null) { + activeRangerUserSessions.add(securityContext.getUserSession()); + } + } + + return activeRangerUserSessions; + } + + public Set getActiveUserSessionsForPortalUserId(Long portalUserId) { + CopyOnWriteArrayList activeSessions = getActiveSessionsOnServer(); + + if (CollectionUtils.isEmpty(activeSessions)) { + return null; + } + + Set activeUserSessions = new HashSet(); + for (UserSessionBase session : activeSessions) { + if (session.getUserId().equals(portalUserId)) { + activeUserSessions.add(session); + } + } + if (logger.isDebugEnabled()) { + logger.debug("No Session Found with portalUserId: " + portalUserId); + } + return activeUserSessions; + } + + public Set getActiveUserSessionsForXUserId(Long xUserId) { + XXPortalUser portalUser = daoManager.getXXPortalUser().findByXUserId(xUserId); + if (portalUser != null) { + return getActiveUserSessionsForPortalUserId(portalUser.getId()); + } else { + if (logger.isDebugEnabled()) { + logger.debug("Could not find corresponding portalUser for xUserId" + xUserId); + } + return null; + } + } + + public synchronized void refreshPermissionsIfNeeded(UserSessionBase userSession) { + if (userSession != null) { + Long lastUpdatedTime = 
(userSession.getRangerUserPermission() != null) ? userSession.getRangerUserPermission().getLastUpdatedTime() : null; + if (lastUpdatedTime == null || (Calendar.getInstance().getTimeInMillis() - lastUpdatedTime) > SESSION_UPDATE_INTERVAL_IN_MILLIS) { + this.resetUserModulePermission(userSession); + } + } + } + } diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java index 41bc6f84a8a..5f43bc020df 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java @@ -52,6 +52,7 @@ import org.apache.ranger.db.XXGroupUserDao; import org.apache.ranger.entity.XXAuditMap; import org.apache.ranger.entity.XXGroup; +import org.apache.ranger.entity.XXGroupUser; import org.apache.ranger.entity.XXPermMap; import org.apache.ranger.entity.XXPortalUser; import org.apache.ranger.entity.XXResource; @@ -115,6 +116,9 @@ public class XUserMgr extends XUserMgrBase { @Autowired XResourceService xResourceService; + @Autowired + SessionMgr sessionMgr; + static final Logger logger = Logger.getLogger(XUserMgr.class); public void deleteXGroup(Long id, boolean force) { 
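Review bot: `getActiveUserSessionsForPortalUserId` returns null when there are no active sessions but an empty set otherwise, and its debug line `No Session Found with portalUserId` is emitted unconditionally, even after matches were added; return an empty set in both cases and log only when `activeUserSessions.isEmpty()`. `getActiveUserSessionsForXUserId` has the same null-versus-empty inconsistency and should follow suit so callers need no null check. `refreshPermissionsIfNeeded` is `synchronized` on the SessionMgr instance, which serializes the check across every request although it mostly reads one timestamp; if the intent is to guard a single session's refresh, synchronizing on `userSession` limits the contention — UserSessionBase's own thread-safety is outside the hunk. In `getActiveSessionsOnServer` the session attribute is cast to `RangerSecurityContext` without an `instanceof`, so a foreign value under that key would throw rather than be skipped.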
@@ -227,101 +231,64 @@ public VXUser createXUser(VXUser vXUser) { return createdXUser; } - // Assigning Permission - public void assignPermissionToUser(VXPortalUser vXPortalUser, - boolean isCreate) { - HashMap moduleNameId = getModelNames(); + public void assignPermissionToUser(VXPortalUser vXPortalUser, boolean isCreate) { + HashMap moduleNameId = getAllModuleNameAndIdMap(); for (String role : vXPortalUser.getUserRoleList()) { if (role.equals(RangerConstants.ROLE_USER)) { - insertMappingUserPermisson(vXPortalUser.getId(), - moduleNameId.get(RangerConstants.MODULE_RESOURCE_BASED_POLICIES), - isCreate); - insertMappingUserPermisson( - vXPortalUser.getId(), - moduleNameId.get(RangerConstants.MODULE_REPORTS), - isCreate); + createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_RESOURCE_BASED_POLICIES), isCreate); + createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_REPORTS), isCreate); } else if (role.equals(RangerConstants.ROLE_SYS_ADMIN)) { - insertMappingUserPermisson(vXPortalUser.getId(), - moduleNameId.get(RangerConstants.MODULE_REPORTS), - isCreate); - insertMappingUserPermisson( - vXPortalUser.getId(), - moduleNameId.get(RangerConstants.MODULE_RESOURCE_BASED_POLICIES), - isCreate); - insertMappingUserPermisson(vXPortalUser.getId(), - moduleNameId.get(RangerConstants.MODULE_AUDIT), - isCreate); - /*insertMappingUserPermisson(vXPortalUser.getId(), - moduleNameId.get(RangerConstants.MODULE_KMS), - isCreate);*/ - /*insertMappingUserPermisson(vXPortalUser.getId(), - moduleNameId.get(RangerConstants.MODULE_PERMISSION), - isCreate);*/ - insertMappingUserPermisson(vXPortalUser.getId(), - moduleNameId.get(RangerConstants.MODULE_USER_GROUPS), - isCreate); + createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_REPORTS), isCreate); + createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_RESOURCE_BASED_POLICIES), isCreate); + 
createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_AUDIT), isCreate); + createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_USER_GROUPS), isCreate); } else if (role.equals(RangerConstants.ROLE_KEY_ADMIN)) { - insertMappingUserPermisson(vXPortalUser.getId(), - moduleNameId.get(RangerConstants.MODULE_KEY_MANAGER), isCreate); - insertMappingUserPermisson(vXPortalUser.getId(), - moduleNameId.get(RangerConstants.MODULE_REPORTS), - isCreate); - insertMappingUserPermisson( - vXPortalUser.getId(), - moduleNameId.get(RangerConstants.MODULE_RESOURCE_BASED_POLICIES), - isCreate); + + createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_KEY_MANAGER), isCreate); + createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_REPORTS), isCreate); + createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_RESOURCE_BASED_POLICIES), isCreate); } } } - // Insert or Updating Mapping permissons depending upon roles - private void insertMappingUserPermisson(Long userId, Long moduleId, - boolean isCreate) { - VXUserPermission vXuserPermission; - List xuserPermissionList = daoManager - .getXXUserPermission() - .findByModuleIdAndUserId(userId, moduleId); - if (xuserPermissionList == null || xuserPermissionList.isEmpty()) { - vXuserPermission = new VXUserPermission(); - vXuserPermission.setUserId(userId); - vXuserPermission.setIsAllowed(RangerCommonEnums.IS_ALLOWED); - vXuserPermission.setModuleId(moduleId); + // Insert or Updating Mapping permissions depending upon roles + private void createOrUpdateUserPermisson(Long portalUserId, Long moduleId, boolean isCreate) { + VXUserPermission vXUserPermission; + XXUserPermission xUserPermission = daoManager.getXXUserPermission().findByModuleIdAndUserId(portalUserId, moduleId); + if (xUserPermission == null) { + vXUserPermission = new VXUserPermission(); + 
vXUserPermission.setUserId(portalUserId); + vXUserPermission.setIsAllowed(RangerCommonEnums.IS_ALLOWED); + vXUserPermission.setModuleId(moduleId); try { - xUserPermissionService.createResource(vXuserPermission); + vXUserPermission = this.createXUserPermission(vXUserPermission); + logger.info("Permission assigned to user: [" + vXUserPermission.getUserName() + "] For Module: [" + vXUserPermission.getModuleName() + "]"); } catch (Exception e) { - logger.error(e); + logger.error("Error while assigning permission to user: [" + portalUserId + "] for module: [" + moduleId + "]", e); } } else if (isCreate) { - for (XXUserPermission xUserPermission : xuserPermissionList) { - vXuserPermission = xUserPermissionService - .populateViewBean(xUserPermission); - vXuserPermission.setIsAllowed(RangerCommonEnums.IS_ALLOWED); - xUserPermissionService.updateResource(vXuserPermission); - } + vXUserPermission = xUserPermissionService.populateViewBean(xUserPermission); + vXUserPermission.setIsAllowed(RangerCommonEnums.IS_ALLOWED); + vXUserPermission = this.updateXUserPermission(vXUserPermission); + logger.info("Permission Updated for user: [" + vXUserPermission.getUserName() + "] For Module: [" + vXUserPermission.getModuleName() + "]"); } - } - public HashMap getModelNames() { - List xxModuleDefs = daoManager.getXXModuleDef() - .findModuleNamesWithIds(); - if (xxModuleDefs.isEmpty() || xxModuleDefs != null) { - HashMap moduleNameId = new HashMap(); - try { + public HashMap getAllModuleNameAndIdMap() { - for (XXModuleDef xxModuleDef : xxModuleDefs) { - moduleNameId.put(xxModuleDef.getModule(), - xxModuleDef.getId()); - } - return moduleNameId; - } catch (Exception e) { - logger.error(e); + List xXModuleDefs = daoManager.getXXModuleDef().getAll(); + + if (!CollectionUtils.isEmpty(xXModuleDefs)) { + HashMap moduleNameAndIdMap = new HashMap(); + for (XXModuleDef xXModuleDef : xXModuleDefs) { + moduleNameAndIdMap.put(xXModuleDef.getModule(), xXModuleDef.getId()); } + return moduleNameAndIdMap; 
} return null; @@ -795,50 +762,15 @@ public void modifyGroupsVisibility(HashMap groupVisibilityMap) { } } - /*public void checkPermissionRoleByGivenUrls(String enteredURL, String method) { - Long currentUserId = ContextUtil.getCurrentUserId(); - List notPermittedUrls = daoManager.getXXModuleDef() - .findModuleURLOfPemittedModules(currentUserId); - if (notPermittedUrls != null) { - List xPortalUserRoles = daoManager - .getXXPortalUserRole().findByUserId(currentUserId); - for (XXPortalUserRole xPortalUserRole : xPortalUserRoles) { - if (xPortalUserRole.getUserRole().equalsIgnoreCase( - RangerConstants.ROLE_USER)) { - notPermittedUrls.add("/permission"); - notPermittedUrls.add("/kms"); - } - } - boolean flag = false; - for (String notPermittedUrl : notPermittedUrls) { - if (enteredURL.toLowerCase().contains( - notPermittedUrl.toLowerCase())) - flag = true; - } - if (flag) { - throw restErrorUtil.create403RESTException("Access Denied"); - } - } - boolean flag = false; - List xPortalUserRoles = daoManager - .getXXPortalUserRole().findByUserId(currentUserId); - for (XXPortalUserRole xPortalUserRole : xPortalUserRoles) { - if (xPortalUserRole.getUserRole().equalsIgnoreCase( - RangerConstants.ROLE_USER) - && enteredURL.contains("/permission") - && !enteredURL.contains("/templates")) { - flag = true; - } - } - if (flag) { - throw restErrorUtil.create403RESTException("Access Denied"); - } - - }*/ - // Module permissions public VXModuleDef createXModuleDefPermission(VXModuleDef vXModuleDef) { - checkAdminAccess(); + + XXModuleDef xModDef = daoManager.getXXModuleDef().findByModuleName(vXModuleDef.getModule()); + + if (xModDef != null) { + throw restErrorUtil.createRESTException("Module Def with same name already exists.", MessageEnums.ERROR_DUPLICATE_OBJECT); + } + return xModuleDefService.createResource(vXModuleDef); } 
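Review bot: `assignPermissionToUser` dereferences the map returned by `getAllModuleNameAndIdMap` without a null check, and that method returns `null` when `getAll()` yields no module definitions, so a fresh or partially-migrated database turns every role assignment into a NullPointerException; have it return an empty map instead (`return new HashMap();` in place of the final `return null;`), or guard the loop. When a constant such as `RangerConstants.MODULE_KEY_MANAGER` has no row, `moduleNameId.get(...)` yields a null `moduleId` that `createOrUpdateUserPermisson` passes straight to the DAO and, on the create branch, persists as a permission with no module; a guard at the top, `if (moduleId == null) { logger.warn("No module def found for user " + portalUserId + ", skipping permission"); return; }`, keeps that out of the table. The update branch of `createOrUpdateUserPermisson` has no `try`/`catch` while the create branch logs and continues, so one failing update aborts the whole `assignPermissionToUser` loop (and the J10003 patch that drives it); the two branches should fail the same way.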
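Review bot: `createXModuleDefPermission` no longer calls `checkAdminAccess()`, so the admin check now exists only in the XUserREST wrappers (the `@@ -761`, `@@ -777`, `@@ -786`, `@@ -827`, `@@ -844`, `@@ -853`, `@@ -889`, `@@ -906` and `@@ -915` hunks of XUserREST.java); the same removal applies to `updateXModuleDefPermission`, `deleteXModuleDefPermission` and the six user/group permission methods in the later XUserMgr hunks. That is presumably done so `assignPermissionToUser` and the J10003 patch can reach these methods without a logged-in admin, but any other caller of XUserMgr that previously inherited the check silently loses it; a comment on each such method, e.g. `// Authorization is the caller's responsibility (XUserREST calls checkAdminAccess); also invoked from assignPermissionToUser without a session`, makes that contract visible, and keeping a service-level check that is bypassed only by an explicit internal entry point would preserve defence in depth. The new duplicate-name check is check-then-act and does not stop two concurrent requests from both passing it; unless a unique constraint on the module name already exists in the schema, it only catches the sequential case.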
@@ -847,36 +779,28 @@ public VXModuleDef getXModuleDefPermission(Long id) { } public VXModuleDef updateXModuleDefPermission(VXModuleDef vXModuleDef) { - checkAdminAccess(); - List groupPermListNew = vXModuleDef - .getGroupPermList(); + + List groupPermListNew = vXModuleDef.getGroupPermList(); List userPermListNew = vXModuleDef.getUserPermList(); List groupPermListOld = new ArrayList(); List userPermListOld = new ArrayList(); - XXModuleDef xModuleDef = daoManager.getXXModuleDef().getById( - vXModuleDef.getId()); - VXModuleDef vModuleDefPopulateOld = xModuleDefService - .populateViewBean(xModuleDef); - List xgroupPermissionList = daoManager - .getXXGroupPermission().findByModuleId(vXModuleDef.getId(), - true); + XXModuleDef xModuleDef = daoManager.getXXModuleDef().getById(vXModuleDef.getId()); + VXModuleDef vModuleDefPopulateOld = xModuleDefService.populateViewBean(xModuleDef); + + List xgroupPermissionList = daoManager.getXXGroupPermission().findByModuleId(vXModuleDef.getId(), true); for (XXGroupPermission xGrpPerm : xgroupPermissionList) { - VXGroupPermission vXGrpPerm = xGroupPermissionService - .populateViewBean(xGrpPerm); + VXGroupPermission vXGrpPerm = xGroupPermissionService.populateViewBean(xGrpPerm); groupPermListOld.add(vXGrpPerm); } vModuleDefPopulateOld.setGroupPermList(groupPermListOld); - List xuserPermissionList = daoManager - .getXXUserPermission() - .findByModuleId(vXModuleDef.getId(), true); + List xuserPermissionList = daoManager.getXXUserPermission().findByModuleId(vXModuleDef.getId(), true); for (XXUserPermission xUserPerm : xuserPermissionList) { - VXUserPermission vUserPerm = xUserPermissionService - .populateViewBean(xUserPerm); + VXUserPermission vUserPerm = xUserPermissionService.populateViewBean(xUserPerm); userPermListOld.add(vUserPerm); } vModuleDefPopulateOld.setUserPermList(userPermListOld); 
@@ -887,20 +811,16 @@ public VXModuleDef updateXModuleDefPermission(VXModuleDef vXModuleDef) { boolean isExist = false; for (VXGroupPermission oldVXGroupPerm : groupPermListOld) { - if (newVXGroupPerm.getModuleId().equals( - oldVXGroupPerm.getModuleId()) - && newVXGroupPerm.getGroupId().equals( - oldVXGroupPerm.getGroupId())) { - oldVXGroupPerm.setIsAllowed(newVXGroupPerm - .getIsAllowed()); - oldVXGroupPerm = xGroupPermissionService - .updateResource(oldVXGroupPerm); + if (newVXGroupPerm.getModuleId().equals(oldVXGroupPerm.getModuleId()) && newVXGroupPerm.getGroupId().equals(oldVXGroupPerm.getGroupId())) { + if (newVXGroupPerm.getIsAllowed() != oldVXGroupPerm.getIsAllowed()) { + oldVXGroupPerm.setIsAllowed(newVXGroupPerm.getIsAllowed()); + oldVXGroupPerm = this.updateXGroupPermission(oldVXGroupPerm); + } isExist = true; } } if (!isExist) { - newVXGroupPerm = xGroupPermissionService - .createResource(newVXGroupPerm); + newVXGroupPerm = this.createXGroupPermission(newVXGroupPerm); } } } 
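Review bot: `newVXGroupPerm.getIsAllowed() != oldVXGroupPerm.getIsAllowed()` compares by reference if `getIsAllowed()` returns a boxed `Integer` (the surrounding code passes `RangerCommonEnums.IS_ALLOWED` through `setIsAllowed` on view beans populated from entities, which is consistent with a boxed field — confirm against VXGroupPermission); small cached values would make it appear to work while freshly boxed values would not, so an update could be skipped even though the flags differ. Use `!Objects.equals(newVXGroupPerm.getIsAllowed(), oldVXGroupPerm.getIsAllowed())` (java.util.Objects). The same comparison appears for user permissions in the next hunk (`@@ -910,74 +830,143 @@`). `updateXModuleDefPermission` starts and ends outside this hunk.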
@@ -910,74 +830,143 @@ public VXModuleDef updateXModuleDefPermission(VXModuleDef vXModuleDef) { boolean isExist = false; for (VXUserPermission oldVXUserPerm : userPermListOld) { - if (newVXUserPerm.getModuleId().equals( - oldVXUserPerm.getModuleId()) - && newVXUserPerm.getUserId().equals( - oldVXUserPerm.getUserId())) { - oldVXUserPerm - .setIsAllowed(newVXUserPerm.getIsAllowed()); - oldVXUserPerm = xUserPermissionService - .updateResource(oldVXUserPerm); + if (newVXUserPerm.getModuleId().equals(oldVXUserPerm.getModuleId()) && newVXUserPerm.getUserId().equals(oldVXUserPerm.getUserId())) { + if (newVXUserPerm.getIsAllowed() != oldVXUserPerm.getIsAllowed()) { + oldVXUserPerm.setIsAllowed(newVXUserPerm.getIsAllowed()); + oldVXUserPerm = this.updateXUserPermission(oldVXUserPerm); + } isExist = true; } } if (!isExist) { - newVXUserPerm = xUserPermissionService - .createResource(newVXUserPerm); - + newVXUserPerm = this.createXUserPermission(newVXUserPerm); } } } - return xModuleDefService.updateResource(vXModuleDef); + vXModuleDef = xModuleDefService.updateResource(vXModuleDef); + + return vXModuleDef; } public void deleteXModuleDefPermission(Long id, boolean force) { - checkAdminAccess(); xModuleDefService.deleteResource(id); } // User permission - public VXUserPermission createXUserPermission( - VXUserPermission vXUserPermission) { - checkAdminAccess(); - return xUserPermissionService.createResource(vXUserPermission); + public VXUserPermission createXUserPermission(VXUserPermission vXUserPermission) { + + vXUserPermission = xUserPermissionService.createResource(vXUserPermission); + + Set userSessions = sessionMgr.getActiveUserSessionsForPortalUserId(vXUserPermission.getUserId()); + if (!CollectionUtils.isEmpty(userSessions)) { + for (UserSessionBase userSession : userSessions) { + logger.info("Assigning permission to user who's found logged in into system, so updating permission in session of that user: [" + vXUserPermission.getUserName() + + "]"); + 
sessionMgr.resetUserModulePermission(userSession); + } + } + + return vXUserPermission; } public VXUserPermission getXUserPermission(Long id) { return xUserPermissionService.readResource(id); } - public VXUserPermission updateXUserPermission( - VXUserPermission vXUserPermission) { - checkAdminAccess(); - return xUserPermissionService.updateResource(vXUserPermission); + public VXUserPermission updateXUserPermission(VXUserPermission vXUserPermission) { + + vXUserPermission = xUserPermissionService.updateResource(vXUserPermission); + + Set userSessions = sessionMgr.getActiveUserSessionsForPortalUserId(vXUserPermission.getUserId()); + if (!CollectionUtils.isEmpty(userSessions)) { + for (UserSessionBase userSession : userSessions) { + logger.info("Updating permission of user who's found logged in into system, so updating permission in session of user: [" + vXUserPermission.getUserName() + "]"); + sessionMgr.resetUserModulePermission(userSession); + } + } + + return vXUserPermission; } public void deleteXUserPermission(Long id, boolean force) { - checkAdminAccess(); + + XXUserPermission xUserPermission = daoManager.getXXUserPermission().getById(id); + if (xUserPermission == null) { + throw restErrorUtil.createRESTException("No UserPermission found to delete, ID: " + id, MessageEnums.DATA_NOT_FOUND); + } + xUserPermissionService.deleteResource(id); + + Set userSessions = sessionMgr.getActiveUserSessionsForPortalUserId(xUserPermission.getUserId()); + if (!CollectionUtils.isEmpty(userSessions)) { + for (UserSessionBase userSession : userSessions) { + logger.info("deleting permission of user who's found logged in into system, so updating permission in session of that user"); + sessionMgr.resetUserModulePermission(userSession); + } + } } // Group permission - public VXGroupPermission createXGroupPermission( - VXGroupPermission vXGroupPermission) { - checkAdminAccess(); - return xGroupPermissionService.createResource(vXGroupPermission); + public VXGroupPermission 
createXGroupPermission(VXGroupPermission vXGroupPermission) { + + vXGroupPermission = xGroupPermissionService.createResource(vXGroupPermission); + + List grpUsers = daoManager.getXXGroupUser().findByGroupId(vXGroupPermission.getGroupId()); + for (XXGroupUser xGrpUser : grpUsers) { + Set userSessions = sessionMgr.getActiveUserSessionsForXUserId(xGrpUser.getUserId()); + if (!CollectionUtils.isEmpty(userSessions)) { + for (UserSessionBase userSession : userSessions) { + logger.info("Assigning permission to group, one of the user belongs to that group found logged in into system, so updating permission in session of that user"); + sessionMgr.resetUserModulePermission(userSession); + } + } + } + + return vXGroupPermission; } public VXGroupPermission getXGroupPermission(Long id) { return xGroupPermissionService.readResource(id); } - public VXGroupPermission updateXGroupPermission( - VXGroupPermission vXGroupPermission) { - checkAdminAccess(); - return xGroupPermissionService.updateResource(vXGroupPermission); + public VXGroupPermission updateXGroupPermission(VXGroupPermission vXGroupPermission) { + + vXGroupPermission = xGroupPermissionService.updateResource(vXGroupPermission); + + List grpUsers = daoManager.getXXGroupUser().findByGroupId(vXGroupPermission.getGroupId()); + for (XXGroupUser xGrpUser : grpUsers) { + Set userSessions = sessionMgr.getActiveUserSessionsForXUserId(xGrpUser.getUserId()); + if (!CollectionUtils.isEmpty(userSessions)) { + for (UserSessionBase userSession : userSessions) { + logger.info("Assigning permission to group whose one of the user found logged in into system, so updating permission in session of that user"); + sessionMgr.resetUserModulePermission(userSession); + } + } + } + + return vXGroupPermission; } public void deleteXGroupPermission(Long id, boolean force) { - checkAdminAccess(); + + XXGroupPermission xGrpPerm = daoManager.getXXGroupPermission().getById(id); + + if (xGrpPerm == null) { + throw restErrorUtil.createRESTException("No 
GroupPermission object with ID: [" + id + "found.", MessageEnums.DATA_NOT_FOUND); + } + xGroupPermissionService.deleteResource(id); + + List grpUsers = daoManager.getXXGroupUser().findByGroupId(xGrpPerm.getGroupId()); + for (XXGroupUser xGrpUser : grpUsers) { + Set userSessions = sessionMgr.getActiveUserSessionsForXUserId(xGrpUser.getUserId()); + if (!CollectionUtils.isEmpty(userSessions)) { + for (UserSessionBase userSession : userSessions) { + logger.info("deleting permission of the group whose one of the user found logged in into system, so updating permission in session of that user"); + sessionMgr.resetUserModulePermission(userSession); + } + } + } } public void modifyUserActiveStatus(HashMap statusMap) { diff --git a/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java b/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java index 37b2049afe4..59e55f3e1db 100644 --- a/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java +++ b/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java @@ -22,6 +22,7 @@ import java.io.Serializable; import java.util.ArrayList; import java.util.List; +import java.util.concurrent.CopyOnWriteArraySet; import org.apache.ranger.entity.XXAuthSession; import org.apache.ranger.entity.XXPortalUser; @@ -36,7 +37,9 @@ public class UserSessionBase implements Serializable { private boolean keyAdmin = false; private int authProvider = RangerConstants.USER_APP; private List userRoleList = new ArrayList(); + private RangerUserPermission rangerUserPermission; int clientTimeOffsetInMinute = 0; + public Long getUserId() { if (xXPortalUser != null) { return xXPortalUser.getId(); @@ -58,14 +61,9 @@ public Long getSessionId() { return null; } - - public boolean isUserAdmin() { return userAdmin; } - - - public void setUserAdmin(boolean userAdmin) { this.userAdmin = userAdmin; 
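Review bot: The error message in `deleteXGroupPermission` is missing its closing bracket: `"No GroupPermission object with ID: [" + id + "found."` renders as `[5found.`; use `"No GroupPermission object with ID: [" + id + "] found."` (and the `deleteXUserPermission` message uses a different format, `ID: 5`, so the two should match). The find-active-sessions-and-reset loop is now written out six times across the user and group permission methods with six slightly different log messages; two private helpers would make the revocation path reviewable in one place, as sketched below. In `createXGroupPermission` and `updateXGroupPermission` the per-group loop calls `getActiveUserSessionsForXUserId` once per member, and each call rescans every HTTP session on the node, so a large group makes one permission change cost members × sessions; resolving the member set once and filtering sessions against it would be linear.
```java
// … unchanged: createXUserPermission up to createResource(...) …
        resetSessionsForPortalUser(vXUserPermission.getUserId(), "permission assigned to user");
// … unchanged: return; same one-line replacement in updateXUserPermission and deleteXUserPermission …
// … unchanged: createXGroupPermission up to createResource(...) …
        resetSessionsForGroup(vXGroupPermission.getGroupId(), "permission assigned to group");
// … unchanged: return; same one-line replacement in updateXGroupPermission and deleteXGroupPermission …

    /** Re-reads module permissions into every active session of the given portal user on this node. */
    private void resetSessionsForPortalUser(Long portalUserId, String reason) {
        Set userSessions = sessionMgr.getActiveUserSessionsForPortalUserId(portalUserId);
        if (CollectionUtils.isEmpty(userSessions)) {
            return;
        }
        for (UserSessionBase userSession : userSessions) {
            logger.info(reason + ": portal user [" + portalUserId + "] is logged in, refreshing permissions in session");
            sessionMgr.resetUserModulePermission(userSession);
        }
    }

    /** Same as resetSessionsForPortalUser, applied to every member of the given group. */
    private void resetSessionsForGroup(Long groupId, String reason) {
        for (XXGroupUser xGrpUser : daoManager.getXXGroupUser().findByGroupId(groupId)) {
            Set userSessions = sessionMgr.getActiveUserSessionsForXUserId(xGrpUser.getUserId());
            if (CollectionUtils.isEmpty(userSessions)) {
                continue;
            }
            for (UserSessionBase userSession : userSessions) {
                logger.info(reason + ": group [" + groupId + "] member [" + xGrpUser.getUserId() + "] is logged in, refreshing permissions in session");
                sessionMgr.resetUserModulePermission(userSession);
            }
        }
    }
```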
@@ -75,13 +73,6 @@ public XXPortalUser getXXPortalUser() { return xXPortalUser; } - public String getUserName() { - if (xXPortalUser != null) { - return xXPortalUser.getFirstName() + " " + xXPortalUser.getLastName(); - } - return null; - } - public void setXXAuthSession(XXAuthSession gjAuthSession) { this.xXAuthSession = gjAuthSession; } @@ -121,4 +112,52 @@ public void setKeyAdmin(boolean keyAdmin) { this.keyAdmin = keyAdmin; } + /** + * @return the rangerUserPermission + */ + public RangerUserPermission getRangerUserPermission() { + return rangerUserPermission; + } + + /** + * @param rangerUserPermission the rangerUserPermission to set + */ + public void setRangerUserPermission(RangerUserPermission rangerUserPermission) { + this.rangerUserPermission = rangerUserPermission; + } + + + + public static class RangerUserPermission { + + protected CopyOnWriteArraySet userPermissions; + protected Long lastUpdatedTime; + + /** + * @return the userPermissions + */ + public CopyOnWriteArraySet getUserPermissions() { + return userPermissions; + } + /** + * @param userPermissions the userPermissions to set + */ + public void setUserPermissions(CopyOnWriteArraySet userPermissions) { + this.userPermissions = userPermissions; + } + /** + * @return the lastUpdatedTime + */ + public Long getLastUpdatedTime() { + return lastUpdatedTime; + } + /** + * @param lastUpdatedTime the lastUpdatedTime to set + */ + public void setLastUpdatedTime(Long lastUpdatedTime) { + this.lastUpdatedTime = lastUpdatedTime; + } + + } + } diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXGroupPermissionDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXGroupPermissionDao.java index 3121e7a5912..db69ceadfe5 100644 --- a/security-admin/src/main/java/org/apache/ranger/db/XXGroupPermissionDao.java +++ b/security-admin/src/main/java/org/apache/ranger/db/XXGroupPermissionDao.java 
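Review bot: `RangerUserPermission` is stored in a field of `UserSessionBase`, which `implements Serializable`, but the nested class does not, so any container that persists or replicates HTTP sessions will fail with `NotSerializableException` on the first session whose permissions have been loaded; declare it `public static class RangerUserPermission implements Serializable` with a `serialVersionUID`. The getters and setters carry only generated `@return the rangerUserPermission` style Javadoc; what a maintainer needs is the contract, e.g. on the class: `Module permissions cached in the session for RangerPreAuthSecurityHandler; lastUpdatedTime is epoch millis, and SessionMgr.refreshPermissionsIfNeeded re-reads the set once it is older than SESSION_UPDATE_INTERVAL_IN_MILLIS or after a permission change on this node`. `CopyOnWriteArraySet` is used raw here and in `RangerPreAuthSecurityHandler`; the field, getter and setter should be typed (`Set<String>` if the elements are module names — confirm against `resetUserModulePermission`, which is outside this diff). The previous hunk (`@@ -75,13 +73,6 @@`) removes `getUserName()`; nothing in this diff shows its callers, so confirm none remain.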
@@ -26,7 +26,6 @@ import org.apache.ranger.common.RangerCommonEnums; import org.apache.ranger.common.db.BaseDao; import org.apache.ranger.entity.XXGroupPermission; -import org.apache.ranger.entity.XXUserPermission; public class XXGroupPermissionDao extends BaseDao { @@ -100,4 +99,19 @@ public List findbyVXPoratUserId(Long userId) { } return null; } + + public XXGroupPermission findByModuleIdAndGroupId(Long groupId, Long moduleId) { + if (groupId != null && moduleId != null) { + try { + return getEntityManager().createNamedQuery("XXGroupPermission.findByModuleIdAndGroupId", tClass).setParameter("groupId", groupId).setParameter("moduleId", moduleId) + .getSingleResult(); + } catch (NoResultException e) { + logger.debug(e.getMessage()); + } + } else { + return null; + } + return null; + } + } diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java index 104e1884234..ffc3c328b33 100644 --- a/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java +++ b/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java @@ -81,4 +81,15 @@ public List findGroupIdListByUserId(Long xUserId) { return null; } + public List findByGroupId(Long groupId) { + if (groupId == null) { + return new ArrayList(); + } + try { + return getEntityManager().createNamedQuery("XXGroupUser.findByGroupId", tClass).setParameter("groupId", groupId).getResultList(); + } catch (NoResultException e) { + return new ArrayList(); + } + } + } diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXModuleDefDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXModuleDefDao.java index fa2b3d99b75..dd9ae5fc090 100644 --- a/security-admin/src/main/java/org/apache/ranger/db/XXModuleDefDao.java +++ b/security-admin/src/main/java/org/apache/ranger/db/XXModuleDefDao.java 
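Review bot: `findByModuleIdAndGroupId` catches only `NoResultException`, so if a group already has two rows for the same module — nothing in this change adds a unique constraint, and the new `validateForCreate` only blocks sequential duplicates — `getSingleResult()` throws `NonUniqueResultException` out of `validateForCreate`/`validateForUpdate` and the caller sees a server error instead of a validation error. The control flow also reads oddly: an `else { return null; }` followed by an unconditional `return null;`, with the null check spelled as `groupId != null && moduleId != null` around the whole body; an early return makes the intent clear. Using `getResultList()` and taking the first row, with a warning when more than one exists, keeps the method total over legacy data, as below (`List` is already imported by this file, per `findbyVXPoratUserId`).
```java
    public XXGroupPermission findByModuleIdAndGroupId(Long groupId, Long moduleId) {
        if (groupId == null || moduleId == null) {
            return null;
        }
        List<XXGroupPermission> rows = getEntityManager()
                .createNamedQuery("XXGroupPermission.findByModuleIdAndGroupId", tClass)
                .setParameter("groupId", groupId).setParameter("moduleId", moduleId)
                .getResultList();
        if (rows.isEmpty()) {
            return null;
        }
        if (rows.size() > 1) {
            // nothing in this change enforces (group, module) uniqueness; report legacy duplicates instead of failing
            logger.warn("multiple XXGroupPermission rows for groupId=" + groupId + " moduleId=" + moduleId);
        }
        return rows.get(0);
    }
```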
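Review bot: `getResultList()` never throws `NoResultException` (JPA returns an empty list), so the `catch` in `XXGroupUserDao.findByGroupId` is dead code and the method can be just the null check plus the query; if the intent is to shield callers from persistence errors, catch the actual exception type and log it rather than silently returning an empty list, since an empty result here means `createXGroupPermission` and friends skip the session reset for every member of the group. `new ArrayList()` is raw; `new ArrayList<XXGroupUser>()` (or `Collections.emptyList()` for the null-argument case) matches the declared element type.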
@@ -66,16 +66,6 @@ public XXModuleDef findByModuleId(Long id) { return new XXModuleDef(); } } - @SuppressWarnings("unchecked") - public List findModuleNamesWithIds() { - try { - return getEntityManager() - .createNamedQuery("XXModuleDef.findModuleNamesWithIds") - .getResultList(); - } catch (NoResultException e) { - return null; - } - } @SuppressWarnings("unchecked") public List findModuleURLOfPemittedModules(Long userId) { diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXUserPermissionDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXUserPermissionDao.java index 1956b30abef..e10dc14fdcb 100644 --- a/security-admin/src/main/java/org/apache/ranger/db/XXUserPermissionDao.java +++ b/security-admin/src/main/java/org/apache/ranger/db/XXUserPermissionDao.java @@ -99,20 +99,19 @@ public List findByUserPermissionId(Long userId) { return null; } - public List findByModuleIdAndUserId(Long userId,Long moduleId) { + public XXUserPermission findByModuleIdAndUserId(Long userId, Long moduleId) { if (userId != null) { try { - return getEntityManager() - .createNamedQuery("XXUserPermission.findByModuleIdAndUserId", XXUserPermission.class) + return getEntityManager().createNamedQuery("XXUserPermission.findByModuleIdAndUserId", XXUserPermission.class) .setParameter("userId", userId) .setParameter("moduleId", moduleId) - .getResultList(); + .getSingleResult(); } catch (NoResultException e) { logger.debug(e.getMessage()); } } else { logger.debug("ResourceUserId not provided."); - return new ArrayList(); + return null; } return null; } diff --git a/security-admin/src/main/java/org/apache/ranger/patch/PatchPersmissionModel_J10003.java b/security-admin/src/main/java/org/apache/ranger/patch/PatchPersmissionModel_J10003.java index 841e3864084..f0aa938dd91 100644 --- a/security-admin/src/main/java/org/apache/ranger/patch/PatchPersmissionModel_J10003.java +++ b/security-admin/src/main/java/org/apache/ranger/patch/PatchPersmissionModel_J10003.java 
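Review bot: Switching `findByModuleIdAndUserId` from `getResultList()` to `getSingleResult()` turns a second row for the same (user, module) pair into an uncaught `NonUniqueResultException`: the removed loop in `insertMappingUserPermisson` (XUserMgr hunk `@@ -227,101 +231,64 @@`) iterated over multiple matches, which suggests such rows can exist in databases created before this change, and `createOrUpdateUserPermisson` does not catch it, so `assignPermissionToExistingUsers` in the J10003 patch would abort on the first affected user. Catch `NonUniqueResultException` next to `NoResultException` (log at warn and return the first match via `getResultList()`), or ship the patch with a de-duplication step and a unique constraint on (user_id, module_id). `moduleId` is not null-checked the way `userId` is, so a null there reaches the query as a bound parameter.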
@@ -70,27 +70,27 @@ public void init() throws Exception { @Override public void execLoad() { logger.info("==> PermissionPatch.execLoad()"); - printStats(); + assignPermissionToExistingUsers(); logger.info("<== PermissionPatch.execLoad()"); } - @Override - public void printStats() { + public void assignPermissionToExistingUsers() { int countUserPermissionUpdated = 1; - List allPortalUser = daoManager.getXXPortalUser() - .findAllXPortalUser(); + List allPortalUser = daoManager.getXXPortalUser().findAllXPortalUser(); List vPortalUsers = new ArrayList(); for (XXPortalUser xPortalUser : allPortalUser) { - VXPortalUser vPortalUser = xPortalUserService - .populateViewBean(xPortalUser); + VXPortalUser vPortalUser = xPortalUserService.populateViewBean(xPortalUser); vPortalUsers.add(vPortalUser); - vPortalUser.setUserRoleList(daoManager.getXXPortalUser() - .findXPortalUserRolebyXPortalUserId(vPortalUser.getId())); + vPortalUser.setUserRoleList(daoManager.getXXPortalUser().findXPortalUserRolebyXPortalUserId(vPortalUser.getId())); xUserMgr.assignPermissionToUser(vPortalUser, false); countUserPermissionUpdated += 1; - logger.info(" Permission was assigned to UserId - " - + xPortalUser.getId()); + logger.info(" Permission was assigned to UserId - " + xPortalUser.getId()); } logger.info(countUserPermissionUpdated + " permissions where assigned"); } + + @Override + public void printStats() { + } + } diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java index 472dad6bb37..0b58c9197c3 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java 
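Review bot: `countUserPermissionUpdated` starts at `1` and is incremented once per user, so the final `logger.info(countUserPermissionUpdated + " permissions where assigned")` overstates the count by one (and "where" should be "were"); this is pre-existing, but the method is being renamed here, so `int countUserPermissionUpdated = 0;` is a cheap fix to fold in. The new empty `printStats()` override should say why it is empty, e.g. `// nothing to report: assignPermissionToExistingUsers() logs its own summary`, otherwise the next reader assumes the statistics were lost. `assignPermissionToExistingUsers` is public and carries no Javadoc; a one-liner such as `Assigns the default module permissions for each existing portal user's roles; re-runnable, since isCreate=false leaves existing rows untouched` would document the contract the patch relies on — the `isCreate=false` semantics live in `createOrUpdateUserPermisson`, outside this hunk.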
@@ -761,6 +761,7 @@ public VXAuthSession getAuthSession(@Context HttpServletRequest request){ @Produces({ "application/xml", "application/json" }) @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_MODULE_DEF_PERMISSION + "\")") public VXModuleDef createXModuleDefPermission(VXModuleDef vXModuleDef) { + xUserMgr.checkAdminAccess(); return xUserMgr.createXModuleDefPermission(vXModuleDef); } @@ -777,6 +778,7 @@ public VXModuleDef getXModuleDefPermission(@PathParam("id") Long id) { @Produces({ "application/xml", "application/json" }) @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_MODULE_DEF_PERMISSION + "\")") public VXModuleDef updateXModuleDefPermission(VXModuleDef vXModuleDef) { + xUserMgr.checkAdminAccess(); return xUserMgr.updateXModuleDefPermission(vXModuleDef); } @@ -786,6 +788,7 @@ public VXModuleDef updateXModuleDefPermission(VXModuleDef vXModuleDef) { public void deleteXModuleDefPermission(@PathParam("id") Long id, @Context HttpServletRequest request) { boolean force = true; + xUserMgr.checkAdminAccess(); xUserMgr.deleteXModuleDefPermission(id, force); } @@ -827,6 +830,7 @@ public VXLong countXModuleDef(@Context HttpServletRequest request) { @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_USER_PERMISSION + "\")") public VXUserPermission createXUserPermission( VXUserPermission vXUserPermission) { + xUserMgr.checkAdminAccess(); return xUserMgr.createXUserPermission(vXUserPermission); } @@ -844,6 +848,7 @@ public VXUserPermission getXUserPermission(@PathParam("id") Long id) { @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_USER_PERMISSION + "\")") public VXUserPermission updateXUserPermission( VXUserPermission vXUserPermission) { + xUserMgr.checkAdminAccess(); return xUserMgr.updateXUserPermission(vXUserPermission); } 
@@ -853,6 +858,7 @@ public VXUserPermission updateXUserPermission( public void deleteXUserPermission(@PathParam("id") Long id, @Context HttpServletRequest request) { boolean force = true; + xUserMgr.checkAdminAccess(); xUserMgr.deleteXUserPermission(id, force); } @@ -889,6 +895,7 @@ public VXLong countXUserPermission(@Context HttpServletRequest request) { @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_GROUP_PERMISSION + "\")") public VXGroupPermission createXGroupPermission( VXGroupPermission vXGroupPermission) { + xUserMgr.checkAdminAccess(); return xUserMgr.createXGroupPermission(vXGroupPermission); } @@ -906,6 +913,7 @@ public VXGroupPermission getXGroupPermission(@PathParam("id") Long id) { @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_GROUP_PERMISSION + "\")") public VXGroupPermission updateXGroupPermission( VXGroupPermission vXGroupPermission) { + xUserMgr.checkAdminAccess(); return xUserMgr.updateXGroupPermission(vXGroupPermission); } @@ -915,6 +923,7 @@ public VXGroupPermission updateXGroupPermission( public void deleteXGroupPermission(@PathParam("id") Long id, @Context HttpServletRequest request) { boolean force = true; + xUserMgr.checkAdminAccess(); xUserMgr.deleteXGroupPermission(id, force); } diff --git a/security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java b/security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java index 6d132e6c751..daf732e323d 100644 --- a/security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java +++ b/security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java 
@@ -19,19 +19,18 @@ package org.apache.ranger.security.context; -import java.util.List; import java.util.Set; +import java.util.concurrent.CopyOnWriteArraySet; import javax.servlet.http.HttpServletResponse; import org.apache.commons.collections.CollectionUtils; import org.apache.log4j.Logger; +import org.apache.ranger.biz.SessionMgr; import org.apache.ranger.common.ContextUtil; -import org.apache.ranger.common.MessageEnums; import org.apache.ranger.common.RESTErrorUtil; import org.apache.ranger.common.UserSessionBase; import org.apache.ranger.db.RangerDaoManager; -import org.apache.ranger.entity.XXUser; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; @@ -47,6 +46,9 @@ public class RangerPreAuthSecurityHandler { @Autowired RangerAPIMapping rangerAPIMapping; + + @Autowired + SessionMgr sessionMgr; public boolean isAPIAccessible(String methodName) throws Exception { 
@@ -77,14 +79,15 @@ public boolean isAPIAccessible(String methodName) throws Exception { public boolean isAPIAccessible(Set associatedTabs) throws Exception { - XXUser xUser = daoManager.getXXUser().findByUserName(ContextUtil.getCurrentUserLoginId()); - if (xUser == null) { - restErrorUtil.createRESTException("x_user cannot be null.", MessageEnums.ERROR_SYSTEM); - } - - List accessibleModules = daoManager.getXXModuleDef().findAccessibleModulesByUserId(ContextUtil.getCurrentUserId(), xUser.getId()); - if (CollectionUtils.containsAny(accessibleModules, associatedTabs)) { - return true; + UserSessionBase userSession = ContextUtil.getCurrentUserSession(); + if (userSession != null) { + sessionMgr.refreshPermissionsIfNeeded(userSession); + if (userSession.getRangerUserPermission() != null) { + CopyOnWriteArraySet accessibleModules = userSession.getRangerUserPermission().getUserPermissions(); + if (CollectionUtils.containsAny(accessibleModules, associatedTabs)) { + return true; + } + } } throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "User is not allowed to access the API", true); diff --git a/security-admin/src/main/java/org/apache/ranger/security/listener/RangerHttpSessionListener.java b/security-admin/src/main/java/org/apache/ranger/security/listener/RangerHttpSessionListener.java new file mode 100644 index 00000000000..259a7e7517b --- /dev/null +++ b/security-admin/src/main/java/org/apache/ranger/security/listener/RangerHttpSessionListener.java 
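Review bot: The authorization decision in `isAPIAccessible` is now taken from a per-session cache rather than the database, and nothing in the method says how stale that cache may be: a permission revoked directly in the database, or through another admin node, stays effective on this node until `refreshPermissionsIfNeeded` sees the session as older than `SESSION_UPDATE_INTERVAL_IN_MILLIS`. Add a comment above the `userSession != null` check: `// Permissions are cached per session; SessionMgr refreshes them after SESSION_UPDATE_INTERVAL_IN_MILLIS or when a permission is changed via XUserMgr on this node, so out-of-band revocations take effect with that delay. A missing session or permission object falls through to the 403 below.` `getUserPermissions()` can return null (the setter accepts it), in which case `CollectionUtils.containsAny` throws rather than falling through to the 403; either treat null as empty here or have `RangerUserPermission` initialise the set. `accessibleModules` should be declared as `Set` (or `Set<String>`), not the concrete `CopyOnWriteArraySet`.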
@@ -0,0 +1,48 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.security.listener;
+
+import java.util.concurrent.CopyOnWriteArrayList;
+
+import javax.servlet.http.HttpSession;
+import javax.servlet.http.HttpSessionEvent;
+import javax.servlet.http.HttpSessionListener;
+
+public class RangerHttpSessionListener implements HttpSessionListener {
+
+ private static CopyOnWriteArrayList listOfSession = new CopyOnWriteArrayList();
+
+ @Override
+ public void sessionCreated(HttpSessionEvent event) {
+ listOfSession.add(event.getSession());
+ }
+
+ @Override
+ public void sessionDestroyed(HttpSessionEvent event) {
+ if (listOfSession.size() > 0) {
+ listOfSession.remove(event.getSession());
+ }
+ }
+
+ public static CopyOnWriteArrayList getActiveSessionOnServer() {
+ return listOfSession;
+ }
+
+}
diff --git a/security-admin/src/main/java/org/apache/ranger/service/XGroupPermissionService.java b/security-admin/src/main/java/org/apache/ranger/service/XGroupPermissionService.java
index d5168eb54df..c3bc78dcc70 100644
--- a/security-admin/src/main/java/org/apache/ranger/service/XGroupPermissionService.java
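Review bot: `getActiveSessionOnServer()` returns the mutable static list itself, so any caller that obtains it can add or remove `HttpSession` entries in the server-wide registry; return `Collections.unmodifiableList(listOfSession)` (or a copy) and type the field as `CopyOnWriteArrayList<HttpSession>` with a `List<HttpSession>` return type instead of the raw types. The `listOfSession.size() > 0` guard in `sessionDestroyed` is redundant because `remove` on an empty list is a no-op, so the body can be just `listOfSession.remove(event.getSession());`. A class-level Javadoc should also say that this list holds strong references to every live session and is only as accurate as the container's `sessionDestroyed` callbacks, which is presumably why the `size()` check was added — confirm that is the intent rather than a workaround for some other symptom.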
+++ b/security-admin/src/main/java/org/apache/ranger/service/XGroupPermissionService.java @@ -22,6 +22,7 @@ import org.apache.ranger.db.RangerDaoManager; import org.apache.ranger.entity.XXGroup; import org.apache.ranger.entity.XXGroupPermission; +import org.apache.ranger.entity.XXUserPermission; import org.apache.ranger.view.VXGroupPermission; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Scope; @@ -47,12 +48,20 @@ public XGroupPermissionService() { @Override protected void validateForCreate(VXGroupPermission vObj) { - + XXGroupPermission xGroupPerm = daoManager.getXXGroupPermission().findByModuleIdAndGroupId(vObj.getGroupId(), vObj.getModuleId()); + if (xGroupPerm != null) { + throw restErrorUtil.createRESTException("Group with ID [" + vObj.getGroupId() + "] " + "is already " + "assigned to the module with ID [" + vObj.getModuleId() + "]", + MessageEnums.ERROR_DUPLICATE_OBJECT); + } } @Override protected void validateForUpdate(VXGroupPermission vObj, XXGroupPermission mObj) { - + XXGroupPermission xGroupPerm = daoManager.getXXGroupPermission().findByModuleIdAndGroupId(vObj.getGroupId(), vObj.getModuleId()); + if (xGroupPerm != null && !xGroupPerm.getId().equals(vObj.getId())) { + throw restErrorUtil.createRESTException("Group with ID [" + vObj.getGroupId() + "] " + "is already " + "assigned to the module with ID [" + vObj.getModuleId() + "]", + MessageEnums.ERROR_DUPLICATE_OBJECT); + } } @Override diff --git a/security-admin/src/main/java/org/apache/ranger/service/XUserPermissionService.java b/security-admin/src/main/java/org/apache/ranger/service/XUserPermissionService.java index 92b69515513..3ff9c8d0ac0 100644 --- a/security-admin/src/main/java/org/apache/ranger/service/XUserPermissionService.java +++ b/security-admin/src/main/java/org/apache/ranger/service/XUserPermissionService.java 
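Review bot: In `validateForCreate` and `validateForUpdate` the lookup is `findByModuleIdAndGroupId(vObj.getGroupId(), vObj.getModuleId())`, but the method name suggests the parameter order (moduleId, groupId); the DAO signature is not in this diff, so please confirm the order, otherwise the duplicate check silently never matches — the `XUserPermissionService` hunks have the same pattern with `findByModuleIdAndUserId(vObj.getUserId(), vObj.getModuleId())`. The check-then-insert is not atomic, so two concurrent create calls can both pass validation; uniqueness of (moduleId, groupId) and (moduleId, userId) should additionally be enforced by a database unique constraint, with these checks serving to produce the friendlier `ERROR_DUPLICATE_OBJECT` message. The added `import org.apache.ranger.entity.XXUserPermission;` in `XGroupPermissionService` does not appear to be used by the new code shown. The message can be one literal rather than three concatenated fragments: `"Group with ID [" + vObj.getGroupId() + "] is already assigned to the module with ID [" + vObj.getModuleId() + "]"`.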
@@ -20,8 +20,8 @@ import org.apache.ranger.common.MessageEnums; import org.apache.ranger.common.SearchField; import org.apache.ranger.db.RangerDaoManager; +import org.apache.ranger.entity.XXModuleDef; import org.apache.ranger.entity.XXPortalUser; -import org.apache.ranger.entity.XXUser; import org.apache.ranger.entity.XXUserPermission; import org.apache.ranger.view.VXUserPermission; import org.springframework.beans.factory.annotation.Autowired; @@ -47,12 +47,20 @@ public XUserPermissionService() { @Override protected void validateForCreate(VXUserPermission vObj) { - + XXUserPermission xUserPerm = daoManager.getXXUserPermission().findByModuleIdAndUserId(vObj.getUserId(), vObj.getModuleId()); + if (xUserPerm != null) { + throw restErrorUtil.createRESTException("User with ID [" + vObj.getUserId() + "] " + "is already " + "assigned to the module with ID [" + vObj.getModuleId() + "]", + MessageEnums.ERROR_DUPLICATE_OBJECT); + } } @Override protected void validateForUpdate(VXUserPermission vObj, XXUserPermission mObj) { - + XXUserPermission xUserPerm = daoManager.getXXUserPermission().findByModuleIdAndUserId(vObj.getUserId(), vObj.getModuleId()); + if (xUserPerm != null && !xUserPerm.getId().equals(vObj.getId())) { + throw restErrorUtil.createRESTException("User with ID [" + vObj.getUserId() + "] " + "is already " + "assigned to the module with ID [" + vObj.getModuleId() + "]", + MessageEnums.ERROR_DUPLICATE_OBJECT); + } } @Override @@ -68,6 +76,12 @@ public VXUserPermission populateViewBean(XXUserPermission xObj) { } vObj.setUserName(xUser.getLoginId()); + + XXModuleDef xModuleDef = daoManager.getXXModuleDef().getById(xObj.getModuleId()); + if (xModuleDef != null) { + vObj.setModuleName(xModuleDef.getModule()); + } + return vObj; } diff --git a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml index ac4c753853b..0370e9abe60 100644 
--- a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml +++ b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml @@ -177,6 +177,11 @@
+ + SELECT obj FROM XXGroupUser obj WHERE obj.parentGroupId=:groupId + + + SELECT obj FROM XXTrxLog obj WHERE obj.transactionId = :transactionId @@ -490,10 +495,9 @@ WHERE XXUserPermObj.moduleId = :moduleId AND XXUserPermObj.userId =:userId - - - SELECT XXMObj - FROM XXModuleDef XXMObj + + + SELECT obj FROM XXGroupPermission obj WHERE obj.moduleId = :moduleId AND obj.groupId =:groupId diff --git a/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java b/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java index ab149ad1b53..cda423e80b3 100644 --- a/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java +++ b/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java @@ -20,6 +20,7 @@ import java.util.Collection; import java.util.Date; import java.util.HashMap; +import java.util.HashSet; import java.util.List; import java.util.Set; @@ -129,6 +130,9 @@ public class TestXUserMgr { @Mock XPortalUserService xPortalUserService; + + @Mock + SessionMgr sessionMgr; @Rule public ExpectedException thrown = ExpectedException.none(); @@ -225,7 +229,6 @@ public void test11CreateXUser() { XXModuleDefDao value = Mockito.mock(XXModuleDefDao.class); Mockito.when(daoManager.getXXModuleDef()).thenReturn(value); List lsvalue = new ArrayList(); - Mockito.when(value.findModuleNamesWithIds()).thenReturn(lsvalue); Mockito.when( userMgr.createDefaultAccountUser((VXPortalUser) Mockito @@ -250,7 +253,6 @@ public void test11CreateXUser() { Mockito.verify(userMgr).createDefaultAccountUser( (VXPortalUser) Mockito.anyObject()); Mockito.verify(daoManager).getXXModuleDef(); - Mockito.verify(value).findModuleNamesWithIds(); Assert.assertNotNull(dbvxUser); Assert.assertEquals(userId, dbvxUser.getId()); Assert.assertEquals(dbvxUser.getDescription(), vxUser.getDescription()); 
@@ -726,6 +728,8 @@ public void test31createXModuleDefPermission() { Mockito.when(xModuleDefService.createResource(vXModuleDef)).thenReturn( vXModuleDef); + XXModuleDefDao obj = Mockito.mock(XXModuleDefDao.class); + Mockito.when(daoManager.getXXModuleDef()).thenReturn(obj); VXModuleDef dbMuduleDef = xUserMgr .createXModuleDefPermission(vXModuleDef); @@ -825,7 +829,17 @@ public void test33updateXModuleDefPermission() { xGroupPermission); Mockito.when(xGroupPermissionService.populateViewBean(xGroupPermission)) .thenReturn(vXGroupPermission); - + XXGroupUserDao xGrpUserDao = Mockito.mock(XXGroupUserDao.class); + Mockito.when(daoManager.getXXGroupUser()).thenReturn(xGrpUserDao); + + UserSessionBase userSession = Mockito.mock(UserSessionBase.class); + Set userSessions = new HashSet(); + userSessions.add(userSession); + + Mockito.when(xGroupPermissionService.createResource((VXGroupPermission) Mockito.anyObject())).thenReturn(vXGroupPermission); + Mockito.when(xUserPermissionService.createResource((VXUserPermission) Mockito.anyObject())).thenReturn(vXUserPermission); + Mockito.when(sessionMgr.getActiveUserSessionsForPortalUserId(userId)).thenReturn(userSessions); + VXModuleDef dbMuduleDef = xUserMgr .updateXModuleDefPermission(vXModuleDef); Assert.assertEquals(dbMuduleDef, vXModuleDef); @@ -962,6 +976,10 @@ public void test38deleteXUserPermission() { Mockito.when(xUserPermissionService.deleteResource(1L)) .thenReturn(true); + XXUserPermission xUserPerm = Mockito.mock(XXUserPermission.class); + XXUserPermissionDao xUserPermDao = Mockito.mock(XXUserPermissionDao.class); + Mockito.when(daoManager.getXXUserPermission()).thenReturn(xUserPermDao); + Mockito.when(daoManager.getXXUserPermission().getById(1L)).thenReturn(xUserPerm); xUserMgr.deleteXUserPermission(1L, true); Mockito.verify(xUserPermissionService).deleteResource(1L); } 
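Review bot: In `test38deleteXUserPermission` the stub `Mockito.when(daoManager.getXXUserPermission().getById(1L))` reaches `getById` through the already-stubbed `daoManager` mock, which records an extra interaction on it and hides which mock is being configured; stubbing the DAO mock directly, `Mockito.when(xUserPermDao.getById(1L)).thenReturn(xUserPerm);`, reads as intended. `test42deleteXGroupPermission` uses the same indirection with `daoManager.getXXGroupPermission().getById(1L)` and `xGrpPermDao`. The `userSessions` set in `test33updateXModuleDefPermission` is a raw `Set`/`HashSet`; `Set<UserSessionBase> userSessions = new HashSet<UserSessionBase>();` matches the mocked element type, assuming that is what `getActiveUserSessionsForPortalUserId` returns.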
@@ -970,9 +988,11 @@ public void test38deleteXUserPermission() { public void test39createXGroupPermission() { VXGroupPermission vXGroupPermission = vXGroupPermission(); - Mockito.when(xGroupPermissionService.createResource(vXGroupPermission)) - .thenReturn(vXGroupPermission); - + XXGroupUserDao xGrpUserDao = Mockito.mock(XXGroupUserDao.class); + Mockito.when(daoManager.getXXGroupUser()).thenReturn(xGrpUserDao); + + Mockito.when(xGroupPermissionService.createResource(vXGroupPermission)).thenReturn(vXGroupPermission); + VXGroupPermission dbGroupPermission = xUserMgr .createXGroupPermission(vXGroupPermission); Assert.assertNotNull(dbGroupPermission); @@ -1036,8 +1056,9 @@ public void test40getXGroupPermission() { public void test41updateXGroupPermission() { VXGroupPermission vXGroupPermission = vXGroupPermission(); - Mockito.when(xGroupPermissionService.updateResource(vXGroupPermission)) - .thenReturn(vXGroupPermission); + XXGroupUserDao xGrpUserDao = Mockito.mock(XXGroupUserDao.class); + Mockito.when(daoManager.getXXGroupUser()).thenReturn(xGrpUserDao); + Mockito.when(xGroupPermissionService.updateResource(vXGroupPermission)).thenReturn(vXGroupPermission); VXGroupPermission dbGroupPermission = xUserMgr .updateXGroupPermission(vXGroupPermission); 
@@ -1069,12 +1090,20 @@ public void test41updateXGroupPermission() { @Test public void test42deleteXGroupPermission() { - Mockito.when(xGroupPermissionService.deleteResource(1L)).thenReturn( - true); + XXGroupPermissionDao xGrpPermDao = Mockito.mock(XXGroupPermissionDao.class); + XXGroupPermission xGrpPerm = Mockito.mock(XXGroupPermission.class); + + Mockito.when(daoManager.getXXGroupPermission()).thenReturn(xGrpPermDao); + Mockito.when(daoManager.getXXGroupPermission().getById(1L)).thenReturn(xGrpPerm); + + XXGroupUserDao xGrpUserDao = Mockito.mock(XXGroupUserDao.class); + Mockito.when(daoManager.getXXGroupUser()).thenReturn(xGrpUserDao); + + Mockito.when(xGroupPermissionService.deleteResource(1L)).thenReturn(true); xUserMgr.deleteXGroupPermission(1L, true); Mockito.verify(xGroupPermissionService).deleteResource(1L); } - + /*@Test public void test43checkPermissionRoleByGivenUrls() { XXModuleDefDao value = Mockito.mock(XXModuleDefDao.class); From 132f3f2365d1f1629e218d078272dd3acd63bd8f Mon Sep 17 00:00:00 2001 From: Gautam Borad Date: Tue, 6 Oct 2015 12:36:29 +0530 Subject: [PATCH 065/202] RANGER-677 : Ranger Admin fails to render policies referring to groups that contain . (dot) in name --- .../src/main/java/org/apache/ranger/common/StringUtil.java | 1 - .../src/main/java/org/apache/ranger/rest/XUserREST.java | 6 ++---- security-admin/src/main/webapp/META-INF/context.xml | 4 ++-- security-admin/src/main/webapp/WEB-INF/web.xml | 5 ++++- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/security-admin/src/main/java/org/apache/ranger/common/StringUtil.java b/security-admin/src/main/java/org/apache/ranger/common/StringUtil.java index 1eaff1a082b..f5990b4f8d1 100644 --- a/security-admin/src/main/java/org/apache/ranger/common/StringUtil.java +++ b/security-admin/src/main/java/org/apache/ranger/common/StringUtil.java 
@@ -36,7 +36,6 @@ public class StringUtil implements Serializable { static final public String VALIDATION_NAME = "[\\w\\ \\-\\']*"; static final public String VALIDATION_TEXT = "[a-zA-Z0-9\\ \"!@#$%^&*()-_=+;:'"|~`<>?/{}\\.\\,\\-\\?<>]*"; - // Only for Student loginId static final public String VALIDATION_LOGINID = "[a-z,A-Z][\\w\\-\\_]*[a-z,A-Z,0-9]"; static final public String VALIDATION_ALPHA = "[a-z,A-Z]*"; diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java index 0b58c9197c3..b7884ebfffc 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java @@ -225,11 +225,9 @@ public void deleteXGroup(@PathParam("id") Long id, public VXGroupList searchXGroups(@Context HttpServletRequest request) { SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, xGroupService.sortFields); - searchUtil.extractString(request, searchCriteria, "name", "group name", - StringUtil.VALIDATION_NAME); + searchUtil.extractString(request, searchCriteria, "name", "group name", null); searchUtil.extractInt(request, searchCriteria, "isVisible", "Group Visibility"); - searchUtil.extractString(request, searchCriteria, "groupSource", "group source", - StringUtil.VALIDATION_NAME); + searchUtil.extractString(request, searchCriteria, "groupSource", "group source", null); return xUserMgr.searchXGroups(searchCriteria); } diff --git a/security-admin/src/main/webapp/META-INF/context.xml b/security-admin/src/main/webapp/META-INF/context.xml index 7a573f68800..9c7ea95d78f 100644 --- a/security-admin/src/main/webapp/META-INF/context.xml +++ b/security-admin/src/main/webapp/META-INF/context.xml @@ -14,7 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. --> - + - \ No newline at end of file + 
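Review bot: Passing `null` as the validation pattern for the `name` and `groupSource` search parameters in `searchXGroups` removes input validation on those request values entirely, whereas the reported problem (group names containing a dot) only needs the dot admitted by `VALIDATION_NAME`; a narrower fix is a dedicated pattern in `StringUtil`, e.g. `static final public String VALIDATION_GROUP_NAME = "[\\w\\ \\-\\'\\.]*";`, used in both `extractString` calls. If unvalidated values are intended, a comment on `searchXGroups` should say so and confirm that `xUserMgr.searchXGroups(searchCriteria)` only ever binds these strings as query parameters, which is not visible from this hunk.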
diff --git a/security-admin/src/main/webapp/WEB-INF/web.xml b/security-admin/src/main/webapp/WEB-INF/web.xml index cbd57243c02..0725633ca64 100644 --- a/security-admin/src/main/webapp/WEB-INF/web.xml +++ b/security-admin/src/main/webapp/WEB-INF/web.xml @@ -79,6 +79,9 @@ 60 COOKIE + + true + 500 @@ -88,4 +91,4 @@ 404 /public/error404.jsp - \ No newline at end of file + From 4568ff5928458200aa600e713edfdd56ba61afff Mon Sep 17 00:00:00 2001 
From: Alok Lal Date: Mon, 21 Sep 2015 12:06:20 -0700 Subject: [PATCH 066/202] RANGER-682 Add support for audit to Azure Blob Storage via HDFS audit handler --- .../destination/HDFSAuditDestination.java | 37 +++++++++++---- .../audit/provider/BaseAuditHandler.java | 19 ++++++-- .../provider/hdfs/HdfsAuditProvider.java | 3 ++ .../provider/hdfs/HdfsLogDestination.java | 26 +++++++++- .../utils/install/XmlConfigChanger.java | 47 +++++++++++++++---- .../conf/ranger-hbase-audit-changes.cfg | 5 ++ hbase-agent/conf/ranger-hbase-audit.xml | 40 +++++++++++++++- hbase-agent/scripts/install.properties | 11 +++++ hdfs-agent/conf/ranger-hdfs-audit-changes.cfg | 5 ++ hdfs-agent/conf/ranger-hdfs-audit.xml | 36 ++++++++++++++ hdfs-agent/scripts/install.properties | 11 +++++ hive-agent/conf/ranger-hive-audit-changes.cfg | 5 ++ hive-agent/conf/ranger-hive-audit.xml | 36 ++++++++++++++ hive-agent/scripts/install.properties | 11 +++++ kms/scripts/install.properties | 11 +++++ knox-agent/conf/ranger-knox-audit-changes.cfg | 5 ++ knox-agent/conf/ranger-knox-audit.xml | 36 ++++++++++++++ knox-agent/scripts/install.properties | 11 +++++ .../conf/ranger-kafka-audit-changes.cfg | 5 ++ plugin-kafka/conf/ranger-kafka-audit.xml | 36 ++++++++++++++ plugin-kafka/scripts/install.properties | 11 +++++ plugin-kms/conf/ranger-kms-audit-changes.cfg | 5 ++ plugin-kms/conf/ranger-kms-audit.xml | 36 ++++++++++++++ .../conf/ranger-solr-audit-changes.cfg | 5 ++ plugin-solr/conf/ranger-solr-audit.xml | 36 ++++++++++++++ plugin-solr/scripts/install.properties | 11 +++++ .../conf/ranger-yarn-audit-changes.cfg | 5 ++ plugin-yarn/conf/ranger-yarn-audit.xml | 36 ++++++++++++++ plugin-yarn/scripts/install.properties | 11 +++++ .../conf/ranger-storm-audit-changes.cfg | 5 ++ storm-agent/conf/ranger-storm-audit.xml | 36 ++++++++++++++ storm-agent/scripts/install.properties | 11 +++++ 32 files changed, 580 insertions(+), 24 deletions(-) 
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/destination/HDFSAuditDestination.java b/agents-audit/src/main/java/org/apache/ranger/audit/destination/HDFSAuditDestination.java index 49e5fbbd2c8..96755be9d15 100644 --- a/agents-audit/src/main/java/org/apache/ranger/audit/destination/HDFSAuditDestination.java +++ b/agents-audit/src/main/java/org/apache/ranger/audit/destination/HDFSAuditDestination.java @@ -23,12 +23,9 @@ import java.io.IOException; import java.io.PrintWriter; import java.net.URI; -import java.util.ArrayList; -import java.util.Collection; -import java.util.Date; -import java.util.List; -import java.util.Properties; +import java.util.*; +import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.hadoop.conf.Configuration; @@ -99,7 +96,7 @@ public void init(Properties prop, String propPrefix) { logger.info("logFolder=" + logFolder + ", destName=" + getName()); logger.info("logFileNameFormat=" + logFileNameFormat + ", destName=" + getName()); - + logger.info("config=" + configProps.toString()); initDone = true; } @@ -127,7 +124,15 @@ synchronized public boolean logJSON(Collection events) { for (String event : events) { out.println(event); } - out.flush(); + // flush and check the stream for errors + if (out.checkError()) { + // In theory, this count may NOT be accurate as part of the messages may have been successfully written. + // However, in practice, since client does buffering, either all of none would succeed. + addDeferredCount(events.size()); + out.close(); + logWriter = null; + return false; + } } catch (Throwable t) { addDeferredCount(events.size()); logError("Error writing to log file.", t); 
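Review bot: The new `logger.info("config=" + configProps.toString());` in `init` writes every `xasecure.audit.destination.hdfs.config.*` value to the plugin log at INFO, and with the cfg files in this same commit that map includes `fs.azure.account.key.<account>.blob.core.windows.net`, i.e. the storage account key; log only the names, `logger.info("config keys=" + configProps.keySet());`. The same value-logging appears in `createConfiguration()` here and in `HdfsLogDestination` (`"Adding property to HDFS config: " + key + " => " + value`) and in `BaseAuditHandler.init` (`"Found Config property: " + configName + " => " + configValue`); each should drop the value or mask it. Replacing the five explicit `java.util` imports with `import java.util.*;` is a style regression for a file that otherwise imports by name. The `out.checkError()` handling in `logJSON` looks right since `PrintWriter.checkError()` flushes before reporting, and the comment explaining why the whole batch is deferred is welcome.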
@@ -207,7 +212,7 @@ synchronized private PrintWriter getLogFileStream() throws Throwable { currentTime.getTime()); String parentFolder = MiscUtil.replaceTokens(logFolder, currentTime.getTime()); - Configuration conf = new Configuration(); + Configuration conf = createConfiguration(); String fullPath = parentFolder + org.apache.hadoop.fs.Path.SEPARATOR + fileName; @@ -243,6 +248,22 @@ synchronized private PrintWriter getLogFileStream() throws Throwable { return logWriter; } + Configuration createConfiguration() { + Configuration conf = new Configuration(); + for (Map.Entry entry : configProps.entrySet()) { + String key = entry.getKey(); + String value = entry.getValue(); + // for ease of install config file may contain properties with empty value, skip those + if (StringUtils.isNotEmpty(value)) { + conf.set(key, value); + } + logger.info("Adding property to HDFS config: " + key + " => " + value); + } + + logger.info("Returning HDFS Filesystem Config: " + conf.toString()); + return conf; + } + private void createParents(Path pathLogfile, FileSystem fileSystem) throws Throwable { logger.info("Creating parent folder for " + pathLogfile); diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/provider/BaseAuditHandler.java b/agents-audit/src/main/java/org/apache/ranger/audit/provider/BaseAuditHandler.java index 30db18bc253..6717c924ac0 100644 --- a/agents-audit/src/main/java/org/apache/ranger/audit/provider/BaseAuditHandler.java +++ b/agents-audit/src/main/java/org/apache/ranger/audit/provider/BaseAuditHandler.java 
@@ -25,17 +25,15 @@ import com.google.gson.GsonBuilder; +import java.util.*; import java.util.concurrent.atomic.AtomicLong; -import java.util.ArrayList; -import java.util.Collection; -import java.util.List; -import java.util.Properties; public abstract class BaseAuditHandler implements AuditHandler { private static final Log LOG = LogFactory.getLog(BaseAuditHandler.class); static final String AUDIT_LOG_FAILURE_REPORT_MIN_INTERVAL_PROP = "xasecure.audit.log.failure.report.min.interval.ms"; protected static final String AUDIT_DB_CREDENTIAL_PROVIDER_FILE = "xasecure.audit.credential.provider.file"; + public static final String PROP_CONFIG = "config"; private int mLogFailureReportMinIntervalInMs = 60 * 1000; @@ -75,6 +73,7 @@ public abstract class BaseAuditHandler implements AuditHandler { long statusLogIntervalMS = 1 * 60 * 1000; protected Properties props = null; + protected Map configProps = new HashMap(); @Override public void init(Properties props) { @@ -116,6 +115,18 @@ public void init(Properties props, String basePropertyName) { mLogFailureReportMinIntervalInMs = MiscUtil.getIntProperty(props, AUDIT_LOG_FAILURE_REPORT_MIN_INTERVAL_PROP, 60 * 1000); + String configPropsNamePrefix = propPrefix + "." + PROP_CONFIG + "."; + for (Object propNameObj : props.keySet()) { + String propName = propNameObj.toString(); + + if (!propName.startsWith(configPropsNamePrefix)) { + continue; + } + String configName = propName.substring(configPropsNamePrefix.length()); + String configValue = props.getProperty(propName); + configProps.put(configName, configValue); + LOG.info("Found Config property: " + configName + " => " + configValue); + } } /* diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/provider/hdfs/HdfsAuditProvider.java b/agents-audit/src/main/java/org/apache/ranger/audit/provider/hdfs/HdfsAuditProvider.java index a18e3e9f903..8cdf869d8d6 100644 --- a/agents-audit/src/main/java/org/apache/ranger/audit/provider/hdfs/HdfsAuditProvider.java 
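Review bot: The new loop in `init(Properties, String)` iterates `props.keySet()`, which does not include entries supplied through a `Properties` defaults chain; `for (String propName : props.stringPropertyNames()) {` covers them and removes the `toString()` call, though whether any caller builds `props` with defaults is not visible here, so this may be latent. The new member `protected Map configProps = new HashMap();` is a raw type on a protected field, so every subclass inherits unchecked access (the raw `Map.Entry entry` loops in both `createConfiguration()` methods follow from it); `protected final Map<String, String> configProps = new HashMap<String, String>();` fixes it at the source. A one-line comment on `PROP_CONFIG` saying that `<prefix>.config.<name>` entries are passed through verbatim to the destination's Hadoop `Configuration` would document the new contract.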
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/provider/hdfs/HdfsAuditProvider.java @@ -60,6 +60,8 @@ public void init(Properties props) { int localFileBufferRolloverIntervalSeconds = MiscUtil.parseInteger(hdfsProps.get("local.buffer.rollover.interval.seconds"), 10 * 60); String localFileBufferArchiveDirectory = hdfsProps.get("local.archive.directory"); int localFileBufferArchiveFileCount = MiscUtil.parseInteger(hdfsProps.get("local.archive.max.file.count"), 10); + // Added for Azure. Note that exact name of these properties is not known as it contains the variable account name in it. + Map configProps = MiscUtil.getPropertiesWithPrefix(props, "xasecure.audit.destination.hdfs.config."); DebugTracer tracer = new Log4jTracer(LOG); @@ -71,6 +73,7 @@ public void init(Properties props) { mHdfsDestination.setEncoding(encoding); mHdfsDestination.setRolloverIntervalSeconds(hdfsDestinationRolloverIntervalSeconds); mHdfsDestination.setOpenRetryIntervalSeconds(hdfsDestinationOpenRetryIntervalSeconds); + mHdfsDestination.setConfigProps(configProps); LocalFileLogBuffer mLocalFileBuffer = new LocalFileLogBuffer(tracer); diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/provider/hdfs/HdfsLogDestination.java b/agents-audit/src/main/java/org/apache/ranger/audit/provider/hdfs/HdfsLogDestination.java index 49f4e655e01..a9aa8c1b414 100644 --- a/agents-audit/src/main/java/org/apache/ranger/audit/provider/hdfs/HdfsLogDestination.java +++ b/agents-audit/src/main/java/org/apache/ranger/audit/provider/hdfs/HdfsLogDestination.java @@ -24,7 +24,9 @@ import java.io.OutputStreamWriter; import java.io.UnsupportedEncodingException; import java.net.URI; +import java.util.Map; +import org.apache.commons.lang.StringUtils; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.fs.FSDataOutputStream; import org.apache.hadoop.fs.FileSystem; 
@@ -55,6 +57,7 @@ public class HdfsLogDestination implements LogDestination { private long mNextFlushTime = 0; private long mLastOpenFailedTime = 0; private boolean mIsStopInProgress = false; + private Map configProps = null; public HdfsLogDestination(DebugTracer tracer) { mLogger = tracer; @@ -272,7 +275,7 @@ private void openFile() { // TODO: mechanism to XA-HDFS plugin to disable auditing of access checks to the current HDFS file - conf = new Configuration(); + conf = createConfiguration(); pathLogfile = new Path(mHdfsFilename); fileSystem = FileSystem.get(uri, conf); @@ -490,4 +493,25 @@ public String toString() { return sb.toString(); } + public void setConfigProps(Map configProps) { + this.configProps = configProps; + } + + Configuration createConfiguration() { + Configuration conf = new Configuration(); + if (configProps != null) { + for (Map.Entry entry : configProps.entrySet()) { + String key = entry.getKey(); + String value = entry.getValue(); + // for ease of install config file may contain properties with empty value, skip those + if (StringUtils.isNotEmpty(value)) { + conf.set(key, value); + } + mLogger.info("Adding property to HDFS config: " + key + " => " + value); + } + } + + mLogger.info("Returning HDFS Filesystem Config: " + conf.toString()); + return conf; + } } diff --git a/agents-installer/src/main/java/org/apache/ranger/utils/install/XmlConfigChanger.java b/agents-installer/src/main/java/org/apache/ranger/utils/install/XmlConfigChanger.java index 05fbb23645c..958ae83dbfa 100644 --- a/agents-installer/src/main/java/org/apache/ranger/utils/install/XmlConfigChanger.java +++ b/agents-installer/src/main/java/org/apache/ranger/utils/install/XmlConfigChanger.java @@ -25,6 +25,8 @@ import java.io.FileOutputStream; import java.io.FileReader; import java.io.IOException; +import java.util.HashMap; +import java.util.Map; import java.util.Properties; import javax.xml.parsers.DocumentBuilder; 
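Review bot: `createConfiguration()` in `HdfsLogDestination` is a near-verbatim copy of the one added to `HDFSAuditDestination` in this commit (only the null guard and the logger differ); hoisting it into one static helper, for instance in `MiscUtil` next to `getPropertiesWithPrefix`, keeps the empty-value skipping and any later masking of logged values in a single place. `setConfigProps(Map configProps)` stores the caller's map by reference, so later mutation by the caller changes what the next file open sees; `this.configProps = new HashMap<String, String>(configProps);` (with a null check) snapshots it. Both the parameter and the field are raw `Map` types and should be `Map<String, String>`.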
@@ -45,6 +47,7 @@ import org.apache.commons.cli.OptionBuilder; import org.apache.commons.cli.Options; import org.apache.commons.cli.ParseException; +import org.apache.commons.lang.StringUtils; import org.w3c.dom.Document; import org.w3c.dom.Element; import org.w3c.dom.Node; @@ -157,7 +160,7 @@ public void parseConfig(String[] args) { } - + public void run() throws ParserConfigurationException, SAXException, IOException, TransformerException { @@ -177,7 +180,7 @@ public void run() throws ParserConfigurationException, SAXException, IOException @SuppressWarnings("unused") int lineNo = 0 ; - + Properties variables = new Properties(); while ((line = reader.readLine()) != null) { lineNo++ ; @@ -198,18 +201,21 @@ public void run() throws ParserConfigurationException, SAXException, IOException String[] tokens = line.split("\\s+") ; String propName = tokens[0] ; - + String propValue = null ; - + try { + if (propnameContainsVariables(propName)) { + propName = replaceProp(propName, variables); + } propValue = replaceProp(tokens[1],installProperties) ; } catch (ValidationException e) { // throw new RuntimeException("Unable to replace tokens in the line: \n[" + line + "]\n in file [" + confFile.getAbsolutePath() + "] line number:[" + lineNo + "]" ) ; throw new RuntimeException(e) ; } - - - + + + String actionType = tokens[2] ; String options = (tokens.length > 3 ? tokens[3] : null) ; boolean createIfNotExists = (options != null && options.contains("create-if-not-exists")) ; @@ -265,6 +271,9 @@ else if ("delval".equals(actionType)) { } } } + else if ("var".equals(actionType)) { + variables.put(propName, propValue); + } else { throw new RuntimeException("Unknown Command Found: [" + actionType + "], Supported Types: add modify del append") ; } 
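Review bot: The fall-through error message in `run()` still says `Supported Types: add modify del append`, which omits the `var` action this hunk introduces (and the pre-existing `delval`); update it to `"Unknown Command Found: [" + actionType + "], Supported Types: add modify del delval append var"`. The new branch deserves a why-comment since its effect is only visible in the `%NAME%` substitution done earlier in the loop, e.g. `// "var": define a substitution variable usable as %NAME% inside property names on later lines`. Note that `var` values are resolved through `replaceProp(tokens[1], installProperties)` first, so a variable can only refer to install properties, not to earlier variables; worth stating in that comment if intended.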
@@ -290,8 +299,28 @@ else if ("delval".equals(actionType)) { } } - - + + /** + * Check if prop name contains a substitution variable embedded in it, e.g. %VAR_NAME%. + * @param propName + * @return true if propname contains at least 2 '%' characters in it, else false + */ + private boolean propnameContainsVariables(String propName) { + + if (propName != null) { + int first = propName.indexOf('%'); + if (first != -1) { + // indexof is safe even if 2nd argument is beyond size of string, i.e. if 1st percent was the last character of the string. + int second = propName.indexOf('%', first + 1); + if (second != -1) { + return true; + } + } + } + return false; + } + + private void addProperty(String propName, String val) { NodeList nl = doc.getElementsByTagName(ROOT_NODE_NAME) ; Node rootConfig = nl.item(0) ; diff --git a/hbase-agent/conf/ranger-hbase-audit-changes.cfg b/hbase-agent/conf/ranger-hbase-audit-changes.cfg index b540e18268d..e29ccd5a314 100644 --- a/hbase-agent/conf/ranger-hbase-audit-changes.cfg +++ b/hbase-agent/conf/ranger-hbase-audit-changes.cfg 
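Review bot: `propnameContainsVariables` can be expressed in one line with the same result for null, zero, one and two-or-more `%` characters: `return propName != null && propName.indexOf('%') != propName.lastIndexOf('%');`. The Javadoc `@param propName` tag is empty; give it a description such as `the property name from the config line, possibly containing %VAR% tokens`, and consider noting that two `%` characters are only a heuristic (a literal `%` in a name would also match).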
@@ -58,5 +58,10 @@ xasecure.audit.destination.hdfs %XAAUDIT.HDFS.ENABLE% xasecure.audit.destination.hdfs.batch.filespool.dir %XAAUDIT.HDFS.FILE_SPOOL_DIR% mod create-if-not-exists xasecure.audit.destination.hdfs.dir %XAAUDIT.HDFS.HDFS_DIR% mod create-if-not-exists +AZURE.ACCOUNTNAME %XAAUDIT.HDFS.AZURE_ACCOUNTNAME% var +xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script %XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER% mod create-if-not-exists +xasecure.audit.destination.hdfs.config.fs.azure.account.key.%AZURE.ACCOUNTNAME%.blob.core.windows.net %XAAUDIT.HDFS.AZURE_ACCOUNTKEY% mod create-if-not-exists +xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.%AZURE.ACCOUNTNAME%.blob.core.windows.net %XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER% mod create-if-not-exists + #xasecure.audit.destination.file %XAAUDIT.FILE.ENABLE% mod create-if-not-exists #xasecure.audit.destination.file.dir %XAAUDIT.FILE.DIR% mod create-if-not-exists diff --git a/hbase-agent/conf/ranger-hbase-audit.xml b/hbase-agent/conf/ranger-hbase-audit.xml index c5f416e5a93..5f882246e75 100644 --- a/hbase-agent/conf/ranger-hbase-audit.xml +++ b/hbase-agent/conf/ranger-hbase-audit.xml @@ -160,8 +160,44 @@ xasecure.audit.hdfs.config.local.archive.max.file.count 10 - - +
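Review bot: The `xasecure.audit.destination.hdfs.config.fs.azure.account.key.%AZURE.ACCOUNTNAME%.blob.core.windows.net` line materializes the storage account key in plaintext into the plugin's audit XML on every plugin host, while the same hunk also wires `fs.azure.account.keyprovider...` and `fs.azure.shellkeyprovider.script`; the installer documentation (or a comment here) should state that the key-provider settings are the alternative to a plaintext key and that only one of the two needs to be populated. The hdfs-agent and hive-agent `*-audit-changes.cfg` hunks in this commit add the identical four lines and carry the same concern.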
+ + diff --git a/hbase-agent/scripts/install.properties b/hbase-agent/scripts/install.properties index 9170f41ea9d..5df518a1791 100644 --- a/hbase-agent/scripts/install.properties +++ b/hbase-agent/scripts/install.properties @@ -61,12 +61,23 @@ XAAUDIT.SOLR.FILE_SPOOL_DIR=/var/log/hbase/audit/solr/spool #Example #XAAUDIT.HDFS.ENABLE=true #XAAUDIT.HDFS.HDFS_DIR=hdfs://node-1.example.com:8020/ranger/audit +# If using Azure Blob Storage +#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://@.blob.core.windows.net/ +#XAAUDIT.HDFS.HDFS_DIR=wasb://ranger_audit_container@my-azure-account.blob.core.windows.net/ranger/audit #XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/hbase/audit/hdfs/spool XAAUDIT.HDFS.ENABLE=false XAAUDIT.HDFS.HDFS_DIR=hdfs://__REPLACE__NAME_NODE_HOST:8020/ranger/audit XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/hbase/audit/hdfs/spool +# Following additional propertis are needed When auditing to Azure Blob Storage via HDFS +# Get these values from your /etc/hadoop/conf/core-site.xml +#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://@.blob.core.windows.net/ +XAAUDIT.HDFS.AZURE_ACCOUNTNAME=__REPLACE_AZURE_ACCOUNT_NAME +XAAUDIT.HDFS.AZURE_ACCOUNTKEY=__REPLACE_AZURE_ACCOUNT_KEY +XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER=__REPLACE_AZURE_SHELL_KEY_PROVIDER +XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER=__REPLACE_AZURE_ACCOUNT_KEY_PROVIDER + # End of V3 properties # diff --git a/hdfs-agent/conf/ranger-hdfs-audit-changes.cfg b/hdfs-agent/conf/ranger-hdfs-audit-changes.cfg index 93e7b867616..9c884508980 100644 --- a/hdfs-agent/conf/ranger-hdfs-audit-changes.cfg +++ b/hdfs-agent/conf/ranger-hdfs-audit-changes.cfg 
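Review bot: The new `XAAUDIT.HDFS.AZURE_*` defaults are non-empty placeholders (`__REPLACE_AZURE_ACCOUNT_NAME`, `__REPLACE_AZURE_ACCOUNT_KEY`, ...), so the empty-value skip that `createConfiguration()` relies on never triggers, and a non-Azure install with the defaults ends up with `fs.azure.account.key.__REPLACE_AZURE_ACCOUNT_NAME.blob.core.windows.net=__REPLACE_AZURE_ACCOUNT_KEY` in its Hadoop configuration (and in the log); shipping them blank, e.g. `XAAUDIT.HDFS.AZURE_ACCOUNTNAME=`, matches that design, assuming `replaceProp` accepts an empty value. The hdfs-agent `install.properties` hunk in this commit has the same defaults. The comment line also has two typos, `propertis` and `When`, which should read `# Following additional properties are needed when auditing to Azure Blob Storage via HDFS`.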
@@ -55,5 +55,10 @@ xasecure.audit.destination.hdfs %XAAUDIT.HDFS.ENABLE% xasecure.audit.destination.hdfs.batch.filespool.dir %XAAUDIT.HDFS.FILE_SPOOL_DIR% mod create-if-not-exists xasecure.audit.destination.hdfs.dir %XAAUDIT.HDFS.HDFS_DIR% mod create-if-not-exists +AZURE.ACCOUNTNAME %XAAUDIT.HDFS.AZURE_ACCOUNTNAME% var +xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script %XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER% mod create-if-not-exists +xasecure.audit.destination.hdfs.config.fs.azure.account.key.%AZURE.ACCOUNTNAME%.blob.core.windows.net %XAAUDIT.HDFS.AZURE_ACCOUNTKEY% mod create-if-not-exists +xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.%AZURE.ACCOUNTNAME%.blob.core.windows.net %XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER% mod create-if-not-exists + #xasecure.audit.destination.file %XAAUDIT.FILE.ENABLE% mod create-if-not-exists #xasecure.audit.destination.file.dir %XAAUDIT.FILE.DIR% mod create-if-not-exists diff --git a/hdfs-agent/conf/ranger-hdfs-audit.xml b/hdfs-agent/conf/ranger-hdfs-audit.xml index 4c60c025d1e..a380906524e 100644 --- a/hdfs-agent/conf/ranger-hdfs-audit.xml +++ b/hdfs-agent/conf/ranger-hdfs-audit.xml @@ -162,6 +162,42 @@ 10 + diff --git a/hdfs-agent/scripts/install.properties b/hdfs-agent/scripts/install.properties index 289117badc1..fa21949dc73 100644 --- a/hdfs-agent/scripts/install.properties +++ b/hdfs-agent/scripts/install.properties 
@@ -58,11 +58,22 @@ XAAUDIT.SOLR.FILE_SPOOL_DIR=/var/log/hadoop/hdfs/audit/solr/spool #XAAUDIT.HDFS.ENABLE=true #XAAUDIT.HDFS.HDFS_DIR=hdfs://node-1.example.com:8020/ranger/audit #XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/hadoop/hdfs/audit/hdfs/spool +# If using Azure Blob Storage +#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://@.blob.core.windows.net/ +#XAAUDIT.HDFS.HDFS_DIR=wasb://ranger_audit_container@my-azure-account.blob.core.windows.net/ranger/audit XAAUDIT.HDFS.ENABLE=false XAAUDIT.HDFS.HDFS_DIR=hdfs://__REPLACE__NAME_NODE_HOST:8020/ranger/audit XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/hadoop/hdfs/audit/hdfs/spool +# Following additional propertis are needed When auditing to Azure Blob Storage via HDFS +# Get these values from your /etc/hadoop/conf/core-site.xml +#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://@.blob.core.windows.net/ +XAAUDIT.HDFS.AZURE_ACCOUNTNAME=__REPLACE_AZURE_ACCOUNT_NAME +XAAUDIT.HDFS.AZURE_ACCOUNTKEY=__REPLACE_AZURE_ACCOUNT_KEY +XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER=__REPLACE_AZURE_SHELL_KEY_PROVIDER +XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER=__REPLACE_AZURE_ACCOUNT_KEY_PROVIDER + # End of V3 properties # diff --git a/hive-agent/conf/ranger-hive-audit-changes.cfg b/hive-agent/conf/ranger-hive-audit-changes.cfg index daa8b747c86..4e61c7d2e60 100644 --- a/hive-agent/conf/ranger-hive-audit-changes.cfg +++ b/hive-agent/conf/ranger-hive-audit-changes.cfg 
@@ -56,5 +56,10 @@ xasecure.audit.destination.hdfs %XAAUDIT.HDFS.ENABLE% xasecure.audit.destination.hdfs.batch.filespool.dir %XAAUDIT.HDFS.FILE_SPOOL_DIR% mod create-if-not-exists xasecure.audit.destination.hdfs.dir %XAAUDIT.HDFS.HDFS_DIR% mod create-if-not-exists +AZURE.ACCOUNTNAME %XAAUDIT.HDFS.AZURE_ACCOUNTNAME% var +xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script %XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER% mod create-if-not-exists +xasecure.audit.destination.hdfs.config.fs.azure.account.key.%AZURE.ACCOUNTNAME%.blob.core.windows.net %XAAUDIT.HDFS.AZURE_ACCOUNTKEY% mod create-if-not-exists +xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.%AZURE.ACCOUNTNAME%.blob.core.windows.net %XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER% mod create-if-not-exists + #xasecure.audit.destination.file %XAAUDIT.FILE.ENABLE% mod create-if-not-exists #xasecure.audit.destination.file.dir %XAAUDIT.FILE.DIR% mod create-if-not-exists diff --git a/hive-agent/conf/ranger-hive-audit.xml b/hive-agent/conf/ranger-hive-audit.xml index 867080c503c..ae1dce962a1 100644 --- a/hive-agent/conf/ranger-hive-audit.xml +++ b/hive-agent/conf/ranger-hive-audit.xml @@ -162,6 +162,42 @@ 10 + diff --git a/hive-agent/scripts/install.properties b/hive-agent/scripts/install.properties index 93706006c19..2e41a37b537 100644 --- a/hive-agent/scripts/install.properties +++ b/hive-agent/scripts/install.properties 
@@ -58,12 +58,23 @@ XAAUDIT.SOLR.FILE_SPOOL_DIR=/var/log/hive/audit/solr/spool #Example #XAAUDIT.HDFS.ENABLE=true #XAAUDIT.HDFS.HDFS_DIR=hdfs://node-1.example.com:8020/ranger/audit +# If using Azure Blob Storage +#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://@.blob.core.windows.net/ +#XAAUDIT.HDFS.HDFS_DIR=wasb://ranger_audit_container@my-azure-account.blob.core.windows.net/ranger/audit #XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/hive/audit/hdfs/spool XAAUDIT.HDFS.ENABLE=false XAAUDIT.HDFS.HDFS_DIR=hdfs://__REPLACE__NAME_NODE_HOST:8020/ranger/audit XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/hive/audit/hdfs/spool +# Following additional propertis are needed When auditing to Azure Blob Storage via HDFS +# Get these values from your /etc/hadoop/conf/core-site.xml +#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://@.blob.core.windows.net/ +XAAUDIT.HDFS.AZURE_ACCOUNTNAME=__REPLACE_AZURE_ACCOUNT_NAME +XAAUDIT.HDFS.AZURE_ACCOUNTKEY=__REPLACE_AZURE_ACCOUNT_KEY +XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER=__REPLACE_AZURE_SHELL_KEY_PROVIDER +XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER=__REPLACE_AZURE_ACCOUNT_KEY_PROVIDER + # End of V3 properties # diff --git a/kms/scripts/install.properties b/kms/scripts/install.properties index 563a0e08165..247e499c319 100755 --- a/kms/scripts/install.properties +++ b/kms/scripts/install.properties 
@@ -118,12 +118,23 @@ XAAUDIT.SOLR.FILE_SPOOL_DIR=/var/log/ranger/kms/audit/solr/spool #Example #XAAUDIT.HDFS.ENABLE=true #XAAUDIT.HDFS.HDFS_DIR=hdfs://node-1.example.com:8020/ranger/audit +# If using Azure Blob Storage +#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://@.blob.core.windows.net/ +#XAAUDIT.HDFS.HDFS_DIR=wasb://ranger_audit_container@my-azure-account.blob.core.windows.net/ranger/audit #XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/ranger/kms/audit/hdfs/spool XAAUDIT.HDFS.ENABLE=false XAAUDIT.HDFS.HDFS_DIR=hdfs://__REPLACE__NAME_NODE_HOST:8020/ranger/audit XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/ranger/kms/audit/hdfs/spool +# Following additional propertis are needed When auditing to Azure Blob Storage via HDFS +# Get these values from your /etc/hadoop/conf/core-site.xml +#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://@.blob.core.windows.net/ +XAAUDIT.HDFS.AZURE_ACCOUNTNAME=__REPLACE_AZURE_ACCOUNT_NAME +XAAUDIT.HDFS.AZURE_ACCOUNTKEY=__REPLACE_AZURE_ACCOUNT_KEY +XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER=__REPLACE_AZURE_SHELL_KEY_PROVIDER +XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER=__REPLACE_AZURE_ACCOUNT_KEY_PROVIDER + # End of V3 properties diff --git a/knox-agent/conf/ranger-knox-audit-changes.cfg b/knox-agent/conf/ranger-knox-audit-changes.cfg index 57858f7aa78..f722e5387ab 100644 --- a/knox-agent/conf/ranger-knox-audit-changes.cfg +++ b/knox-agent/conf/ranger-knox-audit-changes.cfg 
@@ -56,5 +56,10 @@ xasecure.audit.destination.hdfs %XAAUDIT.HDFS.ENABLE% xasecure.audit.destination.hdfs.batch.filespool.dir %XAAUDIT.HDFS.FILE_SPOOL_DIR% mod create-if-not-exists xasecure.audit.destination.hdfs.dir %XAAUDIT.HDFS.HDFS_DIR% mod create-if-not-exists +AZURE.ACCOUNTNAME %XAAUDIT.HDFS.AZURE_ACCOUNTNAME% var +xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script %XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER% mod create-if-not-exists +xasecure.audit.destination.hdfs.config.fs.azure.account.key.%AZURE.ACCOUNTNAME%.blob.core.windows.net %XAAUDIT.HDFS.AZURE_ACCOUNTKEY% mod create-if-not-exists +xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.%AZURE.ACCOUNTNAME%.blob.core.windows.net %XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER% mod create-if-not-exists + #xasecure.audit.destination.file %XAAUDIT.FILE.ENABLE% mod create-if-not-exists #xasecure.audit.destination.file.dir %XAAUDIT.FILE.DIR% mod create-if-not-exists diff --git a/knox-agent/conf/ranger-knox-audit.xml b/knox-agent/conf/ranger-knox-audit.xml index ccc269172d7..7b5bfb3294c 100644 --- a/knox-agent/conf/ranger-knox-audit.xml +++ b/knox-agent/conf/ranger-knox-audit.xml @@ -162,6 +162,42 @@ 10 + diff --git a/knox-agent/scripts/install.properties b/knox-agent/scripts/install.properties index 2fee7eea04a..506c53c23ce 100644 --- a/knox-agent/scripts/install.properties +++ b/knox-agent/scripts/install.properties 
@@ -61,12 +61,23 @@ XAAUDIT.SOLR.FILE_SPOOL_DIR=/var/log/knox/audit/solr/spool #Example #XAAUDIT.HDFS.ENABLE=true #XAAUDIT.HDFS.HDFS_DIR=hdfs://node-1.example.com:8020/ranger/audit +# If using Azure Blob Storage +#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://@.blob.core.windows.net/ +#XAAUDIT.HDFS.HDFS_DIR=wasb://ranger_audit_container@my-azure-account.blob.core.windows.net/ranger/audit #XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/knox/audit/hdfs/spool XAAUDIT.HDFS.ENABLE=false XAAUDIT.HDFS.HDFS_DIR=hdfs://__REPLACE__NAME_NODE_HOST:8020/ranger/audit XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/knox/audit/hdfs/spool +# Following additional propertis are needed When auditing to Azure Blob Storage via HDFS +# Get these values from your /etc/hadoop/conf/core-site.xml +#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://@.blob.core.windows.net/ +XAAUDIT.HDFS.AZURE_ACCOUNTNAME=__REPLACE_AZURE_ACCOUNT_NAME +XAAUDIT.HDFS.AZURE_ACCOUNTKEY=__REPLACE_AZURE_ACCOUNT_KEY +XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER=__REPLACE_AZURE_SHELL_KEY_PROVIDER +XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER=__REPLACE_AZURE_ACCOUNT_KEY_PROVIDER + # End of V3 properties diff --git a/plugin-kafka/conf/ranger-kafka-audit-changes.cfg b/plugin-kafka/conf/ranger-kafka-audit-changes.cfg index 044557641e1..46ee29a3aa7 100644 --- a/plugin-kafka/conf/ranger-kafka-audit-changes.cfg +++ b/plugin-kafka/conf/ranger-kafka-audit-changes.cfg 
@@ -49,5 +49,10 @@ xasecure.audit.destination.hdfs %XAAUDIT.HDFS.ENABLE% xasecure.audit.destination.hdfs.batch.filespool.dir %XAAUDIT.HDFS.FILE_SPOOL_DIR% mod create-if-not-exists xasecure.audit.destination.hdfs.dir %XAAUDIT.HDFS.HDFS_DIR% mod create-if-not-exists +AZURE.ACCOUNTNAME %XAAUDIT.HDFS.AZURE_ACCOUNTNAME% var +xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script %XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER% mod create-if-not-exists +xasecure.audit.destination.hdfs.config.fs.azure.account.key.%AZURE.ACCOUNTNAME%.blob.core.windows.net %XAAUDIT.HDFS.AZURE_ACCOUNTKEY% mod create-if-not-exists +xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.%AZURE.ACCOUNTNAME%.blob.core.windows.net %XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER% mod create-if-not-exists + #xasecure.audit.destination.file %XAAUDIT.FILE.ENABLE% mod create-if-not-exists #xasecure.audit.destination.file.dir %XAAUDIT.FILE.DIR% mod create-if-not-exists diff --git a/plugin-kafka/conf/ranger-kafka-audit.xml b/plugin-kafka/conf/ranger-kafka-audit.xml index bff6cbfd10d..5fbbf33c6e9 100644 --- a/plugin-kafka/conf/ranger-kafka-audit.xml +++ b/plugin-kafka/conf/ranger-kafka-audit.xml @@ -163,6 +163,42 @@ 10 + diff --git a/plugin-kafka/scripts/install.properties b/plugin-kafka/scripts/install.properties index 1e2854eb936..bc6481bc66b 100644 --- a/plugin-kafka/scripts/install.properties +++ b/plugin-kafka/scripts/install.properties 
@@ -64,12 +64,23 @@ XAAUDIT.SOLR.FILE_SPOOL_DIR=/var/log/kafka/audit/solr/spool #Example #XAAUDIT.HDFS.ENABLE=true #XAAUDIT.HDFS.HDFS_DIR=hdfs://node-1.example.com:8020/ranger/audit +# If using Azure Blob Storage +#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://@.blob.core.windows.net/ +#XAAUDIT.HDFS.HDFS_DIR=wasb://ranger_audit_container@my-azure-account.blob.core.windows.net/ranger/audit #XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/kafka/audit/hdfs/spool XAAUDIT.HDFS.ENABLE=false XAAUDIT.HDFS.HDFS_DIR=hdfs://__REPLACE__NAME_NODE_HOST:8020/ranger/audit XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/kafka/audit/hdfs/spool +# Following additional propertis are needed When auditing to Azure Blob Storage via HDFS +# Get these values from your /etc/hadoop/conf/core-site.xml +#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://@.blob.core.windows.net/ +XAAUDIT.HDFS.AZURE_ACCOUNTNAME=__REPLACE_AZURE_ACCOUNT_NAME +XAAUDIT.HDFS.AZURE_ACCOUNTKEY=__REPLACE_AZURE_ACCOUNT_KEY +XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER=__REPLACE_AZURE_SHELL_KEY_PROVIDER +XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER=__REPLACE_AZURE_ACCOUNT_KEY_PROVIDER + # End of V3 properties # diff --git a/plugin-kms/conf/ranger-kms-audit-changes.cfg b/plugin-kms/conf/ranger-kms-audit-changes.cfg index f7d354380fb..5a514555f3a 100644 --- a/plugin-kms/conf/ranger-kms-audit-changes.cfg +++ b/plugin-kms/conf/ranger-kms-audit-changes.cfg 
@@ -58,5 +58,10 @@ xasecure.audit.destination.hdfs %XAAUDIT.HDFS.ENABLE% xasecure.audit.destination.hdfs.batch.filespool.dir %XAAUDIT.HDFS.FILE_SPOOL_DIR% mod create-if-not-exists xasecure.audit.destination.hdfs.dir %XAAUDIT.HDFS.HDFS_DIR% mod create-if-not-exists +AZURE.ACCOUNTNAME %XAAUDIT.HDFS.AZURE_ACCOUNTNAME% var +xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script %XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER% mod create-if-not-exists +xasecure.audit.destination.hdfs.config.fs.azure.account.key.%AZURE.ACCOUNTNAME%.blob.core.windows.net %XAAUDIT.HDFS.AZURE_ACCOUNTKEY% mod create-if-not-exists +xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.%AZURE.ACCOUNTNAME%.blob.core.windows.net %XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER% mod create-if-not-exists + #xasecure.audit.destination.file %XAAUDIT.FILE.ENABLE% mod create-if-not-exists #xasecure.audit.destination.file.dir %XAAUDIT.FILE.DIR% mod create-if-not-exists diff --git a/plugin-kms/conf/ranger-kms-audit.xml b/plugin-kms/conf/ranger-kms-audit.xml index f1c4187edd6..02c1a799ba5 100755 --- a/plugin-kms/conf/ranger-kms-audit.xml +++ b/plugin-kms/conf/ranger-kms-audit.xml @@ -161,6 +161,42 @@ 10 + diff --git a/plugin-solr/conf/ranger-solr-audit-changes.cfg b/plugin-solr/conf/ranger-solr-audit-changes.cfg index 7e77a3084b4..2742bc166eb 100644 --- a/plugin-solr/conf/ranger-solr-audit-changes.cfg +++ b/plugin-solr/conf/ranger-solr-audit-changes.cfg 
@@ -50,5 +50,10 @@ xasecure.audit.destination.hdfs %XAAUDIT.HDFS.ENABLE% xasecure.audit.destination.hdfs.batch.filespool.dir %XAAUDIT.HDFS.FILE_SPOOL_DIR% mod create-if-not-exists xasecure.audit.destination.hdfs.dir %XAAUDIT.HDFS.HDFS_DIR% mod create-if-not-exists +AZURE.ACCOUNTNAME %XAAUDIT.HDFS.AZURE_ACCOUNTNAME% var +xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script %XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER% mod create-if-not-exists +xasecure.audit.destination.hdfs.config.fs.azure.account.key.%AZURE.ACCOUNTNAME%.blob.core.windows.net %XAAUDIT.HDFS.AZURE_ACCOUNTKEY% mod create-if-not-exists +xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.%AZURE.ACCOUNTNAME%.blob.core.windows.net %XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER% mod create-if-not-exists + #xasecure.audit.destination.file %XAAUDIT.FILE.ENABLE% mod create-if-not-exists #xasecure.audit.destination.file.dir %XAAUDIT.FILE.DIR% mod create-if-not-exists diff --git a/plugin-solr/conf/ranger-solr-audit.xml b/plugin-solr/conf/ranger-solr-audit.xml index a42716faa73..f55b6232aa1 100644 --- a/plugin-solr/conf/ranger-solr-audit.xml +++ b/plugin-solr/conf/ranger-solr-audit.xml @@ -163,6 +163,42 @@ 10 + diff --git a/plugin-solr/scripts/install.properties b/plugin-solr/scripts/install.properties index 1f3852e4d33..9bc305b433b 100644 --- a/plugin-solr/scripts/install.properties +++ b/plugin-solr/scripts/install.properties 
@@ -64,12 +64,23 @@ XAAUDIT.SOLR.FILE_SPOOL_DIR=/var/log/solr/audit/solr/spool #Example #XAAUDIT.HDFS.ENABLE=true #XAAUDIT.HDFS.HDFS_DIR=hdfs://node-1.example.com:8020/ranger/audit +# If using Azure Blob Storage +#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://@.blob.core.windows.net/ +#XAAUDIT.HDFS.HDFS_DIR=wasb://ranger_audit_container@my-azure-account.blob.core.windows.net/ranger/audit #XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/solr/audit/hdfs/spool XAAUDIT.HDFS.ENABLE=false XAAUDIT.HDFS.HDFS_DIR=hdfs://__REPLACE__NAME_NODE_HOST:8020/ranger/audit XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/solr/audit/hdfs/spool +# Following additional propertis are needed When auditing to Azure Blob Storage via HDFS +# Get these values from your /etc/hadoop/conf/core-site.xml +#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://@.blob.core.windows.net/ +XAAUDIT.HDFS.AZURE_ACCOUNTNAME=__REPLACE_AZURE_ACCOUNT_NAME +XAAUDIT.HDFS.AZURE_ACCOUNTKEY=__REPLACE_AZURE_ACCOUNT_KEY +XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER=__REPLACE_AZURE_SHELL_KEY_PROVIDER +XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER=__REPLACE_AZURE_ACCOUNT_KEY_PROVIDER + # End of V3 properties # diff --git a/plugin-yarn/conf/ranger-yarn-audit-changes.cfg b/plugin-yarn/conf/ranger-yarn-audit-changes.cfg index bfc2cd8ae1b..b650be15316 100644 --- a/plugin-yarn/conf/ranger-yarn-audit-changes.cfg +++ b/plugin-yarn/conf/ranger-yarn-audit-changes.cfg 
@@ -56,5 +56,10 @@ xasecure.audit.destination.hdfs %XAAUDIT.HDFS.ENABLE% xasecure.audit.destination.hdfs.batch.filespool.dir %XAAUDIT.HDFS.FILE_SPOOL_DIR% mod create-if-not-exists xasecure.audit.destination.hdfs.dir %XAAUDIT.HDFS.HDFS_DIR% mod create-if-not-exists +AZURE.ACCOUNTNAME %XAAUDIT.HDFS.AZURE_ACCOUNTNAME% var +xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script %XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER% mod create-if-not-exists +xasecure.audit.destination.hdfs.config.fs.azure.account.key.%AZURE.ACCOUNTNAME%.blob.core.windows.net %XAAUDIT.HDFS.AZURE_ACCOUNTKEY% mod create-if-not-exists +xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.%AZURE.ACCOUNTNAME%.blob.core.windows.net %XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER% mod create-if-not-exists + #xasecure.audit.destination.file %XAAUDIT.FILE.ENABLE% mod create-if-not-exists #xasecure.audit.destination.file.dir %XAAUDIT.FILE.DIR% mod create-if-not-exists diff --git a/plugin-yarn/conf/ranger-yarn-audit.xml b/plugin-yarn/conf/ranger-yarn-audit.xml index c30f96301d6..667419daf94 100644 --- a/plugin-yarn/conf/ranger-yarn-audit.xml +++ b/plugin-yarn/conf/ranger-yarn-audit.xml @@ -163,6 +163,42 @@ 10 + diff --git a/plugin-yarn/scripts/install.properties b/plugin-yarn/scripts/install.properties index 93580339257..01f733d9165 100644 --- a/plugin-yarn/scripts/install.properties +++ b/plugin-yarn/scripts/install.properties 
@@ -56,12 +56,23 @@ XAAUDIT.SOLR.FILE_SPOOL_DIR=/var/log/hadoop/yarn/audit/solr/spool #Example #XAAUDIT.HDFS.ENABLE=true #XAAUDIT.HDFS.HDFS_DIR=hdfs://node-1.example.com:8020/ranger/audit +# If using Azure Blob Storage +#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://@.blob.core.windows.net/ +#XAAUDIT.HDFS.HDFS_DIR=wasb://ranger_audit_container@my-azure-account.blob.core.windows.net/ranger/audit #XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/hadoop/yarn/audit/hdfs/spool XAAUDIT.HDFS.ENABLE=false XAAUDIT.HDFS.HDFS_DIR=hdfs://__REPLACE__NAME_NODE_HOST:8020/ranger/audit XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/hadoop/yarn/audit/hdfs/spool +# Following additional propertis are needed When auditing to Azure Blob Storage via HDFS +# Get these values from your /etc/hadoop/conf/core-site.xml +#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://@.blob.core.windows.net/ +XAAUDIT.HDFS.AZURE_ACCOUNTNAME=__REPLACE_AZURE_ACCOUNT_NAME +XAAUDIT.HDFS.AZURE_ACCOUNTKEY=__REPLACE_AZURE_ACCOUNT_KEY +XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER=__REPLACE_AZURE_SHELL_KEY_PROVIDER +XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER=__REPLACE_AZURE_ACCOUNT_KEY_PROVIDER + # End of V3 properties # diff --git a/storm-agent/conf/ranger-storm-audit-changes.cfg b/storm-agent/conf/ranger-storm-audit-changes.cfg index bfc2cd8ae1b..b650be15316 100644 --- a/storm-agent/conf/ranger-storm-audit-changes.cfg +++ b/storm-agent/conf/ranger-storm-audit-changes.cfg 
@@ -56,5 +56,10 @@ xasecure.audit.destination.hdfs %XAAUDIT.HDFS.ENABLE% xasecure.audit.destination.hdfs.batch.filespool.dir %XAAUDIT.HDFS.FILE_SPOOL_DIR% mod create-if-not-exists xasecure.audit.destination.hdfs.dir %XAAUDIT.HDFS.HDFS_DIR% mod create-if-not-exists +AZURE.ACCOUNTNAME %XAAUDIT.HDFS.AZURE_ACCOUNTNAME% var +xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script %XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER% mod create-if-not-exists +xasecure.audit.destination.hdfs.config.fs.azure.account.key.%AZURE.ACCOUNTNAME%.blob.core.windows.net %XAAUDIT.HDFS.AZURE_ACCOUNTKEY% mod create-if-not-exists +xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.%AZURE.ACCOUNTNAME%.blob.core.windows.net %XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER% mod create-if-not-exists + #xasecure.audit.destination.file %XAAUDIT.FILE.ENABLE% mod create-if-not-exists #xasecure.audit.destination.file.dir %XAAUDIT.FILE.DIR% mod create-if-not-exists diff --git a/storm-agent/conf/ranger-storm-audit.xml b/storm-agent/conf/ranger-storm-audit.xml index 6a5ff692ba6..c0c66d40917 100644 --- a/storm-agent/conf/ranger-storm-audit.xml +++ b/storm-agent/conf/ranger-storm-audit.xml @@ -162,6 +162,42 @@ 10 + diff --git a/storm-agent/scripts/install.properties b/storm-agent/scripts/install.properties index 0cee6554d3a..82f17afec57 100644 --- a/storm-agent/scripts/install.properties +++ b/storm-agent/scripts/install.properties 
@@ -58,12 +58,23 @@ XAAUDIT.SOLR.FILE_SPOOL_DIR=/var/log/storm/audit/solr/spool #Example #XAAUDIT.HDFS.ENABLE=true #XAAUDIT.HDFS.HDFS_DIR=hdfs://node-1.example.com:8020/ranger/audit +# If using Azure Blob Storage +#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://@.blob.core.windows.net/ +#XAAUDIT.HDFS.HDFS_DIR=wasb://ranger_audit_container@my-azure-account.blob.core.windows.net/ranger/audit #XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/storm/audit/hdfs/spool XAAUDIT.HDFS.ENABLE=false XAAUDIT.HDFS.HDFS_DIR=hdfs://__REPLACE__NAME_NODE_HOST:8020/ranger/audit XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/storm/audit/hdfs/spool +# Following additional propertis are needed When auditing to Azure Blob Storage via HDFS +# Get these values from your /etc/hadoop/conf/core-site.xml +#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://@.blob.core.windows.net/ +XAAUDIT.HDFS.AZURE_ACCOUNTNAME=__REPLACE_AZURE_ACCOUNT_NAME +XAAUDIT.HDFS.AZURE_ACCOUNTKEY=__REPLACE_AZURE_ACCOUNT_KEY +XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER=__REPLACE_AZURE_SHELL_KEY_PROVIDER +XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER=__REPLACE_AZURE_ACCOUNT_KEY_PROVIDER + # End of V3 properties # From 72961093e55888b1148db3e4b8432fb9ffabd523 Mon Sep 17 00:00:00 2001 From: Gautam Borad Date: Tue, 6 Oct 2015 17:07:10 +0530 Subject: [PATCH 067/202] RANGER-673 : Setup changes to allow Ranger service to installed using custom service user 
Signed-off-by: Velmurugan Periasamy --- agents-common/scripts/enable-agent.sh | 28 ++++++++++++++++++++++++- hbase-agent/scripts/install.properties | 13 ++++++++++++ hdfs-agent/scripts/install.properties | 13 ++++++++++++ hive-agent/scripts/install.properties | 13 ++++++++++++ kms/scripts/setup.sh | 7 ++++++- knox-agent/scripts/install.properties | 14 +++++++++++++ plugin-kafka/scripts/install.properties | 14 +++++++++++++ plugin-kms/scripts/enable-kms-plugin.sh | 28 ++++++++++++++++++++++++- plugin-solr/scripts/install.properties | 14 +++++++++++++ plugin-yarn/scripts/install.properties | 13 ++++++++++++ security-admin/scripts/set_globals.sh | 6 ++++++ security-admin/scripts/setup.sh | 11 ++++++++++ storm-agent/scripts/install.properties | 13 ++++++++++++ unixauthservice/scripts/set_globals.sh | 5 +++++ unixauthservice/scripts/setup.py | 20 ++++++++++++++---- 15 files changed, 205 insertions(+), 7 deletions(-) diff --git a/agents-common/scripts/enable-agent.sh b/agents-common/scripts/enable-agent.sh index 55130a59996..f3db1253f20 100755 --- a/agents-common/scripts/enable-agent.sh +++ b/agents-common/scripts/enable-agent.sh @@ -23,7 +23,7 @@ function getInstallProperty() { do if [ -f "${file}" ] then - propertyValue=`grep "^${propertyName}" ${file} | awk -F= '{ sub("^[ \t]*", "", $2); sub("[ \t]*$", "", $2); print $2 }'` + propertyValue=`grep "^${propertyName}[ \t]*=" ${file} | awk -F= '{ sub("^[ \t]*", "", $2); sub("[ \t]*$", "", $2); print $2 }'` if [ "${propertyValue}" != "" ] then break 
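Review bot: In `grep "^${propertyName}[ \t]*="` the `\t` reaches grep as a literal backslash and `t` (bash does not expand `\t` inside double quotes and a BRE bracket expression has no escapes), so a tab between the property name and `=` is not matched while a stray `t` or `\` is; `grep "^${propertyName}[[:blank:]]*=" "${file}"` expresses the intent and quotes the path. Anchoring on `=` is the right fix for prefix collisions, but `awk -F= '{ ... print $2 }'` still splits on every `=` and prints only the second field, so a value that itself contains `=` — a URL with a query string, or a base64 key ending in `=` — is silently truncated; `sub(/^[^=]*=/, "")` on `$0` followed by the existing trims keeps the whole value. The same line is changed in plugin-kms/scripts/enable-kms-plugin.sh; getInstallProperty() starts and ends outside this hunk.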
@@ -123,6 +123,32 @@ JAVA=$JAVA_HOME/bin/java HCOMPONENT_INSTALL_DIR_NAME=$(getInstallProperty 'COMPONENT_INSTALL_DIR_NAME') + +CUSTOM_USER=$(getInstallProperty 'CUSTOM_USER') +CUSTOM_USER=${CUSTOM_USER// } + +CUSTOM_GROUP=$(getInstallProperty 'CUSTOM_GROUP') +CUSTOM_GROUP=${CUSTOM_GROUP// } + + + +if [ ! -z "${CUSTOM_USER}" ] && [ ! -z "${CUSTOM_GROUP}" ] +then + echo "Custom user and group is available, using custom user and group." + CFG_OWNER_INF="${CUSTOM_USER}:${CUSTOM_GROUP}" +elif [ ! -z "${CUSTOM_USER}" ] && [ -z "${CUSTOM_GROUP}" ] +then + echo "Custom user is available, using custom user and default group." + CFG_OWNER_INF="${CUSTOM_USER}:${HCOMPONENT_NAME}" +elif [ -z "${CUSTOM_USER}" ] && [ ! -z "${CUSTOM_GROUP}" ] +then + echo "Custom group is available, using default user and custom group." + CFG_OWNER_INF="${HCOMPONENT_NAME}:${CUSTOM_GROUP}" +else + echo "Custom user and group are not available, using default user and group." + CFG_OWNER_INF="${HCOMPONENT_NAME}:${HCOMPONENT_NAME}" +fi + if [ "${HCOMPONENT_INSTALL_DIR_NAME}" = "" ] then HCOMPONENT_INSTALL_DIR_NAME=${HCOMPONENT_NAME} diff --git a/hbase-agent/scripts/install.properties b/hbase-agent/scripts/install.properties index 5df518a1791..795ea3e20f3 100644 --- a/hbase-agent/scripts/install.properties +++ b/hbase-agent/scripts/install.properties @@ -161,3 +161,16 @@ SSL_TRUSTSTORE_PASSWORD=changeit # UPDATE_XAPOLICIES_ON_GRANT_REVOKE=false # UPDATE_XAPOLICIES_ON_GRANT_REVOKE=true + +# +# Custom component user +# CUSTOM_COMPONENT_USER= +# keep blank if component user is default +CUSTOM_USER=hbase + + +# +# Custom component group +# CUSTOM_COMPONENT_GROUP= +# keep blank if component group is default +CUSTOM_GROUP=hadoop diff --git a/hdfs-agent/scripts/install.properties b/hdfs-agent/scripts/install.properties index fa21949dc73..b4dda13e177 100644 --- a/hdfs-agent/scripts/install.properties +++ b/hdfs-agent/scripts/install.properties 
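Review bot: The four-way `if/elif` over `CUSTOM_USER`/`CUSTOM_GROUP` is the shell default-expansion idiom spelled out by hand; `CFG_OWNER_INF="${CUSTOM_USER:-${HCOMPONENT_NAME}}:${CUSTOM_GROUP:-${HCOMPONENT_NAME}}"` yields the same four outcomes and a single `echo "Configuration files will be owned by ${CFG_OWNER_INF}"` replaces the four messages. Nothing verifies that the configured account exists, so a typo in install.properties only surfaces when `${CFG_OWNER_INF}` is presumably handed to chown later in the script and fails mid-install; a guard such as `id -u "${CUSTOM_USER:-${HCOMPONENT_NAME}}" >/dev/null 2>&1 || { echo "unknown user: ${CUSTOM_USER}"; exit 1; }` (and `getent group` for the group) fails early and clearly. Where `CFG_OWNER_INF` is consumed is not visible in this hunk.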
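Review bot: The comments name `# CUSTOM_COMPONENT_USER=` and `# CUSTOM_COMPONENT_GROUP=` while the keys actually read by enable-agent.sh are `CUSTOM_USER` and `CUSTOM_GROUP`, and "keep blank if component user is default" contradicts the shipped non-blank `CUSTOM_USER=hbase`, which means the "custom" branch is the one every install takes. I would drop the misnamed lines and write `# CUSTOM_USER / CUSTOM_GROUP: unix user and group that will own the plugin configuration written by enable-agent.sh; leave blank to fall back to the component name`. The same block with the same comment is appended to the hdfs-agent, hive-agent, knox-agent, plugin-kafka, plugin-solr, plugin-yarn and storm-agent install.properties; the hdfs, knox, kafka and solr copies also lose the trailing newline (`\ No newline at end of file`).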
@@ -149,3 +149,16 @@ SSL_KEYSTORE_FILE_PATH=/etc/hadoop/conf/ranger-plugin-keystore.jks SSL_KEYSTORE_PASSWORD=myKeyFilePassword SSL_TRUSTSTORE_FILE_PATH=/etc/hadoop/conf/ranger-plugin-truststore.jks SSL_TRUSTSTORE_PASSWORD=changeit + +# +# Custom component user +# CUSTOM_COMPONENT_USER= +# keep blank if component user is default +CUSTOM_USER=hdfs + + +# +# Custom component group +# CUSTOM_COMPONENT_GROUP= +# keep blank if component group is default +CUSTOM_GROUP=hadoop \ No newline at end of file diff --git a/hive-agent/scripts/install.properties b/hive-agent/scripts/install.properties index 2e41a37b537..6b71a8568a9 100644 --- a/hive-agent/scripts/install.properties +++ b/hive-agent/scripts/install.properties @@ -158,3 +158,16 @@ SSL_TRUSTSTORE_PASSWORD=changeit # UPDATE_XAPOLICIES_ON_GRANT_REVOKE=false # UPDATE_XAPOLICIES_ON_GRANT_REVOKE=true + +# +# Custom component user +# CUSTOM_COMPONENT_USER= +# keep blank if component user is default +CUSTOM_USER=hive + + +# +# Custom component group +# CUSTOM_COMPONENT_GROUP= +# keep blank if component group is default +CUSTOM_GROUP=hadoop diff --git a/kms/scripts/setup.sh b/kms/scripts/setup.sh index e0c3136cbc3..96bf6a0d4da 100755 --- a/kms/scripts/setup.sh +++ b/kms/scripts/setup.sh @@ -538,7 +538,9 @@ setup_install_files(){ if [ -d /etc/init.d ]; then log "[I] Setting up init.d" cp ${INSTALL_DIR}/${RANGER_KMS}-initd /etc/init.d/${RANGER_KMS} - + if [ "${unix_user}" != "kms" ]; then + sed 's/LINUX_USER=kms/LINUX_USER='${unix_user}'/g' -i /etc/init.d/${RANGER_KMS} + fi chmod ug+rx /etc/init.d/${RANGER_KMS} if [ -d /etc/rc2.d ] @@ -584,6 +586,9 @@ setup_install_files(){ chown -R ${unix_user} ${KMS_DIR}/ews/logs fi + if [ -d ${KMS_DIR}/ews/logs ]; then + chown -R ${unix_user} ${KMS_DIR}/ews/logs + fi log "[I] Setting up installation files and directory DONE"; if [ ! -f ${INSTALL_DIR}/rpm ]; then diff --git a/knox-agent/scripts/install.properties b/knox-agent/scripts/install.properties index 506c53c23ce..1febd49e776 100644 
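Review bot: `sed 's/LINUX_USER=kms/LINUX_USER='${unix_user}'/g' -i /etc/init.d/${RANGER_KMS}` splices `unix_user` unquoted into the sed program, so a value containing `/`, `&` or whitespace either breaks the command or rewrites the init script wrongly, and the unanchored pattern would also hit a longer name such as `LINUX_USER=kmsadmin`. Anchoring on the whole line and quoting gives `sed -i "s|^LINUX_USER=.*|LINUX_USER=${unix_user}|" "/etc/init.d/${RANGER_KMS}"`, which also makes the `!= "kms"` guard unnecessary; `-i` after the script is GNU-only, so keep it first. The second hunk of this file adds `chown -R ${unix_user} ${KMS_DIR}/ews/logs` right after a block whose context lines already perform that chown when they create the directory, so the new one is presumably for pre-existing directories and deserves a one-line comment saying so. security-admin/scripts/setup.sh makes the same sed change for `ranger`; setup_install_files() starts and ends outside these hunks.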
--- a/knox-agent/scripts/install.properties +++ b/knox-agent/scripts/install.properties @@ -152,3 +152,17 @@ SSL_KEYSTORE_FILE_PATH=/etc/knox/conf/ranger-plugin-keystore.jks SSL_KEYSTORE_PASSWORD=myKeyFilePassword SSL_TRUSTSTORE_FILE_PATH=/etc/knox/conf/ranger-plugin-truststore.jks SSL_TRUSTSTORE_PASSWORD=changeit + + +# +# Custom component user +# CUSTOM_COMPONENT_USER= +# keep blank if component user is default +CUSTOM_USER=knox + + +# +# Custom component group +# CUSTOM_COMPONENT_GROUP= +# keep blank if component group is default +CUSTOM_GROUP=knox \ No newline at end of file diff --git a/plugin-kafka/scripts/install.properties b/plugin-kafka/scripts/install.properties index bc6481bc66b..79ea6db62f5 100644 --- a/plugin-kafka/scripts/install.properties +++ b/plugin-kafka/scripts/install.properties @@ -155,3 +155,17 @@ SSL_KEYSTORE_FILE_PATH=/etc/hadoop/conf/ranger-plugin-keystore.jks SSL_KEYSTORE_PASSWORD=myKeyFilePassword SSL_TRUSTSTORE_FILE_PATH=/etc/hadoop/conf/ranger-plugin-truststore.jks SSL_TRUSTSTORE_PASSWORD=changeit + + +# +# Custom component user +# CUSTOM_COMPONENT_USER= +# keep blank if component user is default +CUSTOM_USER=kafka + + +# +# Custom component group +# CUSTOM_COMPONENT_GROUP= +# keep blank if component group is default +CUSTOM_GROUP=hadoop \ No newline at end of file diff --git a/plugin-kms/scripts/enable-kms-plugin.sh b/plugin-kms/scripts/enable-kms-plugin.sh index 53187f75b9e..468d39e1c3d 100755 --- a/plugin-kms/scripts/enable-kms-plugin.sh +++ b/plugin-kms/scripts/enable-kms-plugin.sh @@ -23,7 +23,7 @@ function getInstallProperty() { do if [ -f "${file}" ] then - propertyValue=`grep "^${propertyName}" ${file} | awk -F= '{ sub("^[ \t]*", "", $2); sub("[ \t]*$", "", $2); print $2 }'` + propertyValue=`grep "^${propertyName}[ \t]*=" ${file} | awk -F= '{ sub("^[ \t]*", "", $2); sub("[ \t]*$", "", $2); print $2 }'` if [ "${propertyValue}" != "" ] then break 
@@ -118,6 +118,32 @@ JAVA=$JAVA_HOME/bin/java HCOMPONENT_INSTALL_DIR_NAME=$(getInstallProperty 'COMPONENT_INSTALL_DIR_NAME') +unix_user=$(getInstallProperty 'unix_user') +unix_user=${unix_user// } + +unix_group=$(getInstallProperty 'unix_group') +unix_group=${unix_group// } + + + +if [ ! -z "${unix_user}" ] && [ ! -z "${unix_group}" ] +then + echo "Custom user and group is available, using custom user and group." + CFG_OWNER_INF="${unix_user}:${unix_group}" +elif [ ! -z "${unix_user}" ] && [ -z "${unix_group}" ] +then + echo "Custom user is available, using custom user and default group." + CFG_OWNER_INF="${unix_user}:${HCOMPONENT_NAME}" +elif [ -z "${unix_user}" ] && [ ! -z "${unix_group}" ] +then + echo "Custom group is available, using default user and custom group." + CFG_OWNER_INF="${HCOMPONENT_NAME}:${unix_group}" +else + echo "Custom user and group are not available, using default user and group." + CFG_OWNER_INF="${HCOMPONENT_NAME}:${HCOMPONENT_NAME}" +fi + + if [ "${HCOMPONENT_INSTALL_DIR_NAME}" = "" ] then HCOMPONENT_INSTALL_DIR_NAME=${HCOMPONENT_NAME} diff --git a/plugin-solr/scripts/install.properties b/plugin-solr/scripts/install.properties index 9bc305b433b..a3d98878578 100644 --- a/plugin-solr/scripts/install.properties +++ b/plugin-solr/scripts/install.properties @@ -155,3 +155,17 @@ SSL_KEYSTORE_FILE_PATH=/etc/hadoop/conf/ranger-plugin-keystore.jks SSL_KEYSTORE_PASSWORD=myKeyFilePassword SSL_TRUSTSTORE_FILE_PATH=/etc/hadoop/conf/ranger-plugin-truststore.jks SSL_TRUSTSTORE_PASSWORD=changeit + + + +# +# Custom component user +# CUSTOM_COMPONENT_USER= +# keep blank if component user is default +CUSTOM_USER=solr + +# +# Custom component group +# CUSTOM_COMPONENT_GROUP= +# keep blank if component group is default +CUSTOM_GROUP=solr \ No newline at end of file diff --git a/plugin-yarn/scripts/install.properties b/plugin-yarn/scripts/install.properties index 01f733d9165..3780068c1a6 100644 --- a/plugin-yarn/scripts/install.properties 
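Review bot: This block is a copy of the owner-selection logic added to agents-common/scripts/enable-agent.sh in the same commit, but keyed on `unix_user`/`unix_group` instead of `CUSTOM_USER`/`CUSTOM_GROUP`, while the echo messages still say "Custom user ..."; the two property names now have to be documented and maintained separately. Either align the property name across the plugins or shrink both copies to `CFG_OWNER_INF="${unix_user:-${HCOMPONENT_NAME}}:${unix_group:-${HCOMPONENT_NAME}}"` so the divergence is a single line.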
+++ b/plugin-yarn/scripts/install.properties @@ -147,3 +147,16 @@ SSL_KEYSTORE_FILE_PATH=/etc/hadoop/conf/ranger-plugin-keystore.jks SSL_KEYSTORE_PASSWORD=myKeyFilePassword SSL_TRUSTSTORE_FILE_PATH=/etc/hadoop/conf/ranger-plugin-truststore.jks SSL_TRUSTSTORE_PASSWORD=changeit + +# +# Custom component user +# CUSTOM_COMPONENT_USER= +# keep blank if component user is default +CUSTOM_USER=yarn + + +# +# Custom component group +# CUSTOM_COMPONENT_GROUP= +# keep blank if component group is default +CUSTOM_GROUP=hadoop diff --git a/security-admin/scripts/set_globals.sh b/security-admin/scripts/set_globals.sh index 2c00aedf072..9a4159ca8e3 100755 --- a/security-admin/scripts/set_globals.sh +++ b/security-admin/scripts/set_globals.sh @@ -91,5 +91,11 @@ if [ ! -d /var/log/ranger/admin ]; then chmod 755 /var/log/ranger/admin chown -R $unix_user:$unix_group /var/log/ranger fi + +if [ -d /var/log/ranger/admin ]; then + chown -R $unix_user:$unix_group /var/log/ranger/admin +fi + + mv -f ews/logs ews/webapp/logs.$curDt 2> /dev/null ln -sf /var/log/ranger/admin ews/logs diff --git a/security-admin/scripts/setup.sh b/security-admin/scripts/setup.sh index 71c424c28a0..9710706ed51 100755 --- a/security-admin/scripts/setup.sh +++ b/security-admin/scripts/setup.sh @@ -1516,6 +1516,10 @@ setup_install_files(){ chown -R ${unix_user} ${WEBAPP_ROOT}/WEB-INF/classes/conf fi + if [ -d ${WEBAPP_ROOT}/WEB-INF/classes/conf ]; then + chown -R ${unix_user} ${WEBAPP_ROOT}/WEB-INF/classes/conf + fi + if [ ! -d ${WEBAPP_ROOT}/WEB-INF/classes/lib ]; then log "[I] Creating ${WEBAPP_ROOT}/WEB-INF/classes/lib" mkdir -p ${WEBAPP_ROOT}/WEB-INF/classes/lib @@ -1525,6 +1529,9 @@ setup_install_files(){ if [ -d /etc/init.d ]; then log "[I] Setting up init.d" cp ${INSTALL_DIR}/ews/${RANGER_ADMIN_INITD} /etc/init.d/${RANGER_ADMIN} + if [ "${unix_user}" != "ranger" ]; then + sed 's/LINUX_USER=ranger/LINUX_USER='${unix_user}'/g' -i /etc/init.d/${RANGER_ADMIN} + fi chmod ug+rx /etc/init.d/${RANGER_ADMIN} 
@@ -1571,6 +1578,10 @@ setup_install_files(){ chown -R ${unix_user} ${XAPOLICYMGR_DIR}/ews/logs fi + if [ -d ${XAPOLICYMGR_DIR}/ews/logs ]; then + chown -R ${unix_user} ${XAPOLICYMGR_DIR}/ews/logs + fi + log "[I] Setting up installation files and directory DONE"; if [ ! -f ${INSTALL_DIR}/rpm ]; then diff --git a/storm-agent/scripts/install.properties b/storm-agent/scripts/install.properties index 82f17afec57..f2aa5c4b8b5 100644 --- a/storm-agent/scripts/install.properties +++ b/storm-agent/scripts/install.properties @@ -149,3 +149,16 @@ SSL_KEYSTORE_FILE_PATH=/etc/storm/conf/ranger-plugin-keystore.jks SSL_KEYSTORE_PASSWORD=myKeyFilePassword SSL_TRUSTSTORE_FILE_PATH=/etc/storm/conf/ranger-plugin-truststore.jks SSL_TRUSTSTORE_PASSWORD=changeit + +# +# Custom component user +# CUSTOM_COMPONENT_USER= +# keep blank if component user is default +CUSTOM_USER=storm + + +# +# Custom component group +# CUSTOM_COMPONENT_GROUP= +# keep blank if component group is default +CUSTOM_GROUP=hadoop diff --git a/unixauthservice/scripts/set_globals.sh b/unixauthservice/scripts/set_globals.sh index c77fbf9b435..c92dfdcff79 100755 --- a/unixauthservice/scripts/set_globals.sh +++ b/unixauthservice/scripts/set_globals.sh @@ -89,5 +89,10 @@ if [ ! -d /var/log/ranger/usersync ]; then chmod 755 /var/log/ranger/usersync chown -R $unix_user:$unix_group /var/log/ranger fi + +if [ -d /var/log/ranger/usersync ]; then + chown -R $unix_user:$unix_group /var/log/ranger/usersync +fi + mv -f logs logs.$curDt 2> /dev/null ln -sf /var/log/ranger/usersync logs diff --git a/unixauthservice/scripts/setup.py b/unixauthservice/scripts/setup.py index 5ba50d374f7..31c486eecb4 100755 --- a/unixauthservice/scripts/setup.py +++ b/unixauthservice/scripts/setup.py 
@@ -232,13 +232,25 @@ def createGroup(groupname): print "ERROR: Unable to create a new group: %s" % (groupname,e) sys.exit(1) -def initializeInitD(): +def initializeInitD(ownerName): if (os.path.isdir(initdDirName)): fn = join(installPropDirName,initdProgramName) initdFn = join(initdDirName,initdProgramName) shutil.copy(fn, initdFn) - os.chmod(initdFn,0550) - rcDirList = [ "/etc/rc2.d", "/etc/rc3.d", "/etc/rc.d/rc2.d", "/etc/rc.d/rc3.d" ] + if (ownerName != 'ranger'): + f = open(initdFn,'r') + filedata = f.read() + f.close() + find_str = "LINUX_USER=ranger" + replace_str = "LINUX_USER="+ ownerName + newdata = filedata.replace(find_str,replace_str) + + f = open(initdFn,'w') + f.write(newdata) + f.close() + + os.chmod(initdFn,0550) + rcDirList = [ "/etc/rc2.d", "/etc/rc3.d", "/etc/rc.d/rc2.d", "/etc/rc.d/rc3.d" ] for rcDir in rcDirList: if (os.path.isdir(rcDir)): for prefix in initPrefixList: @@ -365,7 +377,7 @@ def main(): os.chown(pidFolderName,ownerId,groupId) os.chown(rangerBaseDirName,ownerId,groupId) - initializeInitD() + initializeInitD(ownerName) # # Add password to crypt path From 4c29c547a5285e6e68633368716c3903ac7e0892 Mon Sep 17 00:00:00 2001 From: Sailaja Polavarapu Date: Fri, 9 Oct 2015 10:07:01 -0700 Subject: [PATCH 068/202] RANGER-652: Adding support for ldap connection check tool 
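Review bot: In initializeInitD the rewrite of the copied init script never checks that `LINUX_USER=ranger` was actually present, so a template that spells the line differently is copied unchanged and the service silently keeps running as `ranger`; after `newdata = filedata.replace(find_str,replace_str)` add `if newdata == filedata: print "WARNING: %s not found in %s" % (find_str, initdFn)`. The two file handles are opened without `with`, so an exception between open and close leaks them; `with open(initdFn,'r') as f: filedata = f.read()` works on the Python 2 this script targets. A one-line docstring for the new parameter, `"""Install the init.d script, rewriting LINUX_USER to ownerName when it is not 'ranger'."""`, would document the new contract. The shell counterpart in security-admin/scripts/setup.sh performs the same substitution with `sed` where `${unix_user}` is unquoted and unescaped inside the replacement, so a value containing `/` or `&` breaks or alters the script there.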
Signed-off-by: Velmurugan Periasamy --- src/main/assembly/usersync.xml | 36 + .../ldapconfigcheck/conf/input.properties | 63 ++ .../ldapconfigcheck/pom.xml | 130 +++ .../ldapconfigcheck/scripts/run.sh | 72 ++ .../ldapconfigcheck/AuthenticationCheck.java | 208 +++++ .../ldapconfigcheck/CommandLineOptions.java | 230 +++++ .../ranger/ldapconfigcheck/LdapConfig.java | 436 +++++++++ .../ldapconfigcheck/LdapConfigCheckMain.java | 241 +++++ .../ranger/ldapconfigcheck/UserSync.java | 860 ++++++++++++++++++ 9 files changed, 2276 insertions(+) create mode 100755 ugsync/ldapconfigchecktool/ldapconfigcheck/conf/input.properties create mode 100644 ugsync/ldapconfigchecktool/ldapconfigcheck/pom.xml create mode 100755 ugsync/ldapconfigchecktool/ldapconfigcheck/scripts/run.sh create mode 100644 ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/AuthenticationCheck.java create mode 100644 ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/CommandLineOptions.java create mode 100644 ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/LdapConfig.java create mode 100644 ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/LdapConfigCheckMain.java create mode 100644 ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/UserSync.java diff --git a/src/main/assembly/usersync.xml b/src/main/assembly/usersync.xml index 8c2600eba17..161a443ce67 100644 --- a/src/main/assembly/usersync.xml +++ b/src/main/assembly/usersync.xml 
@@ -134,6 +134,42 @@ 544 + + 755 + 755 + /ldaptool + ugsync/ldapconfigchecktool/ldapconfigcheck/scripts + + run.sh + + + + 755 + 644 + /ldaptool/lib + ugsync/ldapconfigchecktool/ldapconfigcheck/target + + ldapconfigcheck.jar + + + + 755 + 644 + /ldaptool/conf + ugsync/ldapconfigchecktool/ldapconfigcheck/conf + + input.properties + + + + 755 + 644 + /ldaptool/output + ugsync/ldapconfigchecktool/ldapconfigcheck/conf + + input.properties + + diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/conf/input.properties b/ugsync/ldapconfigchecktool/ldapconfigcheck/conf/input.properties new file mode 100755 index 00000000000..dc6fc59f678 --- /dev/null +++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/conf/input.properties 
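Review bot: The fourth new fileSet ships `input.properties` a second time, into `/ldaptool/output`, from the same `ugsync/ldapconfigchecktool/ldapconfigcheck/conf` directory as the `/ldaptool/conf` entry; this looks like a copy of the conf block meant only to create the output directory, and as written the output directory starts out holding a file whose fields include the bind password. If the intent is just to create an empty directory, the include entry should be dropped; if the duplicate is deliberate, a comment above the block explaining why would help. The markup of this hunk appears stripped in this rendering, so the element nesting is inferred.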
@@ -0,0 +1,63 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# Mandatory ldap configuration properties. +ranger.usersync.ldap.url= +ranger.usersync.ldap.binddn= +ranger.usersync.ldap.ldapbindpassword= + +# Mandatory only for openLdap +ranger.usersync.ldap.user.searchbase= +ranger.usersync.ldap.user.searchfilter= + +# For verifying authentication please provide sample username and password +ranger.admin.auth.sampleuser= +ranger.admin.auth.samplepassword= + +# Optional properties will be determined based on the above search +# User attributes +ranger.usersync.ldap.user.nameattribute= +ranger.usersync.ldap.user.objectclass= +ranger.usersync.ldap.user.groupnameattribute= + +# Group attributes +ranger.usersync.group.searchenabled=false +ranger.usersync.group.memberattributename= +ranger.usersync.group.nameattribute= +ranger.usersync.group.objectclass= +ranger.usersync.group.searchbase= +ranger.usersync.group.searchfilter= + +# Other UserSync related attributes +ranger.usersync.ldap.authentication.mechanism=simple +ranger.usersync.pagedresultsenabled=true +ranger.usersync.pagedresultssize=500 +ranger.usersync.ldap.username.caseconversion=lower +ranger.usersync.ldap.groupname.caseconversion=lower 
+ranger.usersync.ldap.user.searchscope=sub +ranger.usersync.group.searchscope=sub + +ranger.usersync.credstore.filename= +ranger.usersync.ldap.bindalias= +ranger.usersync.ldap.searchBase= +ranger.usersync.group.usermapsyncenabled=false + +# Authentication properties +ranger.authentication.method= +ranger.ldap.ad.domain= +ranger.ldap.user.dnpattern= +ranger.ldap.group.roleattribute= +ranger.ldap.group.searchbase= +ranger.ldap.group.searchfilter= diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/pom.xml b/ugsync/ldapconfigchecktool/ldapconfigcheck/pom.xml new file mode 100644 index 00000000000..a0971f2ee31 --- /dev/null +++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/pom.xml @@ -0,0 +1,130 @@ + + + + 4.0.0 + + + org.apache.ranger + ranger + 0.5.0 + .. + + + ldapconfigcheck + + jar + Ldap Config Check Tool + Ldap configuration check tool + + + + commons-cli + commons-cli + ${commons.cli.version} + + + commons-configuration + commons-configuration + ${commons.configuration.version} + + + commons-lang + commons-lang + ${commons.lang.version} + + + commons-logging + commons-logging + ${commons.logging.version} + + + org.springframework + spring-beans + ${springframework.version} + + + org.springframework + spring-context + ${springframework.version} + + + org.springframework + spring-core + ${springframework.version} + + + org.springframework + spring-tx + ${springframework.version} + + + org.springframework.ldap + spring-ldap-core + ${spring-ldap-core.version} + + + org.springframework.security + spring-security-core + ${springframework.security.version} + + + org.springframework.security + spring-security-ldap + ${springframework.security.version} + + + org.apache.ranger + credentialbuilder + ${project.version} + + + + org.apache.ranger + ranger-util + ${project.version} + + + + + ldapconfigcheck + + + org.apache.maven.plugins + maven-shade-plugin + 2.2 + + + package + + shade + + + + + org.apache.ranger.ldapconfigcheck.LdapConfigCheckMain + + + + + + + + + 
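Review bot: `ranger.usersync.ldap.ldapbindpassword` and `ranger.admin.auth.samplepassword` are read from this file in clear text, and the assembly change in this commit packages it under `/ldaptool/conf` with file mode 644, so any local account can read whatever an operator fills in. A header comment would make the trade-off explicit, e.g. `# NOTE: passwords entered below are stored in clear text; restrict this file (chmod 600) or leave them empty`. The file also declares `ranger.usersync.credstore.filename` and `ranger.usersync.ldap.bindalias`, and CommandLineOptions.readCLI prompts for the passwords when no `-i` file is given, so the comment can point to those as the alternative if the tool honours them, which this hunk does not show.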
diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/scripts/run.sh b/ugsync/ldapconfigchecktool/ldapconfigcheck/scripts/run.sh new file mode 100755 index 00000000000..787e2166fb7 --- /dev/null +++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/scripts/run.sh 
@@ -0,0 +1,72 @@ +#!/bin/bash +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +AUTH=1 + +usage() { + echo "usage: run.sh + -noauth ignore authentication properties + -d {all|users|groups} + -h show help. + -i Input file name + -o Output directory + -r {all|users|groups}" + exit 1 +} + +cdir=`pwd` +cp="${cdir}/lib/*:${cdir}/conf" +OUTDIR="${cdir}/output/" +JAVA_CMD="java -cp ${cdir}/lib/ldapconfigcheck.jar:${cp} org.apache.ranger.ldapconfigcheck.LdapConfigCheckMain" + +while getopts "i:o:d:r:noauthh" opt; do + case $opt in + i) INFILE=$OPTARG + JAVA_CMD="$JAVA_CMD -i $OPTARG" + ;; + o) OUTDIR=$OPTARG + ;; + d) DISCOVER=$OPTARG + JAVA_CMD="$JAVA_CMD -d $OPTARG" + ;; + r) RETRIEVE=$OPTARG + JAVA_CMD="$JAVA_CMD -r $OPTARG" + ;; + noauth) AUTH=0 + JAVA_CMD="$JAVA_CMD -noauth" + ;; + h) usage + ;; + \?) echo -e \\n"Option -$OPTARG not allowed." + usage + ;; + esac +done + +JAVA_CMD="$JAVA_CMD -o $OUTDIR" + +echo "JAVA commnad = $JAVA_CMD" + +if [ "${JAVA_HOME}" != "" ] +then + export JAVA_HOME + PATH="${JAVA_HOME}/bin:${PATH}" + export PATH +fi + +cd ${cdir} +$JAVA_CMD 
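Review bot: `getopts "i:o:d:r:noauthh"` cannot express a multi-character flag: the string declares the single-letter options n, o (with argument), a, u, t and h, so `-noauth` is parsed as `-n` followed by `-o auth`, the `noauth)` case is unreachable, OUTDIR silently becomes `auth`, and the Java side never receives `-noauth`. Either make the flag a single letter (`getopts "i:o:d:r:nh"` with `n) AUTH=0; JAVA_CMD="$JAVA_CMD -noauth" ;;`) and document it in usage(), or scan `"$@"` for the literal `-noauth` before the getopts loop. Separately, `-o $OUTDIR` and the final bare `$JAVA_CMD` rely on word splitting, so a path with spaces breaks the invocation; building the command as an array avoids that. The `echo "JAVA commnad = $JAVA_CMD"` line has a typo and echoes the full command line, which is fine only as long as no secret is ever passed as an argument.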
diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/AuthenticationCheck.java b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/AuthenticationCheck.java new file mode 100644 index 00000000000..f39f7821cff --- /dev/null +++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/AuthenticationCheck.java 
@@ -0,0 +1,208 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.ldapconfigcheck; + +import java.io.PrintStream; +import java.util.ArrayList; +import java.util.List; +import org.springframework.ldap.core.support.LdapContextSource; +import org.springframework.security.authentication.BadCredentialsException; +import org.springframework.security.core.Authentication; +import org.springframework.security.core.authority.SimpleGrantedAuthority; +import org.springframework.security.core.userdetails.UserDetails; +import org.springframework.security.core.userdetails.User; +import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator; +import org.springframework.security.core.GrantedAuthority; +import org.springframework.security.ldap.search.FilterBasedLdapUserSearch; +import org.springframework.security.ldap.authentication.BindAuthenticator; +import org.springframework.security.ldap.authentication.LdapAuthenticationProvider; +import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; +import org.springframework.security.ldap.DefaultSpringSecurityContextSource; + + +public class AuthenticationCheck { + private String ldapUrl = null; + 
private String authMethod = "NONE"; + private String adDomain = null; + private String userDnPattern = null; + private String roleAttribute = null; + private String groupSearchBase = null; + private String groupSearchFilter = null; + + private PrintStream logFile = null; + private PrintStream ambariProps = null; + private PrintStream installProps = null; + + public AuthenticationCheck(String ldapUrl, UserSync userSyncObj, PrintStream logFile, + PrintStream ambariProps, PrintStream installProps) { + + this.logFile = logFile; + this.ambariProps = ambariProps; + this.installProps = installProps; + + if (userSyncObj.getUserNameAttribute().equalsIgnoreCase("sAMAccountName")) { + authMethod = "AD"; + } else { + authMethod = "LDAP"; + } + this.ldapUrl = ldapUrl; + adDomain = userSyncObj.getSearchBase(); + userDnPattern = userSyncObj.getUserNameAttribute() + "={0}," + userSyncObj.getUserSearchBase(); + roleAttribute = userSyncObj.getGroupNameAttrName(); + groupSearchBase = userSyncObj.getGroupSearchBase(); + groupSearchFilter = userSyncObj.getGroupMemberName() + "=" + userDnPattern; + + } + + public void discoverAuthProperties() { + + ambariProps.println("\n# Possible values for authetication properties:"); + installProps.println("\n# Possible values for authetication properties:"); + if (authMethod.equalsIgnoreCase("AD")) { + installProps.println("xa_ldap_ad_url=" + ldapUrl); + installProps.println("xa_ldap_ad_domain=" + adDomain); + } else { + installProps.println("xa_ldap_url=" + ldapUrl); + installProps.println("xa_ldap_userDNpattern=" + userDnPattern); + installProps.println("xa_ldap_groupRoleAttribute=" + roleAttribute); + installProps.println("xa_ldap_groupSearchBase=" + groupSearchBase); + installProps.println("xa_ldap_groupSearchFilter=" + groupSearchFilter); + } + + ambariProps.println("ranger.authentication.method=" + authMethod); + if (authMethod.equalsIgnoreCase("AD")) { + ambariProps.println("ranger.ldap.ad.url=" + ldapUrl); + 
ambariProps.println("ranger.ldap.ad.domain=" + adDomain); + } else { + ambariProps.println("ranger.ldap.url=" + ldapUrl); + ambariProps.println("ranger.ldap.user.dnpattern=" + userDnPattern); + ambariProps.println("ranger.ldap.group.roleattribute=" + roleAttribute); + ambariProps.println("ranger.ldap.group.searchbase=" + groupSearchBase); + ambariProps.println("ranger.ldap.group.searchfilter=" + groupSearchFilter); + } + } + + public boolean isAuthenticated(String ldapUrl, String bindDn, String bindPassword, String userName, + String userPassword) { + boolean isAuthenticated = false; + //Verify Authentication + Authentication authentication; + if (authMethod.equalsIgnoreCase("AD")) { + authentication = getADBindAuthentication(ldapUrl, bindDn, bindPassword, userName, userPassword); + } else { + authentication = getLdapBindAuthentication(ldapUrl, bindDn, bindPassword, userName, userPassword); + } + if (authentication != null) { + isAuthenticated = authentication.isAuthenticated(); + } + + return isAuthenticated; + } + + private Authentication getADBindAuthentication(String ldapUrl, String bindDn, String bindPassword, + String userName, String userPassword) { + Authentication result = null; + try { + LdapContextSource ldapContextSource = new DefaultSpringSecurityContextSource(ldapUrl); + ldapContextSource.setUserDn(bindDn); + ldapContextSource.setPassword(bindPassword); + ldapContextSource.setReferral("follow"); + ldapContextSource.setCacheEnvironmentProperties(true); + ldapContextSource.setAnonymousReadOnly(false); + ldapContextSource.setPooled(true); + ldapContextSource.afterPropertiesSet(); + + String searchFilter="(sAMAccountName={0})"; + FilterBasedLdapUserSearch userSearch=new FilterBasedLdapUserSearch(adDomain, searchFilter,ldapContextSource); + userSearch.setSearchSubtree(true); + + BindAuthenticator bindAuthenticator = new BindAuthenticator(ldapContextSource); + bindAuthenticator.setUserSearch(userSearch); + bindAuthenticator.afterPropertiesSet(); + + 
LdapAuthenticationProvider ldapAuthenticationProvider = new LdapAuthenticationProvider(bindAuthenticator); + + if (userName != null && userPassword != null && !userName.trim().isEmpty() && !userPassword.trim().isEmpty()) { + final List grantedAuths = new ArrayList<>(); + grantedAuths.add(new SimpleGrantedAuthority("ROLE_USER")); + final UserDetails principal = new User(userName, userPassword, grantedAuths); + final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(principal, userPassword, grantedAuths); + + result = ldapAuthenticationProvider.authenticate(finalAuthentication); + } + + } catch (BadCredentialsException bce) { + logFile.println("ERROR: LDAP Authentication Failed. Please verify values for ranger.admin.auth.sampleuser and " + + "ranger.admin.auth.samplepassword\n"); + } catch (Exception e) { + logFile.println("ERROR: LDAP Authentication Failed: " + e); + } + return result; + } + + private Authentication getLdapBindAuthentication(String ldapUrl, String bindDn, String bindPassword, + String userName, String userPassword) { + Authentication result = null; + try { + LdapContextSource ldapContextSource = new DefaultSpringSecurityContextSource(ldapUrl); + ldapContextSource.setUserDn(bindDn); + ldapContextSource.setPassword(bindPassword); + ldapContextSource.setReferral("follow"); + ldapContextSource.setCacheEnvironmentProperties(false); + ldapContextSource.setAnonymousReadOnly(true); + ldapContextSource.setPooled(true); + ldapContextSource.afterPropertiesSet(); + + DefaultLdapAuthoritiesPopulator defaultLdapAuthoritiesPopulator = new DefaultLdapAuthoritiesPopulator(ldapContextSource, groupSearchBase); + defaultLdapAuthoritiesPopulator.setGroupRoleAttribute(roleAttribute); + defaultLdapAuthoritiesPopulator.setGroupSearchFilter(groupSearchFilter); + defaultLdapAuthoritiesPopulator.setIgnorePartialResultException(true); + + String searchFilter="(uid={0})"; + FilterBasedLdapUserSearch userSearch=new FilterBasedLdapUserSearch(adDomain, 
searchFilter,ldapContextSource); + userSearch.setSearchSubtree(true); + + BindAuthenticator bindAuthenticator = new BindAuthenticator(ldapContextSource); + bindAuthenticator.setUserSearch(userSearch); + String[] userDnPatterns = new String[] { userDnPattern }; + bindAuthenticator.setUserDnPatterns(userDnPatterns); + bindAuthenticator.afterPropertiesSet(); + + LdapAuthenticationProvider ldapAuthenticationProvider = new LdapAuthenticationProvider(bindAuthenticator,defaultLdapAuthoritiesPopulator); + + if (userName != null && userPassword != null && !userName.trim().isEmpty()&& !userPassword.trim().isEmpty()) { + final List grantedAuths = new ArrayList<>(); + grantedAuths.add(new SimpleGrantedAuthority("ROLE_USER")); + final UserDetails principal = new User(userName, userPassword,grantedAuths); + final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(principal, userPassword, grantedAuths); + + result = ldapAuthenticationProvider.authenticate(finalAuthentication); + } + } catch (BadCredentialsException bce) { + logFile.println("ERROR: LDAP Authentication Failed. Please verify values for ranger.admin.auth.sampleuser and " + + "ranger.admin.auth.samplepassword\n"); + } catch (Exception e) { + logFile.println("ERROR: LDAP Authentication Failed: " + e); + } + return result; + } +} + + diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/CommandLineOptions.java b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/CommandLineOptions.java new file mode 100644 index 00000000000..790330f3842 --- /dev/null +++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/CommandLineOptions.java 
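Review bot: In getLdapBindAuthentication the context source is configured with `ldapContextSource.setAnonymousReadOnly(true)` even though a bind DN and password are supplied, which makes the user search run as an anonymous bind and leaves bindDn/bindPassword unused on that path; the AD variant sets it to false, so the difference looks unintentional and will make the check succeed or fail for reasons unrelated to the configured credentials. Both builders also call `setPooled(true)` on a context source fed to a `BindAuthenticator`; as far as I recall Spring's LDAP documentation advises against pooling connections that are bound as the end user, so for a one-shot check `setPooled(false)` is the safer choice. The LDAP path searches from `adDomain` (derived from `getSearchBase()`) rather than the user search base, and the filter built in the constructor, `groupSearchFilter = userSyncObj.getGroupMemberName() + "=" + userDnPattern`, lacks the surrounding parentheses that Ranger's own `xa_ldap_groupSearchFilter` examples use; if both are deliberate, a comment saying so would stop the next reader from "fixing" them.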
@@ -0,0 +1,230 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.ldapconfigcheck; + +import org.apache.commons.cli.*; +import java.io.Console; + +public class CommandLineOptions { + + private String[] args = null; + private Options options = new Options(); + private String input = null; + private String output = null; + private String discoverProperties; + private String retrieveValues = null; + private boolean isAuthEnabled = true; + private String ldapUrl = ""; + private String bindDn = ""; + private String bindPassword = ""; + private String userSearchBase = ""; + private String userSearchFilter = ""; + private String authUser = ""; + private String authPass = ""; + + public CommandLineOptions(String[] args) { + this.args = args; + options.addOption("h", "help", false, "show help."); + options.addOption("i", "inputfile", true, "Input file name"); + options.addOption("o", "outputdir", true, "Output directory"); + options.addOption("d", "discoverProperties", true, "{all|users|groups}"); + options.addOption("r", "retrieve", true, "{all|users|groups}"); + options.addOption("noauth", "noAuthentication", false, "Ignore authentication properties"); + } + + public void parse() { + 
CommandLineParser parser = new BasicParser(); + try { + CommandLine cmd = parser.parse(options, args); + if (cmd.hasOption("h")) { + + } + + + if (cmd.hasOption("o")) { + output = cmd.getOptionValue("o"); + } else { + System.out.println("Missing o option for output directory"); + help(); + } + + if (cmd.hasOption("d")) { + discoverProperties = cmd.getOptionValue("d"); + if (discoverProperties == null || (!discoverProperties.equalsIgnoreCase("all") && + !discoverProperties.equalsIgnoreCase("users") && !discoverProperties.equalsIgnoreCase("groups"))) { + System.out.println("Unsupported value for option d"); + help(); + } + } + + if (cmd.hasOption("r")) { + retrieveValues = cmd.getOptionValue("r"); + if (retrieveValues == null || (!retrieveValues.equalsIgnoreCase("all") + && !retrieveValues.equalsIgnoreCase("users") && !retrieveValues.equalsIgnoreCase("groups"))) { + System.out.println("Unsupported value for option r"); + help(); + } + } else { + if (discoverProperties == null || discoverProperties.isEmpty()) { + System.out.println("Default to discover all usersync properties"); + //help(); + // If "d" or "r" option is not specified, then default to discover all usersync properties + discoverProperties = "all"; + } + } + + if (cmd.hasOption("noauth")) { + isAuthEnabled = false; + } + + if (cmd.hasOption("i")) { + input = cmd.getOptionValue("i"); + if (input == null || input.isEmpty()) { + System.out.println("Please specify the input properties file name"); + help(); + } + + } else { + // Read the properties from CLI and write to the input properties file. 
+ input = LdapConfig.CONFIG_FILE; + readCLI(); + } + + } catch (ParseException pe) { + System.out.println("Failed to parse command line arguments " + pe); + help(); + } + } + + public void help() { + // This prints out some help + HelpFormatter formater = new HelpFormatter(); + formater.printHelp("ldapConfigCheck", options); + System.exit(0); + } + + public String getInput() { + return input; + } + + public String getOutput() { + + return output; + } + + public String getDiscoverProperties() { + return discoverProperties; + } + + public boolean isAuthEnabled() { + return isAuthEnabled; + } + + public String getRetrieveValues() { + return retrieveValues; + } + + private void readCLI() { + boolean repeat; + Console console = System.console(); + do { + repeat = false; + System.out.print("Ldap url [ldap://ldap.example.com:389]: "); + ldapUrl = console.readLine(); + if (ldapUrl == null || ldapUrl.isEmpty()) { + System.out.println("Please enter valid ldap url."); + repeat = true; + } + } while (repeat == true); + do { + repeat = false; + System.out.print("Bind DN [cn=admin,ou=users,dc=example,dc=com]: "); + bindDn = console.readLine(); + if (bindDn == null || bindDn.isEmpty()) { + System.out.println("Please enter valid bindDn."); + repeat = true; + } + } while (repeat == true); + do { + repeat = false; + System.out.print("Bind Password: "); + char[] password = console.readPassword(); + bindPassword = String.valueOf(password); + if (bindPassword == null || bindPassword.isEmpty()) { + System.out.println("Bind Password can't be empty."); + repeat = true; + } + } while (repeat == true); + System.out.print("User Search Base [ou=users,dc=example,dc=com]: "); + userSearchBase = console.readLine(); + System.out.print("User Search Filter [cn=user1]: "); + userSearchFilter = console.readLine(); + + if (isAuthEnabled) { + do { + repeat = false; + System.out.print("Sample Authentication User [user1]: "); + authUser = console.readLine(); + if (authUser == null || authUser.isEmpty()) 
{ + System.out.println("Sample Authentication user must not be empty!"); + repeat = true; + } + } while (repeat == true); + do { + repeat = false; + System.out.print("Sample Authentication Password: "); + char[] password = console.readPassword(); + authPass = String.valueOf(password); + if (authPass == null || authPass.isEmpty()) { + System.out.println("Sample Authentication password must not be empty!"); + repeat = true; + } + } while (repeat == true); + } + } + + public String getLdapUrl() { + return ldapUrl; + } + + public String getBindDn() { + return bindDn; + } + + public String getBindPassword() { + return bindPassword; + } + + public String getUserSearchBase() { + return userSearchBase; + } + + public String getUserSearchFilter() { + return userSearchFilter; + } + + public String getAuthUser() { + return authUser; + } + + public String getAuthPass() { + return authPass; + } +} diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/LdapConfig.java b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/LdapConfig.java new file mode 100644 index 00000000000..a548957fb27 --- /dev/null +++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/LdapConfig.java 
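Review bot: In parse() the `if (cmd.hasOption("h")) { }` branch is empty, so `-h` is accepted and ignored; it should call `help();`. readCLI() dereferences `System.console()` without a null check, and `System.console()` returns null when stdin or stdout is not a terminal (piped input, some IDEs), so running the tool without `-i` in such an environment fails with a NullPointerException instead of a message; a guard like `if (console == null) { System.out.println("No interactive console; pass -i <inputfile>"); System.exit(1); }` at the top of readCLI() covers it. help() ends with `System.exit(0)` even when reached from an error path such as a missing `-o` or an unsupported `-d` value, so callers cannot distinguish failure from a help request; a non-zero status for the error paths would be better. The passwords obtained via `console.readPassword()` are immediately converted with `String.valueOf` and kept in String fields, which gives up the char[] API's ability to clear the buffer after use.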
@@ -0,0 +1,436 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.ldapconfigcheck; + +import java.io.File; +import java.io.FileInputStream; +import java.io.FileNotFoundException; +import java.io.IOException; +import java.io.InputStream; +import java.util.Properties; + +import org.apache.commons.configuration.ConfigurationException; +import org.apache.commons.lang.NullArgumentException; +import org.apache.commons.configuration.PropertiesConfiguration; + +public class LdapConfig { + + public static final String CONFIG_FILE = "input.properties"; + + private static final String LGSYNC_LDAP_URL = "ranger.usersync.ldap.url"; + + private static final String LGSYNC_LDAP_BIND_DN = "ranger.usersync.ldap.binddn"; + + private static final String LGSYNC_LDAP_BIND_KEYSTORE = "ranger.usersync.credstore.filename"; + + private static final String LGSYNC_LDAP_BIND_ALIAS = "ranger.usersync.ldap.bindalias"; + + private static final String LGSYNC_LDAP_BIND_PASSWORD = "ranger.usersync.ldap.ldapbindpassword"; + + private static final String LGSYNC_LDAP_AUTHENTICATION_MECHANISM = "ranger.usersync.ldap.authentication.mechanism"; + private static final String DEFAULT_AUTHENTICATION_MECHANISM = "simple"; + 
+ private static final String LGSYNC_SEARCH_BASE = "ranger.usersync.ldap.searchBase"; + + private static final String LGSYNC_USER_SEARCH_BASE = "ranger.usersync.ldap.user.searchbase"; + + private static final String LGSYNC_USER_SEARCH_SCOPE = "ranger.usersync.ldap.user.searchscope"; + + private static final String LGSYNC_USER_OBJECT_CLASS = "ranger.usersync.ldap.user.objectclass"; + + private static final String LGSYNC_USER_SEARCH_FILTER = "ranger.usersync.ldap.user.searchfilter"; + + private static final String LGSYNC_USER_NAME_ATTRIBUTE = "ranger.usersync.ldap.user.nameattribute"; + + private static final String LGSYNC_USER_GROUP_NAME_ATTRIBUTE = "ranger.usersync.ldap.user.groupnameattribute"; + + public static final String UGSYNC_LOWER_CASE_CONVERSION_VALUE = "lower"; + + private static final String UGSYNC_USERNAME_CASE_CONVERSION_PARAM = "ranger.usersync.ldap.username.caseconversion"; + private static final String DEFAULT_UGSYNC_USERNAME_CASE_CONVERSION_VALUE = UGSYNC_LOWER_CASE_CONVERSION_VALUE; + + private static final String UGSYNC_GROUPNAME_CASE_CONVERSION_PARAM = "ranger.usersync.ldap.groupname.caseconversion"; + private static final String DEFAULT_UGSYNC_GROUPNAME_CASE_CONVERSION_VALUE = UGSYNC_LOWER_CASE_CONVERSION_VALUE; + + + private static final String LGSYNC_PAGED_RESULTS_ENABLED = "ranger.usersync.pagedresultsenabled"; + private static final boolean DEFAULT_LGSYNC_PAGED_RESULTS_ENABLED = true; + + private static final String LGSYNC_PAGED_RESULTS_SIZE = "ranger.usersync.pagedresultssize"; + private static final int DEFAULT_LGSYNC_PAGED_RESULTS_SIZE = 500; + + private static final String LGSYNC_GROUP_SEARCH_ENABLED = "ranger.usersync.group.searchenabled"; + private static final boolean DEFAULT_LGSYNC_GROUP_SEARCH_ENABLED = false; + + private static final String LGSYNC_GROUP_USER_MAP_SYNC_ENABLED = "ranger.usersync.group.usermapsyncenabled"; + private static final boolean DEFAULT_LGSYNC_GROUP_USER_MAP_SYNC_ENABLED = false; + + private static final 
String LGSYNC_GROUP_SEARCH_BASE = "ranger.usersync.group.searchbase"; + + private static final String LGSYNC_GROUP_SEARCH_SCOPE = "ranger.usersync.group.searchscope"; + + private static final String LGSYNC_GROUP_OBJECT_CLASS = "ranger.usersync.group.objectclass"; + + private static final String LGSYNC_GROUP_SEARCH_FILTER = "ranger.usersync.group.searchfilter"; + + private static final String LGSYNC_GROUP_NAME_ATTRIBUTE = "ranger.usersync.group.nameattribute"; + + private static final String LGSYNC_GROUP_MEMBER_ATTRIBUTE_NAME = "ranger.usersync.group.memberattributename"; + + //Authentication relate properties + private static final String AUTHENTICATION_METHOD = "ranger.authentication.method"; + private static final String AD_DOMAIN = "ranger.ldap.ad.domain"; + private static final String USER_DN_PATTERN = "ranger.ldap.user.dnpattern"; + private static final String GROUP_ROLE_ATTRIBUTE = "ranger.ldap.group.roleattribute"; + private static final String GROUP_SEARCH_BASE = "ranger.ldap.group.searchbase"; + private static final String GROUP_SEARCH_FILTER = "ranger.ldap.group.searchfilter"; + private static final String AUTH_USERNAME = "ranger.admin.auth.sampleuser"; + private static final String AUTH_PASSWORD = "ranger.admin.auth.samplepassword"; + + + private Properties prop = new Properties(); + + + public LdapConfig(String configFile) { + init(configFile); + } + + private void init(String configFile) { + readConfigFile(configFile); + } + + private void readConfigFile(String fileName) { + try { + InputStream in = getFileInputStream(fileName); + if (in != null) { + try { + System.out.println("Reading ldap properties from " + fileName); + prop.load(in); + + } finally { + try { + in.close(); + } catch (IOException ioe) { + // Ignore IOE when closing stream + System.out.println(ioe); + } + } + } + } catch (Throwable e) { + throw new RuntimeException("Unable to load configuration file [" + fileName + "]", e); + } + } + + + /*private InputStream getFileInputStream(String 
path) throws FileNotFoundException { + + InputStream ret = null; + + File f = new File(path); + + if (f.exists()) { + ret = new FileInputStream(f); + } + + return ret; + }*/ + + private InputStream getFileInputStream(String path) throws FileNotFoundException { + + InputStream ret = null; + + File f = new File(path); + + if (f.exists()) { + ret = new FileInputStream(f); + } else { + ret = getClass().getResourceAsStream(path); + + if (ret == null) { + if (! path.startsWith("/")) { + ret = getClass().getResourceAsStream("/" + path); + } + } + + if (ret == null) { + ret = ClassLoader.getSystemClassLoader().getResourceAsStream(path) ; + if (ret == null) { + if (! path.startsWith("/")) { + ret = ClassLoader.getSystemResourceAsStream("/" + path); + } + } + } + } + + return ret; + } + + public String getLdapUrl() throws Throwable { + String val = prop.getProperty(LGSYNC_LDAP_URL); + if (val == null || val.trim().isEmpty()) { + throw new NullArgumentException(LGSYNC_LDAP_URL); + } + return val; + } + + + public String getLdapBindDn() throws Throwable { + String val = prop.getProperty(LGSYNC_LDAP_BIND_DN); + if (val == null || val.trim().isEmpty()) { + throw new NullArgumentException(LGSYNC_LDAP_BIND_DN); + } + return val; + } + + + public String getLdapBindPassword() { + //update credential from keystore + if (prop == null) { + return null; + } + return prop.getProperty(LGSYNC_LDAP_BIND_PASSWORD); + } + + + public String getLdapAuthenticationMechanism() { + String val = prop.getProperty(LGSYNC_LDAP_AUTHENTICATION_MECHANISM); + if (val == null || val.trim().isEmpty()) { + return DEFAULT_AUTHENTICATION_MECHANISM; + } + return val; + } + + + public String getUserSearchBase() { + String val = prop.getProperty(LGSYNC_USER_SEARCH_BASE); + if (val == null || val.trim().isEmpty()) { + val = getSearchBase(); + } + return val; + } + + + public int getUserSearchScope() { + String val = prop.getProperty(LGSYNC_USER_SEARCH_SCOPE); + if (val == null || val.trim().isEmpty()) { + return 2; 
//subtree scope + } + + val = val.trim().toLowerCase(); + if (val.equals("0") || val.startsWith("base")) { + return 0; // object scope + } else if (val.equals("1") || val.startsWith("one")) { + return 1; // one level scope + } else { + return 2; // subtree scope + } + } + + + public String getUserObjectClass() { + String val = prop.getProperty(LGSYNC_USER_OBJECT_CLASS); + return val; + } + + public String getUserSearchFilter() { + return prop.getProperty(LGSYNC_USER_SEARCH_FILTER); + } + + + public String getUserNameAttribute() { + String val = prop.getProperty(LGSYNC_USER_NAME_ATTRIBUTE); + return val; + } + + public String getUserGroupNameAttribute() { + String val = prop.getProperty(LGSYNC_USER_GROUP_NAME_ATTRIBUTE); + return val; + } + + public String getUserNameCaseConversion() { + String ret = prop.getProperty(UGSYNC_USERNAME_CASE_CONVERSION_PARAM, DEFAULT_UGSYNC_USERNAME_CASE_CONVERSION_VALUE); + return ret.trim().toLowerCase(); + } + + public String getGroupNameCaseConversion() { + String ret = prop.getProperty(UGSYNC_GROUPNAME_CASE_CONVERSION_PARAM, DEFAULT_UGSYNC_GROUPNAME_CASE_CONVERSION_VALUE); + return ret.trim().toLowerCase(); + } + + public String getSearchBase() { + return prop.getProperty(LGSYNC_SEARCH_BASE); + } + + public boolean isPagedResultsEnabled() { + boolean pagedResultsEnabled; + String val = prop.getProperty(LGSYNC_PAGED_RESULTS_ENABLED); + if (val == null || val.trim().isEmpty()) { + pagedResultsEnabled = DEFAULT_LGSYNC_PAGED_RESULTS_ENABLED; + } else { + pagedResultsEnabled = Boolean.valueOf(val); + } + return pagedResultsEnabled; + } + + public int getPagedResultsSize() { + int pagedResultsSize; + String val = prop.getProperty(LGSYNC_PAGED_RESULTS_SIZE); + if (val == null || val.trim().isEmpty()) { + pagedResultsSize = DEFAULT_LGSYNC_PAGED_RESULTS_SIZE; + } else { + pagedResultsSize = Integer.parseInt(val); + } + if (pagedResultsSize < 1) { + pagedResultsSize = DEFAULT_LGSYNC_PAGED_RESULTS_SIZE; + } + return pagedResultsSize; + } + + 
public boolean isGroupSearchEnabled() { + boolean groupSearchEnabled; + String val = prop.getProperty(LGSYNC_GROUP_SEARCH_ENABLED); + if (val == null || val.trim().isEmpty()) { + groupSearchEnabled = DEFAULT_LGSYNC_GROUP_SEARCH_ENABLED; + } else { + groupSearchEnabled = Boolean.valueOf(val); + } + return groupSearchEnabled; + } + + public boolean isGroupUserMapSyncEnabled() { + boolean groupUserMapSyncEnabled; + String val = prop.getProperty(LGSYNC_GROUP_USER_MAP_SYNC_ENABLED); + if (val == null || val.trim().isEmpty()) { + groupUserMapSyncEnabled = DEFAULT_LGSYNC_GROUP_USER_MAP_SYNC_ENABLED; + } else { + groupUserMapSyncEnabled = Boolean.valueOf(val); + } + return groupUserMapSyncEnabled; + } + + public String getGroupSearchBase() { + String val = prop.getProperty(LGSYNC_GROUP_SEARCH_BASE); + return val; + } + + public int getGroupSearchScope() { + String val = prop.getProperty(LGSYNC_GROUP_SEARCH_SCOPE); + if (val == null || val.trim().isEmpty()) { + return 2; //subtree scope + } + + val = val.trim().toLowerCase(); + if (val.equals("0") || val.startsWith("base")) { + return 0; // object scope + } else if (val.equals("1") || val.startsWith("one")) { + return 1; // one level scope + } else { + return 2; // subtree scope + } + } + + public String getGroupObjectClass() { + String val = prop.getProperty(LGSYNC_GROUP_OBJECT_CLASS); + return val; + } + + public String getGroupSearchFilter() { + return prop.getProperty(LGSYNC_GROUP_SEARCH_FILTER); + } + + public String getUserGroupMemberAttributeName() { + String val = prop.getProperty(LGSYNC_GROUP_MEMBER_ATTRIBUTE_NAME); + return val; + } + + public String getGroupNameAttribute() { + String val = prop.getProperty(LGSYNC_GROUP_NAME_ATTRIBUTE); + return val; + } + + public String getAuthenticationMethod() { + String val = prop.getProperty(AUTHENTICATION_METHOD); + return val; + } + + public String getAdDomain() { + String val = prop.getProperty(AD_DOMAIN); + return val; + } + + public String getUserDnPattern() { + String 
val = prop.getProperty(USER_DN_PATTERN); + return val; + } + + public String getGroupRoleAttribute() { + String val = prop.getProperty(GROUP_ROLE_ATTRIBUTE); + return val; + } + + public String getAuthGroupSearchBase() { + String val = prop.getProperty(GROUP_SEARCH_BASE); + return val; + } + + public String getAuthGroupSearchFilter() { + String val = prop.getProperty(GROUP_SEARCH_FILTER); + return val; + } + + public String getAuthUsername() { + return prop.getProperty(AUTH_USERNAME); + } + + public String getAuthPassword() { + return prop.getProperty(AUTH_PASSWORD); + } + + public void updateInputPropFile(String ldapUrl, String bindDn, String bindPassword, + String userSearchBase, String userSearchFilter, + String authUser, String authPass) { + try { + PropertiesConfiguration config = new PropertiesConfiguration(CONFIG_FILE); + // Update properties in memory and update the file as well + prop.setProperty(LGSYNC_LDAP_URL, ldapUrl); + prop.setProperty(LGSYNC_LDAP_BIND_DN, bindDn); + prop.setProperty(LGSYNC_LDAP_BIND_PASSWORD, bindPassword); + prop.setProperty(LGSYNC_USER_SEARCH_BASE, userSearchBase); + prop.setProperty(LGSYNC_USER_SEARCH_FILTER, userSearchFilter); + prop.setProperty(AUTH_USERNAME, authUser); + prop.setProperty(AUTH_PASSWORD, authPass); + config.setProperty(LGSYNC_LDAP_URL, ldapUrl); + config.setProperty(LGSYNC_LDAP_BIND_DN, bindDn); + config.setProperty(LGSYNC_LDAP_BIND_PASSWORD, bindPassword); + config.setProperty(LGSYNC_USER_SEARCH_BASE, userSearchBase); + config.setProperty(LGSYNC_USER_SEARCH_FILTER, userSearchFilter); + config.setProperty(AUTH_USERNAME, authUser); + config.setProperty(AUTH_PASSWORD, authPass); + config.save(); + } catch (ConfigurationException e) { + System.out.println("Failed to update " + CONFIG_FILE + ": " + e); + } + } +} + + + + + 
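Review bot: `updateInputPropFile` writes the LDAP bind password and the sample authentication password in clear text into `input.properties` through `config.setProperty(LGSYNC_LDAP_BIND_PASSWORD, bindPassword)` / `config.setProperty(AUTH_PASSWORD, authPass)` followed by `config.save()`, so a secret the operator typed at a masked `readPassword()` prompt ends up persisted on disk with whatever permissions the tool's working directory happens to have. The `LGSYNC_LDAP_BIND_KEYSTORE` and `LGSYNC_LDAP_BIND_ALIAS` constants and the `//update credential from keystore` comment in `getLdapBindPassword` suggest a credential-store path was intended, but nothing in this hunk uses them. I would keep the two `prop.setProperty(...)` calls so the current run sees the values, drop the two `config.setProperty(...)` password lines so they are never written back, and add `// NOTE: passwords are kept in memory for this run only and are never persisted to input.properties` above them — or, if persistence is required, resolve the bind password from the credstore alias when `LGSYNC_LDAP_BIND_KEYSTORE` is set. Separately, `getPagedResultsSize` hands the raw property to `Integer.parseInt`, so a non-numeric value surfaces as an unhandled `NumberFormatException` instead of the `DEFAULT_LGSYNC_PAGED_RESULTS_SIZE` fallback the surrounding `< 1` check implies.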
diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/LdapConfigCheckMain.java b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/LdapConfigCheckMain.java
new file mode 100644
index 00000000000..ad56b2e38a1
--- /dev/null
+++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/LdapConfigCheckMain.java
@@ -0,0 +1,241 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.ldapconfigcheck; + +import javax.naming.Context; +import javax.naming.NamingException; +import javax.naming.ldap.Control; +import javax.naming.ldap.InitialLdapContext; +import javax.naming.ldap.LdapContext; +import javax.naming.ldap.PagedResultsControl; +import java.io.File; +import java.io.FileNotFoundException; +import java.io.IOException; +import java.io.PrintStream; +import java.util.Properties; + +import org.apache.commons.lang.NullArgumentException; + +public class LdapConfigCheckMain { + + private static final String LOG_FILE = "ldapConfigCheck.log"; + private static final String AMBARI_PROPERTIES = "ambari.properties"; + private static final String INSTALL_PROPERTIES = "install.properties"; + + public static void main(String[] args) { + + CommandLineOptions cli = new CommandLineOptions(args); + cli.parse(); + String inFileName = cli.getInput(); + String outputDir = cli.getOutput(); + if (!outputDir.endsWith("/")) { + outputDir = outputDir.concat("/"); + } + + LdapConfig config = new LdapConfig(inFileName); + if (cli.getLdapUrl() != null && !cli.getLdapUrl().isEmpty()) { + 
config.updateInputPropFile(cli.getLdapUrl(), cli.getBindDn(), cli.getBindPassword(), + cli.getUserSearchBase(), cli.getUserSearchFilter(), cli.getAuthUser(), cli.getAuthPass()); + } + + PrintStream logFile = null; + PrintStream ambariProps = null; + PrintStream installProps = null; + LdapContext ldapContext; + + try { + logFile = new PrintStream(new File(outputDir + LOG_FILE)); + ambariProps = new PrintStream(new File(outputDir + AMBARI_PROPERTIES)); + installProps = new PrintStream(new File(outputDir + INSTALL_PROPERTIES)); + + UserSync userSyncObj = new UserSync(config, logFile, ambariProps, installProps); + + String bindDn = config.getLdapBindDn(); + + Properties env = new Properties(); + env.put(Context.INITIAL_CONTEXT_FACTORY, + "com.sun.jndi.ldap.LdapCtxFactory"); + env.put(Context.PROVIDER_URL, config.getLdapUrl()); + env.put(Context.SECURITY_PRINCIPAL, bindDn); + env.put(Context.SECURITY_CREDENTIALS, config.getLdapBindPassword()); + env.put(Context.SECURITY_AUTHENTICATION, config.getLdapAuthenticationMechanism()); + env.put(Context.REFERRAL, "follow"); + + ldapContext = new InitialLdapContext(env, null); + + if (config.isPagedResultsEnabled()) { + ldapContext.setRequestControls(new Control[]{ + new PagedResultsControl(config.getPagedResultsSize(), Control.CRITICAL) }); + } + + String retrieveValues = "all"; + + if (cli.getDiscoverProperties() != null) { + retrieveValues = cli.getDiscoverProperties(); + if (cli.getDiscoverProperties().equalsIgnoreCase("users")) { + userSyncObj.findUserProperties(ldapContext); + } else if (cli.getDiscoverProperties().equalsIgnoreCase("groups")) { + userSyncObj.findGroupProperties(ldapContext); + } else { + findAllUserSyncProperties(ldapContext, userSyncObj); + } + }else if (cli.getRetrieveValues() != null){ + retrieveValues = cli.getRetrieveValues(); + + } else { + cli.help(); + } + + if (cli.isAuthEnabled()) { + authenticate(userSyncObj, config, logFile, ambariProps, installProps); + } + + retrieveUsersGroups(ldapContext, 
userSyncObj, retrieveValues); + + if (ldapContext != null) { + ldapContext.close(); + } + + } catch (FileNotFoundException fe) { + System.out.println(fe.getMessage()); + } catch (IOException ioe) { + logFile.println("ERROR: Failed while setting the paged results controls\n" + ioe); + } catch (NamingException ne) { + System.out.println("ERROR: Failed to perfom ldap bind. Please verify values for " + + "ranger.usersync.ldap.binddn and ranger.usersync.ldap.ldapbindpassword\n" + ne); + } catch (Throwable t) { + if (logFile != null) { + logFile.println("ERROR: Connection failed: " + t.getMessage()); + } else { + System.out.println("ERROR: Connection failed: " + t.getMessage()); + } + } finally { + if (logFile != null) { + logFile.close(); + } + if (ambariProps != null) { + ambariProps.close(); + } + if (installProps != null) { + installProps.close(); + } + } + } + + private static void findAllUserSyncProperties(LdapContext ldapContext, UserSync userSyncObj) throws Throwable { + + userSyncObj.findUserProperties(ldapContext); + userSyncObj.findGroupProperties(ldapContext); + } + + private static void authenticate(UserSync userSyncObj, LdapConfig config, + PrintStream logFile, PrintStream ambariProps, + PrintStream installProps) throws Throwable{ + AuthenticationCheck auth = new AuthenticationCheck(config.getLdapUrl(), userSyncObj, logFile, ambariProps, installProps); + + auth.discoverAuthProperties(); + + String msg; + if (config.getAuthUsername() == null || config.getAuthUsername().isEmpty()) { + msg = "ranger.admin.auth.sampleuser "; + throw new NullArgumentException(msg); + } + + if (config.getAuthPassword() == null || config.getAuthPassword().isEmpty()) { + msg = "ranger.admin.auth.samplepassword "; + throw new NullArgumentException(msg); + } + + if (auth.isAuthenticated(config.getLdapUrl(), config.getLdapBindDn(), config.getLdapBindPassword(), + config.getAuthUsername(), config.getAuthPassword())) { + logFile.println("INFO: Authentication verified successfully"); + } 
else { + logFile.println("ERROR: Failed to authenticate " + config.getAuthUsername()); + } + } + + private static void retrieveUsersGroups(LdapContext ldapContext, UserSync userSyncObj, + String retrieve) throws Throwable { + String msg; + if (retrieve == null || userSyncObj == null || ldapContext == null) { + msg = "Input validation failed while retrieving Users or Groups"; + throw new NullArgumentException(msg); + } + + if (retrieve.equalsIgnoreCase("users")) { + retrieveUsers(ldapContext, userSyncObj); + } else if (retrieve.equalsIgnoreCase("groups")){ + retrieveGroups(ldapContext, userSyncObj); + } else { + // retrieve both + retrieveUsers(ldapContext, userSyncObj); + retrieveGroups(ldapContext, userSyncObj); + } + } + + private static void retrieveUsers(LdapContext ldapContext, UserSync userSyncObj) throws Throwable { + String msg; + if (userSyncObj.getUserNameAttribute() == null || userSyncObj.getUserNameAttribute().isEmpty()) { + msg = "ranger.usersync.ldap.user.nameattribute "; + throw new NullArgumentException(msg); + } + if (userSyncObj.getUserObjClassName() == null || userSyncObj.getUserObjClassName().isEmpty()) { + msg = "ranger.usersync.ldap.user.objectclass "; + throw new NullArgumentException(msg); + } + if (userSyncObj.getUserGroupMemberName() == null || userSyncObj.getUserGroupMemberName().isEmpty()) { + msg = "ranger.usersync.ldap.user.groupnameattribute "; + throw new NullArgumentException(msg); + } + if ((userSyncObj.getUserSearchBase() == null || userSyncObj.getUserSearchBase().isEmpty()) && + (userSyncObj.getSearchBase() == null || userSyncObj.getSearchBase().isEmpty())) { + msg = "ranger.usersync.ldap.user.searchbase and " + + "ranger.usersync.ldap.searchBase "; + throw new NullArgumentException(msg); + } + userSyncObj.getAllUsers(ldapContext); + } + + private static void retrieveGroups(LdapContext ldapContext, UserSync userSyncObj) throws Throwable { + String msg; + if (userSyncObj.getGroupNameAttrName() == null || 
userSyncObj.getGroupNameAttrName().isEmpty()) { + msg = "ranger.usersync.group.nameattribute "; + throw new NullArgumentException(msg); + } + if (userSyncObj.getGroupObjClassName() == null || userSyncObj.getGroupObjClassName().isEmpty()) { + msg = "ranger.usersync.group.objectclass "; + throw new NullArgumentException(msg); + } + if (userSyncObj.getUserGroupMemberName() == null || userSyncObj.getUserGroupMemberName().isEmpty()) { + msg = "ranger.usersync.group.memberattributename "; + throw new NullArgumentException(msg); + } + if ((userSyncObj.getGroupSearchBase() == null || userSyncObj.getGroupSearchBase().isEmpty()) && + (userSyncObj.getSearchBase() == null || userSyncObj.getSearchBase().isEmpty())) { + msg = "ranger.usersync.group.searchbase and " + + "ranger.usersync.ldap.searchBase "; + throw new NullArgumentException(msg); + } + userSyncObj.getAllGroups(ldapContext); + } + + +} + diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/UserSync.java b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/UserSync.java new file mode 100644 index 00000000000..53da9f2374c --- /dev/null +++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/UserSync.java 
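Review bot: `ldapContext` is closed only on the success path at the end of the `try` in `main`, so any exception after `new InitialLdapContext(env, null)` — including the `IOException`, `NamingException` and `Throwable` paths caught below — leaks the bound LDAP connection; declare it as `LdapContext ldapContext = null;` and close it in the `finally` next to the streams, e.g. `if (ldapContext != null) { try { ldapContext.close(); } catch (NamingException ignored) { } }`. `env.put(Context.REFERRAL, "follow")` sitting in the same environment as `Context.SECURITY_PRINCIPAL`/`SECURITY_CREDENTIALS` also deserves a caveat: as far as I know JNDI opens the referred connection with the same environment, so the bind DN and password are sent to whichever host the directory refers to, possibly over plain `ldap://`; for a diagnostic tool `"ignore"` is the safer default, or at least add `// NOTE: referrals are followed using the bind credentials; only enable against a trusted directory`. `config.getLdapBindPassword()` returns null when the property is absent, and `Properties.put` rejects null values, so that case currently surfaces as a generic "Connection failed: ..." from the `Throwable` handler rather than the bind-password hint printed for `NamingException`.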
@@ -0,0 +1,860 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.ldapconfigcheck; + +import javax.naming.NamingEnumeration; +import javax.naming.NamingException; +import javax.naming.directory.Attribute; +import javax.naming.directory.Attributes; +import javax.naming.directory.SearchControls; +import javax.naming.directory.SearchResult; +import javax.naming.ldap.LdapContext; +import javax.naming.ldap.Control; +import javax.naming.ldap.PagedResultsResponseControl; +import javax.naming.ldap.PagedResultsControl; +import java.io.PrintStream; +import java.util.HashMap; +import java.util.HashSet; +import java.util.Set; + +public class UserSync { + private static String[] userNameAttrValues = { "sAMAccountName", "uid", "cn" }; + private static String[] userObjClassValues = { "person", "posixAccount" }; //Not needed as this is read from the second occurence of objectClass attribute from user entry + private static String[] userGroupMemAttrValues = { "memberOf", "ismemberOf"}; + + private static String[] groupObjectClassValues = { "group", "groupOfNames", "posixGroup" }; + private static String[] groupNameAttrValues = { "distinguishedName", "cn" }; + private static String[] 
groupMemAttrValues = { "member", "memberUid" }; + + private String userNameAttribute = null; + private String userObjClassName = null; + private String userGroupMemberName = null; + private String groupMemberName = null; + private String groupNameAttrName = null; + private String groupObjClassName = null; + private String groupSearchBase = null; + private String groupSearchFilter = null; + private String userSearchBase = null; + private String userSearchFilter = null; + private String searchBase = null; + private String groupName = null; + private PrintStream logFile = null; + private PrintStream ambariProps = null; + private PrintStream installProps = null; + + private LdapConfig config = null; + + public String getUserNameAttribute() { + return userNameAttribute; + } + + public String getUserObjClassName() { + return userObjClassName; + } + + public String getUserGroupMemberName() { + return userGroupMemberName; + } + + public String getGroupMemberName() { + return groupMemberName; + } + + public String getGroupNameAttrName() { + return groupNameAttrName; + } + + public String getGroupObjClassName() { + return groupObjClassName; + } + + public String getGroupSearchBase() { return groupSearchBase; } + + public String getUserSearchBase() { return userSearchBase; } + + public String getSearchBase() { + return searchBase; + } + + public UserSync(LdapConfig config, PrintStream logFile, PrintStream ambariProps, PrintStream installProps) { + this.config = config; + this.logFile = logFile; + this.ambariProps = ambariProps; + this.installProps = installProps; + initUserSync(); + } + + private void initUserSync() { + try { + String bindDn = config.getLdapBindDn(); + userObjClassName = config.getUserObjectClass(); + userNameAttribute = config.getUserNameAttribute(); + userGroupMemberName = config.getUserGroupNameAttribute(); + userSearchBase = config.getUserSearchBase(); + userSearchFilter = config.getUserSearchFilter(); + groupObjClassName = config.getGroupObjectClass(); + 
groupNameAttrName = config.getGroupNameAttribute(); + groupMemberName = config.getUserGroupMemberAttributeName(); + groupSearchBase = config.getGroupSearchBase(); + groupSearchFilter = config.getGroupSearchFilter(); + + //String userName = null; + if (bindDn.contains("@")) { + //userName = bindDn.substring(0, bindDn.indexOf("@")); + searchBase = bindDn.substring(bindDn.indexOf("@") + 1); + searchBase = "dc=".concat(searchBase); + searchBase = searchBase.replaceAll("\\.", ",dc="); + } else { + int dcIndex = bindDn.toLowerCase().indexOf("dc="); + //userName = bindDn.substring(bindDn.indexOf("=") + 1, dcIndex - 1); + searchBase = bindDn.substring(dcIndex); + } + } catch (Throwable t) { + logFile.println("ERROR: Failed to initialize the user sync properties " + t); + } + } + + public void findUserProperties(LdapContext ldapContext) throws Throwable { + // 1. find basic user properties + // 2. find user search base and user search filter by passing basic attributes + + findBasicUserProperties(ldapContext, true); + + findAdvUserProperties(ldapContext, true); + } + + /* Use the provided bind dn or the user search base and user search filter for sample user and determine the basic user attribute. 
+ */ + private void findBasicUserProperties(LdapContext ldapContext, boolean isOutputNeeded) throws Throwable{ + String bindDn = config.getLdapBindDn(); + String userSFilter = config.getUserSearchFilter(); + String userSBase = config.getUserSearchBase(); + Attribute userNameAttr = null; + Attribute groupMemberAttr; + SearchControls userSearchControls = new SearchControls(); + userSearchControls.setSearchScope(config.getUserSearchScope()); + userSearchControls.setReturningAttributes(new java.lang.String[]{"*", "+"}); + int noOfUsers = 0; + + NamingEnumeration userSearchResultEnum = null; + + try { + if (userSBase == null || userSBase.isEmpty()) { + if (bindDn.contains("@")) { + userSBase = bindDn.substring(bindDn.indexOf("@") + 1); + userSBase = "dc=".concat(userSBase); + userSBase = userSBase.replaceAll("\\.", ",dc="); + } else { + //int dcIndex = bindDn.toLowerCase().indexOf("dc="); + userSBase = bindDn.substring(bindDn.indexOf(",") + 1); + } + //System.out.println("Derived user search base = " + userSearchBase); + } + + if (userSFilter == null || userSFilter.isEmpty()) { + if (bindDn.contains("@")) { + userSFilter = "userPrincipalName=" + bindDn; + } else { + int cnEndIndex = bindDn.indexOf(","); + userSFilter = bindDn.substring(0,cnEndIndex); + + } + //System.out.println("Derived user search filter = " + userSearchFilter); + } + + try { + userSearchResultEnum = ldapContext.search(userSBase, + userSFilter, userSearchControls); + while (userSearchResultEnum.hasMore()) { + if (noOfUsers >= 1) { + break; + } + final SearchResult userEntry = userSearchResultEnum.next(); + + if (userEntry == null) { + logFile.println("WARN: userEntry null"); + continue; + } + + Attributes attributes = userEntry.getAttributes(); + if (attributes == null) { + logFile.println("WARN: Attributes missing for entry " + userEntry.getNameInNamespace()); + continue; + } + + if (userNameAttribute == null || userNameAttribute.isEmpty()) { + for (int i = 0; i < userNameAttrValues.length; i++) { + 
userNameAttr = attributes.get(userNameAttrValues[i]); + if (userNameAttr != null) { + userNameAttribute = userNameAttrValues[i]; + break; + } + } + if (userNameAttr == null) { + logFile.print("WARN: Failed to find any of ( "); + for (int i = 0; i < userNameAttrValues.length; i++) { + logFile.print(userNameAttrValues[i] + " "); + } + logFile.println(") for entry " + userEntry.getNameInNamespace()); + continue; + } + } else { + userNameAttr = attributes.get(userNameAttribute); + if (userNameAttr == null) { + logFile.println("WARN: Failed to find " + userNameAttribute + " for entry " + userEntry.getNameInNamespace()); + continue; + } + } + + String userName = (String) userNameAttr.get(); + + if (userName == null || userName.trim().isEmpty()) { + logFile.println("WARN: " + userNameAttribute + " empty for entry " + userEntry.getNameInNamespace()); + continue; + } + userName = userName.toLowerCase(); + Attribute userObjClassAttr = attributes.get("objectClass"); + NamingEnumeration userObjClassEnum = userObjClassAttr.getAll(); + String userObjClass = null; + while (userObjClassEnum.hasMore()) { + userObjClass = userObjClassEnum.next().toString(); + if (userObjClassName == null || userObjClassName.isEmpty()) { + if (userObjClass != null) { + for (int i = 0; i < userObjClassValues.length; i++) { + if (userObjClass.equalsIgnoreCase(userObjClassValues[i])) { + userObjClassName = userObjClass; + break; + } + } + } else { + logFile.println("WARN: Failed to find objectClass attribute for " + userName); + //continue; + } + } + } + + if (userObjClassName == null || userObjClassName.isEmpty()) { + userObjClassName = userObjClass; + } + + for (int i = 0; i < userGroupMemAttrValues.length; i++) { + groupMemberAttr = attributes.get(userGroupMemAttrValues[i]); + if (groupMemberAttr != null) { + userGroupMemberName = userGroupMemAttrValues[i]; + groupName = groupMemberAttr.get(1).toString(); + break; + } + } + + noOfUsers++; + } + } catch (NamingException ne) { + String msg = "Exception 
occured while discovering basic user properties:\n" + + "ranger.usersync.ldap.user.nameattribute\n" + + "ranger.usersync.ldap.user.objectclass\n" + + "ranger.usersync.ldap.user.groupnameattribute\n"; + if ((config.getUserSearchBase() != null && !config.getUserSearchBase().isEmpty()) || + (config.getUserSearchFilter() != null && !config.getUserSearchFilter().isEmpty())) { + throw new Exception(msg + "Please verify values for ranger.usersync.ldap.user.searchbase and ranger.usersync.ldap.user.searchfilter"); + } else { + throw new Exception(msg + ne); + } + } + + if (isOutputNeeded) { + installProps.println("# Possible values for user search related properties:"); + installProps.println("SYNC_LDAP_USER_NAME_ATTRIBUTE=" + userNameAttribute); + installProps.println("SYNC_LDAP_USER_OBJECT_CLASS=" + userObjClassName); + installProps.println("SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE=" + userGroupMemberName); + + ambariProps.println("# Possible values for user search related properties:"); + ambariProps.println("ranger.usersync.ldap.user.nameattribute=" + userNameAttribute); + ambariProps.println("ranger.usersync.ldap.user.objectclass=" + userObjClassName); + ambariProps.println("ranger.usersync.ldap.user.groupnameattribute=" + userGroupMemberName); + } + } finally { + try { + if (userSearchResultEnum != null) { + userSearchResultEnum.close(); + } + } catch (NamingException ne) { + throw new Exception("Exception occured while closing user search result: " + ne); + } + } + } + + private void findAdvUserProperties(LdapContext ldapContext, boolean isOutputNeeded) throws Throwable{ + int noOfUsers; + NamingEnumeration userSearchResultEnum = null; + SearchControls userSearchControls = new SearchControls(); + userSearchControls.setSearchScope(config.getUserSearchScope()); + if (userNameAttribute != null && !userNameAttribute.isEmpty()) { + Set userSearchAttributes = new HashSet<>(); + userSearchAttributes.add(userNameAttribute); + userSearchAttributes.add(userGroupMemberName); + 
userSearchAttributes.add("distinguishedName"); + userSearchControls.setReturningAttributes(userSearchAttributes.toArray( + new String[userSearchAttributes.size()])); + } else { + userSearchControls.setReturningAttributes(new java.lang.String[]{"*", "+"}); + } + + String extendedUserSearchFilter = "(objectclass=" + userObjClassName + ")"; + + try { + + HashMap ouOccurences = new HashMap<>(); + + userSearchResultEnum = ldapContext.search(searchBase, + extendedUserSearchFilter, userSearchControls); + + noOfUsers = 0; + while (userSearchResultEnum.hasMore()) { + if (noOfUsers >= 20) { + break; + } + final SearchResult userEntry = userSearchResultEnum.next(); + + if (userEntry == null) { + logFile.println("WARN: userEntry null"); + continue; + } + + Attributes attributes = userEntry.getAttributes(); + if (attributes == null) { + logFile.println("WARN: Attributes missing for entry " + userEntry.getNameInNamespace()); + continue; + } + + String dnValue; + + Attribute dnAttr = attributes.get("distinguishedName"); + if (dnAttr != null) { + dnValue = dnAttr.get().toString(); + String ouStr = "OU="; + int indexOfOU = dnValue.indexOf(ouStr); + if (indexOfOU > 0) { + dnValue = dnValue.substring(indexOfOU); + + } else { + dnValue = dnValue.substring(dnValue.indexOf(",") + 1); + } + + } else { + // If distinguishedName is not found, + // strip off the userName from the long name for OU or sub domain + dnValue = userEntry.getNameInNamespace(); + dnValue = dnValue.substring(dnValue.indexOf(",") + 1); + + } + //System.out.println("OU from dn = " + dnValue); + Integer ouOccrs = ouOccurences.get(dnValue); + if (ouOccrs == null) { + //System.out.println("value = 0"); + ouOccrs = new Integer(0); + } + int val = ouOccrs.intValue(); + ouOccrs = new Integer(++val); + ouOccurences.put(dnValue, ouOccrs); + noOfUsers++; + } + + if (!ouOccurences.isEmpty()) { + Set keys = ouOccurences.keySet(); + int maxOUOccr = 0; + for (String key : keys) { + int ouOccurVal = 
ouOccurences.get(key).intValue(); + logFile.println("INFO: No. of users from " + key + " = " + ouOccurVal); + if (ouOccurVal > maxOUOccr) { + maxOUOccr = ouOccurVal; + userSearchBase = key; + } + } + } + userSearchFilter = userNameAttribute + "=*"; + + if (isOutputNeeded) { + installProps.println("SYNC_LDAP_USER_SEARCH_BASE=" + userSearchBase); + installProps.println("SYNC_LDAP_USER_SEARCH_FILTER=" + userSearchFilter); + + ambariProps.println("ranger.usersync.ldap.user.searchbase=" + userSearchBase); + ambariProps.println("ranger.usersync.ldap.user.searchfilter=" + userSearchFilter); + } + + } catch (NamingException ne) { + String msg = "Exception occured while discovering user properties:\n" + + "ranger.usersync.ldap.user.searchbase\n" + + "ranger.usersync.ldap.user.searchfilter\n"; + if ((config.getUserNameAttribute() != null && !config.getUserNameAttribute().isEmpty()) || + (config.getUserObjectClass() != null && !config.getUserObjectClass().isEmpty()) || + (config.getGroupNameAttribute() != null && !config.getGroupNameAttribute().isEmpty())) { + throw new Exception("Please verify values for ranger.usersync.ldap.user.nameattribute, " + + "ranger.usersync.ldap.user.objectclass, and" + + "ranger.usersync.ldap.user.groupnameattribute"); + } else { + throw new Exception(msg + ne); + } + } finally { + if (userSearchResultEnum != null) { + userSearchResultEnum.close(); + } + } + } + + public void getAllUsers(LdapContext ldapContext) throws Throwable { + int noOfUsers = 0; + Attribute userNameAttr = null; + String groupName = null; + Attribute groupMemberAttr; + NamingEnumeration userSearchResultEnum = null; + SearchControls userSearchControls = new SearchControls(); + userSearchControls.setSearchScope(config.getUserSearchScope()); + Set userSearchAttributes = new HashSet<>(); + if (userNameAttribute != null) { + userSearchAttributes.add(userNameAttribute); + } + if (userGroupMemberName != null) { + userSearchAttributes.add(userGroupMemberName); + } + if 
(userSearchAttributes.size() > 0) { + userSearchControls.setReturningAttributes(userSearchAttributes.toArray( + new String[userSearchAttributes.size()])); + } else { + userSearchControls.setReturningAttributes(new java.lang.String[]{"*", "+"}); + } + + String extendedUserSearchFilter = "(objectclass=" + userObjClassName + ")"; + if (userSearchFilter != null && !userSearchFilter.trim().isEmpty()) { + String customFilter = userSearchFilter.trim(); + if (!customFilter.startsWith("(")) { + customFilter = "(" + customFilter + ")"; + } + extendedUserSearchFilter = "(&" + extendedUserSearchFilter + customFilter + ")"; + } + + byte[] cookie = null; + logFile.println(); + logFile.println("INFO: First 20 Users and associated groups are:"); + + try { + do { + + userSearchResultEnum = ldapContext.search(userSearchBase, + extendedUserSearchFilter, userSearchControls); + + while (userSearchResultEnum.hasMore()) { + final SearchResult userEntry = userSearchResultEnum.next(); + + if (userEntry == null) { + logFile.println("WARN: userEntry null"); + continue; + } + + Attributes attributes = userEntry.getAttributes(); + if (attributes == null) { + logFile.println("WARN: Attributes missing for entry " + userEntry.getNameInNamespace()); + continue; + } + + if (userNameAttribute == null || userNameAttribute.isEmpty()) { + for (int i = 0; i < userNameAttrValues.length; i++) { + userNameAttr = attributes.get(userNameAttrValues[i]); + if (userNameAttr != null) { + userNameAttribute = userNameAttrValues[i]; + break; + } + } + if (userNameAttr == null) { + logFile.print("WARN: Failed to find any of ( "); + for (int i = 0; i < userNameAttrValues.length; i++) { + logFile.print(userNameAttrValues[i] + " "); + } + logFile.println(") for entry " + userEntry.getNameInNamespace()); + continue; + } + } else { + userNameAttr = attributes.get(userNameAttribute); + if (userNameAttr == null) { + logFile.println("WARN: Failed to find " + userNameAttribute + " for entry " + 
userEntry.getNameInNamespace()); + continue; + } + } + + String userName = userNameAttr.get().toString(); + + if (userName == null || userName.trim().isEmpty()) { + logFile.println("WARN: " + userNameAttribute + " empty for entry " + userEntry.getNameInNamespace()); + continue; + } + userName = userName.toLowerCase(); + + Set groups = new HashSet<>(); + groupMemberAttr = attributes.get(userGroupMemberName); + + if (groupMemberAttr != null) { + NamingEnumeration groupEnum = groupMemberAttr.getAll(); + while (groupEnum.hasMore()) { + String groupRes = groupEnum.next().toString(); + groups.add(groupRes); + if (groupName == null || groupName.isEmpty()) { + groupName = groupRes; + } + } + } + + if (noOfUsers < 20) { + logFile.println("Username: " + userName + ", Groups: " + groups); + } + noOfUsers++; + } + // Examine the paged results control response + Control[] controls = ldapContext.getResponseControls(); + if (controls != null) { + for (int i = 0; i < controls.length; i++) { + if (controls[i] instanceof PagedResultsResponseControl) { + PagedResultsResponseControl prrc = + (PagedResultsResponseControl)controls[i]; + cookie = prrc.getCookie(); + } + } + } else { + logFile.println("WARN: No controls were sent from the server"); + } + // Re-activate paged results + if (config.isPagedResultsEnabled()) { + ldapContext.setRequestControls(new Control[]{ + new PagedResultsControl(config.getPagedResultsSize(), cookie, Control.CRITICAL)}); + } + } while (cookie != null); + logFile.println("\nINFO: Total no. 
of users = " + noOfUsers); + + } catch (NamingException ne) { + String msg = "Exception occured while retreiving users\n"; + if ((config.getUserNameAttribute() != null && !config.getUserNameAttribute().isEmpty()) || + (config.getUserObjectClass() != null && !config.getUserObjectClass().isEmpty()) || + (config.getGroupNameAttribute() != null && !config.getGroupNameAttribute().isEmpty()) || + (config.getUserSearchBase() != null && !config.getUserSearchBase().isEmpty()) || + (config.getUserSearchFilter() != null && !config.getUserSearchFilter().isEmpty())) { + throw new Exception("Please verify values for:\n ranger.usersync.ldap.user.nameattribute\n " + + "ranger.usersync.ldap.user.objectclass\n" + + "ranger.usersync.ldap.user.groupnameattribute\n" + + "ranger.usersync.ldap.user.searchbase\n" + + "ranger.usersync.ldap.user.searchfilter\n"); + } else { + throw new Exception(msg + ne); + } + } finally { + if (userSearchResultEnum != null) { + userSearchResultEnum.close(); + } + } + } + + public void findGroupProperties(LdapContext ldapContext) throws Throwable { + // find basic group attributes/properties + // find group search base and group search filter + // Get all groups + + if (groupName == null || groupName.isEmpty()) { + // Perform basic user search and get the group name from the user's group attribute name. + findBasicUserProperties(ldapContext, false); + } + + if (groupName == null || groupName.isEmpty()) { + // Perform adv user search and get the group name from the user's group attribute name. 
+ findAdvUserProperties(ldapContext, false); + } + + findBasicGroupProperties(ldapContext); + + findAdvGroupProperties(ldapContext); + } + + private void findBasicGroupProperties(LdapContext ldapContext) throws Throwable { + int noOfGroups; + Attribute groupNameAttr; + String groupBase; + String groupFilter; + Attribute groupMemberAttr; + NamingEnumeration groupSearchResultEnum = null; + SearchControls groupSearchControls = new SearchControls(); + groupSearchControls.setSearchScope(config.getGroupSearchScope()); + + try { + int baseIndex = groupName.indexOf(","); + groupBase = groupName.substring(baseIndex + 1); + groupFilter = groupName.substring(0, baseIndex); + groupSearchResultEnum = ldapContext.search(groupBase, groupFilter, + groupSearchControls); + + noOfGroups = 0; + while (groupSearchResultEnum.hasMore()) { + if (noOfGroups >= 1) { + break; + } + + final SearchResult groupEntry = groupSearchResultEnum.next(); + if (groupEntry == null) { + continue; + } + Attributes groupAttributes = groupEntry.getAttributes(); + if (groupAttributes == null) { + logFile.println("WARN: Attributes missing for entry " + groupEntry.getNameInNamespace()); + continue; + } + + Attribute groupObjClassAttr = groupAttributes.get("objectClass"); + if (groupObjClassAttr != null) { + NamingEnumeration groupObjClassEnum = groupObjClassAttr.getAll(); + while (groupObjClassEnum.hasMore()) { + String groupObjClassStr = groupObjClassEnum.next().toString(); + for (int i = 0; i < groupObjectClassValues.length; i++) { + if (groupObjClassStr.equalsIgnoreCase(groupObjectClassValues[i])) { + groupObjClassName = groupObjClassStr; + break; + } + } + } + } else { + logFile.println("WARN: Failed to find group objectClass attribute for " + groupEntry.getNameInNamespace()); + continue; + } + + if (groupNameAttrName == null || groupNameAttrName.isEmpty()) { + + for (int i = 0; i < groupNameAttrValues.length; i++) { + groupNameAttr = groupAttributes.get(groupNameAttrValues[i]); + if (groupNameAttr != 
null) { + groupNameAttrName = groupNameAttrValues[i]; + break; + } + } + } + + for (int i = 0; i < groupMemAttrValues.length; i++) { + groupMemberAttr = groupAttributes.get(groupMemAttrValues[i]); + if (groupMemberAttr != null) { + groupMemberName = groupMemAttrValues[i]; + break; + } + } + noOfGroups++; + } + + installProps.println("\n# Possible values for group search related properties:"); + installProps.println("SYNC_GROUP_MEMBER_ATTRIBUTE_NAME=" + groupMemberName); + installProps.println("SYNC_GROUP_NAME_ATTRIBUTE=" + groupNameAttrName); + installProps.println("SYNC_GROUP_OBJECT_CLASS=" + groupObjClassName); + + ambariProps.println("\n# Possible values for group search related properties:"); + ambariProps.println("ranger.usersync.group.memberattributename=" + groupMemberName); + ambariProps.println("ranger.usersync.group.nameattribute=" + groupNameAttrName); + ambariProps.println("ranger.usersync.group.objectclass=" + groupObjClassName); + + } finally { + + if (groupSearchResultEnum != null) { + groupSearchResultEnum.close(); + } + } + } + + private void findAdvGroupProperties(LdapContext ldapContext) throws Throwable { + int noOfGroups = 0; + NamingEnumeration groupSearchResultEnum = null; + SearchControls groupSearchControls = new SearchControls(); + groupSearchControls.setSearchScope(config.getGroupSearchScope()); + Set groupSearchAttributes = new HashSet<>(); + groupSearchAttributes.add(groupNameAttrName); + groupSearchAttributes.add(groupMemberName); + groupSearchAttributes.add("distinguishedName"); + groupSearchControls.setReturningAttributes(groupSearchAttributes.toArray( + new String[groupSearchAttributes.size()])); + String extendedGroupSearchFilter = "(objectclass=" + groupObjClassName + ")"; + + try { + HashMap ouOccurences = new HashMap<>(); + + groupSearchResultEnum = ldapContext.search(searchBase, extendedGroupSearchFilter, + groupSearchControls); + + while (groupSearchResultEnum.hasMore()) { + if (noOfGroups >= 20) { + break; + } + + final 
SearchResult groupEntry = groupSearchResultEnum.next(); + if (groupEntry == null) { + continue; + } + Attributes groupAttributes = groupEntry.getAttributes(); + if (groupAttributes == null) { + logFile.println("WARN: Attributes missing for entry " + groupEntry.getNameInNamespace()); + continue; + } + + String dnValue; + + Attribute dnAttr = groupAttributes.get("distinguishedName"); + if (dnAttr != null) { + dnValue = dnAttr.get().toString(); + String ouStr = "OU="; + int indexOfOU = dnValue.indexOf(ouStr); + if (indexOfOU > 0) { + dnValue = dnValue.substring(indexOfOU); + + } else { + dnValue = dnValue.substring(dnValue.indexOf(",") + 1); + } + + } else { + // If distinguishedName is not found, + // strip off the userName from the long name for OU or sub domain + dnValue = groupEntry.getNameInNamespace(); + dnValue = dnValue.substring(dnValue.indexOf(",") + 1); + } + //System.out.println("OU from dn = " + dnValue); + Integer ouOccrs = ouOccurences.get(dnValue); + if (ouOccrs == null) { + //System.out.println("value = 0"); + ouOccrs = new Integer(0); + } + int val = ouOccrs.intValue(); + ouOccrs = new Integer(++val); + ouOccurences.put(dnValue, ouOccrs); + + noOfGroups++; + } + + if (!ouOccurences.isEmpty()) { + Set keys = ouOccurences.keySet(); + int maxOUOccr = 0; + for (String key : keys) { + int ouOccurVal = ouOccurences.get(key).intValue(); + logFile.println("INFO: No. 
of groups from " + key + " = " + ouOccurVal); + if (ouOccurVal > maxOUOccr) { + maxOUOccr = ouOccurVal; + groupSearchBase = key; + } + } + } + + groupSearchFilter = groupNameAttrName + "=*"; + + installProps.println("SYNC_GROUP_SEARCH_BASE=" + groupSearchBase); + installProps.println("SYNC_LDAP_GROUP_SEARCH_FILTER=" + groupSearchFilter); + + ambariProps.println("ranger.usersync.group.searchbase=" + groupSearchBase); + ambariProps.println("ranger.usersync.group.searchfilter=" + groupSearchFilter); + + } finally { + + if (groupSearchResultEnum != null) { + groupSearchResultEnum.close(); + } + } + } + + public void getAllGroups(LdapContext ldapContext) throws Throwable { + int noOfGroups = 0; + Attribute groupNameAttr; + Attribute groupMemberAttr; + NamingEnumeration groupSearchResultEnum = null; + SearchControls groupSearchControls = new SearchControls(); + groupSearchControls.setSearchScope(config.getGroupSearchScope()); + Set groupSearchAttributes = new HashSet<>(); + groupSearchAttributes.add(groupNameAttrName); + groupSearchAttributes.add(groupMemberName); + groupSearchAttributes.add("distinguishedName"); + groupSearchControls.setReturningAttributes(groupSearchAttributes.toArray( + new String[groupSearchAttributes.size()])); + + String extendedGroupSearchFilter= "(objectclass=" + groupObjClassName + ")"; + if (groupSearchFilter != null && !groupSearchFilter.trim().isEmpty()) { + String customFilter = groupSearchFilter.trim(); + if (!customFilter.startsWith("(")) { + customFilter = "(" + customFilter + ")"; + } + extendedGroupSearchFilter = "(&" + extendedGroupSearchFilter + customFilter + ")"; + } + + try { + + groupSearchResultEnum = ldapContext.search(groupSearchBase, extendedGroupSearchFilter, + groupSearchControls); + + logFile.println("\nINFO: First 20 Groups and associated Users are:"); + + while (groupSearchResultEnum.hasMore()) { + final SearchResult groupEntry = groupSearchResultEnum.next(); + if (groupEntry == null) { + continue; + } + Attributes 
groupAttributes = groupEntry.getAttributes(); + if (groupAttributes == null) { + logFile.println("WARN: Attributes missing for entry " + groupEntry.getNameInNamespace()); + continue; + } + + groupMemberAttr = groupAttributes.get(groupMemberName); + + Set users = new HashSet<>(); + if (groupMemberAttr != null) { + NamingEnumeration userEnum = groupMemberAttr.getAll(); + while (userEnum.hasMore()) { + String userRes = userEnum.next().toString(); + users.add(userRes); + } + } + + groupNameAttr = groupAttributes.get(groupNameAttrName); + if (noOfGroups < 20) { + logFile.println("Group name: " + groupNameAttr.get().toString() + ", Users: " + users); + } + noOfGroups++; + } + + logFile.println("\nINFO: Total no. of groups = " + noOfGroups); + + } catch (NamingException ne) { + String msg = "Exception occured while retreiving groups\n"; + if ((config.getGroupNameAttribute() != null && !config.getGroupNameAttribute().isEmpty()) || + (config.getGroupObjectClass() != null && !config.getGroupObjectClass().isEmpty()) || + (config.getUserGroupMemberAttributeName() != null && !config.getUserGroupMemberAttributeName().isEmpty()) || + (config.getGroupSearchBase() != null && !config.getGroupSearchBase().isEmpty()) || + (config.getGroupSearchFilter() != null && !config.getGroupSearchFilter().isEmpty())) { + throw new Exception("Please verify values for:\n ranger.usersync.group.memberattributename\n " + + "ranger.usersync.group.nameattribute\n" + + "ranger.usersync.group.objectclass\n" + + "ranger.usersync.group.searchbase\n" + + "ranger.usersync.group.searchfilter\n"); + } else { + throw new Exception(msg + ne); + } + } finally { + + if (groupSearchResultEnum != null) { + groupSearchResultEnum.close(); + } + } + } +} + + From 275736bdb89960ac62d5b3edf8ea1654dba82c36 Mon Sep 17 00:00:00 2001 From: rmani Date: Thu, 30 Jul 2015 14:20:29 -0700 Subject: [PATCH 069/202] RANGER-590: Escape spaces in the user and group names which are part of rest call uri in UserSync process 
Signed-off-by: rmani --- .../process/PolicyMgrUserGroupBuilder.java | 45 ++++++++++++------- .../ranger/usersync/util/UserSyncUtil.java | 39 ++++++++++++++++ 2 files changed, 68 insertions(+), 16 deletions(-) create mode 100644 ugsync/src/main/java/org/apache/ranger/usersync/util/UserSyncUtil.java diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java index 5768f550947..78e3e7229c0 100644 --- a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java +++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java @@ -63,7 +63,7 @@ import org.apache.ranger.unixusersync.model.XUserInfo; import org.apache.ranger.unixusersync.model.UserGroupInfo; import org.apache.ranger.usergroupsync.UserGroupSink; -import org.mortbay.log.Log; +import org.apache.ranger.usersync.util.UserSyncUtil; public class PolicyMgrUserGroupBuilder implements UserGroupSink { 
@@ -603,25 +603,38 @@ private void delXUserGroupInfo(XUserInfo aUserInfo, List aGroupList) { } private void delXUserGroupInfo(XUserInfo aUserInfo, XGroupInfo aGroupInfo) { - - Client c = getClient() ; - - String uri = PM_DEL_USER_GROUP_LINK_URI.replaceAll(Pattern.quote("${groupName}"), aGroupInfo.getName()).replaceAll(Pattern.quote("${userName}"), aUserInfo.getName()) ; - - WebResource r = c.resource(getURL(uri)) ; - - ClientResponse response = r.delete(ClientResponse.class) ; - - LOG.debug("RESPONSE: [" + response.toString() + "]") ; + + String groupName = aGroupInfo.getName(); - - if (response.getStatus() == 200) { - delUserGroupFromList(aUserInfo, aGroupInfo) ; - } + String userName = aUserInfo.getName(); + try { + + Client c = getClient() ; + + String uri = PM_DEL_USER_GROUP_LINK_URI.replaceAll(Pattern.quote("${groupName}"), + UserSyncUtil.encodeURIParam(groupName)).replaceAll(Pattern.quote("${userName}"), UserSyncUtil.encodeURIParam(userName)); + + WebResource r = c.resource(getURL(uri)) ; + + ClientResponse response = r.delete(ClientResponse.class) ; + + if ( LOG.isDebugEnabled() ) { + LOG.debug("RESPONSE: [" + response.toString() + "]") ; + } + + if (response.getStatus() == 200) { + delUserGroupFromList(aUserInfo, aGroupInfo) ; + } + + } catch (Exception e) { + + LOG.warn( "ERROR: Unable to delete GROUP: " + groupName + " from USER:" + userName , e) ; + } + } - + private MUserInfo addMUser(String aUserName) { MUserInfo ret = null ; diff --git a/ugsync/src/main/java/org/apache/ranger/usersync/util/UserSyncUtil.java b/ugsync/src/main/java/org/apache/ranger/usersync/util/UserSyncUtil.java new file mode 100644 index 00000000000..050419d6b3b --- /dev/null +++ b/ugsync/src/main/java/org/apache/ranger/usersync/util/UserSyncUtil.java 
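Review bot: The encoded names are still passed as `replaceAll` replacement strings, where `$` is a group reference, and as far as I can tell from the commons-httpclient API `URIUtil.encodeQuery` only escapes what is illegal in a query component and leaves reserved characters such as `$`, `/`, `;` and `?` untouched, so a user or group name containing one of them either makes the regex engine throw `IllegalArgumentException` or lands unescaped in what the constant name suggests is a path template. Because the new `catch (Exception e)` only logs a warning, that failure leaves the user-group link in place on the admin side and the stale authorization data is visible only as a log line. Wrap each substitution as `Matcher.quoteReplacement(UserSyncUtil.encodeURIParam(groupName))` (likewise for `userName`), and in the new `UserSyncUtil` hunk (`@@ -0,0 +1,39 @@`) prefer the path-segment encoder `URIUtil.encodeWithinPath` if these placeholders sit in the path of `PM_DEL_USER_GROUP_LINK_URI`.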
@@ -0,0 +1,39 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.usersync.util;
+
+import org.apache.commons.httpclient.URIException;
+import org.apache.commons.httpclient.util.URIUtil;
+
+public class UserSyncUtil {
+
+ public static String encodeURIParam(String s) throws URIException {
+
+ String ret = null;
+
+ try {
+ ret = URIUtil.encodeQuery(s);
+ } catch (URIException e) {
+ throw e;
+ }
+
+ return ret;
+ }
+}
From ecdaa6c1ba39a8bd6df3844860ba439b2d71f51f Mon Sep 17 00:00:00 2001
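Review bot: The `try { ... } catch (URIException e) { throw e; }` around `URIUtil.encodeQuery(s)` catches the exception only to rethrow it unchanged, so `encodeURIParam` reduces to the single line `return URIUtil.encodeQuery(s);` and the `ret` local goes away. The method also has no Javadoc; a sentence stating that it encodes a value for use inside a REST URI and that reserved URI characters are left as-is (which is what a query-component encoder presumably does) would stop callers from treating it as a general-purpose escaper. A null `s` presumably fails deep inside the codec with an unhelpful message, so `Objects.requireNonNull(s, "s")` up front would make the contract explicit.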
From: rmani Date: Mon, 28 Sep 2015 22:32:41 -0700 Subject: [PATCH 070/202] RANGER-664:Ranger PolicyRefresh REST Client timeout parameter should be configurable --- .../admin/client/RangerAdminRESTClient.java | 12 ++++-- .../ranger/plugin/util/RangerRESTClient.java | 40 +++++++++++++------ .../conf/ranger-hbase-security-changes.cfg | 3 ++ hbase-agent/conf/ranger-hbase-security.xml | 16 ++++++++ .../conf/ranger-hdfs-security-changes.cfg | 2 + hdfs-agent/conf/ranger-hdfs-security.xml | 16 ++++++++ .../conf/ranger-hive-security-changes.cfg | 2 + hive-agent/conf/ranger-hive-security.xml | 16 ++++++++ .../conf/ranger-knox-security-changes.cfg | 2 + knox-agent/conf/ranger-knox-security.xml | 16 ++++++++ .../client/RangerAdminJersey2RESTClient.java | 8 ++++ .../conf/ranger-kafka-security-changes.cfg | 4 +- plugin-kafka/conf/ranger-kafka-security.xml | 16 ++++++++ .../conf/ranger-kms-security-changes.cfg | 4 +- plugin-kms/conf/ranger-kms-security.xml | 16 ++++++++ .../conf/ranger-solr-security-changes.cfg | 4 +- plugin-solr/conf/ranger-solr-security.xml | 16 ++++++++ .../conf/ranger-yarn-security-changes.cfg | 2 + plugin-yarn/conf/ranger-yarn-security.xml | 16 ++++++++ .../conf/ranger-storm-security-changes.cfg | 4 +- storm-agent/conf/ranger-storm-security.xml | 16 ++++++++ 21 files changed, 211 insertions(+), 20 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java index f74bc6da786..7f1c6b3f43d 100644 --- a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java +++ b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java 
@@ -51,10 +51,12 @@ public void init(String serviceName, String appId, String propertyPrefix) { this.serviceName = serviceName; this.pluginId = restUtils.getPluginId(serviceName, appId); - String url = RangerConfiguration.getInstance().get(propertyPrefix + ".policy.rest.url"); - String sslConfigFileName = RangerConfiguration.getInstance().get(propertyPrefix + ".policy.rest.ssl.config.file"); + String url = RangerConfiguration.getInstance().get(propertyPrefix + ".policy.rest.url"); + String sslConfigFileName = RangerConfiguration.getInstance().get(propertyPrefix + ".policy.rest.ssl.config.file"); + int restClientConnTimeOutMs = RangerConfiguration.getInstance().getInt(propertyPrefix + ".policy.rest.client.connection.timeoutMs", 120 * 1000); + int restClientReadTimeOutMs = RangerConfiguration.getInstance().getInt(propertyPrefix + ".policy.rest.client.read.timeoutMs", 30 * 1000); - init(url, sslConfigFileName); + init(url, sslConfigFileName, restClientConnTimeOutMs , restClientReadTimeOutMs); } @Override @@ -142,12 +144,14 @@ public void revokeAccess(GrantRevokeRequest request) throws Exception { } } - private void init(String url, String sslConfigFileName) { + private void init(String url, String sslConfigFileName, int restClientConnTimeOutMs , int restClientReadTimeOutMs ) { if(LOG.isDebugEnabled()) { LOG.debug("==> RangerAdminRESTClient.init(" + url + ", " + sslConfigFileName + ")"); } restClient = new RangerRESTClient(url, sslConfigFileName); + restClient.setRestClientConnTimeOutMs(restClientConnTimeOutMs); + restClient.setRestClientReadTimeOutMs(restClientReadTimeOutMs); if(LOG.isDebugEnabled()) { LOG.debug("<== RangerAdminRESTClient.init(" + url + ", " + sslConfigFileName + ")"); diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java index 46fab4058c2..c3116705cd6 100644 
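Review bot: The two timeouts read from `.policy.rest.client.connection.timeoutMs` and `.policy.rest.client.read.timeoutMs` are handed to `init(url, sslConfigFileName, restClientConnTimeOutMs , restClientReadTimeOutMs)` without any range check, so a negative value from a typo presumably fails only later when the HTTP client is built, and a value of 0 — which on JDK URL connections means no timeout at all — turns the policy-refresh call into an unbounded wait with no hint in the log. I would reject bad values at the configuration boundary, e.g. `if (restClientConnTimeOutMs < 0 || restClientReadTimeOutMs < 0) { throw new IllegalArgumentException("timeout values under " + propertyPrefix + " must be >= 0"); }`, and log a warning when either is 0. The method's signature sits in the hunk header, so its first line is just outside the hunk.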
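Review bot: The `==> RangerAdminRESTClient.init(` and `<== RangerAdminRESTClient.init(` debug lines in the private `init` still print only `url` and `sslConfigFileName`, so the two new timeout arguments never show up in the log even though a wrong timeout is exactly what this commit makes configurable. Extend both to `LOG.debug("==> RangerAdminRESTClient.init(" + url + ", " + sslConfigFileName + ", " + restClientConnTimeOutMs + ", " + restClientReadTimeOutMs + ")");` (and the `<==` counterpart). The new signature also carries stray spaces around the added parameters (`restClientConnTimeOutMs , int restClientReadTimeOutMs )`), which the project's formatter would normalize.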
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java @@ -83,14 +83,11 @@ public class RangerRESTClient { public static final String RANGER_SSL_TRUSTMANAGER_ALGO_TYPE = "SunX509" ; public static final String RANGER_SSL_CONTEXT_ALGO_TYPE = "SSL" ; - public static final int RANGER_POLICYMGR_CLIENT_CONNECTION_TIMEOUT = 120000; - public static final int RANGER_POLICYMGR_CLIENT_READ_TIMEOUT = 30000; - - private String mUrl = null; - private String mSslConfigFileName = null; - private String mUsername = null; - private String mPassword = null; - private boolean mIsSSL = false; + private String mUrl = null; + private String mSslConfigFileName = null; + private String mUsername = null; + private String mPassword = null; + private boolean mIsSSL = false; private String mKeyStoreURL = null; private String mKeyStoreAlias = null; @@ -101,8 +98,11 @@ public class RangerRESTClient { private String mTrustStoreFile = null; private String mTrustStoreType = null; - private Gson gsonBuilder = null; - private volatile Client client = null; + private Gson gsonBuilder = null; + private volatile Client client = null; + + private int mRestClientConnTimeOutMs; + private int mRestClientReadTimeOutMs; public RangerRESTClient() { this(RangerConfiguration.getInstance().get(RANGER_PROP_POLICYMGR_URL), 
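Review bot: With `RANGER_POLICYMGR_CLIENT_CONNECTION_TIMEOUT` and `RANGER_POLICYMGR_CLIENT_READ_TIMEOUT` deleted in the first hunk and the replacement fields `mRestClientConnTimeOutMs`/`mRestClientReadTimeOutMs` added without initializers in the `@@ -101,8 +98,11 @@` hunk, any `RangerRESTClient` whose setters are never called — the no-arg constructor path visible at the end of this hunk, or any caller other than `RangerAdminRESTClient` — now reaches `client.setConnectTimeout(0)` / `client.setReadTimeout(0)` in the `@@ -202,8 +218,8 @@` hunk, which on JDK URL connections presumably means no timeout at all instead of the previous 120 s / 30 s bound. Initialize the fields with the same defaults the admin client uses, `private int mRestClientConnTimeOutMs = 120 * 1000;` and `private int mRestClientReadTimeOutMs = 30 * 1000;`, or keep the two public constants and use them as the initializers. Dropping the public constants is also a source-compatibility break for any code outside this repository that referenced them.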
@@ -132,6 +132,22 @@ public String getPassword() {
 		return mPassword;
 	}
 
+	public int getRestClientConnTimeOutMs() {
+		return mRestClientConnTimeOutMs;
+	}
+
+	public void setRestClientConnTimeOutMs(int mRestClientConnTimeOutMs) {
+		this.mRestClientConnTimeOutMs = mRestClientConnTimeOutMs;
+	}
+
+	public int getRestClientReadTimeOutMs() {
+		return mRestClientReadTimeOutMs;
+	}
+
+	public void setRestClientReadTimeOutMs(int mRestClientReadTimeOutMs) {
+		this.mRestClientReadTimeOutMs = mRestClientReadTimeOutMs;
+	}
+
 	public void setBasicAuthInfo(String username, String password) {
 		mUsername = username;
 		mPassword = password;
@@ -202,8 +218,8 @@ public boolean verify(String urlHostName, SSLSession session) {
 		}
 
 		// Set Connection Timeout and ReadTime for the PolicyRefresh
-		client.setConnectTimeout(RANGER_POLICYMGR_CLIENT_CONNECTION_TIMEOUT);
-		client.setReadTimeout(RANGER_POLICYMGR_CLIENT_READ_TIMEOUT);
+		client.setConnectTimeout(mRestClientConnTimeOutMs);
+		client.setReadTimeout(mRestClientReadTimeOutMs);
 
 		return client;
 	}
diff --git a/hbase-agent/conf/ranger-hbase-security-changes.cfg b/hbase-agent/conf/ranger-hbase-security-changes.cfg
index 9c74898dd70..31505b31a8f 100644
--- a/hbase-agent/conf/ranger-hbase-security-changes.cfg
+++ b/hbase-agent/conf/ranger-hbase-security-changes.cfg
@@ -24,5 +24,8 @@ ranger.plugin.hbase.policy.rest.url %POLICY_MGR_URL%
 ranger.plugin.hbase.policy.rest.ssl.config.file /etc/hbase/conf/ranger-policymgr-ssl.xml mod create-if-not-exists
 ranger.plugin.hbase.policy.pollIntervalMs 30000 mod create-if-not-exists
 ranger.plugin.hbase.policy.cache.dir %POLICY_CACHE_FILE_PATH% mod create-if-not-exists
+ranger.plugin.hbase.policy.rest.client.connection.timeoutMs 120000 mod create-if-not-exists
+ranger.plugin.hbase.policy.rest.client.read.timeoutMs 30000 mod create-if-not-exists
+
 
 xasecure.hbase.update.xapolicies.on.grant.revoke %UPDATE_XAPOLICIES_ON_GRANT_REVOKE% mod create-if-not-exists
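Review bot: The setter parameters `mRestClientConnTimeOutMs` and `mRestClientReadTimeOutMs` carry the class's field prefix rather than its parameter convention (compare `setBasicAuthInfo(String username, String password)` in the same hunk), which is why each body needs the `this.` disambiguation; `connTimeOutMs`/`readTimeOutMs` read better. Because these values feed straight into the HTTP client's connect and read timeouts, the setters are also the natural place to refuse non-positive input: `if (connTimeOutMs <= 0) { throw new IllegalArgumentException("connection timeout must be positive: " + connTimeOutMs); }` and likewise for the read timeout. The getters and setters also deserve a one-line Javadoc stating the unit and that 0 is not an accepted value.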
diff --git a/hbase-agent/conf/ranger-hbase-security.xml b/hbase-agent/conf/ranger-hbase-security.xml index 43d5d367330..08716eabc1a 100644 --- a/hbase-agent/conf/ranger-hbase-security.xml +++ b/hbase-agent/conf/ranger-hbase-security.xml @@ -72,4 +72,20 @@ Should HBase plugin update Ranger policies for updates to permissions done using GRANT/REVOKE? + + + ranger.plugin.hbase.policy.rest.client.connection.timeoutMs + 120000 + + RangerRestClient Connection Timeout in Milli Seconds + + + + + ranger.plugin.hbase.policy.rest.client.read.timeoutMs + 30000 + + RangerRestClient read Timeout in Milli Seconds + + diff --git a/hdfs-agent/conf/ranger-hdfs-security-changes.cfg b/hdfs-agent/conf/ranger-hdfs-security-changes.cfg index 4bdb08f540d..5639c173cce 100644 --- a/hdfs-agent/conf/ranger-hdfs-security-changes.cfg +++ b/hdfs-agent/conf/ranger-hdfs-security-changes.cfg @@ -24,3 +24,5 @@ ranger.plugin.hdfs.policy.rest.url %POLICY_MGR_URL% ranger.plugin.hdfs.policy.rest.ssl.config.file /etc/hadoop/conf/ranger-policymgr-ssl.xml mod create-if-not-exists ranger.plugin.hdfs.policy.pollIntervalMs 30000 mod create-if-not-exists ranger.plugin.hdfs.policy.cache.dir %POLICY_CACHE_FILE_PATH% mod create-if-not-exists +ranger.plugin.hdfs.policy.rest.client.connection.timeoutMs 120000 mod create-if-not-exists +ranger.plugin.hdfs.policy.rest.client.read.timeoutMs 30000 mod create-if-not-exists \ No newline at end of file diff --git a/hdfs-agent/conf/ranger-hdfs-security.xml b/hdfs-agent/conf/ranger-hdfs-security.xml index 37230b7589d..10409d91013 100644 --- a/hdfs-agent/conf/ranger-hdfs-security.xml +++ b/hdfs-agent/conf/ranger-hdfs-security.xml @@ -65,6 +65,22 @@
+ + ranger.plugin.hdfs.policy.rest.client.connection.timeoutMs + 120000 + + Hdfs Plugin RangerRestClient Connection Timeout in Milli Seconds + + + + + ranger.plugin.hdfs.policy.rest.client.read.timeoutMs + 30000 + + Hdfs Plugin RangerRestClient read Timeout in Milli Seconds + + +
diff --git a/security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java b/security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java index 479dfde7696..e617de6da55 100644 --- a/security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java +++ b/security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java @@ -105,7 +105,10 @@ public class TestUserMgr { @Mock SessionMgr sessionMgr; - + + @Mock + XUserMgr xUserMgr; + @Rule public ExpectedException thrown = ExpectedException.none(); @@ -131,10 +134,9 @@ private VXPortalUser userProfile() { return userProfile; } - @Ignore("Junit breakage: RANGER-425") // TODO @Test public void test11CreateUser() { - setup(); + setup(); XXPortalUserDao userDao = Mockito.mock(XXPortalUserDao.class); XXPortalUserRoleDao roleDao = Mockito.mock(XXPortalUserRoleDao.class); @@ -188,10 +190,9 @@ public void test11CreateUser() { Mockito.verify(daoManager).getXXPortalUserRole(); } - @Ignore("Junit breakage: RANGER-425") // TODO @Test public void test12CreateUser() { - setup(); + setup(); XXPortalUserDao userDao = Mockito.mock(XXPortalUserDao.class); XXPortalUserRoleDao roleDao = Mockito.mock(XXPortalUserRoleDao.class); @@ -426,7 +427,7 @@ public void test21CreateUser() { Mockito.when(daoManager.getXXGroupPermission()).thenReturn( xGroupPermissionDao); Mockito.when( - xGroupPermissionDao.findbyVXPoratUserId(userProfile.getId())) + xGroupPermissionDao.findbyVXPortalUserId(userProfile.getId())) .thenReturn(xGroupPermissionList); VXPortalUser dbVXPortalUser = userMgr.createUser(userProfile); @@ -710,7 +711,7 @@ public void test29DeactivateUser() { Mockito.when(daoManager.getXXGroupPermission()).thenReturn( xGroupPermissionDao); Mockito.when( - xGroupPermissionDao.findbyVXPoratUserId(userProfile.getId())) + xGroupPermissionDao.findbyVXPortalUserId(userProfile.getId())) .thenReturn(xGroupPermissionList); Mockito.when( 
@@ -744,6 +745,7 @@ public void test29DeactivateUser() { @Test public void test30checkAccess() { + setup(); XXPortalUserDao xPortalUserDao = Mockito.mock(XXPortalUserDao.class); XXPortalUser xPortalUser = Mockito.mock(XXPortalUser.class); Mockito.when(daoManager.getXXPortalUser()).thenReturn(xPortalUserDao); @@ -755,6 +757,7 @@ public void test30checkAccess() { @Test public void test31getUserProfile() { + setup(); XXPortalUserDao xPortalUserDao = Mockito.mock(XXPortalUserDao.class); XXPortalUser xPortalUser = Mockito.mock(XXPortalUser.class); XXUserPermissionDao xUserPermissionDao = Mockito @@ -812,7 +815,7 @@ public void test31getUserProfile() { Mockito.when(daoManager.getXXGroupPermission()).thenReturn( xGroupPermissionDao); Mockito.when( - xGroupPermissionDao.findbyVXPoratUserId(userProfile.getId())) + xGroupPermissionDao.findbyVXPortalUserId(userProfile.getId())) .thenReturn(xGroupPermissionList); VXPortalUser dbVXPortalUser = userMgr.getUserProfile(userId); Assert.assertNotNull(dbVXPortalUser); @@ -825,6 +828,7 @@ public void test31getUserProfile() { @Test public void test32getUserProfileByLoginId() { + setup(); XXPortalUserDao xPortalUserDao = Mockito.mock(XXPortalUserDao.class); XXPortalUser xPortalUser = Mockito.mock(XXPortalUser.class); Mockito.when(daoManager.getXXPortalUser()).thenReturn(xPortalUserDao); 
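Review bot: `setup();` is now called by hand as the first statement of `test30checkAccess`, `test31getUserProfile` and `test32getUserProfileByLoginId`, as it already is in the earlier tests of this file, so every test depends on remembering that call. A JUnit `@Before public void setUp() { setup(); }` (or an `@Before` on `setup` itself) would run it for every test and let these three added lines, and the existing ones, be removed. The `findbyVXPoratUserId` → `findbyVXPortalUserId` renames in the `@@ -812,7 +815,7 @@` hunk are fine as they stand.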
@@ -836,24 +840,175 @@ public void test32getUserProfileByLoginId() { Mockito.verify(daoManager).getXXPortalUser(); } - @Ignore("Junit breakage: RANGER-526") // TODO + @Test public void test33setUserRoles() { - XXPortalUserRoleDao xPortalUserRoleDao = Mockito.mock(XXPortalUserRoleDao.class); + setup(); + XXPortalUserRoleDao xPortalUserRoleDao = Mockito + .mock(XXPortalUserRoleDao.class); + XXPortalUserDao userDao = Mockito.mock(XXPortalUserDao.class); + XXUserPermissionDao xUserPermissionDao = Mockito + .mock(XXUserPermissionDao.class); + XXGroupPermissionDao xGroupPermissionDao = Mockito + .mock(XXGroupPermissionDao.class); + XXModuleDefDao xModuleDefDao = Mockito.mock(XXModuleDefDao.class); + + VXPortalUser userProfile = userProfile(); + XXPortalUser user = new XXPortalUser(); + user.setEmailAddress(userProfile.getEmailAddress()); + user.setFirstName(userProfile.getFirstName()); + user.setLastName(userProfile.getLastName()); + user.setLoginId(userProfile.getLoginId()); + user.setPassword(userProfile.getPassword()); + user.setUserSource(userProfile.getUserSource()); + user.setPublicScreenName(userProfile.getPublicScreenName()); + user.setId(userProfile.getId()); + List vStringRolesList = new ArrayList(); VXString vXStringObj = new VXString(); - vXStringObj.setValue("1L"); + vXStringObj.setValue("ROLE_USER"); vStringRolesList.add(vXStringObj); - + List xPortalUserRoleList = new ArrayList(); XXPortalUserRole XXPortalUserRole = new XXPortalUserRole(); XXPortalUserRole.setId(userId); + XXPortalUserRole.setUserId(userId); XXPortalUserRole.setUserRole("ROLE_USER"); xPortalUserRoleList.add(XXPortalUserRole); - - Mockito.when(daoManager.getXXPortalUserRole()).thenReturn(xPortalUserRoleDao); - Mockito.when(xPortalUserRoleDao.findByUserId(userId)) - .thenReturn(xPortalUserRoleList); + + List xUserPermissionsList = new ArrayList(); + XXUserPermission xUserPermissionObj = new XXUserPermission(); + xUserPermissionObj.setAddedByUserId(userId); + 
xUserPermissionObj.setCreateTime(new Date()); + xUserPermissionObj.setId(userId); + xUserPermissionObj.setIsAllowed(1); + xUserPermissionObj.setModuleId(1L); + xUserPermissionObj.setUpdatedByUserId(userId); + xUserPermissionObj.setUpdateTime(new Date()); + xUserPermissionObj.setUserId(userId); + xUserPermissionsList.add(xUserPermissionObj); + + List xGroupPermissionList = new ArrayList(); + XXGroupPermission xGroupPermissionObj = new XXGroupPermission(); + xGroupPermissionObj.setAddedByUserId(userId); + xGroupPermissionObj.setCreateTime(new Date()); + xGroupPermissionObj.setId(userId); + xGroupPermissionObj.setIsAllowed(1); + xGroupPermissionObj.setModuleId(1L); + xGroupPermissionObj.setUpdatedByUserId(userId); + xGroupPermissionObj.setUpdateTime(new Date()); + xGroupPermissionObj.setGroupId(userId); + xGroupPermissionList.add(xGroupPermissionObj); + + List groupPermList = new ArrayList(); + VXGroupPermission groupPermission = new VXGroupPermission(); + groupPermission.setId(1L); + groupPermission.setIsAllowed(1); + groupPermission.setModuleId(1L); + groupPermission.setGroupId(userId); + groupPermission.setGroupName("xyz"); + groupPermission.setOwner("admin"); + groupPermList.add(groupPermission); + + XXModuleDef xModuleDef = new XXModuleDef(); + xModuleDef.setUpdatedByUserId(userId); + xModuleDef.setAddedByUserId(userId); + xModuleDef.setCreateTime(new Date()); + xModuleDef.setId(userId); + xModuleDef.setModule("Policy manager"); + xModuleDef.setUpdateTime(new Date()); + xModuleDef.setUrl("/policy manager"); + + VXUserPermission userPermission = new VXUserPermission(); + userPermission.setId(1L); + userPermission.setIsAllowed(1); + userPermission.setModuleId(1L); + userPermission.setUserId(userId); + userPermission.setUserName("xyz"); + userPermission.setOwner("admin"); + + Mockito.when(daoManager.getXXPortalUserRole()).thenReturn( + xPortalUserRoleDao); + Mockito.when(xPortalUserRoleDao.findByUserId(userId)).thenReturn( + xPortalUserRoleList); + 
Mockito.when(daoManager.getXXPortalUser()).thenReturn(userDao); + Mockito.when(userDao.getById(userId)).thenReturn(user); + Mockito.when(daoManager.getXXUserPermission()).thenReturn( + xUserPermissionDao); + Mockito.when( + xUserPermissionDao + .findByUserPermissionIdAndIsAllowed(userProfile.getId())) + .thenReturn(xUserPermissionsList); + Mockito.when(daoManager.getXXGroupPermission()).thenReturn( + xGroupPermissionDao); + Mockito.when( + xGroupPermissionDao.findbyVXPortalUserId(userProfile.getId())) + .thenReturn(xGroupPermissionList); + Mockito.when( + xGroupPermissionService.populateViewBean(xGroupPermissionObj)) + .thenReturn(groupPermission); + Mockito.when(daoManager.getXXModuleDef()).thenReturn(xModuleDefDao); + Mockito.when(xModuleDefDao.findByModuleId(Mockito.anyLong())) + .thenReturn(xModuleDef); + Mockito.when( + xUserPermissionService.populateViewBean(xUserPermissionObj)) + .thenReturn(userPermission); + Mockito.when(daoManager.getXXModuleDef()).thenReturn(xModuleDefDao); + Mockito.when(xModuleDefDao.findByModuleId(Mockito.anyLong())) + .thenReturn(xModuleDef); + + userMgr.checkAccess(userId); userMgr.setUserRoles(userId, vStringRolesList); + + Mockito.verify(daoManager).getXXUserPermission(); + Mockito.verify(daoManager).getXXGroupPermission(); + Mockito.verify(xGroupPermissionService).populateViewBean( + xGroupPermissionObj); + Mockito.verify(xUserPermissionService).populateViewBean( + xUserPermissionObj); } + + @Test + public void test19updateRoles() { + //setup(); + Collection rolesList = new ArrayList(); + rolesList.add("ROLE_USER"); + rolesList.add("ROLE_ADMIN"); + XXPortalUserRole XXPortalUserRole = new XXPortalUserRole(); + XXPortalUserRole.setId(userId); + XXPortalUserRole.setUserRole("ROLE_USER"); + List list = new ArrayList(); + list.add(XXPortalUserRole); + XXPortalUserRoleDao userDao = Mockito.mock(XXPortalUserRoleDao.class); + Mockito.when(daoManager.getXXPortalUserRole()).thenReturn(userDao); + 
Mockito.when(userDao.findByUserId(userId)).thenReturn(list); + boolean isFound = userMgr.updateRoles(userId, rolesList); + Assert.assertFalse(isFound); + } + + @Test + public void test20UpdateUserWithPass() { + XXPortalUserDao userDao = Mockito.mock(XXPortalUserDao.class); + VXPortalUser userProfile = userProfile(); + String userName = userProfile.getFirstName(); + String userPassword = userProfile.getPassword(); + XXPortalUser user = new XXPortalUser(); + user.setEmailAddress(userProfile.getEmailAddress()); + user.setFirstName(userProfile.getFirstName()); + user.setLastName(userProfile.getLastName()); + user.setLoginId(userProfile.getLoginId()); + user.setPassword(userProfile.getPassword()); + user.setUserSource(userProfile.getUserSource()); + user.setPublicScreenName(userProfile.getPublicScreenName()); + user.setId(userProfile.getId()); + Mockito.when(daoManager.getXXPortalUser()).thenReturn(userDao); + Mockito.when(userDao.findByLoginId(Mockito.anyString())).thenReturn( + user); + Mockito.when(daoManager.getXXPortalUser()).thenReturn(userDao); + Mockito.when(userDao.update(user)).thenReturn(user); + XXPortalUser dbXXPortalUser = userMgr.updatePasswordInSHA256(userName, + userPassword); + Assert.assertNotNull(dbXXPortalUser); + } + } diff --git a/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java b/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java index cda423e80b3..e9921909e86 100644 --- a/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java +++ b/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java 
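Review bot: In `test20UpdateUserWithPass` the value passed as `userName` is `userProfile.getFirstName()` while the lookup is stubbed as `userDao.findByLoginId(Mockito.anyString())`, so the test passes no matter which identifier `updatePasswordInSHA256` actually uses; stub the real key, `Mockito.when(userDao.findByLoginId(userProfile.getLoginId())).thenReturn(user);`, and pass `userProfile.getLoginId()`. `test33setUserRoles` builds `groupPermList` but never uses it, and `test19updateRoles` keeps a commented-out `//setup();`; both should be deleted. `test19updateRoles` also asserts only `Assert.assertFalse(isFound)` and verifies nothing on `userDao`, so it cannot distinguish "roles updated" from "nothing happened". `test33setUserRoles` ends with `Mockito.verify` calls but no assertion on the roles that were written, which is the behaviour the test is named for.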
@@ -61,10 +61,12 @@ import org.apache.ranger.view.VXGroupUserList; import org.apache.ranger.view.VXModuleDef; import org.apache.ranger.view.VXPortalUser; +import org.apache.ranger.view.VXStringList; import org.apache.ranger.view.VXUser; import org.apache.ranger.view.VXUserGroupInfo; import org.apache.ranger.view.VXUserList; import org.apache.ranger.view.VXUserPermission; +import org.apache.ranger.view.VXString; import org.junit.Assert; import org.junit.FixMethodOrder; import org.junit.Rule; @@ -211,7 +213,19 @@ private VXGroupPermission vXGroupPermission() { return groupPermission; } - @Ignore("temp disable") + private VXPortalUser userProfile() { + VXPortalUser userProfile = new VXPortalUser(); + userProfile.setEmailAddress("test@test.com"); + userProfile.setFirstName("user12"); + userProfile.setLastName("test12"); + userProfile.setLoginId("134"); + userProfile.setPassword("usertest12323"); + userProfile.setUserSource(123); + userProfile.setPublicScreenName("user"); + userProfile.setId(userId); + return userProfile; + } + @Test public void test11CreateXUser() { setup(); 
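Review bot: The two new imports break the alphabetical order of the `org.apache.ranger.view` group: `VXStringList` is inserted before `VXUser` while `VXString` lands after `VXUserPermission`; both belong together, before `VXUser`. The new `userProfile()` fixture in the second hunk appears to duplicate the one in `TestUserMgr` line for line, including the hard-coded `setPassword("usertest12323")`; a shared test fixture would keep the two from drifting apart. The helper would also benefit from a one-line comment stating that `userId` comes from the test class (it is defined outside this hunk).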
@@ -1147,4 +1161,499 @@ public void test44getGroupsForUser() { Assert.assertNotNull(list); Mockito.verify(xUserService).getXUserByUserName(userName); } + + @Test + public void test45setUserRolesByExternalID() { + setup(); + XXPortalUserRoleDao xPortalUserRoleDao = Mockito + .mock(XXPortalUserRoleDao.class); + XXPortalUserDao userDao = Mockito.mock(XXPortalUserDao.class); + XXUserPermissionDao xUserPermissionDao = Mockito + .mock(XXUserPermissionDao.class); + XXGroupPermissionDao xGroupPermissionDao = Mockito + .mock(XXGroupPermissionDao.class); + XXModuleDefDao xModuleDefDao = Mockito.mock(XXModuleDefDao.class); + + VXUser vXUser = vxUser(); + VXPortalUser userProfile = userProfile(); + XXPortalUser user = new XXPortalUser(); + user.setEmailAddress(userProfile.getEmailAddress()); + user.setFirstName(userProfile.getFirstName()); + user.setLastName(userProfile.getLastName()); + user.setLoginId(userProfile.getLoginId()); + user.setPassword(userProfile.getPassword()); + user.setUserSource(userProfile.getUserSource()); + user.setPublicScreenName(userProfile.getPublicScreenName()); + user.setId(userProfile.getId()); + + List vStringRolesList = new ArrayList(); + VXString vXStringObj = new VXString(); + vXStringObj.setValue("ROLE_USER"); + vStringRolesList.add(vXStringObj); + + List xPortalUserRoleList = new ArrayList(); + XXPortalUserRole XXPortalUserRole = new XXPortalUserRole(); + XXPortalUserRole.setId(userId); + XXPortalUserRole.setUserId(userId); + XXPortalUserRole.setUserRole("ROLE_USER"); + xPortalUserRoleList.add(XXPortalUserRole); + + List xUserPermissionsList = new ArrayList(); + XXUserPermission xUserPermissionObj = new XXUserPermission(); + xUserPermissionObj.setAddedByUserId(userId); + xUserPermissionObj.setCreateTime(new Date()); + xUserPermissionObj.setId(userId); + xUserPermissionObj.setIsAllowed(1); + xUserPermissionObj.setModuleId(1L); + xUserPermissionObj.setUpdatedByUserId(userId); + xUserPermissionObj.setUpdateTime(new Date()); + 
xUserPermissionObj.setUserId(userId); + xUserPermissionsList.add(xUserPermissionObj); + + List xGroupPermissionList = new ArrayList(); + XXGroupPermission xGroupPermissionObj = new XXGroupPermission(); + xGroupPermissionObj.setAddedByUserId(userId); + xGroupPermissionObj.setCreateTime(new Date()); + xGroupPermissionObj.setId(userId); + xGroupPermissionObj.setIsAllowed(1); + xGroupPermissionObj.setModuleId(1L); + xGroupPermissionObj.setUpdatedByUserId(userId); + xGroupPermissionObj.setUpdateTime(new Date()); + xGroupPermissionObj.setGroupId(userId); + xGroupPermissionList.add(xGroupPermissionObj); + + List groupPermList = new ArrayList(); + VXGroupPermission groupPermission = new VXGroupPermission(); + groupPermission.setId(1L); + groupPermission.setIsAllowed(1); + groupPermission.setModuleId(1L); + groupPermission.setGroupId(userId); + groupPermission.setGroupName("xyz"); + groupPermission.setOwner("admin"); + groupPermList.add(groupPermission); + + XXModuleDef xModuleDef = new XXModuleDef(); + xModuleDef.setUpdatedByUserId(userId); + xModuleDef.setAddedByUserId(userId); + xModuleDef.setCreateTime(new Date()); + xModuleDef.setId(userId); + xModuleDef.setModule("Policy manager"); + xModuleDef.setUpdateTime(new Date()); + xModuleDef.setUrl("/policy manager"); + + VXUserPermission userPermission = new VXUserPermission(); + userPermission.setId(1L); + userPermission.setIsAllowed(1); + userPermission.setModuleId(1L); + userPermission.setUserId(userId); + userPermission.setUserName("xyz"); + userPermission.setOwner("admin"); + + Mockito.when(daoManager.getXXPortalUserRole()).thenReturn( + xPortalUserRoleDao); + Mockito.when(xPortalUserRoleDao.findByUserId(userId)).thenReturn( + xPortalUserRoleList); + Mockito.when(daoManager.getXXPortalUser()).thenReturn(userDao); + Mockito.when(userDao.getById(userId)).thenReturn(user); + Mockito.when(daoManager.getXXUserPermission()).thenReturn( + xUserPermissionDao); + Mockito.when( + xUserPermissionDao + 
.findByUserPermissionIdAndIsAllowed(userProfile.getId())) + .thenReturn(xUserPermissionsList); + Mockito.when(daoManager.getXXGroupPermission()).thenReturn( + xGroupPermissionDao); + Mockito.when( + xGroupPermissionDao.findbyVXPortalUserId(userProfile.getId())) + .thenReturn(xGroupPermissionList); + Mockito.when( + xGroupPermissionService.populateViewBean(xGroupPermissionObj)) + .thenReturn(groupPermission); + Mockito.when(daoManager.getXXModuleDef()).thenReturn(xModuleDefDao); + Mockito.when(xModuleDefDao.findByModuleId(Mockito.anyLong())) + .thenReturn(xModuleDef); + Mockito.when( + xUserPermissionService.populateViewBean(xUserPermissionObj)) + .thenReturn(userPermission); + Mockito.when(daoManager.getXXModuleDef()).thenReturn(xModuleDefDao); + Mockito.when(xModuleDefDao.findByModuleId(Mockito.anyLong())) + .thenReturn(xModuleDef); + Mockito.when(xUserMgr.getXUser(userId)).thenReturn(vXUser); + Mockito.when(userMgr.getUserProfileByLoginId(vXUser.getName())) + .thenReturn(userProfile); + VXStringList vXStringList = xUserMgr.setUserRolesByExternalID(userId, + vStringRolesList); + Assert.assertNotNull(vXStringList); + } + + @Test + public void test46setUserRolesByName() { + setup(); + XXPortalUserRoleDao xPortalUserRoleDao = Mockito + .mock(XXPortalUserRoleDao.class); + XXPortalUserDao userDao = Mockito.mock(XXPortalUserDao.class); + XXUserPermissionDao xUserPermissionDao = Mockito + .mock(XXUserPermissionDao.class); + XXGroupPermissionDao xGroupPermissionDao = Mockito + .mock(XXGroupPermissionDao.class); + XXModuleDefDao xModuleDefDao = Mockito.mock(XXModuleDefDao.class); + + VXPortalUser userProfile = userProfile(); + XXPortalUser user = new XXPortalUser(); + user.setEmailAddress(userProfile.getEmailAddress()); + user.setFirstName(userProfile.getFirstName()); + user.setLastName(userProfile.getLastName()); + user.setLoginId(userProfile.getLoginId()); + user.setPassword(userProfile.getPassword()); + user.setUserSource(userProfile.getUserSource()); + 
user.setPublicScreenName(userProfile.getPublicScreenName()); + user.setId(userProfile.getId()); + + List vStringRolesList = new ArrayList(); + VXString vXStringObj = new VXString(); + vXStringObj.setValue("ROLE_USER"); + vStringRolesList.add(vXStringObj); + + List xPortalUserRoleList = new ArrayList(); + XXPortalUserRole XXPortalUserRole = new XXPortalUserRole(); + XXPortalUserRole.setId(userId); + XXPortalUserRole.setUserId(userId); + XXPortalUserRole.setUserRole("ROLE_USER"); + xPortalUserRoleList.add(XXPortalUserRole); + + List xUserPermissionsList = new ArrayList(); + XXUserPermission xUserPermissionObj = new XXUserPermission(); + xUserPermissionObj.setAddedByUserId(userId); + xUserPermissionObj.setCreateTime(new Date()); + xUserPermissionObj.setId(userId); + xUserPermissionObj.setIsAllowed(1); + xUserPermissionObj.setModuleId(1L); + xUserPermissionObj.setUpdatedByUserId(userId); + xUserPermissionObj.setUpdateTime(new Date()); + xUserPermissionObj.setUserId(userId); + xUserPermissionsList.add(xUserPermissionObj); + + List xGroupPermissionList = new ArrayList(); + XXGroupPermission xGroupPermissionObj = new XXGroupPermission(); + xGroupPermissionObj.setAddedByUserId(userId); + xGroupPermissionObj.setCreateTime(new Date()); + xGroupPermissionObj.setId(userId); + xGroupPermissionObj.setIsAllowed(1); + xGroupPermissionObj.setModuleId(1L); + xGroupPermissionObj.setUpdatedByUserId(userId); + xGroupPermissionObj.setUpdateTime(new Date()); + xGroupPermissionObj.setGroupId(userId); + xGroupPermissionList.add(xGroupPermissionObj); + + List groupPermList = new ArrayList(); + VXGroupPermission groupPermission = new VXGroupPermission(); + groupPermission.setId(1L); + groupPermission.setIsAllowed(1); + groupPermission.setModuleId(1L); + groupPermission.setGroupId(userId); + groupPermission.setGroupName("xyz"); + groupPermission.setOwner("admin"); + groupPermList.add(groupPermission); + + XXModuleDef xModuleDef = new XXModuleDef(); + xModuleDef.setUpdatedByUserId(userId); + 
xModuleDef.setAddedByUserId(userId); + xModuleDef.setCreateTime(new Date()); + xModuleDef.setId(userId); + xModuleDef.setModule("Policy manager"); + xModuleDef.setUpdateTime(new Date()); + xModuleDef.setUrl("/policy manager"); + + VXUserPermission userPermission = new VXUserPermission(); + userPermission.setId(1L); + userPermission.setIsAllowed(1); + userPermission.setModuleId(1L); + userPermission.setUserId(userId); + userPermission.setUserName("xyz"); + userPermission.setOwner("admin"); + + Mockito.when(daoManager.getXXPortalUserRole()).thenReturn( + xPortalUserRoleDao); + Mockito.when(xPortalUserRoleDao.findByUserId(userId)).thenReturn( + xPortalUserRoleList); + Mockito.when(daoManager.getXXPortalUser()).thenReturn(userDao); + Mockito.when(userDao.getById(userId)).thenReturn(user); + Mockito.when(daoManager.getXXUserPermission()).thenReturn( + xUserPermissionDao); + Mockito.when( + xUserPermissionDao + .findByUserPermissionIdAndIsAllowed(userProfile.getId())) + .thenReturn(xUserPermissionsList); + Mockito.when(daoManager.getXXGroupPermission()).thenReturn( + xGroupPermissionDao); + Mockito.when( + xGroupPermissionDao.findbyVXPortalUserId(userProfile.getId())) + .thenReturn(xGroupPermissionList); + Mockito.when( + xGroupPermissionService.populateViewBean(xGroupPermissionObj)) + .thenReturn(groupPermission); + Mockito.when(daoManager.getXXModuleDef()).thenReturn(xModuleDefDao); + Mockito.when(xModuleDefDao.findByModuleId(Mockito.anyLong())) + .thenReturn(xModuleDef); + Mockito.when( + xUserPermissionService.populateViewBean(xUserPermissionObj)) + .thenReturn(userPermission); + Mockito.when(daoManager.getXXModuleDef()).thenReturn(xModuleDefDao); + Mockito.when(xModuleDefDao.findByModuleId(Mockito.anyLong())) + .thenReturn(xModuleDef); + Mockito.when(userMgr.getUserProfileByLoginId(userProfile.getLoginId())) + .thenReturn(userProfile); + VXStringList vXStringList = xUserMgr.setUserRolesByName( + userProfile.getLoginId(), vStringRolesList); + 
Assert.assertNotNull(vXStringList); + } + + @Test + public void test47getUserRolesByExternalID() { + setup(); + XXPortalUserRoleDao xPortalUserRoleDao = Mockito + .mock(XXPortalUserRoleDao.class); + XXPortalUserDao userDao = Mockito.mock(XXPortalUserDao.class); + XXUserPermissionDao xUserPermissionDao = Mockito + .mock(XXUserPermissionDao.class); + XXGroupPermissionDao xGroupPermissionDao = Mockito + .mock(XXGroupPermissionDao.class); + XXModuleDefDao xModuleDefDao = Mockito.mock(XXModuleDefDao.class); + + VXUser vXUser = vxUser(); + VXPortalUser userProfile = userProfile(); + XXPortalUser user = new XXPortalUser(); + user.setEmailAddress(userProfile.getEmailAddress()); + user.setFirstName(userProfile.getFirstName()); + user.setLastName(userProfile.getLastName()); + user.setLoginId(userProfile.getLoginId()); + user.setPassword(userProfile.getPassword()); + user.setUserSource(userProfile.getUserSource()); + user.setPublicScreenName(userProfile.getPublicScreenName()); + user.setId(userProfile.getId()); + + List vStringRolesList = new ArrayList(); + VXString vXStringObj = new VXString(); + vXStringObj.setValue("ROLE_USER"); + vStringRolesList.add(vXStringObj); + + List xPortalUserRoleList = new ArrayList(); + XXPortalUserRole XXPortalUserRole = new XXPortalUserRole(); + XXPortalUserRole.setId(userId); + XXPortalUserRole.setUserId(userId); + XXPortalUserRole.setUserRole("ROLE_USER"); + xPortalUserRoleList.add(XXPortalUserRole); + + List xUserPermissionsList = new ArrayList(); + XXUserPermission xUserPermissionObj = new XXUserPermission(); + xUserPermissionObj.setAddedByUserId(userId); + xUserPermissionObj.setCreateTime(new Date()); + xUserPermissionObj.setId(userId); + xUserPermissionObj.setIsAllowed(1); + xUserPermissionObj.setModuleId(1L); + xUserPermissionObj.setUpdatedByUserId(userId); + xUserPermissionObj.setUpdateTime(new Date()); + xUserPermissionObj.setUserId(userId); + xUserPermissionsList.add(xUserPermissionObj); + + List xGroupPermissionList = new 
ArrayList(); + XXGroupPermission xGroupPermissionObj = new XXGroupPermission(); + xGroupPermissionObj.setAddedByUserId(userId); + xGroupPermissionObj.setCreateTime(new Date()); + xGroupPermissionObj.setId(userId); + xGroupPermissionObj.setIsAllowed(1); + xGroupPermissionObj.setModuleId(1L); + xGroupPermissionObj.setUpdatedByUserId(userId); + xGroupPermissionObj.setUpdateTime(new Date()); + xGroupPermissionObj.setGroupId(userId); + xGroupPermissionList.add(xGroupPermissionObj); + + List groupPermList = new ArrayList(); + VXGroupPermission groupPermission = new VXGroupPermission(); + groupPermission.setId(1L); + groupPermission.setIsAllowed(1); + groupPermission.setModuleId(1L); + groupPermission.setGroupId(userId); + groupPermission.setGroupName("xyz"); + groupPermission.setOwner("admin"); + groupPermList.add(groupPermission); + + XXModuleDef xModuleDef = new XXModuleDef(); + xModuleDef.setUpdatedByUserId(userId); + xModuleDef.setAddedByUserId(userId); + xModuleDef.setCreateTime(new Date()); + xModuleDef.setId(userId); + xModuleDef.setModule("Policy manager"); + xModuleDef.setUpdateTime(new Date()); + xModuleDef.setUrl("/policy manager"); + + VXUserPermission userPermission = new VXUserPermission(); + userPermission.setId(1L); + userPermission.setIsAllowed(1); + userPermission.setModuleId(1L); + userPermission.setUserId(userId); + userPermission.setUserName("xyz"); + userPermission.setOwner("admin"); + + Mockito.when(daoManager.getXXPortalUserRole()).thenReturn( + xPortalUserRoleDao); + Mockito.when(xPortalUserRoleDao.findByUserId(userId)).thenReturn( + xPortalUserRoleList); + Mockito.when(daoManager.getXXPortalUser()).thenReturn(userDao); + Mockito.when(userDao.getById(userId)).thenReturn(user); + Mockito.when(daoManager.getXXUserPermission()).thenReturn( + xUserPermissionDao); + Mockito.when( + xUserPermissionDao + .findByUserPermissionIdAndIsAllowed(userProfile.getId())) + .thenReturn(xUserPermissionsList); + 
Mockito.when(daoManager.getXXGroupPermission()).thenReturn( + xGroupPermissionDao); + Mockito.when( + xGroupPermissionDao.findbyVXPortalUserId(userProfile.getId())) + .thenReturn(xGroupPermissionList); + Mockito.when( + xGroupPermissionService.populateViewBean(xGroupPermissionObj)) + .thenReturn(groupPermission); + Mockito.when(daoManager.getXXModuleDef()).thenReturn(xModuleDefDao); + Mockito.when(xModuleDefDao.findByModuleId(Mockito.anyLong())) + .thenReturn(xModuleDef); + Mockito.when( + xUserPermissionService.populateViewBean(xUserPermissionObj)) + .thenReturn(userPermission); + Mockito.when(daoManager.getXXModuleDef()).thenReturn(xModuleDefDao); + Mockito.when(xModuleDefDao.findByModuleId(Mockito.anyLong())) + .thenReturn(xModuleDef); + Mockito.when(xUserMgr.getXUser(userId)).thenReturn(vXUser); + Mockito.when(userMgr.getUserProfileByLoginId(vXUser.getName())) + .thenReturn(userProfile); + VXStringList vXStringList = xUserMgr.getUserRolesByExternalID(userId); + Assert.assertNotNull(vXStringList); + } + + @Test + public void test48getUserRolesByName() { + setup(); + XXPortalUserRoleDao xPortalUserRoleDao = Mockito + .mock(XXPortalUserRoleDao.class); + XXPortalUserDao userDao = Mockito.mock(XXPortalUserDao.class); + XXUserPermissionDao xUserPermissionDao = Mockito + .mock(XXUserPermissionDao.class); + XXGroupPermissionDao xGroupPermissionDao = Mockito + .mock(XXGroupPermissionDao.class); + XXModuleDefDao xModuleDefDao = Mockito.mock(XXModuleDefDao.class); + + VXPortalUser userProfile = userProfile(); + Collection userRoleList = new ArrayList(); + userRoleList.add("ROLE_USER"); + userProfile.setUserRoleList(userRoleList); + + XXPortalUser user = new XXPortalUser(); + user.setEmailAddress(userProfile.getEmailAddress()); + user.setFirstName(userProfile.getFirstName()); + user.setLastName(userProfile.getLastName()); + user.setLoginId(userProfile.getLoginId()); + user.setPassword(userProfile.getPassword()); + user.setUserSource(userProfile.getUserSource()); + 
user.setPublicScreenName(userProfile.getPublicScreenName()); + user.setId(userProfile.getId()); + + List vStringRolesList = new ArrayList(); + VXString vXStringObj = new VXString(); + vXStringObj.setValue("ROLE_USER"); + vStringRolesList.add(vXStringObj); + + List xPortalUserRoleList = new ArrayList(); + XXPortalUserRole XXPortalUserRole = new XXPortalUserRole(); + XXPortalUserRole.setId(userId); + XXPortalUserRole.setUserId(userId); + XXPortalUserRole.setUserRole("ROLE_USER"); + xPortalUserRoleList.add(XXPortalUserRole); + + List xUserPermissionsList = new ArrayList(); + XXUserPermission xUserPermissionObj = new XXUserPermission(); + xUserPermissionObj.setAddedByUserId(userId); + xUserPermissionObj.setCreateTime(new Date()); + xUserPermissionObj.setId(userId); + xUserPermissionObj.setIsAllowed(1); + xUserPermissionObj.setModuleId(1L); + xUserPermissionObj.setUpdatedByUserId(userId); + xUserPermissionObj.setUpdateTime(new Date()); + xUserPermissionObj.setUserId(userId); + xUserPermissionsList.add(xUserPermissionObj); + + List xGroupPermissionList = new ArrayList(); + XXGroupPermission xGroupPermissionObj = new XXGroupPermission(); + xGroupPermissionObj.setAddedByUserId(userId); + xGroupPermissionObj.setCreateTime(new Date()); + xGroupPermissionObj.setId(userId); + xGroupPermissionObj.setIsAllowed(1); + xGroupPermissionObj.setModuleId(1L); + xGroupPermissionObj.setUpdatedByUserId(userId); + xGroupPermissionObj.setUpdateTime(new Date()); + xGroupPermissionObj.setGroupId(userId); + xGroupPermissionList.add(xGroupPermissionObj); + + List groupPermList = new ArrayList(); + VXGroupPermission groupPermission = new VXGroupPermission(); + groupPermission.setId(1L); + groupPermission.setIsAllowed(1); + groupPermission.setModuleId(1L); + groupPermission.setGroupId(userId); + groupPermission.setGroupName("xyz"); + groupPermission.setOwner("admin"); + groupPermList.add(groupPermission); + + XXModuleDef xModuleDef = new XXModuleDef(); + xModuleDef.setUpdatedByUserId(userId); + 
xModuleDef.setAddedByUserId(userId); + xModuleDef.setCreateTime(new Date()); + xModuleDef.setId(userId); + xModuleDef.setModule("Policy manager"); + xModuleDef.setUpdateTime(new Date()); + xModuleDef.setUrl("/policy manager"); + + VXUserPermission userPermission = new VXUserPermission(); + userPermission.setId(1L); + userPermission.setIsAllowed(1); + userPermission.setModuleId(1L); + userPermission.setUserId(userId); + userPermission.setUserName("xyz"); + userPermission.setOwner("admin"); + + Mockito.when(daoManager.getXXPortalUserRole()).thenReturn( + xPortalUserRoleDao); + Mockito.when(xPortalUserRoleDao.findByUserId(userId)).thenReturn( + xPortalUserRoleList); + Mockito.when(daoManager.getXXPortalUser()).thenReturn(userDao); + Mockito.when(userDao.getById(userId)).thenReturn(user); + Mockito.when(daoManager.getXXUserPermission()).thenReturn( + xUserPermissionDao); + Mockito.when( + xUserPermissionDao + .findByUserPermissionIdAndIsAllowed(userProfile.getId())) + .thenReturn(xUserPermissionsList); + Mockito.when(daoManager.getXXGroupPermission()).thenReturn( + xGroupPermissionDao); + Mockito.when( + xGroupPermissionDao.findbyVXPortalUserId(userProfile.getId())) + .thenReturn(xGroupPermissionList); + Mockito.when( + xGroupPermissionService.populateViewBean(xGroupPermissionObj)) + .thenReturn(groupPermission); + Mockito.when(daoManager.getXXModuleDef()).thenReturn(xModuleDefDao); + Mockito.when(xModuleDefDao.findByModuleId(Mockito.anyLong())) + .thenReturn(xModuleDef); + Mockito.when( + xUserPermissionService.populateViewBean(xUserPermissionObj)) + .thenReturn(userPermission); + Mockito.when(daoManager.getXXModuleDef()).thenReturn(xModuleDefDao); + Mockito.when(xModuleDefDao.findByModuleId(Mockito.anyLong())) + .thenReturn(xModuleDef); + Mockito.when(userMgr.getUserProfileByLoginId(userProfile.getLoginId())) + .thenReturn(userProfile); + VXStringList vXStringList = xUserMgr.getUserRolesByName(userProfile + .getLoginId()); + Assert.assertNotNull(vXStringList); + } } 
From 86d0ba0c920da9d2f78278b710c8cf8107ac925e Mon Sep 17 00:00:00 2001 From: Gautam Borad Date: Tue, 13 Oct 2015 15:44:06 +0530 Subject: [PATCH 072/202] RANGER-681 : Update default sync intervals for LDAP and UNIX Signed-off-by: Velmurugan Periasamy --- .../config/UserGroupSyncConfig.java | 21 +++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java index 7240fce840a..c1b305b4fd0 100644 --- a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java +++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java @@ -75,11 +75,11 @@ public class UserGroupSyncConfig { private static final String UGSYNC_SLEEP_TIME_IN_MILLIS_BETWEEN_CYCLE_PARAM = "ranger.usersync.sleeptimeinmillisbetweensynccycle" ; - private static final long UGSYNC_SLEEP_TIME_IN_MILLIS_BETWEEN_CYCLE_MIN_VALUE = 30000L ; + private static final long UGSYNC_SLEEP_TIME_IN_MILLIS_BETWEEN_CYCLE_MIN_VALUE = 60000L; - private static final long UGSYNC_SLEEP_TIME_IN_MILLIS_BETWEEN_CYCLE_UNIX_DEFAULT_VALUE = 300000L ; + private static final long UGSYNC_SLEEP_TIME_IN_MILLIS_BETWEEN_CYCLE_UNIX_DEFAULT_VALUE = 60000L; - private static final long UGSYNC_SLEEP_TIME_IN_MILLIS_BETWEEN_CYCLE_LDAP_DEFAULT_VALUE = 21600000L ; + private static final long UGSYNC_SLEEP_TIME_IN_MILLIS_BETWEEN_CYCLE_LDAP_DEFAULT_VALUE = 3600000L; private static final String UGSYNC_SOURCE_CLASS_PARAM = "ranger.usersync.source.impl.class"; 
@@ -365,9 +365,18 @@ public long getSleepTimeInMillisBetweenCycle() throws Throwable {
 } else {
 long ret = Long.parseLong(val) ;
- if (ret < UGSYNC_SLEEP_TIME_IN_MILLIS_BETWEEN_CYCLE_MIN_VALUE) {
- LOG.info("Sleep Time Between Cycle can not be lower than [" + UGSYNC_SLEEP_TIME_IN_MILLIS_BETWEEN_CYCLE_MIN_VALUE + "] millisec. resetting to min value.") ;
- ret = UGSYNC_SLEEP_TIME_IN_MILLIS_BETWEEN_CYCLE_MIN_VALUE ;
+ long min_interval;
+ if (LGSYNC_SOURCE_CLASS.equals(getUserGroupSource().getClass().getName())) {
+ min_interval = UGSYNC_SLEEP_TIME_IN_MILLIS_BETWEEN_CYCLE_LDAP_DEFAULT_VALUE ;
+}else if(UGSYNC_SOURCE_CLASS.equals(getUserGroupSource().getClass().getName())){
+ min_interval = UGSYNC_SLEEP_TIME_IN_MILLIS_BETWEEN_CYCLE_UNIX_DEFAULT_VALUE;
+ } else {
+ min_interval = UGSYNC_SLEEP_TIME_IN_MILLIS_BETWEEN_CYCLE_MIN_VALUE ;
+ }
+ if(ret < min_interval)
+ {
+ LOG.info("Sleep Time Between Cycle can not be lower than [" + min_interval + "] millisec. resetting to min value.") ;
+ ret = min_interval;
 }
 return ret;
 }
From a94e793db824b97165eab42ed60538c76d53920b Mon Sep 17 00:00:00 2001
From: Gautam Borad Date: Tue, 13 Oct 2015 17:34:13 +0530 Subject: [PATCH 073/202] RANGER-697 : KeyAdmin role user should see only KMS related audit access logs in Audit tab Signed-off-by: Velmurugan Periasamy
---
.../java/org/apache/ranger/rest/AssetREST.java | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java b/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java
index 79cea029766..775c647730c 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java
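Review bot: The floor applied in the new `if(ret < min_interval)` block is the per-source default (one hour for LDAP, one minute for UNIX), so an operator who sets `ranger.usersync.sleeptimeinmillisbetweensynccycle` below that value is silently overridden, and the constants named `_DEFAULT_VALUE` now double as minimums; either rename them (e.g. `..._LDAP_MIN_VALUE`) or add a comment on them stating that the default is also the floor. Because this interval bounds how long a user or group removed from LDAP/UNIX stays visible to Ranger, overriding an explicitly configured shorter value deserves WARN rather than INFO: `LOG.warn("Sleep Time Between Cycle can not be lower than [" + min_interval + "] millisec. resetting to min value.") ;`. `getUserGroupSource().getClass().getName()` is evaluated twice; hoist it into `String sourceClass = getUserGroupSource().getClass().getName();` before the `if`, which also avoids building the source a second time if `getUserGroupSource()` instantiates it (not visible here). The method's opening lines are outside the hunk.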
@@ -51,8 +51,11 @@ import org.apache.ranger.common.StringUtil; import org.apache.ranger.common.annotation.RangerAnnotationClassName; import org.apache.ranger.common.annotation.RangerAnnotationJSMgrName; +import org.apache.ranger.db.RangerDaoManager; +import org.apache.ranger.entity.XXServiceDef; import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerService; +import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil; import org.apache.ranger.plugin.util.GrantRevokeRequest; import org.apache.ranger.plugin.util.SearchFilter; import org.apache.ranger.plugin.util.ServicePolicies; @@ -134,7 +137,9 @@ public class AssetREST { @Autowired ServiceREST serviceREST; - + @Autowired + RangerDaoManager daoManager; + @GET @Path("/assets/{id}") @Produces({ "application/xml", "application/json" }) @@ -645,6 +650,13 @@ public VXAccessAuditList getAccessLogs(@Context HttpServletRequest request){ "startDate", "MM/dd/yyyy"); searchUtil.extractDate(request, searchCriteria, "endDate", "endDate", "MM/dd/yyyy"); + + boolean isKeyAdmin = msBizUtil.isKeyAdmin(); + XXServiceDef xxServiceDef = daoManager.getXXServiceDef().findByName(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_KMS_NAME); + if(isKeyAdmin && xxServiceDef != null){ + searchCriteria.getParamList().put("repoType", xxServiceDef.getId()); + } + return assetMgr.getAccessLogs(searchCriteria); } From b63e20261844e0f3ca72fa23b28f82acdb23f8e0 Mon Sep 17 00:00:00 2001 
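Review bot: The key-admin filter in `getAccessLogs` fails open: when `findByName(EMBEDDED_SERVICEDEF_KMS_NAME)` returns null the `isKeyAdmin && xxServiceDef != null` guard is false and the request continues with no `repoType` restriction, so a key admin would receive audit rows for every service. Restrict the lookup to key admins and, if the KMS service-def is missing, return an empty result (or reject the request) instead of skipping the filter; the rewrite below assumes `VXAccessAuditList` has a no-arg constructor, which is not visible in this diff. It is also worth confirming that `repoType` is the key `assetMgr.getAccessLogs` actually filters on, since the value is written straight into the param map. `getAccessLogs` begins outside the hunk.
```java
boolean isKeyAdmin = msBizUtil.isKeyAdmin();
if (isKeyAdmin) {
    XXServiceDef xxServiceDef = daoManager.getXXServiceDef().findByName(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_KMS_NAME);
    if (xxServiceDef == null) {
        // fail closed: a key admin must only ever see KMS audit rows
        return new VXAccessAuditList();
    }
    searchCriteria.getParamList().put("repoType", xxServiceDef.getId());
}
return assetMgr.getAccessLogs(searchCriteria);
```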
From: Madhan Neethiraj Date: Wed, 23 Sep 2015 19:08:26 -0700 Subject: [PATCH 074/202] RANGER-663: fix to handle simultaneous updates to service-def/service/policy --- .../org/apache/ranger/biz/ServiceDBStore.java | 35 +++++-------------- .../apache/ranger/entity/XXPolicyBase.java | 2 ++ .../apache/ranger/entity/XXServiceBase.java | 2 ++ .../ranger/entity/XXServiceDefBase.java | 2 ++ .../org/apache/ranger/rest/ServiceREST.java | 1 - .../service/RangerServiceDefServiceBase.java | 1 - .../service/RangerServiceServiceBase.java | 1 - .../apache/ranger/biz/TestServiceDBStore.java | 4 --- .../apache/ranger/rest/TestServiceREST.java | 2 -- .../service/TestRangerPolicyService.java | 1 - .../service/TestRangerServiceDefService.java | 2 -- .../TestRangerServiceDefServiceBase.java | 1 - .../service/TestRangerServiceService.java | 1 - .../service/TestRangerServiceServiceBase.java | 1 - 14 files changed, 14 insertions(+), 42 deletions(-) diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java index 326cae0052e..bf26e26394a 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 
@@ -411,14 +411,10 @@ public RangerServiceDef updateServiceDef(RangerServiceDef serviceDef) throws Exc List contextEnrichers = serviceDef.getContextEnrichers() != null ? serviceDef.getContextEnrichers() : new ArrayList(); List enums = serviceDef.getEnums() != null ? serviceDef.getEnums() : new ArrayList(); - Long version = serviceDef.getVersion(); - if (version == null) { - version = new Long(1); - LOG.info("Found Version Value: `null`, so setting value of version to 1. While updating object version should not be null."); - } else { - version = new Long(version.longValue() + 1); - } - serviceDef.setVersion(version); + serviceDef.setCreateTime(existing.getCreateTime()); + serviceDef.setGuid(existing.getGuid()); + serviceDef.setVersion(existing.getVersion()); + serviceDef = serviceDefService.update(serviceDef); XXServiceDef createdSvcDef = daoMgr.getXXServiceDef().getById(serviceDefId); @@ -1120,16 +1116,6 @@ public RangerService updateService(RangerService service) throws Exception { List trxLogList = svcService.getTransactionLog(service, existing, RangerServiceService.OPERATION_UPDATE_CONTEXT); - Long version = service.getVersion(); - if(version == null) { - version = new Long(1); - LOG.info("Found Version Value: `null`, so setting value of version to 1, While updating object, version should not be null."); - } else { - version = new Long(version.longValue() + 1); - } - - service.setVersion(version); - if(populateExistingBaseFields) { svcServiceWithAssignedId.setPopulateExistingBaseFields(true); service = svcServiceWithAssignedId.update(service); 
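Review bot: With `@Version` now on the entity, `serviceDef.setVersion(existing.getVersion())` in `updateServiceDef` (and the matching removal in `updateService` in the next hunk) means a concurrent writer is detected only by the persistence provider at flush time, which surfaces as `javax.persistence.OptimisticLockException`; nothing in this commit catches it, so the caller gets an opaque failure rather than a retryable conflict. Catch it where the transaction is owned and map it to a 409-style error with a "reload and retry" message, making sure the transaction is rolled back rather than left partially flushed (the transaction boundary is not visible here). Because the client's own `version` is discarded on this line, a stale edit made from an old copy of the object still overwrites a newer one without error; if that is meant to be rejected, compare `serviceDef.getVersion()` with `existing.getVersion()` before the overwrite. Both methods start outside the hunk.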
@@ -1433,17 +1419,12 @@ public RangerPolicy updatePolicy(RangerPolicy policy) throws Exception { Map newResources = policy.getResources(); List newPolicyItems = policy.getPolicyItems(); + policy.setCreateTime(xxExisting.getCreateTime()); + policy.setGuid(xxExisting.getGuid()); + policy.setVersion(xxExisting.getVersion()); + List trxLogList = policyService.getTransactionLog(policy, xxExisting, RangerPolicyService.OPERATION_UPDATE_CONTEXT); - Long version = policy.getVersion(); - if(version == null) { - version = new Long(1); - LOG.info("Found Version Value: `null`, so setting value of version to 1, While updating object, version should not be null."); - } else { - version = new Long(version.longValue() + 1); - } - - policy.setVersion(version); updatePolicySignature(policy); policy = policyService.update(policy); diff --git a/security-admin/src/main/java/org/apache/ranger/entity/XXPolicyBase.java b/security-admin/src/main/java/org/apache/ranger/entity/XXPolicyBase.java index 7e595303ceb..8564d43f560 100644 --- a/security-admin/src/main/java/org/apache/ranger/entity/XXPolicyBase.java +++ b/security-admin/src/main/java/org/apache/ranger/entity/XXPolicyBase.java @@ -19,6 +19,7 @@ import javax.persistence.Column; import javax.persistence.MappedSuperclass; +import javax.persistence.Version; import javax.xml.bind.annotation.XmlRootElement; @MappedSuperclass @@ -42,6 +43,7 @@ public abstract class XXPolicyBase extends XXDBBase { * * */ + @Version @Column(name = "version") protected Long version; diff --git a/security-admin/src/main/java/org/apache/ranger/entity/XXServiceBase.java b/security-admin/src/main/java/org/apache/ranger/entity/XXServiceBase.java index 9fc7349cc5e..243526f88a5 100644 --- a/security-admin/src/main/java/org/apache/ranger/entity/XXServiceBase.java +++ b/security-admin/src/main/java/org/apache/ranger/entity/XXServiceBase.java 
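Review bot: `policy.setVersion(xxExisting.getVersion())` in `updatePolicy` overwrites whatever version the client submitted, so a stale update (read at version N, saved after someone else committed N+1) succeeds as last-writer-wins; the new `@Version` column only catches two writers racing inside the same read-modify-write window. If lost updates from the UI or REST clients are in scope for RANGER-663, reject a mismatch before the overwrite: `if (policy.getVersion() != null && !policy.getVersion().equals(xxExisting.getVersion())) { throw new Exception("policy was modified concurrently; reload and retry"); }` (the method already declares `throws Exception`). Only the service and service-def mappers drop `xObj.setVersion(vObj.getVersion())` in this commit; if the policy mapper still copies the view's version into the entity, that would defeat the provider's check for policies — worth confirming. `updatePolicy` begins and ends outside the hunk.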
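Review bot: Adding `@Version` to `XXPolicyBase.version` changes how the provider treats rows whose `version` column is NULL: depending on the JPA implementation a null version on an existing row is treated as a new/detached entity or the optimistic check is skipped, so policies created before this change need the column populated (and ideally made NOT NULL) by a schema patch, and no such patch is part of this commit. The field lives in a `@MappedSuperclass`, so the same applies to every subclass table. A one-line comment on the field, such as `// managed by JPA (optimistic lock); never copy from a view object`, would keep future mappers from reintroducing `setVersion(vObj.getVersion())`.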
@@ -23,6 +23,7 @@ import javax.persistence.MappedSuperclass; import javax.persistence.Temporal; import javax.persistence.TemporalType; +import javax.persistence.Version; import javax.xml.bind.annotation.XmlRootElement; @MappedSuperclass @@ -46,6 +47,7 @@ public abstract class XXServiceBase extends XXDBBase { * * */ + @Version @Column(name = "version") protected Long version; diff --git a/security-admin/src/main/java/org/apache/ranger/entity/XXServiceDefBase.java b/security-admin/src/main/java/org/apache/ranger/entity/XXServiceDefBase.java index 93a03721f9c..c59286eac85 100644 --- a/security-admin/src/main/java/org/apache/ranger/entity/XXServiceDefBase.java +++ b/security-admin/src/main/java/org/apache/ranger/entity/XXServiceDefBase.java @@ -21,6 +21,7 @@ import javax.persistence.Column; import javax.persistence.MappedSuperclass; +import javax.persistence.Version; import javax.xml.bind.annotation.XmlRootElement; @MappedSuperclass @@ -43,6 +44,7 @@ public abstract class XXServiceDefBase extends XXDBBase implements Serializable * * */ + @Version @Column(name = "version") protected Long version; diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java index f523d670019..537189706de 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java @@ -49,7 +49,6 @@ import org.apache.ranger.biz.ServiceDBStore; import org.apache.ranger.biz.ServiceMgr; import org.apache.ranger.biz.XUserMgr; -import org.apache.ranger.common.AppConstants; import org.apache.ranger.common.GUIDUtil; import org.apache.ranger.common.MessageEnums; import org.apache.ranger.common.RESTErrorUtil; 
diff --git a/security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefServiceBase.java b/security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefServiceBase.java index dac980787ee..56c8c915dd7 100644 --- a/security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefServiceBase.java +++ b/security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefServiceBase.java @@ -158,7 +158,6 @@ protected XXServiceDefBase mapViewToEntityBean(RangerServiceDef vObj, XXServiceD String guid = (StringUtils.isEmpty(vObj.getGuid())) ? guidUtil.genGUID() : vObj.getGuid(); xObj.setGuid(guid); - xObj.setVersion(vObj.getVersion()); xObj.setName(vObj.getName()); xObj.setImplclassname(vObj.getImplClass()); xObj.setLabel(vObj.getLabel()); diff --git a/security-admin/src/main/java/org/apache/ranger/service/RangerServiceServiceBase.java b/security-admin/src/main/java/org/apache/ranger/service/RangerServiceServiceBase.java index d0ddcff1a81..09dced6461c 100755 --- a/security-admin/src/main/java/org/apache/ranger/service/RangerServiceServiceBase.java +++ b/security-admin/src/main/java/org/apache/ranger/service/RangerServiceServiceBase.java @@ -65,7 +65,6 @@ protected XXServiceBase mapViewToEntityBean(RangerService vObj, XXServiceBase xO String guid = (StringUtils.isEmpty(vObj.getGuid())) ? guidUtil.genGUID() : vObj.getGuid(); xObj.setGuid(guid); - xObj.setVersion(vObj.getVersion()); XXServiceDef xServiceDef = daoMgr.getXXServiceDef().findByName(vObj.getType()); if(xServiceDef == null) { diff --git a/security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java b/security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java index e13b862aaac..eea1a3b0695 100644 --- a/security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java +++ b/security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java 
@@ -292,7 +292,6 @@ private XXServiceDef serviceDef() { xServiceDef.setDescription("HDFS Repository"); xServiceDef.setGuid("1427365526516_835_0"); xServiceDef.setId(Id); - xServiceDef.setVersion(Id); xServiceDef.setUpdateTime(new Date()); xServiceDef.setUpdatedByUserId(Id); xServiceDef.setImplclassname("RangerServiceHdfs"); @@ -318,7 +317,6 @@ private XXService xService() { xService.setType(1L); xService.setUpdatedByUserId(Id); xService.setUpdateTime(new Date()); - xService.setVersion(1L); return xService; } @@ -677,7 +675,6 @@ public void test13deleteServiceDef() throws Exception { xService.setType(1L); xService.setUpdatedByUserId(Id); xService.setUpdateTime(new Date()); - xService.setVersion(1L); xServiceList.add(xService); List accessTypeDefList = new ArrayList(); @@ -2465,7 +2462,6 @@ public void test33getServicePoliciesIfUpdated() throws Exception { xService.setType(1L); xService.setUpdatedByUserId(Id); xService.setUpdateTime(new Date()); - xService.setVersion(1L); String serviceName = "HDFS_1"; Long lastKnownVersion = 1l; diff --git a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java index f728c58dbee..8b3e34815dc 100644 --- a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java +++ b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java @@ -284,7 +284,6 @@ private XXServiceDef serviceDef() { xServiceDef.setDescription("HDFS Repository"); xServiceDef.setGuid("1427365526516_835_0"); xServiceDef.setId(Id); - xServiceDef.setVersion(Id); xServiceDef.setUpdateTime(new Date()); xServiceDef.setUpdatedByUserId(Id); xServiceDef.setImplclassname("RangerServiceHdfs"); @@ -310,7 +309,6 @@ private XXService xService() { xService.setType(1L); xService.setUpdatedByUserId(Id); xService.setUpdateTime(new Date()); - xService.setVersion(1L); return xService; } 
diff --git a/security-admin/src/test/java/org/apache/ranger/service/TestRangerPolicyService.java b/security-admin/src/test/java/org/apache/ranger/service/TestRangerPolicyService.java index bac5261a553..513746baac4 100644 --- a/security-admin/src/test/java/org/apache/ranger/service/TestRangerPolicyService.java +++ b/security-admin/src/test/java/org/apache/ranger/service/TestRangerPolicyService.java @@ -180,7 +180,6 @@ private XXService xService() { xService.setType(1L); xService.setUpdatedByUserId(Id); xService.setUpdateTime(new Date()); - xService.setVersion(1L); return xService; } diff --git a/security-admin/src/test/java/org/apache/ranger/service/TestRangerServiceDefService.java b/security-admin/src/test/java/org/apache/ranger/service/TestRangerServiceDefService.java index 94680c34792..5c57a9f445c 100644 --- a/security-admin/src/test/java/org/apache/ranger/service/TestRangerServiceDefService.java +++ b/security-admin/src/test/java/org/apache/ranger/service/TestRangerServiceDefService.java @@ -138,7 +138,6 @@ private XXServiceDef serviceDef() { xServiceDef.setDescription("HDFS Repository"); xServiceDef.setGuid("1427365526516_835_0"); xServiceDef.setId(Id); - xServiceDef.setVersion(Id); xServiceDef.setUpdateTime(new Date()); xServiceDef.setUpdatedByUserId(Id); xServiceDef.setImplclassname("RangerServiceHdfs"); @@ -408,7 +407,6 @@ public void test4getAllServiceDefs() { serviceDef.setDescription("HDFS Repository"); serviceDef.setGuid("1427365526516_835_0"); serviceDef.setId(Id); - serviceDef.setVersion(Id); serviceDef.setUpdateTime(new Date()); serviceDef.setUpdatedByUserId(Id); serviceDef.setImplclassname("RangerServiceHdfs"); diff --git a/security-admin/src/test/java/org/apache/ranger/service/TestRangerServiceDefServiceBase.java b/security-admin/src/test/java/org/apache/ranger/service/TestRangerServiceDefServiceBase.java index dd1978bedf4..e01e23ca93e 100644 --- a/security-admin/src/test/java/org/apache/ranger/service/TestRangerServiceDefServiceBase.java 
+++ b/security-admin/src/test/java/org/apache/ranger/service/TestRangerServiceDefServiceBase.java @@ -152,7 +152,6 @@ private XXServiceDef serviceDef() { xServiceDef.setRbkeylabel(null); xServiceDef.setUpdatedByUserId(Id); xServiceDef.setUpdateTime(new Date()); - xServiceDef.setVersion(Id); return xServiceDef; } diff --git a/security-admin/src/test/java/org/apache/ranger/service/TestRangerServiceService.java b/security-admin/src/test/java/org/apache/ranger/service/TestRangerServiceService.java index 7d0cf61de79..215506e5510 100644 --- a/security-admin/src/test/java/org/apache/ranger/service/TestRangerServiceService.java +++ b/security-admin/src/test/java/org/apache/ranger/service/TestRangerServiceService.java @@ -141,7 +141,6 @@ private XXService xService() { xService.setType(1L); xService.setUpdatedByUserId(userId); xService.setUpdateTime(new Date()); - xService.setVersion(1L); return xService; } diff --git a/security-admin/src/test/java/org/apache/ranger/service/TestRangerServiceServiceBase.java b/security-admin/src/test/java/org/apache/ranger/service/TestRangerServiceServiceBase.java index f3591185ef7..5dff936d6da 100644 --- a/security-admin/src/test/java/org/apache/ranger/service/TestRangerServiceServiceBase.java +++ b/security-admin/src/test/java/org/apache/ranger/service/TestRangerServiceServiceBase.java @@ -127,7 +127,6 @@ private XXService service() { xService.setType(1L); xService.setUpdatedByUserId(Id); xService.setUpdateTime(new Date()); - xService.setVersion(1L); return xService; } From 6dbc6232f0de4b4789944b7f8ed418b3d5cc9424 Mon Sep 17 00:00:00 2001 From: Madhan Neethiraj Date: Thu, 24 Sep 2015 00:20:01 -0700 Subject: [PATCH 075/202] RANGER-661: fixed policy-download to return error, instead of empty policy-list, on failure in retrieving policies from DB --- .../org/apache/ranger/biz/ServiceDBStore.java | 32 ++++++------------- .../apache/ranger/biz/TestServiceDBStore.java | 6 ++-- 2 files changed, 13 insertions(+), 25 deletions(-) 
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java index bf26e26394a..d7964564489 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java @@ -1577,19 +1577,13 @@ public List getServicePolicies(String serviceName, SearchFilter fi LOG.debug("==> ServiceDBStore.getServicePolicies(" + serviceName + ")"); } - List ret = new ArrayList(); - - try { - if(filter == null) { - filter = new SearchFilter(); - } + if(filter == null) { + filter = new SearchFilter(); + } - filter.setParam(SearchFilter.SERVICE_NAME, serviceName); + filter.setParam(SearchFilter.SERVICE_NAME, serviceName); - ret = getPolicies(filter); - } catch(Exception excp) { - LOG.error("ServiceDBStore.getServicePolicies(" + serviceName + "): failed to read policies", excp); - } + List ret = getPolicies(filter); if(LOG.isDebugEnabled()) { LOG.debug("<== ServiceDBStore.getServicePolicies(" + serviceName + "): count=" + ((ret == null) ? 0 : ret.size())); @@ -1603,19 +1597,13 @@ public RangerPolicyList getPaginatedServicePolicies(String serviceName, SearchFi LOG.debug("==> ServiceDBStore.getPaginatedServicePolicies(" + serviceName + ")"); } - RangerPolicyList ret = null; - - try { - if (filter == null) { - filter = new SearchFilter(); - } + if (filter == null) { + filter = new SearchFilter(); + } - filter.setParam(SearchFilter.SERVICE_NAME, serviceName); + filter.setParam(SearchFilter.SERVICE_NAME, serviceName); - ret = getPaginatedPolicies(filter); - } catch (Exception excp) { - LOG.error("ServiceDBStore.getPaginatedServicePolicies(" + serviceName + "): failed to read policies", excp); - } + RangerPolicyList ret = getPaginatedPolicies(filter); if (LOG.isDebugEnabled()) { LOG.debug("<== ServiceDBStore.getPaginatedServicePolicies(" + serviceName + "): count=" 
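Review bot: Removing the catch in `getServicePolicies` and `getPaginatedServicePolicies` also removes the only `LOG.error` for a DB read failure, so unless the layer above logs what it receives the stack trace is lost; confirm that the plugin download path this fix targets both logs the exception and returns a non-200 status, otherwise a plugin could still interpret the response as an empty policy set. Failing closed is the right direction here: per the commit message an empty list presumably replaces a plugin's cached policies, whereas an error lets it keep the last good set. The exit `LOG.debug` still guards `ret == null`; if `getPolicies` can return null it would be clearer to treat that as an error here as well, since callers now rely on an exception rather than a null/empty check. Both method signatures are outside the hunk.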
diff --git a/security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java b/security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java index eea1a3b0695..bae09247bdc 100644 --- a/security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java +++ b/security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java @@ -2433,9 +2433,9 @@ public void test32getServicePolicies() throws Exception { Mockito.when(daoManager.getXXService()).thenReturn(xServiceDao); Mockito.when(xServiceDao.getById(Id)).thenReturn(xService); + thrown.expect(Exception.class); List dbRangerPolicy = serviceDBStore.getServicePolicies( Id, filter); - Assert.assertNotNull(dbRangerPolicy); Mockito.verify(daoManager).getXXService(); } @@ -2536,9 +2536,9 @@ public void test37getPaginatedServicePolicies() throws Exception { Mockito.when(daoManager.getXXService()).thenReturn(xServiceDao); Mockito.when(xServiceDao.getById(Id)).thenReturn(xService); + thrown.expect(Exception.class); RangerPolicyList dbRangerPolicyList = serviceDBStore .getPaginatedServicePolicies(rangerService.getId(), filter); - Assert.assertNull(dbRangerPolicyList); Mockito.verify(daoManager).getXXService(); } @@ -2605,4 +2605,4 @@ public void test40getPoliciesByResourceSignature() throws Exception { Assert.assertNotNull(policyList); Mockito.verify(daoManager).getXXPolicy(); } -} \ No newline at end of file +} From 7bce05377cc4fbede3a6022d42272a5c0f6c8d1c Mon Sep 17 00:00:00 2001 
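Review bot: `thrown.expect(Exception.class)` in `test32getServicePolicies` and `test37getPaginatedServicePolicies` passes for any exception, including a `NullPointerException` from an unmocked collaborator, so the test no longer distinguishes "policy lookup failed and was propagated" from "the fixture is incomplete". Expect the concrete type that `getPolicies` throws, or at least add `thrown.expectMessage(...)` with the failure text, so a regression that swallows the real error and fails elsewhere is still caught. The type thrown by `getPolicies` is not visible in this diff.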
From: Gautam Borad Date: Wed, 14 Oct 2015 15:10:57 +0530 Subject: [PATCH 076/202] RANGER-688 : Handle scenario where ids of XUser and XPortalUser are not in sync --- security-admin/scripts/setup.sh | 20 +++--- .../java/org/apache/ranger/biz/XUserMgr.java | 35 ++++++---- .../apache/ranger/common/UserSessionBase.java | 3 +- .../org/apache/ranger/db/XXPortalUserDao.java | 21 +++--- .../java/org/apache/ranger/db/XXUserDao.java | 12 ++++ .../apache/ranger/db/XXUserPermissionDao.java | 5 +- .../patch/PatchPersmissionModel_J10003.java | 4 +- .../service/XUserPermissionService.java | 24 ++----- .../service/XUserPermissionServiceBase.java | 65 +++++++++++++++++-- .../resources/META-INF/jpa_named_queries.xml | 7 +- 10 files changed, 131 insertions(+), 65 deletions(-) diff --git a/security-admin/scripts/setup.sh b/security-admin/scripts/setup.sh index 9710706ed51..cd5d2bfa8a8 100755 --- a/security-admin/scripts/setup.sh +++ b/security-admin/scripts/setup.sh 
@@ -1513,26 +1513,22 @@ setup_install_files(){ log "[I] Copying ${WEBAPP_ROOT}/WEB-INF/classes/conf.dist ${WEBAPP_ROOT}/WEB-INF/classes/conf" mkdir -p ${WEBAPP_ROOT}/WEB-INF/classes/conf cp ${WEBAPP_ROOT}/WEB-INF/classes/conf.dist/* ${WEBAPP_ROOT}/WEB-INF/classes/conf + fi + if [ -d ${WEBAPP_ROOT}/WEB-INF/classes/conf ]; then chown -R ${unix_user} ${WEBAPP_ROOT}/WEB-INF/classes/conf fi - if [ -d ${WEBAPP_ROOT}/WEB-INF/classes/conf ]; then - chown -R ${unix_user} ${WEBAPP_ROOT}/WEB-INF/classes/conf - fi - if [ ! -d ${WEBAPP_ROOT}/WEB-INF/classes/lib ]; then log "[I] Creating ${WEBAPP_ROOT}/WEB-INF/classes/lib" mkdir -p ${WEBAPP_ROOT}/WEB-INF/classes/lib + fi + if [ -d ${WEBAPP_ROOT}/WEB-INF/classes/lib ]; then chown -R ${unix_user} ${WEBAPP_ROOT}/WEB-INF/classes/lib fi if [ -d /etc/init.d ]; then log "[I] Setting up init.d" cp ${INSTALL_DIR}/ews/${RANGER_ADMIN_INITD} /etc/init.d/${RANGER_ADMIN} - if [ "${unix_user}" != "ranger" ]; then - sed 's/LINUX_USER=ranger/LINUX_USER='${unix_user}'/g' -i /etc/init.d/${RANGER_ADMIN} - fi - chmod ug+rx /etc/init.d/${RANGER_ADMIN} if [ -d /etc/rc2.d ] @@ -1571,15 +1567,19 @@ setup_install_files(){ ln -s /etc/init.d/${RANGER_ADMIN} $RC_DIR/K90${RANGER_ADMIN} fi fi + if [ -f /etc/init.d/${RANGER_ADMIN} ]; then + if [ "${unix_user}" != "ranger" ]; then + sed 's/^LINUX_USER=.*$/LINUX_USER='${unix_user}'/g' -i /etc/init.d/${RANGER_ADMIN} + fi + fi if [ ! -d ${XAPOLICYMGR_DIR}/ews/logs ]; then log "[I] ${XAPOLICYMGR_DIR}/ews/logs folder" mkdir -p ${XAPOLICYMGR_DIR}/ews/logs - chown -R ${unix_user} ${XAPOLICYMGR_DIR}/ews/logs fi - if [ -d ${XAPOLICYMGR_DIR}/ews/logs ]; then chown -R ${unix_user} ${XAPOLICYMGR_DIR}/ews/logs + chown -R ${unix_user} ${XAPOLICYMGR_DIR}/ews/logs/* fi log "[I] Setting up installation files and directory DONE"; diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java index b86087773c9..572323f495e 100644 
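Review bot: `chown -R ${unix_user} ${XAPOLICYMGR_DIR}/ews/logs/*` in the second hunk is redundant with the `chown -R` on the directory on the line before it, and when the directory was just created by the preceding `mkdir -p` it is empty, so the unexpanded `*` is passed literally and `chown` fails with a "cannot access" error and a non-zero exit; drop that line. The init.d `sed` now matches `^LINUX_USER=.*$`, which is more robust than the old literal, but `${unix_user}` is spliced unquoted into the sed program, so a value containing `/` or `&` would corrupt the replacement; quote it or validate `unix_user` earlier in the script (its validation is not visible here). `setup_install_files` begins outside the hunk.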
--- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java 
@@ -242,38 +242,47 @@ public void assignPermissionToUser(VXPortalUser vXPortalUser, boolean isCreate) if (role.equals(RangerConstants.ROLE_USER)) { - createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_RESOURCE_BASED_POLICIES), isCreate); - createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_REPORTS), isCreate); + createOrUpdateUserPermisson(vXPortalUser, moduleNameId.get(RangerConstants.MODULE_RESOURCE_BASED_POLICIES), isCreate); + createOrUpdateUserPermisson(vXPortalUser, moduleNameId.get(RangerConstants.MODULE_REPORTS), isCreate); } else if (role.equals(RangerConstants.ROLE_SYS_ADMIN)) { - createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_REPORTS), isCreate); - createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_RESOURCE_BASED_POLICIES), isCreate); - createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_AUDIT), isCreate); - createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_USER_GROUPS), isCreate); + createOrUpdateUserPermisson(vXPortalUser, moduleNameId.get(RangerConstants.MODULE_REPORTS), isCreate); + createOrUpdateUserPermisson(vXPortalUser, moduleNameId.get(RangerConstants.MODULE_RESOURCE_BASED_POLICIES), isCreate); + createOrUpdateUserPermisson(vXPortalUser, moduleNameId.get(RangerConstants.MODULE_AUDIT), isCreate); + createOrUpdateUserPermisson(vXPortalUser, moduleNameId.get(RangerConstants.MODULE_USER_GROUPS), isCreate); } else if (role.equals(RangerConstants.ROLE_KEY_ADMIN)) { - createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_KEY_MANAGER), isCreate); - createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_REPORTS), isCreate); - createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_RESOURCE_BASED_POLICIES), isCreate); 
+ createOrUpdateUserPermisson(vXPortalUser, moduleNameId.get(RangerConstants.MODULE_KEY_MANAGER), isCreate); + createOrUpdateUserPermisson(vXPortalUser, moduleNameId.get(RangerConstants.MODULE_REPORTS), isCreate); + createOrUpdateUserPermisson(vXPortalUser, moduleNameId.get(RangerConstants.MODULE_RESOURCE_BASED_POLICIES), isCreate); } } } // Insert or Updating Mapping permissions depending upon roles - private void createOrUpdateUserPermisson(Long portalUserId, Long moduleId, boolean isCreate) { + private void createOrUpdateUserPermisson(VXPortalUser portalUser, Long moduleId, boolean isCreate) { VXUserPermission vXUserPermission; - XXUserPermission xUserPermission = daoManager.getXXUserPermission().findByModuleIdAndUserId(portalUserId, moduleId); + XXUserPermission xUserPermission = daoManager.getXXUserPermission().findByModuleIdAndPortalUserId(portalUser.getId(), moduleId); if (xUserPermission == null) { vXUserPermission = new VXUserPermission(); - vXUserPermission.setUserId(portalUserId); + + // When Creating XXUserPermission UI sends xUserId, to keep it consistent here xUserId should be used + XXUser xUser = daoManager.getXXUser().findByPortalUserId(portalUser.getId()); + if (xUser == null) { + logger.warn("Could not found corresponding xUser for username: [" + portalUser.getLoginId() + "], So not assigning permission to this user"); + return; + } else { + vXUserPermission.setUserId(xUser.getId()); + } + vXUserPermission.setIsAllowed(RangerCommonEnums.IS_ALLOWED); vXUserPermission.setModuleId(moduleId); try { vXUserPermission = this.createXUserPermission(vXUserPermission); logger.info("Permission assigned to user: [" + vXUserPermission.getUserName() + "] For Module: [" + vXUserPermission.getModuleName() + "]"); } catch (Exception e) { - logger.error("Error while assigning permission to user: [" + portalUserId + "] for module: [" + moduleId + "]", e); + logger.error("Error while assigning permission to user: [" + portalUser.getLoginId() + "] for module: [" + 
moduleId + "]", e); } } else if (isCreate) { vXUserPermission = xUserPermissionService.populateViewBean(xUserPermission); diff --git a/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java b/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java index 59e55f3e1db..175459c0636 100644 --- a/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java +++ b/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java @@ -128,7 +128,8 @@ public void setRangerUserPermission(RangerUserPermission rangerUserPermission) { - public static class RangerUserPermission { + public static class RangerUserPermission implements Serializable { + private static final long serialVersionUID = 1L; protected CopyOnWriteArraySet userPermissions; protected Long lastUpdatedTime; diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXPortalUserDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXPortalUserDao.java index d3467f86aef..393252c5101 100644 --- a/security-admin/src/main/java/org/apache/ranger/db/XXPortalUserDao.java +++ b/security-admin/src/main/java/org/apache/ranger/db/XXPortalUserDao.java @@ -21,9 +21,10 @@ import java.util.List; +import javax.persistence.NoResultException; + import org.apache.ranger.common.db.BaseDao; import org.apache.ranger.entity.XXPortalUser; -import org.apache.ranger.entity.XXPortalUserRole; public class XXPortalUserDao extends BaseDao { 
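Review bot: The new early return in `createOrUpdateUserPermisson` leaves a portal user with a role but no module permissions when no `XXUser` row maps to it, which is the safe direction, but the warning that records it has a typo and omits the module, so an operator cannot tell which permissions were skipped: `logger.warn("Could not find an XXUser for portal user [" + portalUser.getLoginId() + "]; not assigning permission for module [" + moduleId + "]");`. Since `assignPermissionToUser` calls this once per module, the warning repeats for every module of the role; if that is too noisy, resolve `findByPortalUserId` once in the caller and pass the `XXUser` in. The method continues past the end of the hunk.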
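Review bot: `RangerUserPermission` now implements `Serializable`, but its `userPermissions` field is a raw `CopyOnWriteArraySet`, so whether a session holding it can actually be serialized depends on the element type being `Serializable` too — that type is not visible here and a mismatch only shows up at runtime during session passivation. Parameterize the field with the concrete permission type and confirm that type is `Serializable`, or mark the field `transient` and rebuild it from the store on restore. A restored session also presumably carries the permissions as of `lastUpdatedTime`; whatever refreshes them should compare against the DB after deserialization so revoked permissions are not resurrected.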
@@ -76,16 +77,16 @@ public List getUserAddedReport(){ .getResultList(); } - - public XXPortalUser findByXUserId(Long id) { - - List resultList = getEntityManager() - .createNamedQuery("XXPortalUser.findByXUserId") - .setParameter("id", id).getResultList(); - if (resultList.size() != 0) { - return (XXPortalUser) resultList.get(0); + public XXPortalUser findByXUserId(Long xUserId) { + if (xUserId == null) { + return null; + } + try { + return getEntityManager().createNamedQuery("XXPortalUser.findByXUserId", tClass) + .setParameter("id", xUserId).getSingleResult(); + } catch (NoResultException e) { + return null; } - return null; } @SuppressWarnings("unchecked") diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXUserDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXUserDao.java index 08875946960..225e733f492 100644 --- a/security-admin/src/main/java/org/apache/ranger/db/XXUserDao.java +++ b/security-admin/src/main/java/org/apache/ranger/db/XXUserDao.java @@ -64,4 +64,16 @@ public List findByPolicyItemId(Long polItemId) { return null; } } + + public XXUser findByPortalUserId(Long portalUserId) { + if (portalUserId == null) { + return null; + } + try { + return getEntityManager().createNamedQuery("XXUser.findByPortalUserId", tClass) + .setParameter("portalUserId", portalUserId).getSingleResult(); + } catch (NoResultException e) { + return null; + } + } } diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXUserPermissionDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXUserPermissionDao.java index e10dc14fdcb..2db6fd69640 100644 --- a/security-admin/src/main/java/org/apache/ranger/db/XXUserPermissionDao.java +++ b/security-admin/src/main/java/org/apache/ranger/db/XXUserPermissionDao.java 
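Review bot: The rewritten `findByXUserId` catches only `NoResultException`, but `getSingleResult()` also throws `NonUniqueResultException` when the named query matches more than one row, so a duplicate that the old `resultList.get(0)` silently tolerated now propagates as an unchecked exception to the REST layer. The new `XXUser.findByPortalUserId` in the next hunk has the same shape, and its named query (added to jpa_named_queries.xml in this commit) joins on `obj.name = portalUser.loginId`, so any two x_user rows sharing a name would make that lookup fail the same way. Either add `catch (NoResultException | NonUniqueResultException e) { return null; }`, or, if the schema guarantees uniqueness for both queries, say so in a one-line comment above each method. `tClass` is presumably inherited from BaseDao; it is not visible here.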
@@ -25,7 +25,6 @@ import org.apache.log4j.Logger; import org.apache.ranger.common.RangerCommonEnums; import org.apache.ranger.common.db.BaseDao; -import org.apache.ranger.entity.XXGroupUser; import org.apache.ranger.entity.XXUserPermission; public class XXUserPermissionDao extends BaseDao{ @@ -99,10 +98,10 @@ public List findByUserPermissionId(Long userId) { return null; } - public XXUserPermission findByModuleIdAndUserId(Long userId, Long moduleId) { + public XXUserPermission findByModuleIdAndPortalUserId(Long userId, Long moduleId) { if (userId != null) { try { - return getEntityManager().createNamedQuery("XXUserPermission.findByModuleIdAndUserId", XXUserPermission.class) + return getEntityManager().createNamedQuery("XXUserPermission.findByModuleIdAndPortalUserId", XXUserPermission.class) .setParameter("userId", userId) .setParameter("moduleId", moduleId) .getSingleResult(); diff --git a/security-admin/src/main/java/org/apache/ranger/patch/PatchPersmissionModel_J10003.java b/security-admin/src/main/java/org/apache/ranger/patch/PatchPersmissionModel_J10003.java index f0aa938dd91..804d08e08d1 100644 --- a/security-admin/src/main/java/org/apache/ranger/patch/PatchPersmissionModel_J10003.java +++ b/security-admin/src/main/java/org/apache/ranger/patch/PatchPersmissionModel_J10003.java @@ -84,9 +84,9 @@ public void assignPermissionToExistingUsers() { vPortalUser.setUserRoleList(daoManager.getXXPortalUser().findXPortalUserRolebyXPortalUserId(vPortalUser.getId())); xUserMgr.assignPermissionToUser(vPortalUser, false); countUserPermissionUpdated += 1; - logger.info(" Permission was assigned to UserId - " + xPortalUser.getId()); + logger.info("Permissions assigned/updated on base of User's Role, UserId [" + xPortalUser.getId() + "]"); } - logger.info(countUserPermissionUpdated + " permissions where assigned"); + logger.info(countUserPermissionUpdated + " permissions were assigned"); } @Override 
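Review bot: In `XXUserPermissionDao` the method is renamed to `findByModuleIdAndPortalUserId` but its first parameter is still called `userId`, which is exactly the XXUser/XXPortalUser id confusion this commit is untangling; `public XXUserPermission findByModuleIdAndPortalUserId(Long portalUserId, Long moduleId)` with `.setParameter("userId", portalUserId)` would make the id space explicit at every call site. The method's catch clause lies outside the hunk; `getSingleResult()` can raise `NonUniqueResultException` as well as `NoResultException`, so it is worth checking that the existing catch covers both. The matching named-query rename at the bottom of jpa_named_queries.xml cannot be verified from this page because the XML element names were stripped.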
diff --git a/security-admin/src/main/java/org/apache/ranger/service/XUserPermissionService.java b/security-admin/src/main/java/org/apache/ranger/service/XUserPermissionService.java index 3ff9c8d0ac0..bd3a50df9dc 100644 --- a/security-admin/src/main/java/org/apache/ranger/service/XUserPermissionService.java +++ b/security-admin/src/main/java/org/apache/ranger/service/XUserPermissionService.java @@ -17,7 +17,6 @@ package org.apache.ranger.service; -import org.apache.ranger.common.MessageEnums; import org.apache.ranger.common.SearchField; import org.apache.ranger.db.RangerDaoManager; import org.apache.ranger.entity.XXModuleDef; 
@@ -47,36 +46,23 @@ public XUserPermissionService() { @Override protected void validateForCreate(VXUserPermission vObj) { - XXUserPermission xUserPerm = daoManager.getXXUserPermission().findByModuleIdAndUserId(vObj.getUserId(), vObj.getModuleId()); - if (xUserPerm != null) { - throw restErrorUtil.createRESTException("User with ID [" + vObj.getUserId() + "] " + "is already " + "assigned to the module with ID [" + vObj.getModuleId() + "]", - MessageEnums.ERROR_DUPLICATE_OBJECT); - } + } @Override protected void validateForUpdate(VXUserPermission vObj, XXUserPermission mObj) { - XXUserPermission xUserPerm = daoManager.getXXUserPermission().findByModuleIdAndUserId(vObj.getUserId(), vObj.getModuleId()); - if (xUserPerm != null && !xUserPerm.getId().equals(vObj.getId())) { - throw restErrorUtil.createRESTException("User with ID [" + vObj.getUserId() + "] " + "is already " + "assigned to the module with ID [" + vObj.getModuleId() + "]", - MessageEnums.ERROR_DUPLICATE_OBJECT); - } + } @Override public VXUserPermission populateViewBean(XXUserPermission xObj) { VXUserPermission vObj = super.populateViewBean(xObj); - XXPortalUser xUser = rangerDaoManager.getXXPortalUser().getById(xObj.getUserId()); - if (xUser == null) { - xUser=rangerDaoManager.getXXPortalUser().findByXUserId(xObj.getUserId()); - if(xUser==null) - throw restErrorUtil.createRESTException(xUser + " is Not Found", - MessageEnums.DATA_NOT_FOUND); + XXPortalUser xPortalUser = rangerDaoManager.getXXPortalUser().getById(xObj.getUserId()); + if (xPortalUser != null) { + vObj.setUserName(xPortalUser.getLoginId()); } - vObj.setUserName(xUser.getLoginId()); - XXModuleDef xModuleDef = daoManager.getXXModuleDef().getById(xObj.getModuleId()); if (xModuleDef != null) { vObj.setModuleName(xModuleDef.getModule()); 
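Review bot: `validateForCreate` and `validateForUpdate` are left as overrides whose whole body is one added blank line, so a reader cannot tell whether the duplicate check was dropped or moved; either delete the overrides (if the superclass defaults are no-ops) or leave `// duplicate (user, module) check moved to XUserPermissionServiceBase.mapViewToEntityBean` in each. In `populateViewBean` a missing portal user no longer raises DATA_NOT_FOUND; the view is returned with `userName` unset, which is a behaviour change callers outside this hunk may not expect, and a short comment on the `if (xPortalUser != null)` saying that is deliberate would help. `populateViewBean` continues past the end of the hunk.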
diff --git a/security-admin/src/main/java/org/apache/ranger/service/XUserPermissionServiceBase.java b/security-admin/src/main/java/org/apache/ranger/service/XUserPermissionServiceBase.java index 59c082d2760..a5a1213810b 100644 --- a/security-admin/src/main/java/org/apache/ranger/service/XUserPermissionServiceBase.java +++ b/security-admin/src/main/java/org/apache/ranger/service/XUserPermissionServiceBase.java @@ -20,7 +20,10 @@ import java.util.ArrayList; import java.util.List; +import org.apache.ranger.common.MessageEnums; import org.apache.ranger.common.SearchCriteria; +import org.apache.ranger.entity.XXPortalUser; +import org.apache.ranger.entity.XXUser; import org.apache.ranger.entity.XXUserPermission; import org.apache.ranger.view.VXUserPermission; import org.apache.ranger.view.VXUserPermissionList; 
@@ -34,20 +37,48 @@ public XUserPermissionServiceBase() { } - @SuppressWarnings("unchecked") @Override - protected XXUserPermission mapViewToEntityBean(VXUserPermission vObj, - XXUserPermission mObj, int OPERATION_CONTEXT) { - mObj.setUserId(vObj.getUserId()); + @SuppressWarnings("unchecked") + protected XXUserPermission mapViewToEntityBean(VXUserPermission vObj, XXUserPermission mObj, int OPERATION_CONTEXT) { + + // Assuming that vObj.userId coming from UI/Client would be of XXUser, but in DB it should be of XXPortalUser so + // have to map XXUser.ID to XXPortalUser.ID and if portalUser does not exist then not allowing to create/update + + XXPortalUser portalUser = daoManager.getXXPortalUser().findByXUserId(vObj.getUserId()); + if (portalUser == null) { + throw restErrorUtil.createRESTException("Invalid UserId: [" + vObj.getUserId() + + "], Please make sure while create/update given userId should be of x_user", + MessageEnums.INVALID_INPUT_DATA); + } + + mObj.setUserId(portalUser.getId()); mObj.setModuleId(vObj.getModuleId()); mObj.setIsAllowed(vObj.getIsAllowed()); + + if (OPERATION_CONTEXT == OPERATION_CREATE_CONTEXT) { + validateXUserPermForCreate(mObj); + } else if (OPERATION_CONTEXT == OPERATION_UPDATE_CONTEXT) { + validateXUserPermForUpdate(mObj); + } + return mObj; } - @SuppressWarnings("unchecked") @Override + @SuppressWarnings("unchecked") protected VXUserPermission mapEntityToViewBean(VXUserPermission vObj, XXUserPermission mObj) { - vObj.setUserId(mObj.getUserId()); + + // As XXUserPermission.userID refers to XXPortalUser.ID, But UI/Client expects XXUser.ID so have to map + // XXUserPermission.userID from XXPortalUser.ID to XXUser.ID + XXUser xUser = daoManager.getXXUser().findByPortalUserId(mObj.getUserId()); + Long userId; + if (xUser != null) { + userId = xUser.getId(); + } else { + // In this case rather throwing exception, send it as null + userId = null; + } + vObj.setUserId(userId); vObj.setModuleId(mObj.getModuleId()); 
vObj.setIsAllowed(mObj.getIsAllowed()); return vObj; @@ -75,4 +106,26 @@ public VXUserPermissionList searchXUserPermission(SearchCriteria searchCriteria) returnList.setvXModuleDef(vXUserPermissions); return returnList; } + + protected void validateXUserPermForCreate(XXUserPermission mObj) { + XXUserPermission xUserPerm = daoManager.getXXUserPermission().findByModuleIdAndPortalUserId(mObj.getUserId(), + mObj.getModuleId()); + if (xUserPerm != null) { + throw restErrorUtil.createRESTException("User with ID [" + mObj.getUserId() + "] " + "is already " + + "assigned to the module with ID [" + mObj.getModuleId() + "]", + MessageEnums.ERROR_DUPLICATE_OBJECT); + } + } + + protected void validateXUserPermForUpdate(XXUserPermission mObj) { + + XXUserPermission xUserPerm = daoManager.getXXUserPermission().findByModuleIdAndPortalUserId(mObj.getUserId(), + mObj.getModuleId()); + if (xUserPerm != null && !xUserPerm.getId().equals(mObj.getId())) { + throw restErrorUtil.createRESTException("User with ID [" + mObj.getUserId() + "] " + "is already " + + "assigned to the module with ID [" + mObj.getModuleId() + "]", + MessageEnums.ERROR_DUPLICATE_OBJECT); + } + } + } \ No newline at end of file diff --git a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml index 0370e9abe60..12c4c6ddba4 100644 --- a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml +++ b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml @@ -192,6 +192,11 @@ where polItemUser.policyItemId = :polItemId and polItemUser.userId = obj.id + + select obj from XXUser obj, XXPortalUser portalUser where portalUser.id = :portalUserId and + obj.name = portalUser.loginId + + select obj.name from XXGroup obj, XXPolicyItemGroupPerm polItemGrp where polItemGrp.policyItemId = :polItemId and polItemGrp.groupId = obj.id 
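Review bot: `validateXUserPermForUpdate(mObj)` decides "same row" by `xUserPerm.getId().equals(mObj.getId())`, which is only right if the `mObj` handed to `mapViewToEntityBean` on the update path is the loaded entity with its id populated; if the base service passes a fresh `XXUserPermission` there, every update of an existing row is rejected as a duplicate, so this is worth confirming against the caller (outside this diff). Both methods keep `@SuppressWarnings("unchecked")` although no unchecked operation is visible in either body; drop it so real warnings are not masked. The `if (xUser != null) { ... } else { userId = null; }` block collapses to `Long userId = xUser != null ? xUser.getId() : null;` with the existing comment kept above it, and `OPERATION_CONTEXT` as a parameter name would be `operationContext` under the file's own lowerCamelCase convention (renaming a parameter in an override is safe). The two-line rationale comment at the top of `mapViewToEntityBean` is useful and should stay.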
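Review bot: `validateXUserPermForCreate` and `validateXUserPermForUpdate` run the same query and build the same message; the only difference is the `!xUserPerm.getId().equals(mObj.getId())` guard, so one `validateXUserPerm(XXUserPermission mObj, boolean isUpdate)` helper with the message assembled once removes the duplication. The file also ends without a trailing newline (`\ No newline at end of file`), which the formatter should fix.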
@@ -489,7 +494,7 @@ - + SELECT XXUserPermObj FROM XXUserPermission XXUserPermObj WHERE XXUserPermObj.moduleId = :moduleId AND XXUserPermObj.userId =:userId
From c82c0c8c5c1f5d4b7e5673c5c32df9d345961f69 Mon Sep 17 00:00:00 2001
From: Madhan Neethiraj
Date: Wed, 14 Oct 2015 23:39:45 -0700
Subject: [PATCH 077/202] RANGER-687: Service update should ignore user provided values for internal fields - like policyVersion (cherry picked from commit 8f07737f97c111eb6c088917076a2d86eb117a86)
---
 .../src/main/java/org/apache/ranger/biz/ServiceDBStore.java | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index d7964564489..dad652d6050 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -1121,6 +1121,12 @@ public RangerService updateService(RangerService service) throws Exception {
 service = svcServiceWithAssignedId.update(service);
 svcServiceWithAssignedId.setPopulateExistingBaseFields(false);
 } else {
+ service.setCreateTime(existing.getCreateTime());
+ service.setGuid(existing.getGuid());
+ service.setVersion(existing.getVersion());
+ service.setPolicyUpdateTime(existing.getPolicyUpdateTime());
+ service.setPolicyVersion(existing.getPolicyVersion());
+
 service = svcService.update(service);
 }
From c0a5f531e32c84fe8345e17b47b02991bae9043d Mon Sep 17 00:00:00 2001
From: Velmurugan Periasamy
Date: Thu, 15 Oct 2015 23:47:53 -0400
Subject: [PATCH 078/202] RANGER-652: Include ldapconfigcheck tool in main pom.xml
---
 pom.xml | 1 +
 ugsync/ldapconfigchecktool/ldapconfigcheck/pom.xml | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 2ae8d3d0b6c..0ccf12e55d9 100644
--- a/pom.xml
+++ b/pom.xml
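Review bot: Only the `else` branch of `updateService` now restores the server-managed fields; the `svcServiceWithAssignedId` branch just above still calls `update(service)` with whatever `guid`, `version`, `policyUpdateTime` and `policyVersion` the caller supplied. If that branch is deliberately reserved for imports that carry their own base fields, a one-line comment there (`// assigned-id path intentionally keeps caller-supplied base fields`) will stop the next reader from re-applying this fix; if not, the same five assignments belong in that branch too. The five setters themselves deserve a why-comment such as `// server-managed fields: ignore caller-supplied values`, since nothing at the call site explains them. `existing` and the rest of `updateService` are outside the hunk.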
@@ -92,6 +92,7 @@ security-admin plugin-solr ugsync + ugsync/ldapconfigchecktool/ldapconfigcheck unixauthclient unixauthservice ranger-util diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/pom.xml b/ugsync/ldapconfigchecktool/ldapconfigcheck/pom.xml index a0971f2ee31..4ac823f6d81 100644 --- a/ugsync/ldapconfigchecktool/ldapconfigcheck/pom.xml +++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/pom.xml @@ -24,7 +24,7 @@ org.apache.ranger ranger 0.5.0 - .. + ../../../pom.xml ldapconfigcheck From 47c1f94ff1e92491a1583119936eccb36849cb71 Mon Sep 17 00:00:00 2001 From: Gautam Borad Date: Mon, 26 Oct 2015 13:46:42 +0530 Subject: [PATCH 079/202] RANGER-701 : Update setup scripts to allow special characters in passwords --- kms/scripts/db_setup.py | 14 +- kms/scripts/dba_script.py | 23 ++- kms/scripts/setup.sh | 158 ++++++++++----- security-admin/scripts/db_setup.py | 16 +- security-admin/scripts/dba_script.py | 28 ++- security-admin/scripts/set_globals.sh | 26 ++- security-admin/scripts/setup.sh | 180 +++++++++++++----- .../apache/ranger/common/RESTErrorUtil.java | 26 +++ .../service/AbstractBaseResourceService.java | 5 +- .../permissions/ModulePermissionCreate.js | 1 - .../webapp/scripts/views/users/GroupCreate.js | 3 +- .../webapp/scripts/views/users/UserCreate.js | 2 - unixauthservice/scripts/set_globals.sh | 27 ++- unixauthservice/scripts/setup.py | 54 +++--- 14 files changed, 417 insertions(+), 146 deletions(-) mode change 100755 => 100644 kms/scripts/db_setup.py diff --git a/kms/scripts/db_setup.py b/kms/scripts/db_setup.py old mode 100755 new mode 100644 index 5e2f9506a99..bdac333b918 --- a/kms/scripts/db_setup.py +++ b/kms/scripts/db_setup.py 
@@ -100,9 +100,9 @@ def get_jisql_cmd(self, user, password ,db_name): path = RANGER_KMS_HOME self.JAVA_BIN = self.JAVA_BIN.strip("'") if os_name == "LINUX": - jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s -u %s -p %s -noheader -trim -c \;" %(self.JAVA_BIN,self.SQL_CONNECTOR_JAR,path,self.host,db_name,user,password) + jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s -u '%s' -p '%s' -noheader -trim -c \;" %(self.JAVA_BIN,self.SQL_CONNECTOR_JAR,path,self.host,db_name,user,password) elif os_name == "WINDOWS": - jisql_cmd = "%s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s -u %s -p %s -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, self.host, db_name, user, password) + jisql_cmd = "%s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s -u '%s' -p '%s' -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, self.host, db_name, user, password) return jisql_cmd def check_connection(self, db_name, db_user, db_password): 
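Review bot: Wrapping `-u '%s' -p '%s'` in single quotes neutralises shell metacharacters only while the value itself contains no `'`; nothing in db_setup.py enforces that, because the `password_validation` this commit adds lives in dba_script.py and setup.sh, so `get_jisql_cmd` silently depends on its callers having run it and should say so in a comment. The WINDOWS branch receives the same quotes, but cmd.exe does not treat `'` as a quoting character, so unless that command line is executed by a POSIX shell the quotes become literal parts of the user name and password handed to jisql. The MSSQL and SQL Anywhere `get_jisql_cmd` hunks later in this file quote `-password` but leave `-user %s` bare, so a user name with shell metacharacters stays unprotected there. The same three patterns recur in the kms/scripts/dba_script.py hunk and in the three security-admin/scripts/db_setup.py hunks at the end of this page.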
@@ -327,9 +327,9 @@ def get_jisql_cmd(self, user, password, db_name): path = RANGER_KMS_HOME self.JAVA_BIN = self.JAVA_BIN.strip("'") if os_name == "LINUX": - jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password %s -driver mssql -cstring jdbc:sqlserver://%s\\;databaseName=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR,path, user, password, self.host,db_name) + jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password '%s' -driver mssql -cstring jdbc:sqlserver://%s\\;databaseName=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR,path, user, password, self.host,db_name) elif os_name == "WINDOWS": - jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password %s -driver mssql -cstring jdbc:sqlserver://%s;databaseName=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password, self.host,db_name) + jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password '%s' -driver mssql -cstring jdbc:sqlserver://%s;databaseName=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password, self.host,db_name) return jisql_cmd def check_connection(self, db_name, db_user, db_password): 
@@ -392,9 +392,9 @@ def get_jisql_cmd(self, user, password, db_name): path = RANGER_KMS_HOME self.JAVA_BIN = self.JAVA_BIN.strip("'") if os_name == "LINUX": - jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password %s -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,user, password,db_name,self.host) + jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password '%s' -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,user, password,db_name,self.host) elif os_name == "WINDOWS": - jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password %s -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password,db_name,self.host) + jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password '%s' -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password,db_name,self.host) return jisql_cmd def check_connection(self, db_name, db_user, db_password): @@ -527,6 +527,8 @@ def main(argv): xa_db_core_file = os.path.join(RANGER_KMS_HOME ,oracle_core_file) elif XA_DB_FLAVOR == "POSTGRES": + db_user=db_user.lower() + db_name=db_name.lower() POSTGRES_CONNECTOR_JAR = globalDict['SQL_CONNECTOR_JAR'] xa_sqlObj = PostgresConf(xa_db_host, POSTGRES_CONNECTOR_JAR, JAVA_BIN) xa_db_core_file = os.path.join(RANGER_KMS_HOME , postgres_core_file) diff --git a/kms/scripts/dba_script.py b/kms/scripts/dba_script.py index 950b8c36031..d1da5d1513a 100755 --- a/kms/scripts/dba_script.py +++ b/kms/scripts/dba_script.py 
@@ -94,6 +94,17 @@ def logFile(msg): print("Invalid input! Provide file path to write DBA scripts:") sys.exit() +def password_validation(password, userType): + if password: + if re.search("[\\\`'\"]",password): + log("[E] "+userType+" user password contains one of the unsupported special characters like \" ' \ `","error") + sys.exit(1) + else: + log("[I] "+userType+" user password validated","info") + else: + log("[E] Blank password is not allowed,please enter valid password.","error") + sys.exit(1) + class BaseDB(object): def create_rangerdb_user(self, root_user, db_user, db_password, db_root_password,dryMode): @@ -866,9 +877,9 @@ def get_jisql_cmd(self, user, password, db_name): path = RANGER_KMS_HOME self.JAVA_BIN = self.JAVA_BIN.strip("'") if os_name == "LINUX": - jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password %s -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,user, password,db_name,self.host) + jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password '%s' -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,user, password,db_name,self.host) elif os_name == "WINDOWS": - jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password %s -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password,db_name,self.host) + jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password '%s' -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password,db_name,self.host) return jisql_cmd def verify_user(self, root_user, db_root_password, db_user,dryMode): if dryMode == False: 
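Review bot: In `password_validation` the pattern `"[\\\`'\"]"` is a normal string, so the character class only comes out as backslash, backtick, single and double quote because Python happens to keep the unrecognised escape backslash-backtick verbatim; writing the pattern as a raw string (`r"..."` with the same four characters) makes that explicit and survives a future Python that warns on or rejects unknown escapes. A one-line docstring stating that the rejected characters are exactly those that would break the single-quoted jisql command line would tie this helper to the `get_jisql_cmd` change it protects. The helper is also the only place the rule lives; the `BaseDB` class that follows starts outside the hunk.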
@@ -1036,6 +1047,10 @@ def main(argv): dryMode=False is_revoke=False + if len(argv) == 3: + password_validation(argv[1],argv[2]); + return; + if len(argv) > 1: for i in range(len(argv)): if str(argv[i]) == "-q": @@ -1200,6 +1215,8 @@ def main(argv): xa_db_core_file = os.path.join(RANGER_KMS_HOME,oracle_core_file) elif XA_DB_FLAVOR == "POSTGRES": + db_user=db_user.lower() + db_name=db_name.lower() POSTGRES_CONNECTOR_JAR=CONNECTOR_JAR xa_sqlObj = PostgresConf(xa_db_host, POSTGRES_CONNECTOR_JAR, JAVA_BIN) xa_db_core_file = os.path.join(RANGER_KMS_HOME,postgres_core_file) @@ -1222,6 +1239,8 @@ def main(argv): log("[E] ---------- NO SUCH SUPPORTED DB FLAVOUR.. ----------", "error") sys.exit(1) + log("[I] ---------- Verifing Ranger KMS db user password ---------- ","info") + password_validation(db_password,"KMS"); # Methods Begin if DBA_MODE == "TRUE" : diff --git a/kms/scripts/setup.sh b/kms/scripts/setup.sh index 96bf6a0d4da..94b6e233d3e 100755 --- a/kms/scripts/setup.sh +++ b/kms/scripts/setup.sh @@ -31,10 +31,6 @@ then exit 1; fi -eval `grep -v '^XAAUDIT.' ${PROPFILE} | grep -v '^$' | grep -v '^#'` - -DB_HOST="${db_host}" - usage() { [ "$*" ] && echo "$0: $*" sed -n '/^##/,/^$/s/^## \{0,1\}//p' "$0" 
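Review bot: `if len(argv) == 3: password_validation(argv[1],argv[2]); return;` turns any invocation with exactly two arguments into validation mode regardless of what they are, which is brittle next to the explicit `-q` style flags parsed just below; an explicit option such as `-validate` would be unambiguous. Passing the password as a process argument also exposes it to every local account via the process table for as long as the check runs; reading it from stdin or an environment variable avoids that. The trailing `;` on both statements is not Python style. In the last hunk of this file the log message reads `Verifing`; it should be `Verifying`.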
@@ -46,6 +42,50 @@ log() { echo "${prefix} $@" >> $LOGFILE echo "${prefix} $@" } +#eval `grep -v '^XAAUDIT.' ${PROPFILE} | grep -v '^$' | grep -v '^#'` +get_prop(){ + validateProperty=$(sed '/^\#/d' $2 | grep "^$1\s*=" | tail -n 1) # for validation + if test -z "$validateProperty" ; then log "[E] '$1' not found in $2 file while getting....!!"; exit 1; fi + value=$(echo $validateProperty | cut -d "=" -f2-) + echo $value +} + +PYTHON_COMMAND_INVOKER=$(get_prop 'PYTHON_COMMAND_INVOKER' $PROPFILE) +DB_FLAVOR=$(get_prop 'DB_FLAVOR' $PROPFILE) +SQL_COMMAND_INVOKER=$(get_prop 'SQL_COMMAND_INVOKER' $PROPFILE) +SQL_CONNECTOR_JAR=$(get_prop 'SQL_CONNECTOR_JAR' $PROPFILE) +db_root_user=$(get_prop 'db_root_user' $PROPFILE) +db_root_password=$(get_prop 'db_root_password' $PROPFILE) +db_host=$(get_prop 'db_host' $PROPFILE) +db_name=$(get_prop 'db_name' $PROPFILE) +db_user=$(get_prop 'db_user' $PROPFILE) +db_password=$(get_prop 'db_password' $PROPFILE) +KMS_MASTER_KEY_PASSWD=$(get_prop 'KMS_MASTER_KEY_PASSWD' $PROPFILE) +unix_user=$(get_prop 'unix_user' $PROPFILE) +unix_group=$(get_prop 'unix_group' $PROPFILE) +POLICY_MGR_URL=$(get_prop 'POLICY_MGR_URL' $PROPFILE) +REPOSITORY_NAME=$(get_prop 'REPOSITORY_NAME' $PROPFILE) +SSL_KEYSTORE_FILE_PATH=$(get_prop 'SSL_KEYSTORE_FILE_PATH' $PROPFILE) +SSL_KEYSTORE_PASSWORD=$(get_prop 'SSL_KEYSTORE_PASSWORD' $PROPFILE) +SSL_TRUSTSTORE_FILE_PATH=$(get_prop 'SSL_TRUSTSTORE_FILE_PATH' $PROPFILE) +SSL_TRUSTSTORE_PASSWORD=$(get_prop 'SSL_TRUSTSTORE_PASSWORD' $PROPFILE) +KMS_DIR=$(eval echo "$(get_prop 'KMS_DIR' $PROPFILE)") +app_home=$(eval echo "$(get_prop 'app_home' $PROPFILE)") +TMPFILE=$(eval echo "$(get_prop 'TMPFILE' $PROPFILE)") +LOGFILE=$(eval echo "$(get_prop 'LOGFILE' $PROPFILE)") +LOGFILES=$(eval echo "$(get_prop 'LOGFILES' $PROPFILE)") +JAVA_BIN=$(get_prop 'JAVA_BIN' $PROPFILE) +JAVA_VERSION_REQUIRED=$(get_prop 'JAVA_VERSION_REQUIRED' $PROPFILE) +JAVA_ORACLE=$(get_prop 'JAVA_ORACLE' $PROPFILE) +mysql_core_file=$(get_prop 
'mysql_core_file' $PROPFILE) +oracle_core_file=$(get_prop 'oracle_core_file' $PROPFILE) +postgres_core_file=$(get_prop 'postgres_core_file' $PROPFILE) +sqlserver_core_file=$(get_prop 'sqlserver_core_file' $PROPFILE) +sqlanywhere_core_file=$(get_prop 'sqlanywhere_core_file' $PROPFILE) +cred_keystore_filename=$(eval echo "$(get_prop 'cred_keystore_filename' $PROPFILE)") +KMS_BLACKLIST_DECRYPT_EEK=$(get_prop 'KMS_BLACKLIST_DECRYPT_EEK' $PROPFILE) + +DB_HOST="${db_host}" check_ret_status(){ if [ $1 -ne 0 ]; then 
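Review bot: In `get_prop`, `value=$(echo $validateProperty | cut -d "=" -f2-)` and `echo $value` expand the property unquoted, so word splitting and pathname expansion apply to every value read this way; a password or key containing `*`, `?` or repeated spaces, the very inputs this commit sets out to support, is altered before it reaches jisql or the credential store, and the fix is `value=$(printf '%s\n' "$validateProperty" | cut -d "=" -f2-)` followed by `printf '%s\n' "$value"`. The `getPropertyFromFileNoExit`/`getPropertyFromFile` hunk that follows has the same unquoted `echo $validateProperty`. `get_prop` calls `log` on a missing key, but `LOGFILE` is itself assigned via `get_prop` further down this block, so a missing property earlier in the list is reported before the log path exists and the `>> $LOGFILE` in `log` fails. The `eval echo "$(get_prop 'KMS_DIR' ...)"` lines keep property values on an `eval` path right after the whole-file `eval` was removed; if only `~`/`$VAR` expansion is intended, a comment saying so, and a check that the file is admin-writable only, would document the trust assumption.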
@@ -82,29 +122,25 @@ get_distro(){ #Get Properties from File without erroring out if property is not there #$1 -> propertyName $2 -> fileName $3 -> variableName $4 -> failIfNotFound getPropertyFromFileNoExit(){ - validateProperty=$(sed '/^\#/d' $2 | grep "^$1" | tail -n 1) # for validation + validateProperty=$(sed '/^\#/d' $2 | grep "^$1\s*=" | tail -n 1) # for validation if test -z "$validateProperty" ; then - log "[E] '$1' not found in $2 file while getting....!!"; - if [ $4 == "true" ] ; then - exit 1; - else - value="" - fi - else - value=`sed '/^\#/d' $2 | grep "^$1" | tail -n 1 | cut -d "=" -f2-` - fi - #echo 'value:'$value + log "[E] '$1' not found in $2 file while getting....!!"; + if [ $4 == "true" ] ; then + exit 1; + else + value="" + fi + else + value=$(echo $validateProperty | cut -d "=" -f2-) + fi eval $3="'$value'" } #Get Properties from File #$1 -> propertyName $2 -> fileName $3 -> variableName getPropertyFromFile(){ - validateProperty=$(sed '/^\#/d' $2 | grep "^$1" | tail -n 1) # for validation + validateProperty=$(sed '/^\#/d' $2 | grep "^$1\s*=" | tail -n 1) # for validation if test -z "$validateProperty" ; then log "[E] '$1' not found in $2 file while getting....!!"; exit 1; fi - value=`sed '/^\#/d' $2 | grep "^$1" | tail -n 1 | cut -d "=" -f2-` - #echo 'value:'$value - #validate=$(sed '/^\#/d' $2 | grep "^$1" | tail -n 1 | cut -d "=" -f2-) # for validation - #if test -z "$validate" ; then log "[E] '$1' not found in $2 file while getting....!!"; exit 1; fi + value=$(echo $validateProperty | cut -d "=" -f2-) eval $3="'$value'" } 
@@ -132,7 +168,21 @@ init_logfiles () { touch $f done } - +password_validation() { + if [ -z "$1" ] + then + log "[I] Blank password is not allowed for" $2". Please enter valid password." + exit 1 + else + if [[ $1 =~ [\"\'\`\\\] ]] + then + log "[E]" $2 "password contains one of the unsupported special characters:\" ' \` \\" + exit 1 + else + log "[I]" $2 "password validated." + fi + fi +} init_variables(){ curDt=`date '+%Y%m%d%H%M%S'` @@ -157,11 +207,11 @@ init_variables(){ DB_FLAVOR="MYSQL" fi log "[I] DB_FLAVOR=${DB_FLAVOR}" - - getPropertyFromFile 'db_root_user' $PROPFILE db_root_user - getPropertyFromFile 'db_root_password' $PROPFILE db_user - getPropertyFromFile 'db_user' $PROPFILE db_user - getPropertyFromFile 'db_password' $PROPFILE db_password + password_validation "$KMS_MASTER_KEY_PASSWD" "KMS Master key" + #getPropertyFromFile 'db_root_user' $PROPFILE db_root_user + #getPropertyFromFile 'db_root_password' $PROPFILE db_user + #getPropertyFromFile 'db_user' $PROPFILE db_user + #getPropertyFromFile 'db_password' $PROPFILE db_password #if [ -L ${CONF_FILE} ] # then @@ -345,11 +395,6 @@ update_properties() { log "[E] $to_file does not exists" ; exit 1; fi - - propertyName=ranger.ks.jpa.jdbc.user - newPropertyValue="${db_user}" - updatePropertyToFilePy $propertyName $newPropertyValue $to_file - if [ "${DB_FLAVOR}" == "MYSQL" ] then propertyName=ranger.ks.jpa.jdbc.url @@ -382,6 +427,9 @@ update_properties() { fi if [ "${DB_FLAVOR}" == "POSTGRES" ] then + db_name=`echo ${db_name} | tr '[:upper:]' '[:lower:]'` + db_user=`echo ${db_user} | tr '[:upper:]' '[:lower:]'` + propertyName=ranger.ks.jpa.jdbc.url newPropertyValue="jdbc:postgresql://${DB_HOST}/${db_name}" updatePropertyToFilePy $propertyName $newPropertyValue $to_file 
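Review bot: In `password_validation` the blank-password branch logs with the `[I]` prefix and then exits 1; it is an error exactly like the branch below it and should read `log "[E] Blank password is not allowed for" $2". Please enter valid password."`. `$2` is unquoted in all three `log` calls, so a multi-word label such as "KMS Master key" is split; `"$2"` keeps it intact. The four `#getPropertyFromFile ...` lines in the next hunk are commented-out code (as are the two `#$JAVA_HOME/bin/java ...` lines in the credential-store hunk further down); version control keeps that history, so delete them.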
@@ -424,6 +472,10 @@ update_properties() { newPropertyValue="sap.jdbc4.sqlanywhere.IDriver" updatePropertyToFilePy $propertyName $newPropertyValue $to_file fi + propertyName=ranger.ks.jpa.jdbc.user + newPropertyValue="${db_user}" + updatePropertyToFilePy $propertyName $newPropertyValue $to_file + keystore="${cred_keystore_filename}" echo "Starting configuration for XA DB credentials:" @@ -438,8 +490,10 @@ update_properties() { then mkdir -p `dirname "${keystore}"` - $JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "${DB_CREDENTIAL_ALIAS}" -value "$db_password" -provider jceks://file$keystore - $JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "${MK_CREDENTIAL_ALIAS}" -value "${KMS_MASTER_KEY_PASSWD}" -provider jceks://file$keystore + $PYTHON_COMMAND_INVOKER ranger_credential_helper.py -l "cred/lib/*" -f "$keystore" -k "${DB_CREDENTIAL_ALIAS}" -v "${db_password}" -c 1 + $PYTHON_COMMAND_INVOKER ranger_credential_helper.py -l "cred/lib/*" -f "$keystore" -k "${MK_CREDENTIAL_ALIAS}" -v "${KMS_MASTER_KEY_PASSWD}" -c 1 + #$JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "${DB_CREDENTIAL_ALIAS}" -value "$db_password" -provider jceks://file$keystore + #$JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "${MK_CREDENTIAL_ALIAS}" -value "${KMS_MASTER_KEY_PASSWD}" -provider jceks://file$keystore propertyName=ranger.ks.jpa.jdbc.credential.alias newPropertyValue="${DB_CREDENTIAL_ALIAS}" 
@@ -524,23 +578,24 @@ setup_install_files(){ if [ ! -d ${WEBAPP_ROOT}/WEB-INF/classes/conf ]; then log "[I] Copying ${WEBAPP_ROOT}/WEB-INF/classes/conf.dist ${WEBAPP_ROOT}/WEB-INF/classes/conf" mkdir -p ${WEBAPP_ROOT}/WEB-INF/classes/conf + cp ${WEBAPP_ROOT}/WEB-INF/classes/conf.dist/* ${WEBAPP_ROOT}/WEB-INF/classes/conf fi - cp ${WEBAPP_ROOT}/WEB-INF/classes/conf.dist/* ${WEBAPP_ROOT}/WEB-INF/classes/conf + if [ -d ${WEBAPP_ROOT}/WEB-INF/classes/conf ]; then chown -R ${unix_user} ${WEBAPP_ROOT}/WEB-INF/classes/conf chown -R ${unix_user} ${WEBAPP_ROOT}/WEB-INF/classes/conf/ + fi if [ ! -d ${WEBAPP_ROOT}/WEB-INF/classes/lib ]; then log "[I] Creating ${WEBAPP_ROOT}/WEB-INF/classes/lib" mkdir -p ${WEBAPP_ROOT}/WEB-INF/classes/lib + fi + if [ -d ${WEBAPP_ROOT}/WEB-INF/classes/lib ]; then chown -R ${unix_user} ${WEBAPP_ROOT}/WEB-INF/classes/lib fi if [ -d /etc/init.d ]; then log "[I] Setting up init.d" cp ${INSTALL_DIR}/${RANGER_KMS}-initd /etc/init.d/${RANGER_KMS} - if [ "${unix_user}" != "kms" ]; then - sed 's/LINUX_USER=kms/LINUX_USER='${unix_user}'/g' -i /etc/init.d/${RANGER_KMS} - fi chmod ug+rx /etc/init.d/${RANGER_KMS} if [ -d /etc/rc2.d ] @@ -579,16 +634,20 @@ setup_install_files(){ ln -s /etc/init.d/${RANGER_KMS} $RC_DIR/K90${RANGER_KMS} fi fi + if [ -f /etc/init.d/${RANGER_KMS} ]; then + if [ "${unix_user}" != "" ]; then + sed 's/^LINUX_USER=.*$/LINUX_USER='${unix_user}'/g' -i /etc/init.d/${RANGER_KMS} + fi + fi if [ ! -d ${KMS_DIR}/ews/logs ]; then log "[I] ${KMS_DIR}/ews/logs folder" mkdir -p ${KMS_DIR}/ews/logs - chown -R ${unix_user} ${KMS_DIR}/ews/logs fi - if [ -d ${KMS_DIR}/ews/logs ]; then chown -R ${unix_user} ${KMS_DIR}/ews/logs fi + log "[I] Setting up installation files and directory DONE"; if [ ! -f ${INSTALL_DIR}/rpm ]; then 
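Review bot: `sed 's/^LINUX_USER=.*$/LINUX_USER='${unix_user}'/g' -i /etc/init.d/${RANGER_KMS}` splices `${unix_user}` straight into the sed expression, so a value containing `/`, `&` or whitespace breaks or changes the substitution, where the removed line only ever replaced the literal `kms`; a different delimiter, `sed -i "s|^LINUX_USER=.*\$|LINUX_USER=${unix_user}|"`, narrows that to `|` and `&`. In the first hunk, `conf.dist` is now copied only when the `conf` directory does not yet exist, which looks like a deliberate choice to preserve edited configuration on re-run; a one-line comment above the `if` would record that so the next reader does not "fix" it back.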
@@ -617,13 +676,17 @@ setup_install_files(){ ln -sf ${INSTALL_DIR}/ranger-kms-initd ${INSTALL_DIR}/ranger-kms-services.sh chmod ug+rx ${INSTALL_DIR}/ranger-kms-services.sh fi - - if [ ! -d /var/log/ranger/kms ] - then + if [ ! -d /var/log/ranger/kms ]; then mkdir -p /var/log/ranger/kms + if [ -d ews/logs ]; then + cp -r ews/logs/* /var/log/ranger/kms + fi + fi + if [ -d /var/log/ranger/kms ]; then + chmod 755 /var/log/ranger/kms + chown -R $unix_user:$unix_group /var/log/ranger/kms fi - chgrp ${unix_group} /var/log/ranger/kms - chmod g+rwx /var/log/ranger/kms + } init_logfiles @@ -640,7 +703,12 @@ sanity_check_files copy_db_connector check_python_command run_dba_steps -$PYTHON_COMMAND_INVOKER db_setup.py +if [ "$?" == "0" ] +then + $PYTHON_COMMAND_INVOKER db_setup.py +else + exit 1 +fi if [ "$?" == "0" ] then update_properties diff --git a/security-admin/scripts/db_setup.py b/security-admin/scripts/db_setup.py index 1edc628d96d..07a06557c7d 100644 --- a/security-admin/scripts/db_setup.py +++ b/security-admin/scripts/db_setup.py 
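Review bot: `chmod 755 /var/log/ranger/kms` grants read and traverse on the log directory to every local account, whereas the removed `chmod g+rwx` only widened group access; KMS logs can carry operational detail, so `chmod 750` together with the new `chown -R $unix_user:$unix_group` keeps the group-readable behaviour without opening the directory to others. In the last hunk, `if [ "$?" == "0" ]` after `run_dba_steps` tests the exit status of whatever that function ran last (the function is outside this diff), so confirm it propagates the python exit code rather than that of a trailing `log`. The `else` branch exits silently; `log "[E] DBA steps failed, aborting setup"; exit 1` would tell the operator why setup stopped.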
@@ -161,9 +161,9 @@ def get_jisql_cmd(self, user, password ,db_name): path = RANGER_ADMIN_HOME self.JAVA_BIN = self.JAVA_BIN.strip("'") if os_name == "LINUX": - jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s -u %s -p %s -noheader -trim -c \;" %(self.JAVA_BIN,self.SQL_CONNECTOR_JAR,path,self.host,db_name,user,password) + jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s -u '%s' -p '%s' -noheader -trim -c \;" %(self.JAVA_BIN,self.SQL_CONNECTOR_JAR,path,self.host,db_name,user,password) elif os_name == "WINDOWS": - jisql_cmd = "%s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s -u %s -p %s -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, self.host, db_name, user, password) + jisql_cmd = "%s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s -u '%s' -p '%s' -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, self.host, db_name, user, password) return jisql_cmd def check_connection(self, db_name, db_user, db_password): 
@@ -939,9 +939,9 @@ def get_jisql_cmd(self, user, password, db_name): path = RANGER_ADMIN_HOME self.JAVA_BIN = self.JAVA_BIN.strip("'") if os_name == "LINUX": - jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password %s -driver mssql -cstring jdbc:sqlserver://%s\\;databaseName=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password, self.host,db_name) + jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password '%s' -driver mssql -cstring jdbc:sqlserver://%s\\;databaseName=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password, self.host,db_name) elif os_name == "WINDOWS": - jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password %s -driver mssql -cstring jdbc:sqlserver://%s;databaseName=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password, self.host,db_name) + jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password '%s' -driver mssql -cstring jdbc:sqlserver://%s;databaseName=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password, self.host,db_name) return jisql_cmd def check_connection(self, db_name, db_user, db_password): 
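Review bot: The MSSQL `get_jisql_cmd` quotes only the password (`-password '%s'`) and leaves `-user %s` bare, so a user name containing whitespace or shell metacharacters is still split or interpreted by the shell while the password is protected. Quote both for consistency with the MySQL variant in this file: `-user '%s' -password '%s'`. In the `WINDOWS` branch single quotes are not quoting characters for cmd.exe and will reach jisql literally; that branch needs double quotes if the command goes through the shell. The method's `def` is outside the hunk.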
@@ -1173,9 +1173,9 @@ def get_jisql_cmd(self, user, password, db_name): path = RANGER_ADMIN_HOME self.JAVA_BIN = self.JAVA_BIN.strip("'") if os_name == "LINUX": - jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password %s -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,user, password,db_name,self.host) + jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password '%s' -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,user, password,db_name,self.host) elif os_name == "WINDOWS": - jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password %s -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password,db_name,self.host) + jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password '%s' -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password,db_name,self.host) return jisql_cmd def check_connection(self, db_name, db_user, db_password): @@ -1506,6 +1506,8 @@ def main(argv): audit_patch_file = os.path.join(RANGER_ADMIN_HOME ,oracle_auditdb_patches) elif XA_DB_FLAVOR == "POSTGRES": + db_user=db_user.lower() + db_name=db_name.lower() POSTGRES_CONNECTOR_JAR = globalDict['SQL_CONNECTOR_JAR'] xa_sqlObj = PostgresConf(xa_db_host, POSTGRES_CONNECTOR_JAR, JAVA_BIN) xa_db_version_file = os.path.join(RANGER_ADMIN_HOME , postgres_dbversion_catalog) 
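Review bot: `db_user=db_user.lower()` and `db_name=db_name.lower()` in the POSTGRES branch of `main` silently change the identity the installer connects as: PostgreSQL folds only unquoted identifiers to lower case, so a role or database that was created with a quoted mixed-case name will no longer match after this. If the intent is to mirror PostgreSQL's folding of unquoted identifiers, state it and surface the effective names, e.g. `# PostgreSQL folds unquoted identifiers to lower case; quoted mixed-case roles/databases are not supported here` followed by a log line printing `db_user` and `db_name` as they will be used. `main` starts and ends outside the hunk.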
@@ -1548,6 +1550,8 @@ def main(argv): audit_db_file = os.path.join(RANGER_ADMIN_HOME , oracle_audit_file) elif AUDIT_DB_FLAVOR == "POSTGRES": + audit_db_user=audit_db_user.lower() + audit_db_name=audit_db_name.lower() POSTGRES_CONNECTOR_JAR = globalDict['SQL_CONNECTOR_JAR'] audit_sqlObj = PostgresConf(audit_db_host, POSTGRES_CONNECTOR_JAR, JAVA_BIN) audit_db_file = os.path.join(RANGER_ADMIN_HOME , postgres_audit_file) diff --git a/security-admin/scripts/dba_script.py b/security-admin/scripts/dba_script.py index 4fd55938941..40a6c496abc 100644 --- a/security-admin/scripts/dba_script.py +++ b/security-admin/scripts/dba_script.py @@ -96,6 +96,17 @@ def logFile(msg): print("Invalid input! Provide file path to write DBA scripts:") sys.exit() +def password_validation(password, userType): + if password: + if re.search("[\\\`'\"]",password): + log("[E] "+userType+" user password contains one of the unsupported special characters like \" ' \ `","error") + sys.exit(1) + else: + log("[I] "+userType+" user password validated","info") + else: + log("[E] Blank password is not allowed,please enter valid password.","error") + sys.exit(1) + class BaseDB(object): def create_rangerdb_user(self, root_user, db_user, db_password, db_root_password,dryMode): 
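Review bot: `password_validation` is the only guard that keeps a database password from breaking out of the single-quoted `-p '%s'`/`-password '%s'` arguments this file builds for jisql, but nothing in the function says so, and the character class `[\\\`'\"]` reads like an arbitrary blacklist. A docstring should pin the coupling: "Rejects characters that would terminate or escape the single-quoted password argument handed to jisql via the shell; widen the quoting in `get_jisql_cmd` before relaxing this list." Two smaller points: `if password:` accepts a whitespace-only password, so `if password and password.strip():` is closer to the intent, and calling `sys.exit(1)` inside a validator makes it unusable from code that wants to report several problems at once — returning a boolean and letting the caller exit would be cleaner. The function is complete within the hunk.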
@@ -1085,9 +1096,9 @@ def get_jisql_cmd(self, user, password, db_name): path = RANGER_ADMIN_HOME self.JAVA_BIN = self.JAVA_BIN.strip("'") if os_name == "LINUX": - jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password %s -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,user, password,db_name,self.host) + jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password '%s' -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,user, password,db_name,self.host) elif os_name == "WINDOWS": - jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password %s -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password,db_name,self.host) + jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password '%s' -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password,db_name,self.host) return jisql_cmd def verify_user(self, root_user, db_root_password, db_user,dryMode): @@ -1270,6 +1281,10 @@ def main(argv): dryMode=False is_revoke=False + if len(argv) == 3: + password_validation(argv[1],argv[2]); + return; + if len(argv) > 1: for i in range(len(argv)): if str(argv[i]) == "-q": @@ -1503,6 +1518,8 @@ def main(argv): elif XA_DB_FLAVOR == "POSTGRES": #POSTGRES_CONNECTOR_JAR = globalDict['SQL_CONNECTOR_JAR'] #POSTGRES_CONNECTOR_JAR='/usr/share/java/postgresql.jar' + db_user=db_user.lower() + db_name=db_name.lower() POSTGRES_CONNECTOR_JAR=CONNECTOR_JAR xa_sqlObj = PostgresConf(xa_db_host, POSTGRES_CONNECTOR_JAR, JAVA_BIN) xa_db_version_file = os.path.join(RANGER_ADMIN_HOME,postgres_dbversion_catalog) 
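Review bot: The new early exit `if len(argv) == 3: password_validation(argv[1],argv[2]); return;` in `main` selects the standalone validation mode purely by argument count, so an invocation whose password expands to more or fewer words (setup.sh passes `${xa_ldap_bind_password}` unquoted, and whitespace is not among the characters the validator rejects) falls straight through into the full DBA flow with the password as its first option. An explicit flag is safer, e.g. `if len(argv) == 4 and argv[1] == "-validatePassword": password_validation(argv[2], argv[3]); return`, with the callers updated to pass it. The trailing semicolons on both lines are not idiomatic Python. `main` starts and ends outside the hunk.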
@@ -1553,6 +1570,8 @@ def main(argv): elif AUDIT_DB_FLAVOR == "POSTGRES": #POSTGRES_CONNECTOR_JAR = globalDict['SQL_CONNECTOR_JAR'] #POSTGRES_CONNECTOR_JAR='/usr/share/java/postgresql.jar' + audit_db_user=audit_db_user.lower() + audit_db_name=audit_db_name.lower() POSTGRES_CONNECTOR_JAR=CONNECTOR_JAR audit_sqlObj = PostgresConf(audit_db_host, POSTGRES_CONNECTOR_JAR, JAVA_BIN) audit_db_file = os.path.join(RANGER_ADMIN_HOME,postgres_audit_file) @@ -1580,6 +1599,11 @@ def main(argv): if audit_store is None or audit_store == "": audit_store = "db" audit_store=audit_store.lower() + + log("[I] ---------- Verifing Ranger Admin db user password ---------- ","info") + password_validation(db_password,"admin"); + log("[I] ---------- Verifing Ranger Audit db user password ---------- ","info") + password_validation(audit_db_password,"audit"); # Methods Begin if DBA_MODE == "TRUE" : if (dryMode==True): diff --git a/security-admin/scripts/set_globals.sh b/security-admin/scripts/set_globals.sh index 9a4159ca8e3..5e985e28237 100755 --- a/security-admin/scripts/set_globals.sh +++ b/security-admin/scripts/set_globals.sh @@ -21,6 +21,20 @@ #This will also create the ranger linux user and groups if required. #This script needs to be run as root +PROPFILE=$PWD/install.properties +propertyValue='' + +if [ ! $? = "0" ];then + log "$PROPFILE file not found....!!"; + exit 1; +fi +get_prop(){ + validateProperty=$(sed '/^\#/d' $2 | grep "^$1\s*=" | tail -n 1) # for validation + if test -z "$validateProperty" ; then log "[E] '$1' not found in $2 file while getting....!!"; exit 1; fi + value=$(echo $validateProperty | cut -d "=" -f2-) + echo $value +} + if [ ! -w /etc/passwd ]; then echo "ERROR: Please run this script as root" exit 1 @@ -43,8 +57,8 @@ log() { } #Create the ranger users and groups (if needed) -unix_user=ranger -unix_group=ranger +unix_user=$(get_prop 'unix_user' $PROPFILE) +unix_group=$(get_prop 'unix_group' $PROPFILE) groupadd ${unix_group} ret=$? 
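Review bot: The check `if [ ! $? = "0" ];then log "$PROPFILE file not found....!!"; exit 1; fi` added at the top of set_globals.sh never fires: `$?` there is the status of the preceding assignment `propertyValue=''`, which is always 0, and `log` is not defined until further down the script, so even the error path would fail. Test the file directly, before any `get_prop` call depends on it: `if [ ! -f "$PROPFILE" ]; then echo "ERROR: $PROPFILE not found"; exit 1; fi`. The `get_prop` helper also echoes `$value` unquoted, so a property value containing `*` or runs of spaces is glob-expanded or collapsed before it reaches `groupadd`/`useradd`; `echo "$value"` preserves it.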
@@ -88,14 +102,14 @@ if [ ! -d /var/log/ranger/admin ]; then if [ -d ews/logs ]; then cp -r ews/logs/* /var/log/ranger/admin fi - chmod 755 /var/log/ranger/admin - chown -R $unix_user:$unix_group /var/log/ranger fi if [ -d /var/log/ranger/admin ]; then - chown -R $unix_user:$unix_group /var/log/ranger/admin + chown -R $unix_user:$unix_group /var/log/ranger + chown -R $unix_user:$unix_group /var/log/ranger/admin + chmod 755 /var/log/ranger + chmod 755 /var/log/ranger/admin fi - mv -f ews/logs ews/webapp/logs.$curDt 2> /dev/null ln -sf /var/log/ranger/admin ews/logs diff --git a/security-admin/scripts/setup.sh b/security-admin/scripts/setup.sh index cd5d2bfa8a8..11b72b4eca0 100755 --- a/security-admin/scripts/setup.sh +++ b/security-admin/scripts/setup.sh @@ -22,14 +22,11 @@ PROPFILE=$PWD/install.properties propertyValue='' -. $PROPFILE +#. $PROPFILE if [ ! $? = "0" ];then log "$PROPFILE file not found....!!"; exit 1; fi - -DB_HOST="${db_host}" - usage() { [ "$*" ] && echo "$0: $*" sed -n '/^##/,/^$/s/^## \{0,1\}//p' "$0" 
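Review bot: With `. $PROPFILE` commented out, the following `if [ ! $? = "0" ];then log "$PROPFILE file not found....!!"; exit 1; fi` tests the exit status of the assignment `propertyValue=''` and can never be true, so a missing install.properties is now only detected indirectly when the first `get_prop` call fails. The `log` function it would call is defined later in the file, so the branch could not work even if it fired. Replace it with a direct existence check that does not depend on `log`: `if [ ! -f "$PROPFILE" ]; then echo "[E] $PROPFILE not found"; exit 1; fi`. Leaving the sourcing line as `#. $PROPFILE` rather than deleting it invites someone to re-enable it and execute arbitrary shell from the properties file again.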
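Review bot: `chown -R $unix_user:$unix_group /var/log/ranger` in the new `if [ -d /var/log/ranger/admin ]` block recurses over the whole `/var/log/ranger` tree, not just the admin subdirectory, so it re-owns sibling component logs (kms, usersync) to the admin's service account on every run, even though those components read their own `unix_user` from their own install.properties and may use a different account. The immediately following `chown -R ... /var/log/ranger/admin` is then redundant. Own the parent without recursing and recurse only into the admin directory: `chown $unix_user:$unix_group /var/log/ranger` followed by `chown -R $unix_user:$unix_group /var/log/ranger/admin`.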
@@ -41,6 +38,77 @@ log() { echo "${prefix} $@" >> $LOGFILE echo "${prefix} $@" } +get_prop(){ + validateProperty=$(sed '/^\#/d' $2 | grep "^$1\s*=" | tail -n 1) # for validation + if test -z "$validateProperty" ; then log "[E] '$1' not found in $2 file while getting....!!"; exit 1; fi + value=$(echo $validateProperty | cut -d "=" -f2-) + echo $value +} + +PYTHON_COMMAND_INVOKER=$(get_prop 'PYTHON_COMMAND_INVOKER' $PROPFILE) +DB_FLAVOR=$(get_prop 'DB_FLAVOR' $PROPFILE) +SQL_COMMAND_INVOKER=$(get_prop 'SQL_COMMAND_INVOKER' $PROPFILE) +SQL_CONNECTOR_JAR=$(get_prop 'SQL_CONNECTOR_JAR' $PROPFILE) +db_root_user=$(get_prop 'db_root_user' $PROPFILE) +db_root_password=$(get_prop 'db_root_password' $PROPFILE) +db_host=$(get_prop 'db_host' $PROPFILE) +db_name=$(get_prop 'db_name' $PROPFILE) +db_user=$(get_prop 'db_user' $PROPFILE) +db_password=$(get_prop 'db_password' $PROPFILE) +audit_store=$(get_prop 'audit_store' $PROPFILE) +audit_solr_urls=$(get_prop 'audit_solr_urls' $PROPFILE) +audit_solr_user=$(get_prop 'audit_solr_user' $PROPFILE) +audit_solr_password=$(get_prop 'audit_solr_password' $PROPFILE) +audit_solr_zookeepers=$(get_prop 'audit_solr_zookeepers' $PROPFILE) +audit_db_name=$(get_prop 'audit_db_name' $PROPFILE) +audit_db_user=$(get_prop 'audit_db_user' $PROPFILE) +audit_db_password=$(get_prop 'audit_db_password' $PROPFILE) +policymgr_external_url=$(get_prop 'policymgr_external_url' $PROPFILE) +policymgr_http_enabled=$(get_prop 'policymgr_http_enabled' $PROPFILE) +unix_user=$(get_prop 'unix_user' $PROPFILE) +unix_group=$(get_prop 'unix_group' $PROPFILE) +authentication_method=$(get_prop 'authentication_method' $PROPFILE) +remoteLoginEnabled=$(get_prop 'remoteLoginEnabled' $PROPFILE) +authServiceHostName=$(get_prop 'authServiceHostName' $PROPFILE) +authServicePort=$(get_prop 'authServicePort' $PROPFILE) +xa_ldap_url=$(get_prop 'xa_ldap_url' $PROPFILE) +xa_ldap_userDNpattern=$(get_prop 'xa_ldap_userDNpattern' $PROPFILE) +xa_ldap_groupSearchBase=$(get_prop 
'xa_ldap_groupSearchBase' $PROPFILE) +xa_ldap_groupSearchFilter=$(get_prop 'xa_ldap_groupSearchFilter' $PROPFILE) +xa_ldap_groupRoleAttribute=$(get_prop 'xa_ldap_groupRoleAttribute' $PROPFILE) +xa_ldap_base_dn=$(get_prop 'xa_ldap_base_dn' $PROPFILE) +xa_ldap_bind_dn=$(get_prop 'xa_ldap_bind_dn' $PROPFILE) +xa_ldap_bind_password=$(get_prop 'xa_ldap_bind_password' $PROPFILE) +xa_ldap_referral=$(get_prop 'xa_ldap_referral' $PROPFILE) +xa_ldap_userSearchFilter=$(get_prop 'xa_ldap_userSearchFilter' $PROPFILE) +xa_ldap_ad_domain=$(get_prop 'xa_ldap_ad_domain' $PROPFILE) +xa_ldap_ad_url=$(get_prop 'xa_ldap_ad_url' $PROPFILE) +xa_ldap_ad_base_dn=$(get_prop 'xa_ldap_ad_base_dn' $PROPFILE) +xa_ldap_ad_bind_dn=$(get_prop 'xa_ldap_ad_bind_dn' $PROPFILE) +xa_ldap_ad_bind_password=$(get_prop 'xa_ldap_ad_bind_password' $PROPFILE) +xa_ldap_ad_referral=$(get_prop 'xa_ldap_ad_referral' $PROPFILE) +xa_ldap_ad_userSearchFilter=$(get_prop 'xa_ldap_ad_userSearchFilter' $PROPFILE) +XAPOLICYMGR_DIR=$(eval echo "$(get_prop 'XAPOLICYMGR_DIR' $PROPFILE)") +app_home=$(eval echo "$(get_prop 'app_home' $PROPFILE)") +TMPFILE=$(eval echo "$(get_prop 'TMPFILE' $PROPFILE)") +LOGFILE=$(eval echo " $(get_prop 'LOGFILE' $PROPFILE)") +LOGFILES=$(eval echo "$(get_prop 'LOGFILES' $PROPFILE)") +JAVA_BIN=$(get_prop 'JAVA_BIN' $PROPFILE) +JAVA_VERSION_REQUIRED=$(get_prop 'JAVA_VERSION_REQUIRED' $PROPFILE) +JAVA_ORACLE=$(get_prop 'JAVA_ORACLE' $PROPFILE) +mysql_core_file=$(get_prop 'mysql_core_file' $PROPFILE) +mysql_audit_file=$(get_prop 'mysql_audit_file' $PROPFILE) +oracle_core_file=$(get_prop 'oracle_core_file' $PROPFILE) +oracle_audit_file=$(get_prop 'oracle_audit_file' $PROPFILE) +postgres_core_file=$(get_prop 'postgres_core_file' $PROPFILE) +postgres_audit_file=$(get_prop 'postgres_audit_file' $PROPFILE) +sqlserver_core_file=$(get_prop 'sqlserver_core_file' $PROPFILE) +sqlserver_audit_file=$(get_prop 'sqlserver_audit_file' $PROPFILE) +sqlanywhere_core_file=$(get_prop 'sqlanywhere_core_file' $PROPFILE) 
+sqlanywhere_audit_file=$(get_prop 'sqlanywhere_audit_file' $PROPFILE) +cred_keystore_filename=$(eval echo "$(get_prop 'cred_keystore_filename' $PROPFILE)") + +DB_HOST="${db_host}" check_ret_status(){ if [ $1 -ne 0 ]; then @@ -77,29 +145,25 @@ get_distro(){ #Get Properties from File without erroring out if property is not there #$1 -> propertyName $2 -> fileName $3 -> variableName $4 -> failIfNotFound getPropertyFromFileNoExit(){ - validateProperty=$(sed '/^\#/d' $2 | grep "^$1" | tail -n 1) # for validation + validateProperty=$(sed '/^\#/d' $2 | grep "^$1\s*=" | tail -n 1) # for validation if test -z "$validateProperty" ; then - log "[E] '$1' not found in $2 file while getting....!!"; - if [ $4 == "true" ] ; then - exit 1; - else - value="" - fi - else - value=`sed '/^\#/d' $2 | grep "^$1" | tail -n 1 | cut -d "=" -f2-` - fi - #echo 'value:'$value + log "[E] '$1' not found in $2 file while getting....!!"; + if [ $4 == "true" ] ; then + exit 1; + else + value="" + fi + else + value=$(echo $validateProperty | cut -d "=" -f2-) + fi eval $3="'$value'" } #Get Properties from File #$1 -> propertyName $2 -> fileName $3 -> variableName getPropertyFromFile(){ - validateProperty=$(sed '/^\#/d' $2 | grep "^$1" | tail -n 1) # for validation + validateProperty=$(sed '/^\#/d' $2 | grep "^$1\s*=" | tail -n 1) # for validation if test -z "$validateProperty" ; then log "[E] '$1' not found in $2 file while getting....!!"; exit 1; fi - value=`sed '/^\#/d' $2 | grep "^$1" | tail -n 1 | cut -d "=" -f2-` - #echo 'value:'$value - #validate=$(sed '/^\#/d' $2 | grep "^$1" | tail -n 1 | cut -d "=" -f2-) # for validation - #if test -z "$validate" ; then log "[E] '$1' not found in $2 file while getting....!!"; exit 1; fi + value=$(echo $validateProperty | cut -d "=" -f2-) eval $3="'$value'" } 
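Review bot: Several of the new property reads run the value through `eval`, e.g. `XAPOLICYMGR_DIR=$(eval echo "$(get_prop 'XAPOLICYMGR_DIR' $PROPFILE)")` and likewise `app_home`, `TMPFILE`, `LOGFILE`, `LOGFILES` and `cred_keystore_filename`, so any shell syntax in those install.properties values is executed by the installer (normally run as root) — which undoes much of the reason for replacing `. $PROPFILE` with `get_prop`. If the goal is only `~`/`$VAR` expansion, check the value against `^[A-Za-z0-9_/.~$-]*$` before the `eval`, or at least document the trust assumption next to these lines (`# install.properties is trusted: values are eval'd for ~ and $VAR expansion`). Independently, `get_prop` echoes `$value` unquoted, so a password or Solr URL containing `*`, `?` or doubled spaces is glob-expanded or collapsed before it reaches the keystore; use `echo "$value"`. The `LOGFILE` line also carries a stray leading space inside `eval echo " $(...)"`.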
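Review bot: Both `getPropertyFromFileNoExit` and `getPropertyFromFile` still end in `eval $3="'$value'"`, so a property value containing a single quote terminates the quoting and the remainder is executed as shell by the installer; the tightened `grep "^$1\s*="` match does not change that. `printf -v "$3" '%s' "$value"` assigns the variable by name without re-parsing the value (the script already relies on bash via `==` in `[ ]`). The unquoted `echo $validateProperty` in `value=$(echo $validateProperty | cut -d "=" -f2-)` glob-expands and whitespace-collapses the line before `cut` sees it; write `echo "$validateProperty"`. Both functions are complete within the hunk.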
@@ -151,20 +215,20 @@ init_variables(){ fi log "[I] DB_FLAVOR=${DB_FLAVOR}" - getPropertyFromFile 'db_root_user' $PROPFILE db_root_user - getPropertyFromFile 'db_root_password' $PROPFILE db_user - getPropertyFromFile 'db_user' $PROPFILE db_user - getPropertyFromFile 'db_password' $PROPFILE db_password - if [ "${audit_store}" == "solr" ] - then - getPropertyFromFile 'audit_solr_urls' $PROPFILE audit_solr_urls - getPropertyFromFile 'audit_solr_user' $PROPFILE audit_solr_user - getPropertyFromFile 'audit_solr_password' $PROPFILE audit_solr_password - getPropertyFromFile 'audit_solr_zookeepers' $PROPFILE audit_solr_zookeepers - else - getPropertyFromFile 'audit_db_user' $PROPFILE audit_db_user - getPropertyFromFile 'audit_db_password' $PROPFILE audit_db_password - fi + #getPropertyFromFile 'db_root_user' $PROPFILE db_root_user + #getPropertyFromFile 'db_root_password' $PROPFILE db_user + #getPropertyFromFile 'db_user' $PROPFILE db_user + #getPropertyFromFile 'db_password' $PROPFILE db_password + #if [ "${audit_store}" == "solr" ] + #then + # getPropertyFromFile 'audit_solr_urls' $PROPFILE audit_solr_urls + # getPropertyFromFile 'audit_solr_user' $PROPFILE audit_solr_user + # getPropertyFromFile 'audit_solr_password' $PROPFILE audit_solr_password + # getPropertyFromFile 'audit_solr_zookeepers' $PROPFILE audit_solr_zookeepers + #else + # getPropertyFromFile 'audit_db_user' $PROPFILE audit_db_user + # getPropertyFromFile 'audit_db_password' $PROPFILE audit_db_password + #fi } wait_for_tomcat_shutdown() { 
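Review bot: The block of `#getPropertyFromFile ...` lines in `init_variables` is dead code and should be deleted rather than commented out; the replacement `get_prop` reads at the top of the file are unconditional, which also means `audit_solr_urls`, `audit_solr_user`, `audit_solr_password` and `audit_solr_zookeepers` must now exist as keys in install.properties even when `audit_store` is `db` (and `audit_db_user`/`audit_db_password` when it is `solr`), because `get_prop` exits with `[E] '$1' not found` for a missing key. If that stricter contract is intended, say so where the keys are read (`# every key must be present in install.properties; empty values are allowed`); otherwise read the store-specific keys with `getPropertyFromFileNoExit`. `init_variables` begins before the hunk.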
@@ -835,6 +899,11 @@ update_properties() { fi if [ "${DB_FLAVOR}" == "POSTGRES" ] then + db_name=`echo ${db_name} | tr '[:upper:]' '[:lower:]'` + audit_db_name=`echo ${audit_db_name} | tr '[:upper:]' '[:lower:]'` + db_user=`echo ${db_user} | tr '[:upper:]' '[:lower:]'` + audit_db_user=`echo ${audit_db_user} | tr '[:upper:]' '[:lower:]'` + propertyName=ranger.jpa.jdbc.url newPropertyValue="jdbc:postgresql://${DB_HOST}/${db_name}" updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger @@ -952,8 +1021,8 @@ update_properties() { if [ "${keystore}" != "" ] then mkdir -p `dirname "${keystore}"` - - $JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "$db_password_alias" -value "$db_password" -provider jceks://file$keystore + $PYTHON_COMMAND_INVOKER ranger_credential_helper.py -l "cred/lib/*" -f "$keystore" -k "$db_password_alias" -v "$db_password" -c 1 + #$JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "$db_password_alias" -value "$db_password" -provider jceks://file$keystore propertyName=ranger.credential.provider.path newPropertyValue="${keystore}" @@ -995,7 +1064,8 @@ update_properties() { if [ "${keystore}" != "" ] then - $JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "$audit_db_password_alias" -value "$audit_db_password" -provider jceks://file$keystore + $PYTHON_COMMAND_INVOKER ranger_credential_helper.py -l "cred/lib/*" -f "$keystore" -k "$audit_db_password_alias" -v "$audit_db_password" -c 1 + #$JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "$audit_db_password_alias" -value "$audit_db_password" -provider jceks://file$keystore propertyName=ranger.jpa.audit.jdbc.credential.alias newPropertyValue="${audit_db_password_alias}" 
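Review bot: The new `ranger_credential_helper.py ... -v "$db_password"` and `-v "$audit_db_password"` invocations put the plaintext password on the command line, where every local user can read it through `ps` or `/proc/<pid>/cmdline` for as long as the helper runs; the Java `buildks` command it replaces had the same exposure, so this is a chance to fix it rather than a regression. If `ranger_credential_helper.py` can take the value from stdin or an environment variable, prefer that (for example `printf '%s' "$db_password" | $PYTHON_COMMAND_INVOKER ranger_credential_helper.py ... -v -`), otherwise record the limitation in a comment beside the call. The superseded `#$JAVA_HOME/bin/java ... buildks create ...` lines should be removed instead of left commented out. `update_properties` starts and ends outside the hunk.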
@@ -1046,7 +1116,8 @@ update_properties() { mkdir -p `dirname "${keystore}"` audit_solr_password_alias=ranger.solr.password - $JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "$audit_solr_password_alias" -value "$audit_solr_password" -provider jceks://file$keystore + $PYTHON_COMMAND_INVOKER ranger_credential_helper.py -l "cred/lib/*" -f "$keystore" -k "$audit_solr_password_alias" -v "$audit_solr_password" -c 1 +# $JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "$audit_solr_password_alias" -value "$audit_solr_password" -provider jceks://file$keystore propertyName=ranger.solr.audit.credential.alias newPropertyValue="${audit_solr_password_alias}" @@ -1318,6 +1389,12 @@ do_authentication_setup(){ if [ "${xa_ldap_base_dn}" != "" ] && [ "${xa_ldap_bind_dn}" != "" ] && [ "${xa_ldap_bind_password}" != "" ] then + $PYTHON_COMMAND_INVOKER dba_script.py ${xa_ldap_bind_password} 'LDAP' + if [ "$?" != "0" ] + then + exit 1 + fi + propertyName=ranger.ldap.base.dn newPropertyValue="${xa_ldap_base_dn}" updatePropertyToFilePy $propertyName $newPropertyValue $ldap_file @@ -1341,7 +1418,8 @@ do_authentication_setup(){ mkdir -p `dirname "${keystore}"` ldap_password_alias=ranger.ldap.binddn.password - $JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "$ldap_password_alias" -value "$xa_ldap_bind_password" -provider jceks://file$keystore + $PYTHON_COMMAND_INVOKER ranger_credential_helper.py -l "cred/lib/*" -f "$keystore" -k "$ldap_password_alias" -v "$xa_ldap_bind_password" -c 1 +# $JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "$ldap_password_alias" -value "$xa_ldap_bind_password" -provider jceks://file$keystore to_file_default=$app_home/WEB-INF/classes/conf/ranger-admin-default-site.xml 
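Review bot: `$PYTHON_COMMAND_INVOKER dba_script.py ${xa_ldap_bind_password} 'LDAP'` expands the bind password unquoted, so a password containing spaces, tabs or glob characters (none of which the validator rejects) is word-split or expanded before dba_script.py sees it, changing both the value that gets validated and the argument count that selects the validation mode. Quote it: `$PYTHON_COMMAND_INVOKER dba_script.py "${xa_ldap_bind_password}" 'LDAP'`. As with the credential-helper call later in the same function, the password is also exposed in the process list for the duration of the run. `do_authentication_setup` begins before the hunk.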
@@ -1403,6 +1481,11 @@ do_authentication_setup(){ if [ "${xa_ldap_ad_base_dn}" != "" ] && [ "${xa_ldap_ad_bind_dn}" != "" ] && [ "${xa_ldap_ad_bind_password}" != "" ] then + $PYTHON_COMMAND_INVOKER dba_script.py ${xa_ldap_ad_bind_password} 'AD' + if [ "$?" != "0" ] + then + exit 1 + fi propertyName=ranger.ldap.ad.base.dn newPropertyValue="${xa_ldap_ad_base_dn}" updatePropertyToFilePy $propertyName $newPropertyValue $ldap_file @@ -1426,7 +1509,8 @@ do_authentication_setup(){ mkdir -p `dirname "${keystore}"` ad_password_alias=ranger.ad.binddn.password - $JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "$ad_password_alias" -value "$xa_ldap_ad_bind_password" -provider jceks://file$keystore + $PYTHON_COMMAND_INVOKER ranger_credential_helper.py -l "cred/lib/*" -f "$keystore" -k "$ad_password_alias" -v "$xa_ldap_ad_bind_password" -c 1 +# $JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "$ad_password_alias" -value "$xa_ldap_ad_bind_password" -provider jceks://file$keystore to_file_default=$app_home/WEB-INF/classes/conf/ranger-admin-default-site.xml @@ -1568,7 +1652,7 @@ setup_install_files(){ fi fi if [ -f /etc/init.d/${RANGER_ADMIN} ]; then - if [ "${unix_user}" != "ranger" ]; then + if [ "${unix_user}" != "" ]; then sed 's/^LINUX_USER=.*$/LINUX_USER='${unix_user}'/g' -i /etc/init.d/${RANGER_ADMIN} fi fi 
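Review bot: `$PYTHON_COMMAND_INVOKER dba_script.py ${xa_ldap_ad_bind_password} 'AD'` passes the AD bind password unquoted, so whitespace or glob characters in it are split or expanded by the shell before validation, and the resulting argument count decides which mode dba_script.py runs in. Quote the expansion: `$PYTHON_COMMAND_INVOKER dba_script.py "${xa_ldap_ad_bind_password}" 'AD'`. `do_authentication_setup` begins before the hunk.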
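Review bot: With the condition relaxed to `if [ "${unix_user}" != "" ]`, the `sed 's/^LINUX_USER=.*$/LINUX_USER='${unix_user}'/g' -i /etc/init.d/${RANGER_ADMIN}` rewrite now runs on every install, and `unix_user` is spliced into the sed program unquoted: a value containing `/`, `&` or a space breaks the sed expression or corrupts the init script that root will later execute. Validate the name before using it, e.g. `case "$unix_user" in *[!A-Za-z0-9._-]*) echo "[E] invalid unix_user"; exit 1;; esac`, or build the replacement with a different delimiter inside double quotes. `setup_install_files` begins before the hunk.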
@@ -1702,17 +1786,27 @@ copy_db_connector #create_audit_db_user check_python_command run_dba_steps +if [ "$?" == "0" ] +then $PYTHON_COMMAND_INVOKER db_setup.py +else + exit 1 +fi if [ "$?" == "0" ] then update_properties do_authentication_setup -$PYTHON_COMMAND_INVOKER db_setup.py -javapatch -#execute_java_patches else log "[E] DB schema setup failed! Please contact Administrator." exit 1 fi +#execute_java_patches +$PYTHON_COMMAND_INVOKER db_setup.py -javapatch +if [ "$?" == "0" ] +then echo "ln -sf ${WEBAPP_ROOT}/WEB-INF/classes/conf ${INSTALL_DIR}/conf" ln -sf ${WEBAPP_ROOT}/WEB-INF/classes/conf ${INSTALL_DIR}/conf echo "Installation of Ranger PolicyManager Web Application is completed." +else + exit 1 +fi diff --git a/security-admin/src/main/java/org/apache/ranger/common/RESTErrorUtil.java b/security-admin/src/main/java/org/apache/ranger/common/RESTErrorUtil.java index c46964c2d89..3f92d8d5c64 100644 --- a/security-admin/src/main/java/org/apache/ranger/common/RESTErrorUtil.java +++ b/security-admin/src/main/java/org/apache/ranger/common/RESTErrorUtil.java 
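Review bot: The success tests `if [ "$?" == "0" ]` placed directly after a `fi` rely on bash reporting the status of the last command executed inside the preceding `if` block (here `db_setup.py`), which works but is fragile: inserting any statement between the `fi` and the test, or adding an `echo` inside the block, silently turns the check into a no-op. Capture the status explicitly, e.g. `$PYTHON_COMMAND_INVOKER db_setup.py; rc=$?` and then `if [ "$rc" == "0" ]`. The `-javapatch` step gets its own `exit 1` but no message, so a failure there is reported only by the exit code; a `log "[E] Java patch execution failed!"` before the exit would match the schema-setup branch. This is the script's top-level flow, so there is no enclosing function.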
@@ -375,4 +375,30 @@ public Boolean parseBoolean(String value, String errorMessage, fieldName, value); } } + + public WebApplicationException createRESTException(String errorMessage, + MessageEnums messageEnum, Long objectId, String fieldName, + String logMessage,int statusCode) + { + List messageList = new ArrayList(); + messageList.add(messageEnum.getMessage(objectId, fieldName)); + VXResponse vResponse = new VXResponse(); + vResponse.setStatusCode(vResponse.STATUS_ERROR); + vResponse.setMsgDesc(errorMessage); + vResponse.setMessageList(messageList); + Response errorResponse = Response.status(statusCode).entity(vResponse).build(); + WebApplicationException restException = new WebApplicationException(errorResponse); + restException.fillInStackTrace(); + UserSessionBase userSession = ContextUtil.getCurrentUserSession(); + Long sessionId = null; + String loginId = null; + if (userSession != null) { + loginId = userSession.getLoginId(); + sessionId = userSession.getSessionId(); + } + logger.info("Request failed. SessionId=" + sessionId + ", loginId=" + + loginId + ", logMessage=" + vResponse.getMsgDesc(), + restException); + return restException; + } } diff --git a/security-admin/src/main/java/org/apache/ranger/service/AbstractBaseResourceService.java b/security-admin/src/main/java/org/apache/ranger/service/AbstractBaseResourceService.java index 0ddfb0ed0f6..49f5ddeffc8 100644 --- a/security-admin/src/main/java/org/apache/ranger/service/AbstractBaseResourceService.java +++ b/security-admin/src/main/java/org/apache/ranger/service/AbstractBaseResourceService.java @@ -37,6 +37,7 @@ import javax.persistence.criteria.Path; import javax.persistence.criteria.Predicate; import javax.persistence.criteria.Root; +import javax.servlet.http.HttpServletResponse; import org.apache.log4j.Logger; import org.apache.ranger.biz.RangerBizUtil; 
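Review bot: The new `createRESTException(String errorMessage, MessageEnums messageEnum, Long objectId, String fieldName, String logMessage, int statusCode)` never uses its `logMessage` parameter: the log line writes `", logMessage=" + vResponse.getMsgDesc()`, so the caller's diagnostic (`"preRead: " + id + " not found."` in AbstractBaseResourceService) is lost and the user-facing message is logged under two labels. Change it to `", logMessage=" + logMessage`. The body otherwise appears to duplicate the existing overload except for `Response.status(statusCode)`; if that overload hardcodes 400, having it delegate to this one keeps the two in step. `List messageList = new ArrayList();` is a raw type — parameterize it with whatever `messageEnum.getMessage` returns. The method is complete within the hunk.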
@@ -318,10 +319,10 @@ public V readResource(Long id) { T resource = getDao().getById(id); if (resource == null) { - // Returns code 400 with DATA_NOT_FOUND as the error message + // Returns code 404 with DATA_NOT_FOUND as the error message throw restErrorUtil.createRESTException(getResourceName() + " not found", MessageEnums.DATA_NOT_FOUND, id, null, - "preRead: " + id + " not found."); + "preRead: " + id + " not found.",HttpServletResponse.SC_NOT_FOUND); } V viewBean = readResource(resource); diff --git a/security-admin/src/main/webapp/scripts/views/permissions/ModulePermissionCreate.js b/security-admin/src/main/webapp/scripts/views/permissions/ModulePermissionCreate.js index 7981d34c3c1..3e03d807ef4 100644 --- a/security-admin/src/main/webapp/scripts/views/permissions/ModulePermissionCreate.js +++ b/security-admin/src/main/webapp/scripts/views/permissions/ModulePermissionCreate.js @@ -145,7 +145,6 @@ define(function(require){ } , error : function(model,resp){ XAUtil.blockUI('unblock'); - console.log('error'); if(!_.isUndefined(resp.responseJSON) && !_.isUndefined(resp.responseJSON.msgDesc)){ XAUtil.notifyError('Error',resp.responseJSON.msgDesc); }else diff --git a/security-admin/src/main/webapp/scripts/views/users/GroupCreate.js b/security-admin/src/main/webapp/scripts/views/users/GroupCreate.js index 40e68374187..dca6b13912a 100644 --- a/security-admin/src/main/webapp/scripts/views/users/GroupCreate.js +++ b/security-admin/src/main/webapp/scripts/views/users/GroupCreate.js @@ -160,8 +160,7 @@ define(function(require){ else XAUtil.notifyError('Error', response.responseJSON.msgDesc); }else - XAUtil.notifyError('Error', 'Error creating Policy!'); - console.log('error'); + XAUtil.notifyError('Error', 'Error occurred while creating/updating group!'); } }); }, diff --git a/security-admin/src/main/webapp/scripts/views/users/UserCreate.js b/security-admin/src/main/webapp/scripts/views/users/UserCreate.js index a37fd887617..817831df4c4 100644 
--- a/security-admin/src/main/webapp/scripts/views/users/UserCreate.js +++ b/security-admin/src/main/webapp/scripts/views/users/UserCreate.js @@ -194,7 +194,6 @@ define(function(require){ } , error : function(model,resp){ XAUtil.blockUI('unblock'); - console.log('error'); if(!_.isUndefined(resp.responseJSON) && !_.isUndefined(resp.responseJSON.msgDesc)){ if(resp.responseJSON.msgDesc == "XUser already exists") XAUtil.notifyError('Error',"User already exists."); @@ -226,7 +225,6 @@ define(function(require){ XAUtil.notifyError('Error',resp.responseJSON.msgDesc); }else XAUtil.notifyError('Error', "Error occurred while creating/updating user."); - console.log('error'); } }); }, diff --git a/unixauthservice/scripts/set_globals.sh b/unixauthservice/scripts/set_globals.sh index c92dfdcff79..7774e48fa04 100755 --- a/unixauthservice/scripts/set_globals.sh +++ b/unixauthservice/scripts/set_globals.sh @@ -21,6 +21,19 @@ #This will also create the ranger linux user and groups if required. #This script needs to be run as root +PROPFILE=$PWD/install.properties +propertyValue='' + +if [ ! $? = "0" ];then + log "$PROPFILE file not found....!!"; + exit 1; +fi +get_prop(){ + validateProperty=$(sed '/^\#/d' $2 | grep "^$1\s*=" | tail -n 1) # for validation + if test -z "$validateProperty" ; then log "[E] '$1' not found in $2 file while getting....!!"; exit 1; fi + value=$(echo $validateProperty | cut -d "=" -f2-) + echo $value +} if [ ! -w /etc/passwd ]; then echo "ERROR: Please run this script as root" exit 1 @@ -43,8 +56,8 @@ log() { } #Create the ranger users and groups (if needed) -unix_user=ranger -unix_group=ranger +unix_user=$(get_prop 'unix_user' $PROPFILE) +unix_group=$(get_prop 'unix_group' $PROPFILE) groupadd ${unix_group} ret=$? 
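Review bot: The new `if [ ! $? = "0" ];then log "$PROPFILE file not found....!!"; exit 1; fi` in usersync's set_globals.sh checks the exit status of the preceding `propertyValue=''` assignment, which is always 0, so a missing install.properties is never caught here, and `log` is defined further down the script, so the branch would error out if it ever ran. Use an explicit file test that does not depend on `log`: `if [ ! -f "$PROPFILE" ]; then echo "ERROR: $PROPFILE not found"; exit 1; fi`. The `get_prop` helper also echoes its result unquoted (`echo $value`), which glob-expands and whitespace-collapses values before they reach `groupadd`/`useradd`; write `echo "$value"`.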
@@ -83,16 +96,16 @@ ln -sf /etc/ranger/usersync/conf conf #Create the log folder if [ ! -d /var/log/ranger/usersync ]; then mkdir -p /var/log/ranger/usersync - if [ -d logs ]; then - cp -r logs/* /var/log/ranger/usersync + if [ -d ews/logs ]; then + cp -r ews/logs/* /var/log/ranger/usersync fi - chmod 755 /var/log/ranger/usersync - chown -R $unix_user:$unix_group /var/log/ranger fi if [ -d /var/log/ranger/usersync ]; then - chown -R $unix_user:$unix_group /var/log/ranger/usersync + chown -R $unix_user:$unix_group /var/log/ranger/usersync + chmod 755 /var/log/ranger/usersync fi + mv -f logs logs.$curDt 2> /dev/null ln -sf /var/log/ranger/usersync logs diff --git a/unixauthservice/scripts/setup.py b/unixauthservice/scripts/setup.py index 31c486eecb4..b35a2617215 100755 --- a/unixauthservice/scripts/setup.py +++ b/unixauthservice/scripts/setup.py @@ -81,7 +81,7 @@ SYNC_SOURCE_UNIX = 'unix' SYNC_SOURCE_LDAP = 'ldap' SYNC_SOURCE_LIST = [ SYNC_SOURCE_UNIX, SYNC_SOURCE_LDAP ] - +SYNC_LDAP_BIND_PASSWORD_KEY = 'ranger.usersync.ldap.ldapbindpassword' credUpdateClassName = 'org.apache.ranger.credentialapi.buildks' #credUpdateClassName = 'com.hortonworks.credentialapi.buildks' @@ -166,6 +166,17 @@ def updateProppertyInJCKSFile(jcksFileName,propName,value): sys.exit(1) return ret +def password_validation(password, userType): + if password: + if re.search("[\\\`'\"]",password): + print "[E] "+userType+" proprty contains one of the unsupported special characters like \" ' \ `" + sys.exit(1) + else: + print "[I] "+userType+" proprty is verified." + else: + print "[E] Blank password is not allowed for proprty " +userType+ ",please enter valid password." + sys.exit(1) + def convertInstallPropsToXML(props): directKeyMap = getPropertiesConfigMap(join(installTemplateDirName,install2xmlMapFileName)) 
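Review bot: The copy source changes to `if [ -d ews/logs ]; then cp -r ews/logs/* /var/log/ranger/usersync`, but the lines that follow still archive and re-link `logs` (`mv -f logs logs.$curDt` and `ln -sf /var/log/ranger/usersync logs`), so the script now copies from one directory and moves a different one; one of the two paths is wrong for the usersync layout, and the `ews/logs` form looks carried over from the admin installer. Use the directory usersync actually writes to in all three places, e.g. keep `if [ -d logs ]; then cp -r logs/* /var/log/ranger/usersync` if that is `logs`. A comment naming the assumption (`# usersync writes to ./logs before install`) would stop the next copy-paste from the admin script. This is top-level script code, so there is no enclosing function.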
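Review bot: The messages in `password_validation` misspell "property" as "proprty" in all three `print` statements, and these are the strings an operator sees when the LDAP bind password is rejected; correct them to `"[E] "+userType+" property contains one of the unsupported special characters like \" ' \ `"` and the matching `[I]` and blank-password lines. The function uses `re.search`, so make sure `re` is imported at the top of setup.py, which is not visible in the hunk. The character list presumably exists because the password is later interpolated into a command string; a one-line docstring naming the quoting it protects would keep the list from being "cleaned up" independently of that code. The function is complete within the hunk.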
@@ -190,6 +201,8 @@ def convertInstallPropsToXML(props): # if (key.startswith("ranger.usersync.ldap") or key.startswith("ranger.usersync.group") or key.startswith("ranger.usersync.paged")): # del ret[key] elif (syncSource == SYNC_SOURCE_LDAP): + ldapPass=ret[SYNC_LDAP_BIND_PASSWORD_KEY] + password_validation(ldapPass, SYNC_LDAP_BIND_PASSWORD_KEY) ret['ranger.usersync.source.impl.class'] = 'org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder' if (SYNC_INTERVAL_NEW_KEY not in ret or len(str(ret[SYNC_INTERVAL_NEW_KEY])) == 0): ret[SYNC_INTERVAL_NEW_KEY] = "3600000" @@ -237,20 +250,18 @@ def initializeInitD(ownerName): fn = join(installPropDirName,initdProgramName) initdFn = join(initdDirName,initdProgramName) shutil.copy(fn, initdFn) - if (ownerName != 'ranger'): - f = open(initdFn,'r') - filedata = f.read() - f.close() - find_str = "LINUX_USER=ranger" - replace_str = "LINUX_USER="+ ownerName - newdata = filedata.replace(find_str,replace_str) - - f = open(initdFn,'w') - f.write(newdata) - f.close() - - os.chmod(initdFn,0550) - rcDirList = [ "/etc/rc2.d", "/etc/rc3.d", "/etc/rc.d/rc2.d", "/etc/rc.d/rc3.d" ] + if (ownerName != 'ranger'): + f = open(initdFn,'r') + filedata = f.read() + f.close() + find_str = "LINUX_USER=ranger" + replace_str = "LINUX_USER="+ ownerName + newdata = filedata.replace(find_str,replace_str) + f = open(initdFn,'w') + f.write(newdata) + f.close() + os.chmod(initdFn,0550) + rcDirList = [ "/etc/rc2.d", "/etc/rc3.d", "/etc/rc.d/rc2.d", "/etc/rc.d/rc3.d" ] for rcDir in rcDirList: if (os.path.isdir(rcDir)): for prefix in initPrefixList: 
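Review bot: `ldapPass=ret[SYNC_LDAP_BIND_PASSWORD_KEY]` in `convertInstallPropsToXML` raises a bare `KeyError` when `ranger.usersync.ldap.ldapbindpassword` is absent from the install properties, bypassing the friendly "[E] Blank password is not allowed" path that `password_validation` provides for the empty case. Use `ldapPass=ret.get(SYNC_LDAP_BIND_PASSWORD_KEY, '')` so a missing key is reported the same way as an empty one. `convertInstallPropsToXML` begins before and ends after the hunk.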
@@ -258,14 +269,13 @@ def initializeInitD(ownerName): scriptName = join(rcDir, scriptFn) if isfile(scriptName): os.remove(scriptName) - #print "+ ln -sf %s %s" % (initdFn, scriptName) os.symlink(initdFn,scriptName) - userSyncScriptName = "ranger-usersync-services.sh" - localScriptName = os.path.abspath(join(installPropDirName,userSyncScriptName)) - ubinScriptName = join("/usr/bin",initdProgramName) - if isfile(ubinScriptName): - os.remove(ubinScriptName) - os.symlink(localScriptName,ubinScriptName) + userSyncScriptName = "ranger-usersync-services.sh" + localScriptName = os.path.abspath(join(installPropDirName,userSyncScriptName)) + ubinScriptName = join("/usr/bin",initdProgramName) + if isfile(ubinScriptName): + os.remove(ubinScriptName) + os.symlink(localScriptName,ubinScriptName) def createJavaKeystoreForSSL(fn,passwd): From 2885928065e04e8956e92bff5f0304d4a347b9a6 Mon Sep 17 00:00:00 2001 From: Gautam Borad Date: Thu, 1 Oct 2015 16:38:58 +0530 Subject: [PATCH 080/202] RANGER-674 : Ranger public rest api gives 200 response for wrong credential instead of 401 --- .../src/main/resources/conf.dist/ranger-admin-default-site.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml b/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml index bd21365fedc..3333827d48e 100644 --- a/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml +++ b/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml @@ -183,7 +183,7 @@ ranger.servlet.mapping.url.pattern - false + service From 3b848bd84983cda6f4890e0d9e8f1524d1da8c96 Mon Sep 17 00:00:00 2001 
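Review bot: The `ranger.servlet.mapping.url.pattern` value changes from `false` to `service`, and nothing in the file says what the pattern selects, so a reader cannot tell why a URL pattern is what turns a wrong-credential request from 200 into 401 as the subject describes. Adding a description element beside the value that names the request paths the pattern covers and states that requests under it must fail authentication with 401 (confirm against the filter that reads the property) would keep the next editor from reverting it to `false` as a stray boolean.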
From: rmani Date: Tue, 27 Oct 2015 11:36:53 -0700 Subject: [PATCH 081/202] RANGER-705:Ranger Usersync should provide summary logs on the sync progress instead of not loggin any details after 2000 users --- .../ldapusersync/process/LdapUserGroupBuilder.java | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java index 66c6e284bbe..63643c0675f 100644 --- a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java +++ b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java @@ -378,11 +378,18 @@ public void updateSink(UserGroupSink sink) throws Throwable { + ", userName: " + userName + ", groupList: " + groupList); } + if ( counter == 2000 ) { + LOG.info("===> 2000 user records have been synchronized so far. From now on, only a summary progress log will be written for every 100 users. To continue to see detailed log for every user, please enable Trace level logging. <==="); + } } else { if (LOG.isTraceEnabled()) { LOG.trace("Updating user count: " + counter - + ", userName: " + userName + ", groupList: " - + groupList); + + ", userName: " + userName + ", groupList: " + + groupList); + } else { + if ( counter % 100 == 0) { + LOG.info("Synced " + counter + " users till now"); + } } } try { From fac88a20d61aaf75f56eab9b9cf28f32887f33d8 Mon Sep 17 00:00:00 2001 
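Review bot: The thresholds in `if ( counter == 2000 )` and `if ( counter % 100 == 0)` are bare literals, and 2000 and 100 are repeated inside the log text, so the message and the conditions can drift apart on the next edit. `private static final int DETAILED_LOG_USER_LIMIT = 2000;` and `private static final int SUMMARY_LOG_INTERVAL = 100;`, with the notice built from them, would keep the two aligned; the condition that selects the detailed branch presumably tests the same 2000 outside the hunk and should use the same constant. The notice line is also well over any reasonable column limit and would read better split across string concatenations. updateSink starts before the hunk and continues after it.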
From: rmani Date: Tue, 27 Oct 2015 16:30:08 -0700 Subject: [PATCH 082/202] RANGER-586:Ranger plugins should not add dependent libraries to component's CLASSPATH --- agents-common/scripts/enable-agent.sh | 24 +- hbase-agent/pom.xml | 5 + plugin-kafka/pom.xml | 5 + .../authorizer/RangerKafkaAuthorizer.java | 6 +- pom.xml | 16 +- ranger-hbase-plugin-shim/pom.xml | 73 + .../XaSecureAuthorizationCoprocessor.java | 6 +- .../access/RangerAccessControlLists.java | 0 .../hbase/RangerAuthorizationCoprocessor.java | 3701 +++++++++++++++++ .../access/RangerAccessControlListsTest.java | 0 ranger-hdfs-plugin-shim/pom.xml | 74 + .../hadoop/RangerHdfsAuthorizer.java | 191 + ranger-hive-plugin-shim/pom.xml | 105 + .../XaSecureHiveAuthorizerFactory.java | 32 + .../RangerHiveAuthorizerFactory.java | 121 + ranger-kafka-plugin-shim/pom.xml | 56 + .../authorizer/RangerKafkaAuthorizer.java | 248 ++ ranger-knox-plugin-shim/pom.xml | 91 + .../knox/filter/XASecurePDPKnoxFilter.java | 0 .../knox/RangerPDPKnoxFilter.java | 153 + ranger-plugin-classloader/pom.xml | 55 + .../classloader/RangerPluginClassLoader.java | 292 ++ .../RangerPluginClassLoaderUtil.java | 150 + .../test/Impl/TestChildFistClassLoader.java | 56 + .../classloader/test/Impl/TestPluginImpl.java | 32 + .../classloader/test/Impl/TestPrint.java | 28 + .../plugin/classloader/test/TestPlugin.java | 24 + .../classloader/test/TestPrintParent.java | 29 + ranger-storm-plugin-shim/pom.xml | 76 + .../authorizer/XaSecureStormAuthorizer.java | 0 .../authorizer/RangerStormAuthorizer.java | 138 + ranger-yarn-plugin-shim/pom.xml | 66 + .../yarn/authorizer/RangerYarnAuthorizer.java | 205 + src/main/assembly/hbase-agent.xml | 25 +- src/main/assembly/hdfs-agent.xml | 65 +- src/main/assembly/hive-agent.xml | 25 +- src/main/assembly/knox-agent.xml | 22 +- src/main/assembly/plugin-kafka.xml | 40 +- src/main/assembly/plugin-yarn.xml | 24 +- src/main/assembly/storm-agent.xml | 23 +- 40 files changed, 6202 insertions(+), 80 deletions(-) create mode 
100644 ranger-hbase-plugin-shim/pom.xml rename {hbase-agent => ranger-hbase-plugin-shim}/src/main/java/com/xasecure/authorization/hbase/XaSecureAuthorizationCoprocessor.java (86%) rename {hbase-agent => ranger-hbase-plugin-shim}/src/main/java/org/apache/hadoop/hbase/security/access/RangerAccessControlLists.java (100%) create mode 100644 ranger-hbase-plugin-shim/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java rename {hbase-agent/src/test/java => ranger-hbase-plugin-shim/src/main/test}/org/apache/hadoop/hbase/security/access/RangerAccessControlListsTest.java (100%) create mode 100644 ranger-hdfs-plugin-shim/pom.xml create mode 100644 ranger-hdfs-plugin-shim/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java create mode 100644 ranger-hive-plugin-shim/pom.xml create mode 100644 ranger-hive-plugin-shim/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizerFactory.java create mode 100644 ranger-hive-plugin-shim/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizerFactory.java create mode 100644 ranger-kafka-plugin-shim/pom.xml create mode 100644 ranger-kafka-plugin-shim/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java create mode 100644 ranger-knox-plugin-shim/pom.xml rename {knox-agent => ranger-knox-plugin-shim}/src/main/java/com/xasecure/pdp/knox/filter/XASecurePDPKnoxFilter.java (100%) create mode 100644 ranger-knox-plugin-shim/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java create mode 100644 ranger-plugin-classloader/pom.xml create mode 100644 ranger-plugin-classloader/src/main/java/org/apache/ranger/plugin/classloader/RangerPluginClassLoader.java create mode 100644 ranger-plugin-classloader/src/main/java/org/apache/ranger/plugin/classloader/RangerPluginClassLoaderUtil.java create mode 100644 
ranger-plugin-classloader/src/test/java/org/apache/ranger/plugin/classloader/test/Impl/TestChildFistClassLoader.java create mode 100644 ranger-plugin-classloader/src/test/java/org/apache/ranger/plugin/classloader/test/Impl/TestPluginImpl.java create mode 100644 ranger-plugin-classloader/src/test/java/org/apache/ranger/plugin/classloader/test/Impl/TestPrint.java create mode 100644 ranger-plugin-classloader/src/test/java/org/apache/ranger/plugin/classloader/test/TestPlugin.java create mode 100644 ranger-plugin-classloader/src/test/java/org/apache/ranger/plugin/classloader/test/TestPrintParent.java create mode 100644 ranger-storm-plugin-shim/pom.xml rename {storm-agent => ranger-storm-plugin-shim}/src/main/java/com/xasecure/authorization/storm/authorizer/XaSecureStormAuthorizer.java (100%) create mode 100644 ranger-storm-plugin-shim/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizer.java create mode 100644 ranger-yarn-plugin-shim/pom.xml create mode 100644 ranger-yarn-plugin-shim/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java diff --git a/agents-common/scripts/enable-agent.sh b/agents-common/scripts/enable-agent.sh index f3db1253f20..32e922d93b8 100755 --- a/agents-common/scripts/enable-agent.sh +++ b/agents-common/scripts/enable-agent.sh @@ -121,6 +121,9 @@ INSTALL_ARGS="${PROJ_INSTALL_DIR}/install.properties" COMPONENT_INSTALL_ARGS="${PROJ_INSTALL_DIR}/${COMPONENT_NAME}-install.properties" JAVA=$JAVA_HOME/bin/java +PLUGIN_DEPENDENT_LIB_DIR=lib/"${PROJ_NAME}-${COMPONENT_NAME}-impl" +PROJ_LIB_PLUGIN_DIR=${PROJ_INSTALL_DIR}/${PLUGIN_DEPENDENT_LIB_DIR} + HCOMPONENT_INSTALL_DIR_NAME=$(getInstallProperty 'COMPONENT_INSTALL_DIR_NAME') 
@@ -179,6 +182,8 @@ elif [ "${HCOMPONENT_NAME}" = "solr" ]; then HCOMPONENT_LIB_DIR=${HCOMPONENT_INSTALL_DIR}/solr-webapp/webapp/WEB-INF/lib elif [ "${HCOMPONENT_NAME}" = "kafka" ]; then HCOMPONENT_LIB_DIR=${HCOMPONENT_INSTALL_DIR}/libs +elif [ "${HCOMPONENT_NAME}" = "storm" ]; then + HCOMPONENT_LIB_DIR=${HCOMPONENT_INSTALL_DIR}/extlib-daemon fi HCOMPONENT_CONF_DIR=${HCOMPONENT_INSTALL_DIR}/conf @@ -496,8 +501,7 @@ then #if [ -d "${PROJ_LIB_DIR}" ] #then dt=`date '+%Y%m%d%H%M%S'` - dbJar=$(getInstallProperty 'SQL_CONNECTOR_JAR') - for f in ${PROJ_LIB_DIR}/*.jar ${dbJar} + for f in ${PROJ_LIB_DIR}/*.jar do if [ -f "${f}" ] then @@ -513,6 +517,22 @@ then fi fi done + + # ADD SQL CONNECTOR JAR TO PLUGIN DEPENDENCY JAR FOLDER + dbJar=$(getInstallProperty 'SQL_CONNECTOR_JAR') + if [ -f "${dbJar}" ] + then + bn=`basename ${dbJar}` + if [ -f ${PROJ_LIB_PLUGIN_DIR}/${bn} ] + then + rm ${PROJ_LIB_PLUGIN_DIR}/${bn} + fi + if [ ! -f ${PROJ_LIB_PLUGIN_DIR}/${bn} ] + then + ln -s ${dbJar} ${PROJ_LIB_PLUGIN_DIR}/${bn} + fi + fi + #fi # diff --git a/hbase-agent/pom.xml b/hbase-agent/pom.xml index b4664f3766b..edad495bbcf 100644 --- a/hbase-agent/pom.xml +++ b/hbase-agent/pom.xml @@ -47,6 +47,11 @@ ranger-plugins-common ${project.version} + + security_plugins.ranger-hbase-plugin-shim + ranger-hbase-plugin-shim + ${project.version} + security_plugins.ranger-plugins-audit ranger-plugins-audit diff --git a/plugin-kafka/pom.xml b/plugin-kafka/pom.xml index afee47d4213..e14e48c45b4 100644 --- a/plugin-kafka/pom.xml +++ b/plugin-kafka/pom.xml @@ -47,5 +47,10 @@ kafka_2.10 ${kafka.version} + + org.apache.hadoop + hadoop-hdfs + ${hadoop.version} + diff --git a/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java b/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java index dbb2723709b..c5e955d30b0 100644 
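Review bot: `if [ -f ${PROJ_LIB_PLUGIN_DIR}/${bn} ]` does not detect a dangling symlink, because `-f` follows the link, so a connector jar that moved since the last run leaves a stale link in place and the subsequent `ln -s` fails with "File exists"; testing `[ -e "$p" ] || [ -L "$p" ]` before the rm covers that case, and the second `[ ! -f ... ]` test becomes redundant once the rm has run. `${dbJar}`, `${PROJ_LIB_PLUGIN_DIR}` and `${bn}` are unquoted throughout, and a relative SQL_CONNECTOR_JAR value makes `ln -s ${dbJar}` a link relative to the plugin lib directory rather than to the install directory, which is probably not what the property author expects; quoting the expansions and resolving dbJar to an absolute path before the ln avoids both. The same quoting applies to the `PROJ_LIB_PLUGIN_DIR` assignment added earlier in this file.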
--- a/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java +++ b/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java @@ -19,10 +19,7 @@ package org.apache.ranger.authorization.kafka.authorizer; -import java.io.IOException; -import java.security.Principal; import java.util.Date; - import javax.security.auth.Subject; import kafka.security.auth.Acl; @@ -104,8 +101,7 @@ public void initialize(KafkaConfig kafkaConfig) { } @Override - public boolean authorize(Session session, Operation operation, - Resource resource) { + public boolean authorize(Session session, Operation operation, Resource resource) { if (rangerPlugin == null) { MiscUtil.logErrorMessageByInterval(logger, diff --git a/pom.xml b/pom.xml index 0ccf12e55d9..835894da66a 100644 --- a/pom.xml +++ b/pom.xml @@ -14,8 +14,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. ---> - +--> 4.0.0 org.apache @@ -97,6 +96,13 @@ unixauthservice ranger-util plugin-kms + ranger-hdfs-plugin-shim + ranger-plugin-classloader + ranger-hive-plugin-shim + ranger-hbase-plugin-shim + ranger-knox-plugin-shim + ranger-yarn-plugin-shim + ranger-storm-plugin-shim 1.7 @@ -151,7 +157,7 @@ 2.6 4.11 0.8.2.0 - + 1.8.4 1.3 0.6.0 @@ -505,7 +511,7 @@ process-resources - + @@ -524,4 +530,4 @@ - + \ No newline at end of file diff --git a/ranger-hbase-plugin-shim/pom.xml b/ranger-hbase-plugin-shim/pom.xml new file mode 100644 index 00000000000..39fa139aae8 --- /dev/null +++ b/ranger-hbase-plugin-shim/pom.xml 
@@ -0,0 +1,73 @@ + + + + 4.0.0 + security_plugins.ranger-hbase-plugin-shim + ranger-hbase-plugin-shim + HBase Security Plugin Shim + HBase Security Plugins Shim + jar + + UTF-8 + + + org.apache.ranger + ranger + 0.5.0 + .. + + + + org.apache.hbase + hbase-server + ${hbase.version} + + + org.apache.hadoop + hadoop-hdfs + ${hadoop.version} + + + security_plugins.ranger-plugins-common + ranger-plugins-common + ${project.version} + + + security_plugins.ranger-plugins-audit + ranger-plugins-audit + ${project.version} + + + security_plugins.ranger-plugin-classloader + ranger-plugin-classloader + ${project.version} + + + com.google.code.gson + gson + + + org.mockito + mockito-core + + + org.hamcrest + hamcrest-integration + + + diff --git a/hbase-agent/src/main/java/com/xasecure/authorization/hbase/XaSecureAuthorizationCoprocessor.java b/ranger-hbase-plugin-shim/src/main/java/com/xasecure/authorization/hbase/XaSecureAuthorizationCoprocessor.java similarity index 86% rename from hbase-agent/src/main/java/com/xasecure/authorization/hbase/XaSecureAuthorizationCoprocessor.java rename to ranger-hbase-plugin-shim/src/main/java/com/xasecure/authorization/hbase/XaSecureAuthorizationCoprocessor.java index 2a4f440cabb..bc01e517c44 100644 --- a/hbase-agent/src/main/java/com/xasecure/authorization/hbase/XaSecureAuthorizationCoprocessor.java +++ b/ranger-hbase-plugin-shim/src/main/java/com/xasecure/authorization/hbase/XaSecureAuthorizationCoprocessor.java 
@@ -18,8 +18,9 @@ */ package com.xasecure.authorization.hbase; +import org.apache.hadoop.hbase.coprocessor.CoprocessorService; +import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.AccessControlService; import org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor; - /** * This class exists only to provide for seamless upgrade/downgrade capabilities. Coprocessor name is in hbase config files in /etc/.../conf which * is not only out of bounds for any upgrade script but also must be of a form to allow for downgrad! Thus when class names were changed XaSecure* -> Ranger* @@ -28,6 +29,5 @@ * This class is final because if one needs to customize coprocessor it is expected that RangerAuthorizationCoprocessor would be modified/extended as that is * the "real" coprocessor! This class, hence, should NEVER be more than an EMPTY shell! */ -public final class XaSecureAuthorizationCoprocessor extends RangerAuthorizationCoprocessor { - +public final class XaSecureAuthorizationCoprocessor extends RangerAuthorizationCoprocessor implements AccessControlService.Interface, CoprocessorService { } diff --git a/hbase-agent/src/main/java/org/apache/hadoop/hbase/security/access/RangerAccessControlLists.java b/ranger-hbase-plugin-shim/src/main/java/org/apache/hadoop/hbase/security/access/RangerAccessControlLists.java similarity index 100% rename from hbase-agent/src/main/java/org/apache/hadoop/hbase/security/access/RangerAccessControlLists.java rename to ranger-hbase-plugin-shim/src/main/java/org/apache/hadoop/hbase/security/access/RangerAccessControlLists.java diff --git a/ranger-hbase-plugin-shim/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java b/ranger-hbase-plugin-shim/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java new file mode 100644 index 00000000000..a9b3cad20bb --- /dev/null 
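Review bot: The added `implements AccessControlService.Interface, CoprocessorService` re-declares interfaces that the superclass already lists (the shim's RangerAuthorizationCoprocessor created in this commit implements both), so the clause is redundant for the type system while the class Javadoc still insists the class be an empty shell. If something inspects this class's own declared interfaces rather than its inherited ones (inferred, not visible here), record that on the class line, e.g. `// interfaces re-declared because the coprocessor lookup reads this class's declared interfaces directly — confirm`; otherwise drop the clause so the shell stays empty as documented.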
+++ b/ranger-hbase-plugin-shim/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java 
@@ -0,0 +1,3701 @@ +/** + * + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.ranger.authorization.hbase; + +import java.io.IOException; +import java.util.List; +import java.util.NavigableSet; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.apache.hadoop.fs.FileSystem; +import org.apache.hadoop.fs.Path; +import org.apache.hadoop.hbase.Cell; +import org.apache.hadoop.hbase.CellScanner; +import org.apache.hadoop.hbase.Coprocessor; +import org.apache.hadoop.hbase.CoprocessorEnvironment; +import org.apache.hadoop.hbase.HColumnDescriptor; +import org.apache.hadoop.hbase.HRegionInfo; +import org.apache.hadoop.hbase.HTableDescriptor; +import org.apache.hadoop.hbase.NamespaceDescriptor; +import org.apache.hadoop.hbase.ServerName; +import org.apache.hadoop.hbase.TableName; +import org.apache.hadoop.hbase.client.Append; +import org.apache.hadoop.hbase.client.Delete; +import org.apache.hadoop.hbase.client.Durability; +import org.apache.hadoop.hbase.client.Get; +import org.apache.hadoop.hbase.client.Increment; +import org.apache.hadoop.hbase.client.Mutation; +import org.apache.hadoop.hbase.client.Put; +import org.apache.hadoop.hbase.client.Result; +import 
org.apache.hadoop.hbase.client.Scan; +import org.apache.hadoop.hbase.coprocessor.BulkLoadObserver; +import org.apache.hadoop.hbase.coprocessor.CoprocessorService; +import org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment; +import org.apache.hadoop.hbase.coprocessor.MasterObserver; +import org.apache.hadoop.hbase.coprocessor.ObserverContext; +import org.apache.hadoop.hbase.coprocessor.RegionCoprocessorEnvironment; +import org.apache.hadoop.hbase.coprocessor.RegionObserver; +import org.apache.hadoop.hbase.coprocessor.RegionServerCoprocessorEnvironment; +import org.apache.hadoop.hbase.coprocessor.RegionServerObserver; +import org.apache.hadoop.hbase.filter.ByteArrayComparable; +import org.apache.hadoop.hbase.filter.CompareFilter.CompareOp; +import org.apache.hadoop.hbase.io.FSDataInputStreamWrapper; +import org.apache.hadoop.hbase.io.Reference; +import org.apache.hadoop.hbase.io.hfile.CacheConfig; +import org.apache.hadoop.hbase.master.RegionPlan; +import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos; +import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.CheckPermissionsRequest; +import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.CheckPermissionsResponse; +import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.GetUserPermissionsRequest; +import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.GetUserPermissionsResponse; +import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.GrantRequest; +import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.GrantResponse; +import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.RevokeRequest; +import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.RevokeResponse; +import org.apache.hadoop.hbase.protobuf.generated.AdminProtos.WALEntry; +import org.apache.hadoop.hbase.protobuf.generated.HBaseProtos.SnapshotDescription; +import 
org.apache.hadoop.hbase.protobuf.generated.QuotaProtos.Quotas; +import org.apache.hadoop.hbase.protobuf.generated.SecureBulkLoadProtos.CleanupBulkLoadRequest; +import org.apache.hadoop.hbase.protobuf.generated.SecureBulkLoadProtos.PrepareBulkLoadRequest; +import org.apache.hadoop.hbase.regionserver.DeleteTracker; +import org.apache.hadoop.hbase.regionserver.InternalScanner; +import org.apache.hadoop.hbase.regionserver.KeyValueScanner; +import org.apache.hadoop.hbase.regionserver.MiniBatchOperationInProgress; +import org.apache.hadoop.hbase.regionserver.Region; +import org.apache.hadoop.hbase.regionserver.Region.Operation; +import org.apache.hadoop.hbase.regionserver.RegionScanner; +import org.apache.hadoop.hbase.regionserver.ScanType; +import org.apache.hadoop.hbase.regionserver.Store; +import org.apache.hadoop.hbase.regionserver.StoreFile; +import org.apache.hadoop.hbase.regionserver.StoreFile.Reader; +import org.apache.hadoop.hbase.regionserver.compactions.CompactionRequest; +import org.apache.hadoop.hbase.regionserver.wal.HLogKey; +import org.apache.hadoop.hbase.regionserver.wal.WALEdit; +import org.apache.hadoop.hbase.replication.ReplicationEndpoint; +import org.apache.hadoop.hbase.security.access.RangerAccessControlLists; +import org.apache.hadoop.hbase.util.Pair; +import org.apache.hadoop.hbase.wal.WALKey; +import org.apache.ranger.plugin.classloader.RangerPluginClassLoader; + +import com.google.common.collect.ImmutableList; +import com.google.protobuf.RpcCallback; +import com.google.protobuf.RpcController; +import com.google.protobuf.Service; + +public class RangerAuthorizationCoprocessor implements MasterObserver, RegionObserver, RegionServerObserver, BulkLoadObserver, AccessControlProtos.AccessControlService.Interface, CoprocessorService, Coprocessor { + + public static final Log LOG = LogFactory.getLog(RangerAuthorizationCoprocessor.class); + private static final String RANGER_PLUGIN_TYPE = "hbase"; + private static final String[] RANGER_PLUGIN_LIB_DIR = 
new String[] {"lib/ranger-hbase-plugin"}; + private static final String RANGER_HBASE_AUTHORIZER_IMPL_CLASSNAME = "org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor"; + private static final String ACCESSCONTROLLISTS_CLASSNAME = "org.apache.hadoop.hbase.security.access.AccessControlLists"; + + private static RangerPluginClassLoader rangerPluginClassLoader = null; + + private Object impl = null; + private MasterObserver implMasterObserver = null; + private RegionObserver implRegionObserver = null; + private RegionServerObserver implRegionServerObserver = null; + private BulkLoadObserver implBulkLoadObserver = null; + private AccessControlProtos.AccessControlService.Interface implAccessControlService = null; + private CoprocessorService implCoprocessorService = null; + + public RangerAuthorizationCoprocessor() { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.RangerAuthorizationCoprocessor()"); + } + + this.init(); + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.RangerAuthorizationCoprocessor()"); + } + } + + private void init(){ + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.init()"); + } + + try { + + rangerPluginClassLoader = RangerPluginClassLoader.getInstance(RANGER_PLUGIN_TYPE, this.getClass()); + + @SuppressWarnings("unchecked") + Class cls = Class.forName(RANGER_HBASE_AUTHORIZER_IMPL_CLASSNAME, true, rangerPluginClassLoader); + + activatePluginClassLoader(); + + impl = cls.newInstance(); + implMasterObserver = (MasterObserver)impl; + implRegionObserver = (RegionObserver)impl; + implRegionServerObserver = (RegionServerObserver)impl; + implBulkLoadObserver = (BulkLoadObserver)impl; + implAccessControlService = (AccessControlProtos.AccessControlService.Interface)impl; + implCoprocessorService = (CoprocessorService)impl; + + } catch (Exception e) { + // check what need to be done + LOG.error("Error Enabling RangerHdfsPluing", e); + } finally { + 
deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.init()"); + } + } + + @Override + public Service getService() { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.getService()"); + } + Service ret = null; + try { + activatePluginClassLoader(); + ret = implCoprocessorService.getService(); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.getService()" + ret); + } + + return ret; + } + + + @Override + public void postScannerClose(ObserverContext c, InternalScanner s) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.postScannerClose()"); + } + + try { + activatePluginClassLoader(); + implRegionObserver.postScannerClose(c, s); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.postScannerClose()"); + } + } + + @Override + public RegionScanner postScannerOpen(ObserverContext c, Scan scan, RegionScanner s) throws IOException { + RegionScanner ret = null; + + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.postScannerOpen()"); + } + + try { + activatePluginClassLoader(); + ret = implRegionObserver.postScannerOpen(c, scan, s); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.postScannerOpen()"); + } + + return ret; + } + + @Override + public void postStartMaster(ObserverContext ctx) throws IOException { + + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.postStartMaster()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.postStartMaster(ctx); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.postStartMaster()"); + } + + } + + @Override + public void 
preAddColumn(ObserverContext c,TableName tableName, HColumnDescriptor column) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.preAddColumn()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.preAddColumn(c, tableName, column); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.preAddColumn()"); + } + } + + @Override + public Result preAppend(ObserverContext c, Append append) throws IOException { + Result ret = null; + + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.preAppend()"); + } + + try { + activatePluginClassLoader(); + ret = implRegionObserver.preAppend(c, append); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.preAppend()"); + } + + return ret; + } + + @Override + public void preAssign(ObserverContext c, HRegionInfo regionInfo) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.preAssign()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.preAssign(c, regionInfo); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.preAssign()"); + } + } + + @Override + public void preBalance(ObserverContext c) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.preBalance()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.preBalance(c); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.preBalance()"); + } + } + + @Override + public boolean preBalanceSwitch(ObserverContext c, boolean newValue) throws IOException { + boolean ret = false; + + if(LOG.isDebugEnabled()) { + LOG.debug("==> 
RangerAuthorizationCoprocessor.preBalanceSwitch()"); + } + + try { + activatePluginClassLoader(); + ret = implMasterObserver.preBalanceSwitch(c, newValue); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.preBalanceSwitch()"); + } + + return ret; + } + + @Override + public void preBulkLoadHFile(ObserverContext ctx, List> familyPaths) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.preBulkLoadHFile()"); + } + + try { + activatePluginClassLoader(); + implRegionObserver.preBulkLoadHFile(ctx, familyPaths); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.preBulkLoadHFile()"); + } + + } + + @Override + public boolean preCheckAndDelete(ObserverContext c, byte[] row, byte[] family, byte[] qualifier, CompareOp compareOp, ByteArrayComparable comparator, Delete delete, boolean result) throws IOException { + boolean ret = false; + + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.preCheckAndDelete()"); + } + + try { + activatePluginClassLoader(); + ret = implRegionObserver.preCheckAndDelete(c, row, family, qualifier, compareOp,comparator, delete, result); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.preCheckAndDelete()"); + } + + return ret; + } + + @Override + public boolean preCheckAndPut(ObserverContext c, byte[] row, byte[] family, byte[] qualifier, CompareOp compareOp, ByteArrayComparable comparator, Put put, boolean result) throws IOException { + boolean ret = false; + + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.preCheckAndPut()"); + } + + try { + activatePluginClassLoader(); + ret = implRegionObserver.preCheckAndPut(c, row, family, qualifier, compareOp, comparator,put, result); + } finally { + 
deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.preCheckAndPut()"); + } + + return ret; + } + + @Override + public void preCloneSnapshot(ObserverContext ctx, SnapshotDescription snapshot, HTableDescriptor hTableDescriptor) throws IOException { + + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.preCloneSnapshot()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.preCloneSnapshot(ctx, snapshot, hTableDescriptor); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.preCloneSnapshot()"); + } + } + + @Override + public void preClose(ObserverContext e,boolean abortRequested) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.preClose()"); + } + + try { + activatePluginClassLoader(); + implRegionObserver.preClose(e, abortRequested); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.preClose()"); + } + } + + @Override + public InternalScanner preCompact(ObserverContext e, Store store, InternalScanner scanner, ScanType scanType) throws IOException { + InternalScanner ret = null; + + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.preCompact()"); + } + + try { + activatePluginClassLoader(); + ret = implRegionObserver.preCompact(e, store, scanner, scanType); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.preCompact()"); + } + + return ret; + } + + @Override + public void preCompactSelection(ObserverContext e, Store store,List candidates) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.preCompactSelection()"); + } + + try { + activatePluginClassLoader(); + implRegionObserver.preCompactSelection(e, store, 
candidates); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.preCompactSelection()"); + } + } + + @Override + public void preCreateTable(ObserverContext c, HTableDescriptor desc, HRegionInfo[] regions) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.preCreateTable()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.preCreateTable(c, desc, regions); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.preCreateTable()"); + } + } + + @Override + public void preDelete(ObserverContext c, Delete delete, WALEdit edit, Durability durability) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.preDelete()"); + } + + try { + activatePluginClassLoader(); + implRegionObserver.preDelete(c, delete, edit, durability); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.preDelete()"); + } + } + + @Override + public void preDeleteColumn(ObserverContext c,TableName tableName, byte[] col) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.preDeleteColumn()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.preDeleteColumn(c, tableName, col); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.preDeleteColumn()"); + } + } + + @Override + public void preDeleteSnapshot(ObserverContext ctx, SnapshotDescription snapshot) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.preDeleteSnapshot()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.preDeleteSnapshot(ctx, snapshot); + } finally { + deactivatePluginClassLoader(); + } + + 
if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preDeleteSnapshot()");
+ }
+ }
+
+ @Override
+ public void preDeleteTable(ObserverContext c, TableName tableName) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preDeleteTable()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.preDeleteTable(c, tableName);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preDeleteTable()");
+ }
+ }
+
+ @Override
+ public void preDisableTable(ObserverContext c, TableName tableName) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preDisableTable()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.preDisableTable(c, tableName);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preDisableTable()");
+ }
+ }
+
+ @Override
+ public void preEnableTable(ObserverContext c, TableName tableName) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preEnableTable()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.preEnableTable(c, tableName);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preEnableTable()");
+ }
+ }
+
+ @Override
+ public boolean preExists(ObserverContext c, Get get, boolean exists) throws IOException {
+ boolean ret = false;
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preExists()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ ret = implRegionObserver.preExists(c, get, exists);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preExists()");
+ }
+
+ return ret;
+ }
+
+ @Override
+ public void 
preFlush(ObserverContext e) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preFlush()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionObserver.preFlush(e);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preFlush()");
+ }
+ }
+
+ @Override
+ public void preGetClosestRowBefore( ObserverContext c, byte[] row, byte[] family, Result result) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preGetClosestRowBefore()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionObserver.preGetClosestRowBefore(c, row, family, result);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preGetClosestRowBefore()");
+ }
+ }
+
+ @Override
+ public Result preIncrement(ObserverContext c, Increment increment) throws IOException {
+ Result ret = null;
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preIncrement()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ ret = implRegionObserver.preIncrement(c, increment);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preIncrement()");
+ }
+
+ return ret;
+ }
+
+ @Override
+ public long preIncrementColumnValue(ObserverContext c, byte[] row,byte[] family, byte[] qualifier, long amount, boolean writeToWAL) throws IOException {
+ long ret;
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preIncrementColumnValue()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ ret = implRegionObserver.preIncrementColumnValue(c, row, family, qualifier, amount,writeToWAL);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preIncrementColumnValue()");
+ }
+
+ return ret;
+ }
+
+ @Override
+ public void preModifyColumn( ObserverContext c, TableName tableName, HColumnDescriptor descriptor) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preModifyColumn()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.preModifyColumn(c, tableName, descriptor);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preModifyColumn()");
+ }
+ }
+
+ @Override
+ public void preModifyTable(ObserverContext c, TableName tableName, HTableDescriptor htd) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preModifyTable()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.preModifyTable(c, tableName, htd);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preModifyTable()");
+ }
+ }
+
+ @Override
+ public void preMove(ObserverContext c, HRegionInfo region, ServerName srcServer, ServerName destServer) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preMove()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.preMove(c, region, srcServer, destServer);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preMove()");
+ }
+ }
+
+ @Override
+ public void preOpen(ObserverContext e) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preOpen()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionObserver.preOpen(e);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preOpen()");
+ }
+ }
+
+ @Override
+ public void preRestoreSnapshot( ObserverContext ctx, SnapshotDescription snapshot, HTableDescriptor 
hTableDescriptor) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preRestoreSnapshot()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.preRestoreSnapshot(ctx, snapshot, hTableDescriptor);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preRestoreSnapshot()");
+ }
+ }
+
+ @Override
+ public void preScannerClose(ObserverContext c, InternalScanner s) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preScannerClose()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionObserver.preScannerClose(c, s);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preScannerClose()");
+ }
+ }
+
+ @Override
+ public boolean preScannerNext(ObserverContext c, InternalScanner s, List result, int limit, boolean hasNext) throws IOException {
+ boolean ret = false;
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preScannerNext()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ ret = implRegionObserver.preScannerNext(c, s, result, limit, hasNext);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preScannerNext()");
+ }
+
+ return ret;
+ }
+
+ @Override
+ public RegionScanner preScannerOpen(ObserverContext c, Scan scan, RegionScanner s) throws IOException {
+ RegionScanner ret = null;
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preScannerOpen()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ ret = implRegionObserver.preScannerOpen(c, scan, s);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preScannerOpen()");
+ }
+
+ return ret;
+ }
+
+ @Override
+ public void 
preShutdown(ObserverContext c) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preShutdown()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.preShutdown(c);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preShutdown()");
+ }
+ }
+
+ @Override
+ public void preSnapshot(ObserverContext ctx, SnapshotDescription snapshot, HTableDescriptor hTableDescriptor) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preSnapshot()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.preSnapshot(ctx, snapshot, hTableDescriptor);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preSnapshot()");
+ }
+ }
+
+ @Override
+ public void preSplit(ObserverContext e) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preSplit()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionObserver.preSplit(e);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preSplit()");
+ }
+ }
+
+ @Override
+ public void preStopMaster(ObserverContext c) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preStopMaster()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.preStopMaster(c);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preStopMaster()");
+ }
+ }
+
+ @Override
+ public void preStopRegionServer( ObserverContext env) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preStopRegionServer()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionServerObserver.preStopRegionServer(env); 
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preStopRegionServer()");
+ }
+ }
+
+ @Override
+ public void preUnassign(ObserverContext c, HRegionInfo regionInfo, boolean force) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preUnassign()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.preUnassign(c, regionInfo, force);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preUnassign()");
+ }
+ }
+
+ @Override
+ public void preSetUserQuota(ObserverContext ctx, String userName, Quotas quotas) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preSetUserQuota()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.preSetUserQuota(ctx, userName, quotas);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preSetUserQuota()");
+ }
+ }
+
+ @Override
+ public void preSetUserQuota( ObserverContext ctx, String userName, TableName tableName, Quotas quotas) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preSetUserQuota()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.preSetUserQuota(ctx, userName, tableName, quotas);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preSetUserQuota()");
+ }
+ }
+
+ @Override
+ public void preSetUserQuota(ObserverContext ctx, String userName, String namespace, Quotas quotas) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preSetUserQuota()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.preSetUserQuota(ctx, userName, namespace, quotas);
+ } finally {
+ 
deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preSetUserQuota()");
+ }
+ }
+
+ @Override
+ public void preSetTableQuota(ObserverContext ctx, TableName tableName, Quotas quotas) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preSetTableQuota()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.preSetTableQuota(ctx, tableName, quotas);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preSetTableQuota()");
+ }
+ }
+
+ @Override
+ public void preSetNamespaceQuota(ObserverContext ctx, String namespace, Quotas quotas) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preSetNamespaceQuota()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.preSetNamespaceQuota(ctx, namespace, quotas);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preSetNamespaceQuota()");
+ }
+ }
+
+ @Override
+ public void start(CoprocessorEnvironment env) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.start()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.start(env);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.start()");
+ }
+ }
+
+ @Override
+ public void prePut(ObserverContext c, Put put, WALEdit edit, Durability durability) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.prePut()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionObserver.prePut(c, put, edit, durability);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.prePut()");
+ }
+ }
+
+ 
@Override
+ public void preGetOp(ObserverContext rEnv, Get get, List result) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preGetOp()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionObserver.preGetOp(rEnv, get, result);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preGetOp()");
+ }
+ }
+
+ @Override
+ public void preRegionOffline( ObserverContext c,HRegionInfo regionInfo) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preRegionOffline()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.preRegionOffline(c, regionInfo);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preRegionOffline()");
+ }
+ }
+
+ @Override
+ public void preCreateNamespace(ObserverContext ctx,NamespaceDescriptor ns) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preCreateNamespace()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.preCreateNamespace(ctx, ns);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preCreateNamespace()");
+ }
+ }
+
+ @Override
+ public void preDeleteNamespace( ObserverContext ctx, String namespace) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preDeleteNamespace()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.preDeleteNamespace(ctx, namespace);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preDeleteNamespace()");
+ }
+ }
+
+ @Override
+ public void preModifyNamespace(ObserverContext ctx, NamespaceDescriptor ns) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ 
LOG.debug("==> RangerAuthorizationCoprocessor.preModifyNamespace()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.preModifyNamespace(ctx, ns);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preModifyNamespace()");
+ }
+ }
+
+ @Override
+ public void postGetTableDescriptors(ObserverContext ctx, List tableNamesList, List descriptors, String regex) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postGetTableDescriptors()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.postGetTableDescriptors(ctx, tableNamesList, descriptors, regex);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postGetTableDescriptors()");
+ }
+ }
+
+ @Override
+ public void preMerge(ObserverContext ctx, Region regionA, Region regionB) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preMerge()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionServerObserver.preMerge(ctx, regionA, regionB);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preMerge()");
+ }
+ }
+
+ @Override
+ public void prePrepareBulkLoad(ObserverContext ctx, PrepareBulkLoadRequest request) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.prePrepareBulkLoad()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implBulkLoadObserver.prePrepareBulkLoad(ctx, request);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.prePrepareBulkLoad()");
+ }
+ }
+
+ @Override
+ public void preCleanupBulkLoad(ObserverContext ctx, CleanupBulkLoadRequest request) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> 
RangerAuthorizationCoprocessor.preCleanupBulkLoad()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implBulkLoadObserver.preCleanupBulkLoad(ctx, request);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preCleanupBulkLoad()");
+ }
+ }
+
+ @Override
+ public void grant(RpcController controller, GrantRequest request, RpcCallback done) {
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.grant()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implAccessControlService.grant(controller, request, done);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.grant()");
+ }
+ }
+
+ @Override
+ public void revoke(RpcController controller, RevokeRequest request, RpcCallback done) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.revoke()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implAccessControlService.revoke(controller, request, done);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.revoke()");
+ }
+ }
+
+ @Override
+ public void checkPermissions(RpcController controller, CheckPermissionsRequest request, RpcCallback done) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.checkPermissions()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implAccessControlService.checkPermissions(controller, request, done);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.checkPermissions()");
+ }
+ }
+
+ @Override
+ public void getUserPermissions(RpcController controller, GetUserPermissionsRequest request, RpcCallback done) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.getUserPermissions()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ 
implAccessControlService.getUserPermissions(controller, request, done);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.getUserPermissions()");
+ }
+ }
+
+ @Override
+ public void stop(CoprocessorEnvironment env) throws IOException {
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.stop()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.stop(env);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.stop()");
+ }
+ }
+
+ @Override
+ public void postMerge(ObserverContext c, Region regionA, Region regionB, Region mergedRegion) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postMerge()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionServerObserver.postMerge(c,regionA, regionB, mergedRegion);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postMerge()");
+ }
+ }
+
+ @Override
+ public void preMergeCommit(ObserverContext ctx, Region regionA, Region regionB, List metaEntries) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preMergeCommit()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionServerObserver.preMergeCommit(ctx ,regionA, regionB, metaEntries);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preMergeCommit()");
+ }
+ }
+
+ @Override
+ public void postMergeCommit(ObserverContext ctx, Region regionA, Region regionB, Region mergedRegion) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postMergeCommit()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionServerObserver.postMergeCommit(ctx ,regionA, regionB, mergedRegion); 
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postMergeCommit()");
+ }
+ }
+
+ @Override
+ public void preRollBackMerge(ObserverContext ctx,Region regionA, Region regionB) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preRollBackMerge()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionServerObserver.preRollBackMerge(ctx ,regionA, regionB);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preRollBackMerge()");
+ }
+ }
+
+ @Override
+ public void postRollBackMerge(ObserverContext ctx, Region regionA, Region regionB) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postRollBackMerge()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionServerObserver.postRollBackMerge(ctx ,regionA, regionB);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postRollBackMerge()");
+ }
+ }
+
+ @Override
+ public void preRollWALWriterRequest(ObserverContext ctx) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preRollWALWriterRequest()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionServerObserver.preRollWALWriterRequest(ctx);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preRollWALWriterRequest()");
+ }
+ }
+
+ @Override
+ public void postRollWALWriterRequest(ObserverContext ctx) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postRollWALWriterRequest()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionServerObserver.postRollWALWriterRequest(ctx);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) { 
+ LOG.debug("<== RangerAuthorizationCoprocessor.postRollWALWriterRequest()");
+ }
+ }
+
+ @Override
+ public ReplicationEndpoint postCreateReplicationEndPoint(ObserverContext ctx, ReplicationEndpoint endpoint) {
+
+ ReplicationEndpoint ret = null;
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postCreateReplicationEndPoint()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ ret = implRegionServerObserver.postCreateReplicationEndPoint(ctx,endpoint);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postCreateReplicationEndPoint()");
+ }
+
+ return ret;
+ }
+
+ @Override
+ public void preReplicateLogEntries(ObserverContext ctx, List entries, CellScanner cells) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preReplicateLogEntries()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionServerObserver.preReplicateLogEntries(ctx, entries, cells);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preReplicateLogEntries()");
+ }
+ }
+
+ @Override
+ public void postReplicateLogEntries(ObserverContext ctx, List entries, CellScanner cells) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postReplicateLogEntries()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionServerObserver.postReplicateLogEntries(ctx, entries, cells);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postReplicateLogEntries()");
+ }
+ }
+
+ @Override
+ public void postOpen(ObserverContext c) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postOpen()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionObserver.postOpen(c);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ 
if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postOpen()");
+ }
+ }
+
+ @Override
+ public void postLogReplay(ObserverContext c) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postLogReplay()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionObserver.postLogReplay(c);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postLogReplay()");
+ }
+ }
+
+ @Override
+ public InternalScanner preFlushScannerOpen( ObserverContext c, Store store, KeyValueScanner memstoreScanner, InternalScanner s) throws IOException {
+
+ InternalScanner ret = null;
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preFlushScannerOpen()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ ret = implRegionObserver.preFlushScannerOpen(c, store, memstoreScanner, s);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preFlushScannerOpen()");
+ }
+
+ return ret;
+ }
+
+ @Override
+ public InternalScanner preFlush(ObserverContext c, Store store, InternalScanner scanner) throws IOException {
+
+ InternalScanner ret = null;
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preFlush()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ ret = implRegionObserver.preFlush(c, store, scanner);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preFlush()");
+ }
+
+ return ret;
+ }
+
+ @Override
+ public void postFlush(ObserverContext c) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postFlush()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionObserver.postFlush(c);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== 
RangerAuthorizationCoprocessor.postFlush()");
+ }
+ }
+
+ @Override
+ public void postFlush(ObserverContext c, Store store, StoreFile resultFile) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postFlush()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionObserver.postFlush(c, store, resultFile);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postFlush()");
+ }
+ }
+
+ @Override
+ public void preCompactSelection(ObserverContext c, Store store, List candidates, CompactionRequest request) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preCompactSelection()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionObserver.preCompactSelection(c, store, candidates, request);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preCompactSelection()");
+ }
+ }
+
+ @Override
+ public void postCompactSelection(ObserverContext c, Store store, ImmutableList selected, CompactionRequest request) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postCompactSelection()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionObserver.postCompactSelection(c, store, selected, request);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postCompactSelection()");
+ }
+ }
+
+ @Override
+ public void postCompactSelection( ObserverContext c, Store store, ImmutableList selected) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postCompactSelection()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionObserver.postCompactSelection(c, store, selected);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== 
RangerAuthorizationCoprocessor.postCompactSelection()");
+ }
+ }
+
+ @Override
+ public InternalScanner preCompact(ObserverContext c, Store store, InternalScanner scanner, ScanType scanType, CompactionRequest request) throws IOException {
+
+ InternalScanner ret = null;
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preCompact()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionObserver.preCompact(c, store, scanner, scanType, request);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preCompact()");
+ }
+
+ return ret;
+ }
+
+ @Override
+ public InternalScanner preCompactScannerOpen(ObserverContext c, Store store, List scanners, ScanType scanType,
+ long earliestPutTs, InternalScanner s, CompactionRequest request) throws IOException {
+ InternalScanner ret = null;
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preCompactScannerOpen()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionObserver.preCompactScannerOpen(c, store, scanners, scanType, earliestPutTs, s,request);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preCompactScannerOpen()");
+ }
+
+ return ret;
+ }
+
+ @Override
+ public InternalScanner preCompactScannerOpen(ObserverContext c, Store store, List scanners, ScanType scanType,
+ long earliestPutTs, InternalScanner s) throws IOException {
+ InternalScanner ret = null;
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preCompactScannerOpen()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionObserver.preCompactScannerOpen(c, store, scanners, scanType, earliestPutTs, s);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preCompactScannerOpen()");
+ }
+
+ return ret;
+ }
+
+ @Override
+ public 
void postCompact(ObserverContext c, Store store, StoreFile resultFile, CompactionRequest request) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postCompact()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionObserver.postCompact(c, store, resultFile, request);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postCompact()");
+ }
+ }
+
+ @Override
+ public void postCompact(ObserverContext c, Store store, StoreFile resultFile) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postCompact()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionObserver.postCompact(c, store, resultFile);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postCompact()");
+ }
+ }
+
+ @Override
+ public void preSplit(ObserverContext c, byte[] splitRow) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preSplit()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionObserver.preSplit(c, splitRow);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preSplit()");
+ }
+ }
+
+ @Override
+ public void postSplit(ObserverContext c, Region l, Region r) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postSplit()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionObserver.postSplit(c, l, r);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postSplit()");
+ }
+ }
+
+ @Override
+ public void preSplitBeforePONR(ObserverContext ctx, byte[] splitKey, List metaEntries) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> 
RangerAuthorizationCoprocessor.preSplitBeforePONR()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionObserver.preSplitBeforePONR(ctx, splitKey, metaEntries);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preSplitBeforePONR()");
+ }
+ }
+
+ @Override
+ public void preSplitAfterPONR(ObserverContext ctx) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preSplitAfterPONR()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionObserver.preSplitAfterPONR(ctx);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preSplitAfterPONR()");
+ }
+ }
+
+ @Override
+ public void preRollBackSplit(ObserverContext ctx) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preRollBackSplit()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionObserver.preRollBackSplit(ctx);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preRollBackSplit()");
+ }
+ }
+
+ @Override
+ public void postRollBackSplit(ObserverContext ctx) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postRollBackSplit()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionObserver.postRollBackSplit(ctx);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postRollBackSplit()");
+ }
+ }
+
+ @Override
+ public void postCompleteSplit(ObserverContext ctx) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postCompleteSplit()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionObserver.postCompleteSplit(ctx);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ 
if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postCompleteSplit()");
+ }
+ }
+
+ @Override
+ public void postClose(ObserverContext c, boolean abortRequested) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postClose()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionObserver.postClose(c,abortRequested);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postClose()");
+ }
+ }
+
+ @Override
+ public void postGetClosestRowBefore(ObserverContext c, byte[] row, byte[] family, Result result) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postGetClosestRowBefore()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionObserver.postGetClosestRowBefore(c, row, family, result);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postGetClosestRowBefore()");
+ }
+ }
+
+ @Override
+ public void postGetOp(ObserverContext c, Get get, List result) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postGetOp()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionObserver.postGetOp(c, get, result);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postGetOp()");
+ }
+ }
+
+ @Override
+ public boolean postExists(ObserverContext c, Get get, boolean exists) throws IOException {
+
+ boolean ret = false;
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postExists()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ ret = implRegionObserver.postExists(c, get, exists);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postExists()");
+ }
+
+ return ret;
+ }
+
+ @Override 
+ public void postPut(ObserverContext c, Put put, WALEdit edit, Durability durability) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postPut()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionObserver.postPut(c, put, edit, durability);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postPut()");
+ }
+ }
+
+ @Override
+ public void prePrepareTimeStampForDeleteVersion( ObserverContext c, Mutation mutation, Cell cell, byte[] byteNow, Get get) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.prePrepareTimeStampForDeleteVersion()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionObserver.prePrepareTimeStampForDeleteVersion(c, mutation, cell, byteNow, get);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.prePrepareTimeStampForDeleteVersion()");
+ }
+ }
+
+ @Override
+ public void postDelete(ObserverContext c, Delete delete, WALEdit edit, Durability durability) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postDelete()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionObserver.postDelete(c, delete, edit, durability);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postDelete()");
+ }
+ }
+
+ @Override
+ public void preBatchMutate(ObserverContext c, MiniBatchOperationInProgress miniBatchOp) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preBatchMutate()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionObserver.preBatchMutate(c, miniBatchOp);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preBatchMutate()");
+ 
}
+ }
+
+ @Override
+ public void postBatchMutate(ObserverContext c, MiniBatchOperationInProgress miniBatchOp) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postBatchMutate()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionObserver.postBatchMutate(c, miniBatchOp);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postBatchMutate()");
+ }
+ }
+
+ @Override
+ public void postStartRegionOperation(ObserverContext ctx, Operation operation) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postStartRegionOperation()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionObserver.postStartRegionOperation(ctx, operation);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postStartRegionOperation()");
+ }
+ }
+
+ @Override
+ public void postCloseRegionOperation(ObserverContext ctx, Operation operation) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postCloseRegionOperation()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionObserver.postCloseRegionOperation(ctx, operation);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postCloseRegionOperation()");
+ }
+ }
+
+ @Override
+ public void postBatchMutateIndispensably(ObserverContext ctx, MiniBatchOperationInProgress miniBatchOp, boolean success) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postBatchMutateIndispensably()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionObserver.postBatchMutateIndispensably(ctx, miniBatchOp, success);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== 
RangerAuthorizationCoprocessor.postBatchMutateIndispensably()");
+ }
+ }
+
+ @Override
+ public boolean preCheckAndPutAfterRowLock(ObserverContext c, byte[] row, byte[] family, byte[] qualifier, CompareOp compareOp,
+ ByteArrayComparable comparator, Put put, boolean result) throws IOException {
+ boolean ret = false;
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preCheckAndPutAfterRowLock()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ ret = implRegionObserver.preCheckAndPutAfterRowLock(c, row, family, qualifier, compareOp, comparator, put, result);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preCheckAndPutAfterRowLock()");
+ }
+ return ret;
+ }
+
+ @Override
+ public boolean postCheckAndPut(ObserverContext c, byte[] row, byte[] family, byte[] qualifier, CompareOp compareOp,
+ ByteArrayComparable comparator, Put put, boolean result) throws IOException {
+ boolean ret = false;
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postCheckAndPut()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ ret = implRegionObserver.postCheckAndPut(c, row, family, qualifier, compareOp, comparator, put, result);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postCheckAndPut()");
+ }
+ return ret;
+ }
+
+ @Override
+ public boolean preCheckAndDeleteAfterRowLock(ObserverContext c, byte[] row, byte[] family, byte[] qualifier, CompareOp compareOp,
+ ByteArrayComparable comparator, Delete delete, boolean result) throws IOException {
+ boolean ret = false;
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preCheckAndDeleteAfterRowLock()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ ret = implRegionObserver.preCheckAndDeleteAfterRowLock(c, row, family, qualifier, compareOp, comparator, delete, result);
+ } finally {
+ 
deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preCheckAndDeleteAfterRowLock()");
+ }
+ return ret;
+ }
+
+ @Override
+ public boolean postCheckAndDelete(ObserverContext c, byte[] row,byte[] family, byte[] qualifier, CompareOp compareOp,
+ ByteArrayComparable comparator, Delete delete, boolean result) throws IOException {
+ boolean ret = false;
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postCheckAndDelete()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ ret = implRegionObserver.postCheckAndDelete(c, row, family, qualifier, compareOp, comparator, delete, result);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postCheckAndDelete()");
+ }
+ return ret;
+ }
+
+ @Override
+ public long postIncrementColumnValue(ObserverContext c, byte[] row, byte[] family, byte[] qualifier, long amount, boolean writeToWAL, long result) throws IOException {
+ long ret = 0;
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postIncrementColumnValue()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ ret = implRegionObserver.postIncrementColumnValue(c, row, family, qualifier, amount, writeToWAL, result);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postIncrementColumnValue()");
+ }
+ return ret;
+ }
+
+ @Override
+ public Result preAppendAfterRowLock(ObserverContext c, Append append) throws IOException {
+ Result ret = null;
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preAppendAfterRowLock()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ ret = implRegionObserver.preAppendAfterRowLock(c, append);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preAppendAfterRowLock()");
+ }
+ 
return ret;
+ }
+
+ @Override
+ public Result postAppend(ObserverContext c, Append append, Result result) throws IOException {
+ Result ret = null;
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postAppend()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ ret = implRegionObserver.postAppend(c, append, result);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postAppend()");
+ }
+
+ return ret;
+ }
+
+ @Override
+ public Result preIncrementAfterRowLock(ObserverContext c, Increment increment) throws IOException {
+ Result ret = null;
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preIncrementAfterRowLock()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ ret = implRegionObserver.preIncrementAfterRowLock(c, increment);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preIncrementAfterRowLock()");
+ }
+
+ return ret;
+ }
+
+ @Override
+ public Result postIncrement(ObserverContext c, Increment increment, Result result) throws IOException {
+ Result ret = null;
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postIncrement()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ ret = implRegionObserver.postIncrement(c, increment, result );
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postIncrement()");
+ }
+
+ return ret;
+ }
+
+ @Override
+ public KeyValueScanner preStoreScannerOpen(ObserverContext c, Store store, Scan scan, NavigableSet targetCols, KeyValueScanner s) throws IOException {
+ KeyValueScanner ret = null;
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preStoreScannerOpen()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ ret = implRegionObserver.preStoreScannerOpen(c, store, scan, 
targetCols, s);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preStoreScannerOpen()");
+ }
+
+ return ret;
+ }
+
+ @Override
+ public boolean postScannerNext( ObserverContext c, InternalScanner s, List result, int limit, boolean hasNext) throws IOException {
+ boolean ret = false;
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postScannerNext()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ ret = implRegionObserver.postScannerNext(c, s, result, limit, hasNext);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postScannerNext()");
+ }
+
+ return ret;
+ }
+
+ @Override
+ public boolean postScannerFilterRow( ObserverContext c, InternalScanner s, byte[] currentRow, int offset, short length, boolean hasMore) throws IOException {
+
+ boolean ret = false;
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postScannerFilterRow()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ ret = implRegionObserver.postScannerFilterRow(c, s, currentRow, offset, length, hasMore);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postScannerFilterRow()");
+ }
+
+ return ret;
+ }
+
+ @Override
+ public void preWALRestore(ObserverContext ctx, HRegionInfo info, WALKey logKey, WALEdit logEdit) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preWALRestore()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionObserver.preWALRestore(ctx, info, logKey, logEdit);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preWALRestore()");
+ }
+ }
+
+ @Override
+ public void postWALRestore( ObserverContext ctx, HRegionInfo info, WALKey logKey, WALEdit logEdit) throws 
IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postWALRestore()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implRegionObserver.postWALRestore(ctx, info, logKey, logEdit);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postWALRestore()");
+ }
+ }
+
+ @Override
+ public boolean postBulkLoadHFile(ObserverContext ctx, List> familyPaths, boolean hasLoaded) throws IOException {
+
+ boolean ret = false;
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postBulkLoadHFile()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ ret = implRegionObserver.postBulkLoadHFile(ctx, familyPaths, hasLoaded);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postBulkLoadHFile()");
+ }
+
+ return ret;
+ }
+
+ @Override
+ public Reader preStoreFileReaderOpen(ObserverContext ctx, FileSystem fs, Path p, FSDataInputStreamWrapper in, long size,
+ CacheConfig cacheConf, Reference r, Reader reader) throws IOException {
+ Reader ret = null;
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preStoreFileReaderOpen()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ ret = implRegionObserver.preStoreFileReaderOpen(ctx, fs, p, in, size, cacheConf, r, reader);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preStoreFileReaderOpen()");
+ }
+
+ return ret;
+ }
+
+ @Override
+ public Reader postStoreFileReaderOpen(ObserverContext ctx, FileSystem fs, Path p, FSDataInputStreamWrapper in, long size,
+ CacheConfig cacheConf, Reference r, Reader reader) throws IOException {
+ Reader ret = null;
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postStoreFileReaderOpen()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ ret = 
implRegionObserver.postStoreFileReaderOpen(ctx, fs, p, in, size, cacheConf, r, reader);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postStoreFileReaderOpen()");
+ }
+
+ return ret;
+ }
+
+ @Override
+ public Cell postMutationBeforeWAL(ObserverContext ctx, MutationType opType, Mutation mutation, Cell oldCell, Cell newCell) throws IOException {
+ Cell ret = null;
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postMutationBeforeWAL()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ ret = implRegionObserver.postMutationBeforeWAL(ctx, opType, mutation, oldCell, newCell);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postMutationBeforeWAL()");
+ }
+
+ return ret;
+ }
+
+ @Override
+ public DeleteTracker postInstantiateDeleteTracker( ObserverContext ctx, DeleteTracker delTracker) throws IOException {
+ DeleteTracker ret = null;
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postInstantiateDeleteTracker()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ ret = implRegionObserver.postInstantiateDeleteTracker(ctx, delTracker);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postInstantiateDeleteTracker()");
+ }
+
+ return ret;
+ }
+
+ @Override
+ public void postCreateTable(ObserverContext ctx, HTableDescriptor desc, HRegionInfo[] regions) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postCreateTable()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.postCreateTable(ctx, desc, regions);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postCreateTable()");
+ }
+ }
+
+ @Override
+ public void 
preCreateTableHandler(ObserverContext ctx, HTableDescriptor desc, HRegionInfo[] regions) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preCreateTableHandler()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.preCreateTableHandler(ctx, desc, regions);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preCreateTableHandler()");
+ }
+ }
+
+ @Override
+ public void postCreateTableHandler(ObserverContext ctx, HTableDescriptor desc, HRegionInfo[] regions) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postCreateTableHandler()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.postCreateTableHandler(ctx, desc, regions);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postCreateTableHandler()");
+ }
+ }
+
+ @Override
+ public void postDeleteTable(ObserverContext ctx, TableName tableName) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postDeleteTable()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.postDeleteTable(ctx, tableName);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postDeleteTable()");
+ }
+ }
+
+ @Override
+ public void preDeleteTableHandler(ObserverContext ctx,TableName tableName) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preDeleteTableHandler()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.preDeleteTableHandler(ctx, tableName);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preDeleteTableHandler()");
+ }
+ }
+
+ @Override
+ public void 
postDeleteTableHandler(ObserverContext ctx, TableName tableName) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postDeleteTableHandler()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.postDeleteTableHandler(ctx, tableName);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postDeleteTableHandler()");
+ }
+ }
+
+ @Override
+ public void preTruncateTable(ObserverContext ctx, TableName tableName) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preTruncateTable()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.preTruncateTable(ctx, tableName);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preTruncateTable()");
+ }
+ }
+
+ @Override
+ public void postTruncateTable(ObserverContext ctx, TableName tableName) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postTruncateTable()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.postTruncateTable(ctx, tableName);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postTruncateTable()");
+ }
+ }
+
+ @Override
+ public void preTruncateTableHandler(ObserverContext ctx, TableName tableName) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preTruncateTableHandler()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.preTruncateTableHandler(ctx, tableName);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preTruncateTableHandler()");
+ }
+ }
+
+ @Override
+ public void postTruncateTableHandler(ObserverContext ctx, TableName tableName) throws 
IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postTruncateTableHandler()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.postTruncateTableHandler(ctx, tableName);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postTruncateTableHandler()");
+ }
+ }
+
+ @Override
+ public void postModifyTable(ObserverContext ctx, TableName tableName, HTableDescriptor htd) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postModifyTable()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.postModifyTable(ctx, tableName, htd);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postModifyTable()");
+ }
+ }
+
+ @Override
+ public void preModifyTableHandler(ObserverContext ctx,TableName tableName, HTableDescriptor htd) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preModifyTableHandler()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.preModifyTableHandler(ctx, tableName, htd);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preModifyTableHandler()");
+ }
+ }
+
+ @Override
+ public void postModifyTableHandler(ObserverContext ctx, TableName tableName, HTableDescriptor htd) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postModifyTableHandler()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.postModifyTableHandler(ctx, tableName, htd);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postModifyTableHandler()");
+ }
+ }
+
+ @Override
+ public void postAddColumn(ObserverContext ctx, TableName 
tableName, HColumnDescriptor column) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postAddColumn()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.postAddColumn(ctx, tableName, column);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postAddColumn()");
+ }
+ }
+
+ @Override
+ public void preAddColumnHandler(ObserverContext ctx, TableName tableName, HColumnDescriptor column) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preAddColumnHandler()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.preAddColumnHandler(ctx, tableName, column);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preAddColumnHandler()");
+ }
+ }
+
+ @Override
+ public void postAddColumnHandler(ObserverContext ctx, TableName tableName, HColumnDescriptor column) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postAddColumnHandler()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.postAddColumnHandler(ctx, tableName, column);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postAddColumnHandler()");
+ }
+ }
+
+ @Override
+ public void postModifyColumn(ObserverContext ctx, TableName tableName, HColumnDescriptor descriptor) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postModifyColumn()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.postModifyColumn(ctx, tableName, descriptor);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postModifyColumn()");
+ }
+ }
+
+ @Override
+ public void 
preModifyColumnHandler(ObserverContext ctx, TableName tableName, HColumnDescriptor descriptor) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preModifyColumnHandler()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.preModifyColumnHandler(ctx, tableName, descriptor);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preModifyColumnHandler()");
+ }
+ }
+
+ @Override
+ public void postModifyColumnHandler(ObserverContext ctx, TableName tableName, HColumnDescriptor descriptor) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postModifyColumnHandler()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.postModifyColumnHandler(ctx, tableName, descriptor);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postModifyColumnHandler()");
+ }
+ }
+
+ @Override
+ public void postDeleteColumn(ObserverContext ctx, TableName tableName, byte[] c) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postDeleteColumn()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.postDeleteColumn(ctx, tableName, c);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postDeleteColumn()");
+ }
+ }
+
+ @Override
+ public void preDeleteColumnHandler(ObserverContext ctx, TableName tableName, byte[] c) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preDeleteColumnHandler()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.preDeleteColumnHandler(ctx, tableName, c);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== 
RangerAuthorizationCoprocessor.preDeleteColumnHandler()");
+ }
+ }
+
+ @Override
+ public void postDeleteColumnHandler(ObserverContext ctx, TableName tableName, byte[] c) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postDeleteColumnHandler()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.postDeleteColumnHandler(ctx, tableName, c);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postDeleteColumnHandler()");
+ }
+ }
+
+ @Override
+ public void postEnableTable(ObserverContext ctx, TableName tableName) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postEnableTable()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.postEnableTable(ctx, tableName);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.postEnableTable()");
+ }
+ }
+
+ @Override
+ public void preEnableTableHandler(ObserverContext ctx, TableName tableName) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.preEnableTableHandler()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.preEnableTableHandler(ctx, tableName);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthorizationCoprocessor.preEnableTableHandler()");
+ }
+ }
+
+ @Override
+ public void postEnableTableHandler(ObserverContext ctx, TableName tableName) throws IOException {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthorizationCoprocessor.postEnableTableHandler()");
+ }
+
+ try {
+ activatePluginClassLoader();
+ implMasterObserver.postEnableTableHandler(ctx, tableName);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== 
RangerAuthorizationCoprocessor.postEnableTableHandler()"); + } + } + + @Override + public void postDisableTable( ObserverContext ctx, TableName tableName) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.postDisableTable()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.postDisableTable(ctx, tableName); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.postDisableTable()"); + } + } + + @Override + public void preDisableTableHandler(ObserverContext ctx, TableName tableName) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.preDisableTableHandler()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.preDisableTableHandler(ctx, tableName); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.preDisableTableHandler()"); + } + } + + @Override + public void postDisableTableHandler(ObserverContext ctx, TableName tableName) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.postDisableTableHandler()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.postDisableTableHandler(ctx, tableName); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.postDisableTableHandler()"); + } + } + + @Override + public void postMove(ObserverContext ctx, HRegionInfo region, ServerName srcServer, ServerName destServer) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.postMove()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.postMove(ctx, region, srcServer, destServer); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== 
RangerAuthorizationCoprocessor.postMove()"); + } + } + + @Override + public void postAssign(ObserverContext ctx, HRegionInfo regionInfo) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.postAssign()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.postAssign(ctx, regionInfo); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.postAssign()"); + } + } + + @Override + public void postUnassign(ObserverContext ctx, HRegionInfo regionInfo, boolean force) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.postUnassign()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.postUnassign(ctx, regionInfo, force); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.postUnassign()"); + } + } + + @Override + public void postRegionOffline(ObserverContext ctx, HRegionInfo regionInfo) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.postRegionOffline()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.postRegionOffline(ctx, regionInfo); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.postRegionOffline()"); + } + } + + @Override + public void postBalance(ObserverContext ctx, List plans) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.postBalance()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.postBalance(ctx, plans); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.postBalance()"); + } + } + + @Override + public void postBalanceSwitch(ObserverContext ctx, boolean oldValue, boolean newValue) throws 
IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.postBalanceSwitch()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.postBalanceSwitch(ctx, oldValue, newValue); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.postBalanceSwitch()"); + } + } + + @Override + public void preMasterInitialization(ObserverContext ctx) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.preMasterInitialization()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.preMasterInitialization(ctx); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.preMasterInitialization()"); + } + } + + @Override + public void postSnapshot(ObserverContext ctx, SnapshotDescription snapshot, HTableDescriptor hTableDescriptor) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.postSnapshot()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.postSnapshot(ctx, snapshot, hTableDescriptor ); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.postSnapshot()"); + } + } + + @Override + public void preListSnapshot(ObserverContext ctx, SnapshotDescription snapshot) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.preListSnapshot()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.preListSnapshot(ctx, snapshot); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.preListSnapshot()"); + } + } + + @Override + public void postListSnapshot(ObserverContext ctx, SnapshotDescription snapshot) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> 
RangerAuthorizationCoprocessor.postListSnapshot()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.postListSnapshot(ctx, snapshot); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.postListSnapshot()"); + } + } + + @Override + public void postCloneSnapshot(ObserverContext ctx, SnapshotDescription snapshot, HTableDescriptor hTableDescriptor) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.postCloneSnapshot()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.postCloneSnapshot(ctx, snapshot, hTableDescriptor); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.postCloneSnapshot()"); + } + } + + @Override + public void postRestoreSnapshot(ObserverContext ctx, SnapshotDescription snapshot, HTableDescriptor hTableDescriptor) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.postRestoreSnapshot()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.postRestoreSnapshot(ctx, snapshot, hTableDescriptor); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.postRestoreSnapshot()"); + } + } + + @Override + public void postDeleteSnapshot(ObserverContext ctx,SnapshotDescription snapshot) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.postDeleteSnapshot()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.postDeleteSnapshot(ctx, snapshot); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.postDeleteSnapshot()"); + } + } + + @Override + public void preGetTableDescriptors(ObserverContext ctx, List tableNamesList, List descriptors) throws IOException { + 
if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.preGetTableDescriptors()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.preGetTableDescriptors(ctx, tableNamesList,descriptors ); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.preGetTableDescriptors()"); + } + } + + @Override + public void postGetTableDescriptors(ObserverContext ctx, List descriptors) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.postGetTableDescriptors()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.postGetTableDescriptors(ctx, descriptors ); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.postGetTableDescriptors()"); + } + } + + @Override + public void preGetTableDescriptors(ObserverContext ctx, List tableNamesList, List descriptors, String regex) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.preGetTableDescriptors()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.preGetTableDescriptors(ctx, tableNamesList, descriptors, regex ); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.preGetTableDescriptors()"); + } + } + + @Override + public void preGetTableNames(ObserverContext ctx, List descriptors, String regex) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.preGetTableNames()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.preGetTableNames(ctx, descriptors, regex ); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.preGetTableNames()"); + } + } + + @Override + public void postGetTableNames(ObserverContext ctx, List 
descriptors, String regex) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.postGetTableNames()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.postGetTableNames(ctx, descriptors, regex ); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.postGetTableNames()"); + } + } + + @Override + public void postCreateNamespace(ObserverContext ctx, NamespaceDescriptor ns) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.postCreateNamespace()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.postCreateNamespace(ctx, ns ); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.postCreateNamespace()"); + } + } + + @Override + public void postDeleteNamespace(ObserverContext ctx, String namespace) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.postDeleteNamespace()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.postDeleteNamespace(ctx, namespace ); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.postDeleteNamespace()"); + } + } + + @Override + public void postModifyNamespace(ObserverContext ctx, NamespaceDescriptor ns) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.postModifyNamespace()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.postModifyNamespace(ctx, ns ); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.postModifyNamespace()"); + } + } + + @Override + public void preGetNamespaceDescriptor( ObserverContext ctx, String namespace) throws IOException { + if(LOG.isDebugEnabled()) { + 
LOG.debug("==> RangerAuthorizationCoprocessor.preGetNamespaceDescriptor()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.preGetNamespaceDescriptor(ctx, namespace ); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.preGetNamespaceDescriptor()"); + } + } + + @Override + public void postGetNamespaceDescriptor( ObserverContext ctx, NamespaceDescriptor ns) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.postGetNamespaceDescriptor()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.postGetNamespaceDescriptor(ctx, ns ); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.postGetNamespaceDescriptor()"); + } + } + + @Override + public void preListNamespaceDescriptors(ObserverContext ctx, List descriptors) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.preListNamespaceDescriptors()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.preListNamespaceDescriptors(ctx, descriptors ); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.preListNamespaceDescriptors()"); + } + } + + @Override + public void postListNamespaceDescriptors(ObserverContext ctx, List descriptors) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.postListNamespaceDescriptors()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.postListNamespaceDescriptors(ctx, descriptors ); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.postListNamespaceDescriptors()"); + } + } + + @Override + public void preTableFlush(ObserverContext ctx, TableName tableName) throws IOException { + 
if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.preTableFlush()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.preTableFlush(ctx, tableName ); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.preTableFlush()"); + } + } + + @Override + public void postTableFlush(ObserverContext ctx, TableName tableName) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.postTableFlush()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.postTableFlush(ctx, tableName ); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.postTableFlush()"); + } + } + + @Override + public void postSetUserQuota(ObserverContext ctx, String userName, Quotas quotas) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.postSetUserQuota()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.postSetUserQuota(ctx, userName, quotas); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.postSetUserQuota()"); + } + } + + @Override + public void postSetUserQuota(ObserverContext ctx, String userName,TableName tableName, Quotas quotas) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.postSetUserQuota()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.postSetUserQuota(ctx, userName, tableName, quotas); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.postSetUserQuota()"); + } + } + + @Override + public void postSetUserQuota(ObserverContext ctx, String userName, String namespace, Quotas quotas) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> 
RangerAuthorizationCoprocessor.postSetUserQuota()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.postSetUserQuota(ctx, userName, quotas); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.postSetUserQuota()"); + } + } + + @Override + public void postSetTableQuota(ObserverContext ctx, TableName tableName, Quotas quotas) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.postSetTableQuota()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.postSetTableQuota(ctx, tableName, quotas); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.postSetTableQuota()"); + } + } + + @Override + public void postSetNamespaceQuota(ObserverContext ctx,String namespace, Quotas quotas) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.postSetNamespaceQuota()"); + } + + try { + activatePluginClassLoader(); + implMasterObserver.postSetNamespaceQuota(ctx, namespace, quotas); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.postSetNamespaceQuota()"); + } + } + + @Override + public void preWALRestore(ObserverContext ctx,HRegionInfo info, HLogKey logKey, WALEdit logEdit) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAuthorizationCoprocessor.preWALRestore()"); + } + + try { + activatePluginClassLoader(); + implRegionObserver.preWALRestore(ctx, info, logKey, logEdit); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.preWALRestore()"); + } + } + + @Override + public void postWALRestore(ObserverContext ctx, HRegionInfo info, HLogKey logKey, WALEdit logEdit) throws IOException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> 
RangerAuthorizationCoprocessor.postWALRestore()"); + } + + try { + activatePluginClassLoader(); + implRegionObserver.postWALRestore(ctx, info, logKey, logEdit); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAuthorizationCoprocessor.postWALRestore()"); + } + } + + private void activatePluginClassLoader() { + if(rangerPluginClassLoader != null) { + rangerPluginClassLoader.activate(); + } + } + + private void deactivatePluginClassLoader() { + if(rangerPluginClassLoader != null) { + rangerPluginClassLoader.deactivate(); + } + } +} \ No newline at end of file diff --git a/hbase-agent/src/test/java/org/apache/hadoop/hbase/security/access/RangerAccessControlListsTest.java b/ranger-hbase-plugin-shim/src/main/test/org/apache/hadoop/hbase/security/access/RangerAccessControlListsTest.java similarity index 100% rename from hbase-agent/src/test/java/org/apache/hadoop/hbase/security/access/RangerAccessControlListsTest.java rename to ranger-hbase-plugin-shim/src/main/test/org/apache/hadoop/hbase/security/access/RangerAccessControlListsTest.java diff --git a/ranger-hdfs-plugin-shim/pom.xml b/ranger-hdfs-plugin-shim/pom.xml new file mode 100644 index 00000000000..a44abb3595f --- /dev/null +++ b/ranger-hdfs-plugin-shim/pom.xml 
@@ -0,0 +1,74 @@ + + + + 4.0.0 + security_plugins.ranger-hdfs-plugin-shim + ranger-hdfs-plugin-shim + Hdfs Security Plugin Shim + Hdfs Security Plugins Shim + jar + + UTF-8 + + + org.apache.ranger + ranger + 0.5.0 + .. + + + + commons-logging + commons-logging + ${commons.logging.version} + + + org.apache.hadoop + hadoop-common + ${hadoop.version} + + + org.apache.hadoop + hadoop-hdfs + ${hadoop.version} + + + junit + junit + + + org.mockito + mockito-core + + + security_plugins.ranger-plugins-audit + ranger-plugins-audit + ${project.version} + + + security_plugins.ranger-plugins-common + ranger-plugins-common + ${project.version} + + + security_plugins.ranger-plugin-classloader + ranger-plugin-classloader + ${project.version} + + + diff --git a/ranger-hdfs-plugin-shim/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java b/ranger-hdfs-plugin-shim/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java new file mode 100644 index 00000000000..a19d0724920 --- /dev/null +++ b/ranger-hdfs-plugin-shim/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java 
@@ -0,0 +1,191 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.authorization.hadoop;
+
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.hdfs.server.namenode.INodeAttributeProvider;
+import org.apache.hadoop.hdfs.server.namenode.INodeAttributes;
+import org.apache.ranger.plugin.classloader.RangerPluginClassLoader;
+
+public class RangerHdfsAuthorizer extends INodeAttributeProvider {
+ private static final Log LOG = LogFactory.getLog(RangerHdfsAuthorizer.class);
+
+ private static final String RANGER_PLUGIN_TYPE = "hdfs";
+ private static final String[] RANGER_PLUGIN_LIB_DIR = new String[] {"lib/ranger-hdfs-plugin"};
+ private static final String RANGER_HDFS_AUTHORIZER_IMPL_CLASSNAME = "org.apache.ranger.authorization.hadoop.RangerHdfsAuthorizer";
+
+ private INodeAttributeProvider rangerHdfsAuthorizerImpl = null;
+ private static RangerPluginClassLoader rangerPluginClassLoader = null;
+
+ public RangerHdfsAuthorizer() {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerHdfsAuthorizer.RangerHdfsAuthorizer()");
+ }
+
+ this.init();
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerHdfsAuthorizer.RangerHdfsAuthorizer()");
+ }
+ }
+
+ public void init(){
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerHdfsAuthorizer.init()");
+ }
+
+ try {
+
+ rangerPluginClassLoader = RangerPluginClassLoader.getInstance(RANGER_PLUGIN_TYPE, this.getClass());
+
+ @SuppressWarnings("unchecked")
+ Class cls = (Class) Class.forName(RANGER_HDFS_AUTHORIZER_IMPL_CLASSNAME, true, rangerPluginClassLoader);
+
+ activatePluginClassLoader();
+
+ rangerHdfsAuthorizerImpl = cls.newInstance();
+ } catch (Exception e) {
+ // check what need to be done
+ LOG.error("Error Enabling RangerHdfsPluing", e);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerHdfsAuthorizer.init()");
+ }
+ }
+
+ @Override
+ public void start() {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerHdfsAuthorizer.start()");
+ }
+
+ try {
+ activatePluginClassLoader();
+
+ rangerHdfsAuthorizerImpl.start();
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerHdfsAuthorizer.start()");
+ }
+ }
+
+ @Override
+ public void stop() {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerHdfsAuthorizer.stop()");
+ }
+
+ try {
+ activatePluginClassLoader();
+
+ rangerHdfsAuthorizerImpl.stop();
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerHdfsAuthorizer.stop()");
+ }
+ }
+
+ @Override
+ public INodeAttributes getAttributes(String fullPath, INodeAttributes inode) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerHdfsAuthorizer.getAttributes(" + fullPath + ")");
+ }
+
+ INodeAttributes ret = null;
+
+ try {
+ activatePluginClassLoader();
+
+ ret = rangerHdfsAuthorizerImpl.getAttributes(fullPath,inode); // return default attributes
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerHdfsAuthorizer.getAttributes(" + fullPath + "): " + ret);
+ }
+
+ return ret;
+ }
+
+ @Override
+ public INodeAttributes getAttributes(String[] pathElements, INodeAttributes inode) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerHdfsAuthorizer.getAttributes(pathElementsCount=" + (pathElements == null ? 0 : pathElements.length) + ")");
+ }
+
+ INodeAttributes ret = null;
+
+ try {
+ activatePluginClassLoader();
+
+ ret = rangerHdfsAuthorizerImpl.getAttributes(pathElements,inode);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerHdfsAuthorizer.getAttributes(pathElementsCount=" + (pathElements == null ? 0 : pathElements.length) + "): " + ret);
+ }
+
+ return ret;
+ }
+
+ @Override
+ public AccessControlEnforcer getExternalAccessControlEnforcer(AccessControlEnforcer defaultEnforcer) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerHdfsAuthorizer.getExternalAccessControlEnforcer()");
+ }
+
+ AccessControlEnforcer ret = null;
+
+ ret = rangerHdfsAuthorizerImpl.getExternalAccessControlEnforcer(defaultEnforcer);
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerHdfsAuthorizer.getExternalAccessControlEnforcer()");
+ }
+
+ return ret;
+ }
+
+ private void activatePluginClassLoader() {
+ if(rangerPluginClassLoader != null) {
+ rangerPluginClassLoader.activate();
+ }
+ }
+
+ private void deactivatePluginClassLoader() {
+ if(rangerPluginClassLoader != null) {
+ rangerPluginClassLoader.deactivate();
+ }
+ }
+}
+
diff --git a/ranger-hive-plugin-shim/pom.xml b/ranger-hive-plugin-shim/pom.xml
new file mode 100644
index 00000000000..1ff8349a559
--- /dev/null
+++ b/ranger-hive-plugin-shim/pom.xml
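Review bot: `init()` catches every exception thrown while loading the plugin implementation, logs it and continues, so `rangerHdfsAuthorizerImpl` stays null and the first `start()` or `getAttributes()` call fails with a NullPointerException instead of a clear startup error. Because this class is installed as the NameNode's INodeAttributeProvider, a failed load should abort startup explicitly rather than be deferred: after the `LOG.error` add `throw new RuntimeException("Error enabling Ranger HDFS plugin", e);`. `getExternalAccessControlEnforcer()` is also the only delegating method that does not bracket the call with `activatePluginClassLoader()`/`deactivatePluginClassLoader()`; if that is deliberate it deserves a one-line comment, otherwise it should match `start()`, `stop()` and `getAttributes()`. `RANGER_PLUGIN_LIB_DIR` is declared but never used in this file, and the error message misspells "Plugin" as "Pluing".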
@@ -0,0 +1,105 @@ + + + + 4.0.0 + security_plugins.ranger-hive-plugin-shim + ranger-hive-plugin-shim + Hive Security Plugin Shim + Hive Security Plugins Shim + jar + + UTF-8 + + + org.apache.ranger + ranger + 0.5.0 + .. + + + + commons-logging + commons-logging + ${commons.logging.version} + + + org.apache.hadoop + hadoop-common + ${hadoop.version} + + + org.apache.hadoop + hadoop-hdfs + ${hadoop.version} + + + org.apache.hive + hive-common + ${hive.version} + + + org.apache.hive + hive-service + ${hive.version} + + + org.apache.hive + hive-exec + ${hive.version} + + + org.apache.hive + hive-metastore + ${hive.version} + + + org.apache.hive + hive-jdbc + ${hive.version} + + + org.apache.hive + hive-jdbc + ${hive.version} + standalone + + + security_plugins.ranger-plugins-audit + ranger-plugins-audit + ${project.version} + + + security_plugins.ranger-plugins-common + ranger-plugins-common + ${project.version} + + + security_plugins.ranger-plugin-classloader + ranger-plugin-classloader + ${project.version} + + + junit + junit + + + org.mockito + mockito-core + + + diff --git a/ranger-hive-plugin-shim/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizerFactory.java b/ranger-hive-plugin-shim/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizerFactory.java new file mode 100644 index 00000000000..592b6675042 --- /dev/null +++ b/ranger-hive-plugin-shim/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizerFactory.java 
@@ -0,0 +1,32 @@
+/**
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.xasecure.authorization.hive.authorizer;
+
+import org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizerFactory;
+
+/**
+ * This class exists only to provide for seamless upgrade/downgrade capabilities. Coprocessor name is in hbase config files in /etc/.../conf which
+ * is not only out of bounds for any upgrade script but also must be of a form to allow for downgrad! Thus when class names were changed XaSecure* -> Ranger*
+ * this shell class serves to allow for seamles upgrade as well as downgrade.
+ *
+ * This class is final because if one needs to customize coprocessor it is expected that RangerAuthorizationCoprocessor would be modified/extended as that is
+ * the "real" coprocessor! This class, hence, should NEVER be more than an EMPTY shell!
+ */
+public final class XaSecureHiveAuthorizerFactory extends RangerHiveAuthorizerFactory {
+}
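Review bot: The class comment was carried over from the HBase coprocessor shim and does not describe this class: it speaks of a "Coprocessor name ... in hbase config files" and of extending RangerAuthorizationCoprocessor, whereas this is the Hive authorizer factory and the class it wraps is RangerHiveAuthorizerFactory. Suggest rewording it to state the actual purpose, e.g. `* This class exists only so that the legacy com.xasecure class name still resolves from existing Hive configuration across upgrade and downgrade; any customization belongs in RangerHiveAuthorizerFactory, and this class must stay an empty shell.` The comment also carries the typos "downgrad!" and "seamles".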
diff --git a/ranger-hive-plugin-shim/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizerFactory.java b/ranger-hive-plugin-shim/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizerFactory.java new file mode 100644 index 00000000000..02d6db3e099 --- /dev/null +++ b/ranger-hive-plugin-shim/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizerFactory.java 
@@ -0,0 +1,121 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.authorization.hive.authorizer; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.apache.hadoop.hive.conf.HiveConf; +import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext; +import org.apache.ranger.plugin.classloader.RangerPluginClassLoader; + + +public class RangerHiveAuthorizerFactory implements HiveAuthorizerFactory { + + private static final Log LOG = LogFactory.getLog(RangerHiveAuthorizerFactory.class); + + private static final String RANGER_PLUGIN_TYPE = "hive"; + private static final String[] RANGER_PLUGIN_LIB_DIR = new String[] {"lib/ranger-hive-plugin"}; + private static final String 
RANGER_HIVE_AUTHORIZER_IMPL_CLASSNAME = "org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizerFactory"; + + private HiveAuthorizerFactory rangerHiveAuthorizerFactoryImpl = null; + private RangerPluginClassLoader rangerPluginClassLoader = null; + + + public RangerHiveAuthorizerFactory() { + + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerHiveAuthorizerFactory.RangerHiveAuthorizerFactory()"); + } + + this.init(); + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerHiveAuthorizerFactory.RangerHiveAuthorizerFactory()"); + } + } + + public void init(){ + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerHiveAuthorizerFactory.init()"); + } + + try { + + rangerPluginClassLoader = RangerPluginClassLoader.getInstance(RANGER_PLUGIN_TYPE, this.getClass()); + + @SuppressWarnings("unchecked") + Class cls = (Class) Class.forName(RANGER_HIVE_AUTHORIZER_IMPL_CLASSNAME, true, rangerPluginClassLoader); + + activatePluginClassLoader(); + + rangerHiveAuthorizerFactoryImpl = cls.newInstance(); + + } catch (Exception e) { + // check what need to be done + LOG.error("Error Enabling RangerHivePluing", e); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerHiveAuthorizerFactory.init()"); + } + } + + @Override + public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory, + HiveConf conf, + HiveAuthenticationProvider hiveAuthenticator, + HiveAuthzSessionContext sessionContext) + throws HiveAuthzPluginException { + + HiveAuthorizer ret = null; + + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerHiveAuthorizerFactory.createHiveAuthorizer()"); + } + + ret = rangerHiveAuthorizerFactoryImpl.createHiveAuthorizer(metastoreClientFactory, conf, hiveAuthenticator, sessionContext); + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerHiveAuthorizerFactory.createHiveAuthorizer()"); + } + + return ret; + } + + private void activatePluginClassLoader() { + if(rangerPluginClassLoader != null) { + 
rangerPluginClassLoader.activate(); + } + } + + private void deactivatePluginClassLoader() { + if(rangerPluginClassLoader != null) { + rangerPluginClassLoader.deactivate(); + } + } + +} \ No newline at end of file diff --git a/ranger-kafka-plugin-shim/pom.xml b/ranger-kafka-plugin-shim/pom.xml new file mode 100644 index 00000000000..2d298687132 --- /dev/null +++ b/ranger-kafka-plugin-shim/pom.xml @@ -0,0 +1,56 @@ + + + + 4.0.0 + security_plugins.ranger-kafka-plugin-shim + ranger-kafka-plugin-shim + KAFKA Security Plugin Shim + KAFKA Security Plugin shim + jar + + UTF-8 + + + org.apache.ranger + ranger + 0.5.0 + .. + + + + security_plugins.ranger-plugins-common + ranger-plugins-common + ${project.version} + + + security_plugins.ranger-plugins-audit + ranger-plugins-audit + ${project.version} + + + security_plugins.ranger-plugin-classloader + ranger-plugin-classloader + ${project.version} + + + org.apache.ranger + credentialbuilder + ${project.version} + + + org.apache.kafka + kafka_2.10 + ${kafka.version} + + + diff --git a/ranger-kafka-plugin-shim/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java b/ranger-kafka-plugin-shim/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java new file mode 100644 index 00000000000..d39cac2841c --- /dev/null +++ b/ranger-kafka-plugin-shim/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java 
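Review bot: `createHiveAuthorizer()` delegates to `rangerHiveAuthorizerFactoryImpl` without the `activatePluginClassLoader()`/`deactivatePluginClassLoader()` bracket that `init()` uses, so whatever the real factory loads while constructing the authorizer is resolved with the caller's class loader rather than the plugin's; wrapping the delegation in the same try/finally as `init()` would keep the two paths consistent. Because `init()` only logs when the implementation cannot be loaded, `rangerHiveAuthorizerFactoryImpl` may be null here and the method would surface as a NullPointerException during Hive session setup; since it already declares HiveAuthzPluginException, a guard such as `if (rangerHiveAuthorizerFactoryImpl == null) { throw new HiveAuthzPluginException("Ranger Hive authorizer plugin failed to initialize"); }` before the delegation gives a clear, fail-closed error instead. Note also that `RANGER_HIVE_AUTHORIZER_IMPL_CLASSNAME` is the fully-qualified name of this very class, so correct behaviour relies on RangerPluginClassLoader resolving it from the plugin jars before consulting the parent loader — that contract is not visible here and deserves a comment on the constant. `RANGER_PLUGIN_LIB_DIR` is declared but unused in this file.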
@@ -0,0 +1,248 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.authorization.kafka.authorizer;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.classloader.RangerPluginClassLoader;
+
+import scala.collection.immutable.Set;
+import kafka.network.RequestChannel.Session;
+import kafka.security.auth.Acl;
+import kafka.security.auth.Authorizer;
+import kafka.security.auth.KafkaPrincipal;
+import kafka.security.auth.Operation;
+import kafka.security.auth.Resource;
+import kafka.server.KafkaConfig;
+
+
+//public class RangerKafkaAuthorizer extends Authorizer {
+public class RangerKafkaAuthorizer implements Authorizer {
+ private static final Log LOG = LogFactory.getLog(RangerKafkaAuthorizer.class);
+
+ private static final String RANGER_PLUGIN_TYPE = "kafka";
+ private static final String[] RANGER_PLUGIN_LIB_DIR = new String[] {"lib/ranger-kafka-plugin"};
+ private static final String RANGER_KAFKA_AUTHORIZER_IMPL_CLASSNAME = "org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer";
+
+ private Authorizer rangerKakfaAuthorizerImpl = null;
+ private static RangerPluginClassLoader
rangerPluginClassLoader = null; + + public RangerKafkaAuthorizer() { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerKafkaAuthorizer.RangerKafkaAuthorizer()"); + } + + this.init(); + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerKafkaAuthorizer.RangerKafkaAuthorizer()"); + } + } + + private void init(){ + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerKafkaAuthorizer.init()"); + } + + try { + + rangerPluginClassLoader = RangerPluginClassLoader.getInstance(RANGER_PLUGIN_TYPE, this.getClass()); + + @SuppressWarnings("unchecked") + Class cls = (Class) Class.forName(RANGER_KAFKA_AUTHORIZER_IMPL_CLASSNAME, true, rangerPluginClassLoader); + + activatePluginClassLoader(); + + rangerKakfaAuthorizerImpl = cls.newInstance(); + } catch (Exception e) { + // check what need to be done + LOG.error("Error Enabling RangerKafkaPluing", e); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerKafkaAuthorizer.init()"); + } + } + + + @Override + public void initialize(KafkaConfig kafkaConfig) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerKafkaAuthorizer.initialize()"); + } + + try { + activatePluginClassLoader(); + + rangerKakfaAuthorizerImpl.initialize(kafkaConfig); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerKafkaAuthorizer.initialize()"); + } + } + + @Override + public boolean authorize(Session session, Operation operation,Resource resource) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerKafkaAuthorizer.authorize()"); + } + + boolean ret = false; + + try { + activatePluginClassLoader(); + + ret = rangerKakfaAuthorizerImpl.authorize(session, operation, resource); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerKafkaAuthorizer.authorize()"); + } + + return ret; + } + + @Override + public void addAcls(Set acls, Resource resource) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> 
RangerKafkaAuthorizer.addAcls()"); + } + + try { + activatePluginClassLoader(); + + rangerKakfaAuthorizerImpl.addAcls(acls, resource); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerKafkaAuthorizer.addAcls()"); + } + } + + @Override + public boolean removeAcls(Set acls, Resource resource) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerKafkaAuthorizer.removeAcls()"); + } + boolean ret = false; + try { + activatePluginClassLoader(); + + ret = rangerKakfaAuthorizerImpl.removeAcls(acls, resource); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerKafkaAuthorizer.removeAcls()"); + } + + return ret; + } + + @Override + public boolean removeAcls(Resource resource) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerKafkaAuthorizer.removeAcls()"); + } + boolean ret = false; + try { + activatePluginClassLoader(); + + ret = rangerKakfaAuthorizerImpl.removeAcls(resource); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerKafkaAuthorizer.removeAcls()"); + } + + return ret; + } + + @Override + public Set getAcls(Resource resource) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerKafkaAuthorizer.getAcls()"); + } + + Set ret = null; + + try { + activatePluginClassLoader(); + + ret = rangerKakfaAuthorizerImpl.getAcls(resource); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerKafkaAuthorizer.getAcls()"); + } + + return ret; + } + + @Override + public Set getAcls(KafkaPrincipal principal) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerKafkaAuthorizer.getAcls()"); + } + + Set ret = null; + + try { + activatePluginClassLoader(); + + ret = rangerKakfaAuthorizerImpl.getAcls(principal); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerKafkaAuthorizer.getAcls()"); + } + + return ret; + } + + 
private void activatePluginClassLoader() { + if(rangerPluginClassLoader != null) { + rangerPluginClassLoader.activate(); + } + } + + private void deactivatePluginClassLoader() { + if(rangerPluginClassLoader != null) { + rangerPluginClassLoader.deactivate(); + } + } + +} \ No newline at end of file diff --git a/ranger-knox-plugin-shim/pom.xml b/ranger-knox-plugin-shim/pom.xml new file mode 100644 index 00000000000..eef7913c7f9 --- /dev/null +++ b/ranger-knox-plugin-shim/pom.xml @@ -0,0 +1,91 @@ + + + + 4.0.0 + security_plugins.ranger-knox-plugin-shim + ranger-knox-plugin-shim + Knox Security Plugin Shim + Knox Security Plugins Shim + jar + + UTF-8 + + + org.apache.ranger + ranger + 0.5.0 + .. + + + + org.apache.knox + gateway-spi + 0.5.0 + + + javax.servlet + javax.servlet-api + ${javax.servlet.version} + + + org.glassfish.jersey.core + jersey-client + + + com.google.code.gson + gson + + + junit + junit + + + org.mockito + mockito-core + + + org.hamcrest + hamcrest-integration + + + org.codehaus.jackson + jackson-mapper-asl + ${codehaus.jackson.version} + + + org.codehaus.jackson + jackson-core-asl + ${codehaus.jackson.version} + + + security_plugins.ranger-plugins-common + ranger-plugins-common + ${project.version} + + + security_plugins.ranger-plugin-classloader + ranger-plugin-classloader + ${project.version} + + + security_plugins.ranger-plugins-audit + ranger-plugins-audit + ${project.version} + + + diff --git a/knox-agent/src/main/java/com/xasecure/pdp/knox/filter/XASecurePDPKnoxFilter.java b/ranger-knox-plugin-shim/src/main/java/com/xasecure/pdp/knox/filter/XASecurePDPKnoxFilter.java similarity index 100% rename from knox-agent/src/main/java/com/xasecure/pdp/knox/filter/XASecurePDPKnoxFilter.java rename to ranger-knox-plugin-shim/src/main/java/com/xasecure/pdp/knox/filter/XASecurePDPKnoxFilter.java 
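Review bot: In `init()`, a failure to load `RANGER_KAFKA_AUTHORIZER_IMPL_CLASSNAME` is caught, logged and swallowed, so `rangerKakfaAuthorizerImpl` stays null and every later `authorize()`, `addAcls()` or `getAcls()` call fails with a NullPointerException thrown out of the broker's request path instead of a clear startup error. Because this class is the broker's authorizer, a mis-deployed impl directory should stop the broker from starting rather than leave an authorizer that cannot answer; replace the `LOG.error(...)` in the catch with `throw new IllegalStateException("Failed to load " + RANGER_KAFKA_AUTHORIZER_IMPL_CLASSNAME, e);` (the `finally` still deactivates the loader). `RANGER_PLUGIN_LIB_DIR` is declared but never read anywhere in this file; the impl directory is actually derived inside `RangerPluginClassLoader`, so the constant should be dropped or marked as informational to avoid misleading the next reader.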
diff --git a/ranger-knox-plugin-shim/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java b/ranger-knox-plugin-shim/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java new file mode 100644 index 00000000000..af4d9476d52 --- /dev/null +++ b/ranger-knox-plugin-shim/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java 
@@ -0,0 +1,153 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ranger.authorization.knox;
+
+import java.io.IOException;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.classloader.RangerPluginClassLoader;
+
+public class RangerPDPKnoxFilter implements Filter {
+
+ private static final Log LOG = LogFactory.getLog(RangerPDPKnoxFilter.class);
+
+ private static final String RANGER_PLUGIN_TYPE = "knox";
+ private static final String[] RANGER_PLUGIN_LIB_DIR = new String[] {"lib/ranger-hdfs-plugin"};
+ private static final String RANGER_PDP_KNOX_FILTER_IMPL_CLASSNAME = "org.apache.ranger.authorization.knox.RangerPDPKnoxFilter";
+
+ private RangerPDPKnoxFilter rangerPDPKnoxFilteImpl = null;
+ private static RangerPluginClassLoader rangerPluginClassLoader = null;
+
+ public RangerPDPKnoxFilter() {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerPDPKnoxFilter.RangerPDPKnoxFilter()");
+ }
+
+
this.init0(); + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerPDPKnoxFilter.RangerPDPKnoxFilter()"); + } + } + + private void init0(){ + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerPDPKnoxFilter.init()"); + } + + try { + rangerPluginClassLoader = RangerPluginClassLoader.getInstance(RANGER_PLUGIN_TYPE, this.getClass()); + + @SuppressWarnings("unchecked") + Class cls = (Class) Class.forName(RANGER_PDP_KNOX_FILTER_IMPL_CLASSNAME, true, rangerPluginClassLoader); + + activatePluginClassLoader(); + + rangerPDPKnoxFilteImpl = (RangerPDPKnoxFilter) cls.newInstance(); + } catch (Exception e) { + // check what need to be done + LOG.error("Error Enabling RangerKnoxPlugin", e); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerPDPKnoxFilter.init()"); + } + } + + @Override + public void destroy() { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerPDPKnoxFilter.destroy()"); + } + + try { + activatePluginClassLoader(); + + rangerPDPKnoxFilteImpl.destroy(); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerPDPKnoxFilter.destroy()"); + } + } + + @Override + public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerPDPKnoxFilter.doFilter()"); + } + + try { + activatePluginClassLoader(); + + rangerPDPKnoxFilteImpl.doFilter(servletRequest, servletResponse, filterChain); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerPDPKnoxFilter.doFilter()"); + } + } + + @Override + public void init(FilterConfig fiterConfig) throws ServletException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerPDPKnoxFilter.init()"); + } + + try { + activatePluginClassLoader(); + + rangerPDPKnoxFilteImpl.init(fiterConfig); + } finally { + deactivatePluginClassLoader(); + } + + 
if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerPDPKnoxFilter.init()"); + } + } + + + private void activatePluginClassLoader() { + if(rangerPluginClassLoader != null) { + rangerPluginClassLoader.activate(); + } + } + + private void deactivatePluginClassLoader() { + if(rangerPluginClassLoader != null) { + rangerPluginClassLoader.deactivate(); + } + } +} + diff --git a/ranger-plugin-classloader/pom.xml b/ranger-plugin-classloader/pom.xml new file mode 100644 index 00000000000..d8504e6950a --- /dev/null +++ b/ranger-plugin-classloader/pom.xml @@ -0,0 +1,55 @@ + + + + 4.0.0 + security_plugins.ranger-plugin-classloader + ranger-plugin-classloader + 0.5.0 + ranger-plugin-classloader + Ranger Plugin ClassLoader + jar + http://maven.apache.org + + UTF-8 + + + org.apache.ranger + ranger + 0.5.0 + + + + junit + junit + test + + + + org.slf4j + slf4j-api + ${slf4j-api.version} + + + diff --git a/ranger-plugin-classloader/src/main/java/org/apache/ranger/plugin/classloader/RangerPluginClassLoader.java b/ranger-plugin-classloader/src/main/java/org/apache/ranger/plugin/classloader/RangerPluginClassLoader.java new file mode 100644 index 00000000000..eafcd274ba4 --- /dev/null +++ b/ranger-plugin-classloader/src/main/java/org/apache/ranger/plugin/classloader/RangerPluginClassLoader.java 
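Review bot: `rangerPDPKnoxFilteImpl` is declared as the shim's own type `RangerPDPKnoxFilter` and `init0()` casts `cls.newInstance()` to it, but `cls` is resolved through `RangerPluginClassLoader` (built with a null parent in this same commit) from the impl directory under the same fully-qualified name, so it is most likely a different Class object from this one; in that case the cast throws ClassCastException, the catch block swallows it, and every subsequent `doFilter()` fails with a NullPointerException on a null impl. The Hive and Kafka shims type the delegate by the component interface, and this one should too: `private Filter rangerPDPKnoxFilteImpl = null;` and `rangerPDPKnoxFilteImpl = (Filter) cls.newInstance();`. Separately, `RANGER_PLUGIN_LIB_DIR` is set to `"lib/ranger-hdfs-plugin"` inside a Knox shim; it is unused in this file, but the value reads as a copy-paste leftover and should be corrected or removed so it does not mislead anyone tracing where the impl jars come from.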
@@ -0,0 +1,292 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.classloader;
+
+import java.io.IOException;
+import java.net.URL;
+import java.net.URLClassLoader;
+import java.util.Enumeration;
+
+//import org.apache.commons.logging.Log;
+//import org.apache.commons.logging.LogFactory;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class RangerPluginClassLoader extends URLClassLoader {
+ private static Logger LOG = LoggerFactory.getLogger(RangerPluginClassLoader.class);
+
+ private static volatile RangerPluginClassLoader me = null;
+ private static MyClassLoader componentClassLoader = null;
+ //private static ThreadLocal componentClassLoader = new ThreadLocal();
+
+ public RangerPluginClassLoader(String pluginType, Class pluginClass ) throws Exception {
+ super(RangerPluginClassLoaderUtil.getInstance().getPluginFilesForServiceTypeAndPluginclass(pluginType, pluginClass), null);
+ //componentClassLoader.set(new MyClassLoader(Thread.currentThread().getContextClassLoader()));
+ componentClassLoader = new MyClassLoader(Thread.currentThread().getContextClassLoader());
+ }
+
+ public static RangerPluginClassLoader getInstance(String pluginType, Class
pluginClass ) throws Exception { + RangerPluginClassLoader ret = me; + if ( ret == null) { + synchronized(RangerPluginClassLoader.class) { + ret = me; + if ( ret == null){ + me = ret = new RangerPluginClassLoader(pluginType,pluginClass); + } + } + } + return ret; + } + + @Override + public Class findClass(String name) throws ClassNotFoundException { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerPluginClassLoader.findClass(" + name + ")"); + } + + Class ret = null; + + try { + // first we try to find a class inside the child classloader + if(LOG.isDebugEnabled()) { + LOG.debug("RangerPluginClassLoader.findClass(" + name + "): calling childClassLoader().findClass() "); + } + + ret = super.findClass(name); + } catch( Throwable e ) { + // Use the Component ClassLoader findclass to load when childClassLoader fails to find + if(LOG.isDebugEnabled()) { + LOG.debug("RangerPluginClassLoader.findClass(" + name + "): calling componentClassLoader.findClass()"); + } + + MyClassLoader savedClassLoader = getComponentClassLoader(); + if (savedClassLoader != null) { + ret = savedClassLoader.findClass(name); + } + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerPluginClassLoader.findClass(" + name + "): " + ret); + } + return ret; + } + + @Override + public synchronized Class loadClass(String name) throws ClassNotFoundException { + if (LOG.isDebugEnabled()) { + LOG.debug("==> RangerPluginClassLoader.loadClass(" + name + ")" ); + } + + Class ret = null; + + try { + // first we try to load a class inside the child classloader + if (LOG.isDebugEnabled()) { + LOG.debug("RangerPluginClassLoader.loadClass(" + name + "): calling childClassLoader.findClass()"); + } + ret = super.loadClass(name); + } catch(Throwable e) { + // Use the Component ClassLoader loadClass to load when childClassLoader fails to find + if (LOG.isDebugEnabled()) { + LOG.debug("RangerPluginClassLoader.loadClass(" + name + "): calling componentClassLoader.loadClass()"); + } + + MyClassLoader 
savedClassLoader = getComponentClassLoader(); + + if(savedClassLoader != null) { + ret = savedClassLoader.loadClass(name); + } + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerPluginClassLoader.loadClass" + name + "): " + ret); + } + + return ret; + } + + @Override + public URL findResource(String name) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerPluginClassLoader.findResource(" + name + ") "); + } + + URL ret = super.findResource(name); + + if (ret == null) { + if(LOG.isDebugEnabled()) { + LOG.debug("RangerPluginClassLoader.findResource(" + name + "): calling componentClassLoader.getResources()"); + } + + MyClassLoader savedClassLoader = getComponentClassLoader(); + if (savedClassLoader != null) { + ret = savedClassLoader.getResource(name); + } + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerPluginClassLoader.findResource(" + name + "): " + ret); + } + + return ret; + } + + @Override + public Enumeration findResources(String name) throws IOException { + Enumeration ret = null; + + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerPluginClassLoader.findResources(" + name + ") "); + } + + ret = new MergeEnumeration(findResourcesUsingChildClassLoader(name),findResourcesUsingComponentClassLoader(name)); + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerPluginClassLoader.findResources(" + name + ") "); + } + + return ret; + } + + public Enumeration findResourcesUsingChildClassLoader(String name) { + + Enumeration ret = null; + + try { + if(LOG.isDebugEnabled()) { + LOG.debug("RangerPluginClassLoader.findResourcesUsingChildClassLoader(" + name + "): calling childClassLoader.findResources()"); + } + + ret = super.findResources(name); + + } catch ( Throwable t) { + //Ignore any exceptions. Null / Empty return is handle in following statements + if(LOG.isDebugEnabled()) { + LOG.debug("RangerPluginClassLoader.findResourcesUsingChildClassLoader(" + name + "): class not found in child. 
Falling back to componentClassLoader", t); + } + } + return ret; + } + + public Enumeration findResourcesUsingComponentClassLoader(String name) { + + Enumeration ret = null; + + try { + + if(LOG.isDebugEnabled()) { + LOG.debug("RangerPluginClassLoader.findResourcesUsingComponentClassLoader(" + name + "): calling componentClassLoader.getResources()"); + } + + MyClassLoader savedClassLoader = getComponentClassLoader(); + + if (savedClassLoader != null) { + ret = savedClassLoader.getResources(name); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerPluginClassLoader.findResourcesUsingComponentClassLoader(" + name + "): " + ret); + } + } catch( Throwable t) { + if(LOG.isDebugEnabled()) { + LOG.debug("RangerPluginClassLoader.findResourcesUsingComponentClassLoader(" + name + "): class not found in componentClassLoader.", t); + } + } + + return ret; + } + + public void activate() { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerPluginClassLoader.activate()"); + } + + //componentClassLoader.set(new MyClassLoader(Thread.currentThread().getContextClassLoader())); + + Thread.currentThread().setContextClassLoader(this); + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerPluginClassLoader.activate()"); + } + } + + public void deactivate() { + + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerPluginClassLoader.deactivate()"); + } + + MyClassLoader savedClassLoader = getComponentClassLoader(); + + if(savedClassLoader != null && savedClassLoader.getParent() != null) { + Thread.currentThread().setContextClassLoader(savedClassLoader.getParent()); + } else { + LOG.warn("RangerPluginClassLoader.deactivate() was not successful.Couldn't not get the saved componentClassLoader..."); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerPluginClassLoader.deactivate()"); + } + } + + private MyClassLoader getComponentClassLoader() { + return componentClassLoader; + //return componentClassLoader.get(); + } + + static class MyClassLoader extends ClassLoader { + public 
MyClassLoader(ClassLoader realClassLoader) { + super(realClassLoader); + } + + @Override + public Class findClass(String name) throws ClassNotFoundException { + return super.findClass(name); + } + } + + class MergeEnumeration implements Enumeration { + + Enumeration e1 = null; + Enumeration e2 = null; + + public MergeEnumeration(Enumeration e1, Enumeration e2 ) { + this.e1 = e1; + this.e2 = e2; + } + + @Override + public boolean hasMoreElements() { + return ( (e1 != null && e1.hasMoreElements() ) || ( e2 != null && e2.hasMoreElements()) ); + } + + @Override + public URL nextElement() { + URL ret = null; + if (e1 != null && e1.hasMoreElements()) + ret = e1.nextElement(); + else if ( e2 != null && e2.hasMoreElements() ) { + ret = e2.nextElement(); + } + return ret; + } + } +} \ No newline at end of file diff --git a/ranger-plugin-classloader/src/main/java/org/apache/ranger/plugin/classloader/RangerPluginClassLoaderUtil.java b/ranger-plugin-classloader/src/main/java/org/apache/ranger/plugin/classloader/RangerPluginClassLoaderUtil.java new file mode 100644 index 00000000000..ea188831465 --- /dev/null +++ b/ranger-plugin-classloader/src/main/java/org/apache/ranger/plugin/classloader/RangerPluginClassLoaderUtil.java 
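Review bot: `deactivate()` restores the context class loader that was current on the thread that constructed the singleton (`componentClassLoader.getParent()`), not the loader that was current on the calling thread when `activate()` ran, and both `me` and `componentClassLoader` are static, shared by every thread and by every plugin type in the JVM (`getInstance()` ignores `pluginType` after the first call). Any thread whose context loader differs from the constructing thread's — a container request thread, or a second plugin using the same singleton — leaves an activate/deactivate pair with its context loader silently replaced, which is exactly the situation the commented-out ThreadLocal lines were reaching for. Record the caller's loader per thread in `activate()` and restore precisely that in `deactivate()`, as sketched below. The `catch (Throwable e)` fallbacks in `findClass` and `loadClass` also turn `LinkageError`s from the child loader into "not found, try the component loader", which hides real loading failures; catching `ClassNotFoundException` only would keep them visible.
```java
// per-thread record of the context loader that activate() replaced
private static final ThreadLocal<ClassLoader> savedContextLoader = new ThreadLocal<ClassLoader>();

public void activate() {
    // … unchanged: debug logging …
    savedContextLoader.set(Thread.currentThread().getContextClassLoader());
    Thread.currentThread().setContextClassLoader(this);
}

public void deactivate() {
    // … unchanged: debug logging …
    ClassLoader previous = savedContextLoader.get();
    savedContextLoader.remove();
    if (previous != null) {
        Thread.currentThread().setContextClassLoader(previous);
    } else {
        LOG.warn("RangerPluginClassLoader.deactivate(): no context classloader was saved for this thread; activate() was not called first");
    }
}
```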
@@ -0,0 +1,150 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.classloader;
+
+
+import java.io.File;
+import java.net.URI;
+import java.net.URL;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.util.ArrayList;
+import java.util.List;
+
+//import org.apache.commons.logging.Log;
+//import org.apache.commons.logging.LogFactory;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class RangerPluginClassLoaderUtil {
+
+ private static final Logger LOG = LoggerFactory.getLogger(RangerPluginClassLoaderUtil.class) ;
+
+ private static RangerPluginClassLoaderUtil config = null;
+ private static String rangerPluginLibDir = "ranger-%-plugin-impl";
+
+ public static RangerPluginClassLoaderUtil getInstance() {
+ RangerPluginClassLoaderUtil result = config;
+ if (result == null) {
+ synchronized (RangerPluginClassLoaderUtil.class) {
+ result = config;
+ if (result == null) {
+ config = result = new RangerPluginClassLoaderUtil();
+ }
+ }
+ }
+ return result;
+ }
+
+
+ public URL[] getPluginFilesForServiceTypeAndPluginclass( String serviceType, Class pluginClass) throws Exception {
+
+ URL[] ret = null;
+ if(LOG.isDebugEnabled()) {
+
LOG.debug("==> RangerPluginClassLoaderUtil.getPluginFilesForServiceTypeAndPluginclass(" + serviceType + ")" + " Pluging Class :" + pluginClass.getName()); + } + + String[] libDirs = new String[] { getPluginImplLibPath(serviceType, pluginClass) }; + + ret = getPluginFiles(libDirs); + + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerPluginClassLoaderUtil.getPluginFilesForServiceTypeAndPluginclass(" + serviceType + ")" + " Pluging Class :" + pluginClass.getName()); + } + + return ret; + + } + + private URL[] getPluginFiles(String[] libDirs) throws Exception { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerPluginClassLoaderUtil.getPluginFiles()"); + } + + List ret = new ArrayList(); + for ( String libDir : libDirs) { + getFilesInDirectory(libDir,ret); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerPluginClassLoaderUtil.getPluginFilesForServiceType(): " + ret.size() + " files"); + } + + return ret.toArray(new URL[] { }); + } + + private void getFilesInDirectory(String dirPath, List files) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerPluginClassLoaderUtil.getPluginFiles()"); + } + + if ( dirPath != null) { + try { + + File[] dirFiles = new File(dirPath).listFiles(); + + if(dirFiles != null) { + for(File dirFile : dirFiles) { + try { + URL jarPath = dirFile.toURI().toURL(); + + LOG.info("getFilesInDirectory('" + dirPath + "'): adding " + dirFile.getAbsolutePath()); + + files.add(jarPath); + } catch(Exception excp) { + LOG.warn("getFilesInDirectory('" + dirPath + "'): failed to get URI for file " + dirFile.getAbsolutePath(), excp); + } + } + } + } catch(Exception excp) { + LOG.warn("getFilesInDirectory('" + dirPath + "'): error", excp); + } + } else { + LOG.warn("getFilesInDirectory('" + dirPath + "'): could not find directory in path " + dirPath); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerPluginClassLoaderUtil.getFilesInDirectory(" + dirPath + ")"); + } + } + + private String getPluginImplLibPath(String serviceType, Class 
pluginClass) throws Exception { + + String ret = null; + + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerPluginClassLoaderUtil.getPluginImplLibPath for Class (" + pluginClass.getName() + ")"); + } + + URI uri = pluginClass.getProtectionDomain().getCodeSource().getLocation().toURI(); + + Path path = Paths.get(URI.create(uri.toString())); + + ret = path.getParent().toString() + File.separatorChar + rangerPluginLibDir.replaceAll("%", serviceType); + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerPluginClassLoaderUtil.getPluginImplLibPath for Class (" + pluginClass.getName() + " PATH :" + ret + ")"); + } + + return ret; + } +} diff --git a/ranger-plugin-classloader/src/test/java/org/apache/ranger/plugin/classloader/test/Impl/TestChildFistClassLoader.java b/ranger-plugin-classloader/src/test/java/org/apache/ranger/plugin/classloader/test/Impl/TestChildFistClassLoader.java new file mode 100644 index 00000000000..de45520211f --- /dev/null +++ b/ranger-plugin-classloader/src/test/java/org/apache/ranger/plugin/classloader/test/Impl/TestChildFistClassLoader.java 
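Review bot: In `getFilesInDirectory()`, `new File(dirPath).listFiles()` returns null when the computed `ranger-<type>-plugin-impl` directory is missing or unreadable, and that case falls through without any log — the `else` branch only fires for a null `dirPath` — so the plugin class loader is built with an empty URL list and the failure surfaces later as an unrelated ClassNotFoundException inside the shim. Add `if (dirFiles == null) { LOG.warn("getFilesInDirectory('" + dirPath + "'): directory missing or unreadable; no plugin impl jars will be loaded"); }` ahead of the existing `if(dirFiles != null)`. The method also deserves a comment that every entry in that directory is put on the class path and runs with the host component's privileges, so its permissions must be as tight as the component's own lib directory. Separately, `getPluginImplLibPath()` dereferences `pluginClass.getProtectionDomain().getCodeSource()` without a null check although `getCodeSource()` is documented as nullable; the resulting NPE would be reported by the shim only as a generic plugin-enable failure.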
@@ -0,0 +1,56 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.plugin.classloader.test.Impl; + +import java.io.File; +import java.net.URL; +import java.net.URLClassLoader; + +import org.apache.ranger.plugin.classloader.RangerPluginClassLoader; +import org.apache.ranger.plugin.classloader.test.TestPlugin; +import org.apache.ranger.plugin.classloader.test.TestPrintParent; + +public class TestChildFistClassLoader { + + public static void main(String [] args){ + TestPrintParent testPrint = new TestPrintParent(); + System.out.println(testPrint.getString()); + File file = null; + URL[] urls = null; + try { + file = new File(".." 
+ File.separatorChar + "TestPluginImpl.class"); + URL url = file.toPath().toUri().toURL(); + urls = new URL[] {url}; + } catch (Exception e) { + e.printStackTrace(); + } + + String[] libdirs = new String[] { file.getAbsolutePath() }; + + try { + @SuppressWarnings("resource") + RangerPluginClassLoader rangerPluginClassLoader = new RangerPluginClassLoader("hdfs", TestChildFistClassLoader.class); + TestPlugin testPlugin = (TestPlugin) rangerPluginClassLoader.loadClass("org.apache.ranger.plugin.classloader.test.Impl.TestPluginImpl").newInstance(); + System.out.println(testPlugin.print()); + } catch (Throwable t) { + t.printStackTrace(); + } + } +} diff --git a/ranger-plugin-classloader/src/test/java/org/apache/ranger/plugin/classloader/test/Impl/TestPluginImpl.java b/ranger-plugin-classloader/src/test/java/org/apache/ranger/plugin/classloader/test/Impl/TestPluginImpl.java new file mode 100644 index 00000000000..cbb3c671a54 --- /dev/null +++ b/ranger-plugin-classloader/src/test/java/org/apache/ranger/plugin/classloader/test/Impl/TestPluginImpl.java 
@@ -0,0 +1,32 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.classloader.test.Impl;
+
+import org.apache.ranger.plugin.classloader.test.TestPlugin;
+
+public class TestPluginImpl implements TestPlugin {
+
+ @Override
+ public String print() {
+ String ret = new TestPrint().getString();
+ return ret;
+ }
+
+}
diff --git a/ranger-plugin-classloader/src/test/java/org/apache/ranger/plugin/classloader/test/Impl/TestPrint.java b/ranger-plugin-classloader/src/test/java/org/apache/ranger/plugin/classloader/test/Impl/TestPrint.java
new file mode 100644
index 00000000000..8626ec46d35
--- /dev/null
+++ b/ranger-plugin-classloader/src/test/java/org/apache/ranger/plugin/classloader/test/Impl/TestPrint.java
@@ -0,0 +1,28 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.classloader.test.Impl;
+
+public class TestPrint {
+
+ public String getString(){
+ String ret = "Class Loaded by RangerPlugingClassLoader";
+ return ret;
+ }
+}
\ No newline at end of file
diff --git a/ranger-plugin-classloader/src/test/java/org/apache/ranger/plugin/classloader/test/TestPlugin.java b/ranger-plugin-classloader/src/test/java/org/apache/ranger/plugin/classloader/test/TestPlugin.java
new file mode 100644
index 00000000000..145d7a5df4e
--- /dev/null
+++ b/ranger-plugin-classloader/src/test/java/org/apache/ranger/plugin/classloader/test/TestPlugin.java
@@ -0,0 +1,24 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.classloader.test;
+
+public interface TestPlugin {
+ public String print();
+}
diff --git a/ranger-plugin-classloader/src/test/java/org/apache/ranger/plugin/classloader/test/TestPrintParent.java b/ranger-plugin-classloader/src/test/java/org/apache/ranger/plugin/classloader/test/TestPrintParent.java
new file mode 100644
index 00000000000..9524dfaa266
--- /dev/null
+++ b/ranger-plugin-classloader/src/test/java/org/apache/ranger/plugin/classloader/test/TestPrintParent.java
@@ -0,0 +1,29 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.classloader.test;
+
+public class TestPrintParent {
+
+ public String getString(){
+ String ret = "Loaded by Component ClassLoader";
+ return ret;
+ }
+
+}
diff --git a/ranger-storm-plugin-shim/pom.xml b/ranger-storm-plugin-shim/pom.xml
new file mode 100644
index 00000000000..397bb2fc9da
--- /dev/null
+++ b/ranger-storm-plugin-shim/pom.xml
@@ -0,0 +1,76 @@ + + + + 4.0.0 + security_plugins.ranger-storm-plugin-shim + ranger-storm-plugin-shim + Storm Security Plugin shim + Storm Security Plugins shim + jar + + UTF-8 + + + org.apache.ranger + ranger + 0.5.0 + .. + + + + org.apache.storm + storm-core + ${storm.version} + + + security_plugins.ranger-plugins-common + ranger-plugins-common + ${project.version} + + + security_plugins.ranger-plugins-audit + ranger-plugins-audit + ${project.version} + + + org.apache.ranger + credentialbuilder + ${project.version} + + + org.apache.hadoop + hadoop-hdfs + ${hadoop.version} + + + commons-cli + commons-cli + ${commons.cli.version} + + + org.apache.htrace + htrace-core + ${htrace-core.version} + + + security_plugins.ranger-plugin-classloader + ranger-plugin-classloader + ${project.version} + + + diff --git a/storm-agent/src/main/java/com/xasecure/authorization/storm/authorizer/XaSecureStormAuthorizer.java b/ranger-storm-plugin-shim/src/main/java/com/xasecure/authorization/storm/authorizer/XaSecureStormAuthorizer.java similarity index 100% rename from storm-agent/src/main/java/com/xasecure/authorization/storm/authorizer/XaSecureStormAuthorizer.java rename to ranger-storm-plugin-shim/src/main/java/com/xasecure/authorization/storm/authorizer/XaSecureStormAuthorizer.java diff --git a/ranger-storm-plugin-shim/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizer.java b/ranger-storm-plugin-shim/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizer.java new file mode 100644 index 00000000000..7c620ecf900 --- /dev/null +++ b/ranger-storm-plugin-shim/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizer.java 
@@ -0,0 +1,138 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.authorization.storm.authorizer;
+
+
+ import java.util.Map;
+
+ import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.apache.ranger.plugin.classloader.RangerPluginClassLoader;
+
+import backtype.storm.security.auth.IAuthorizer;
+import backtype.storm.security.auth.ReqContext;
+
+public class RangerStormAuthorizer implements IAuthorizer {
+ private static final Logger LOG = LoggerFactory.getLogger(RangerStormAuthorizer.class);
+
+ private static final String RANGER_PLUGIN_TYPE = "storm";
+ private static final String[] RANGER_PLUGIN_LIB_DIR = new String[] {"lib/ranger-storm-plugin"};
+ private static final String RANGER_STORM_AUTHORIZER_IMPL_CLASSNAME = "org.apache.ranger.authorization.storm.authorizer.RangerStormAuthorizer";
+
+ private IAuthorizer rangerStormAuthorizerImpl = null;
+ private static RangerPluginClassLoader rangerPluginClassLoader = null;
+
+ public RangerStormAuthorizer() {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerStormAuthorizer.RangerStormAuthorizer()");
+ }
+
+ this.init();
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerStormAuthorizer.RangerStormAuthorizer()");
+ }
+ }
+
+ private void init(){
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerStormAuthorizer.init()");
+ }
+
+ try {
+
+ rangerPluginClassLoader = RangerPluginClassLoader.getInstance(RANGER_PLUGIN_TYPE, this.getClass());
+
+ @SuppressWarnings("unchecked")
+ Class cls = (Class) Class.forName(RANGER_STORM_AUTHORIZER_IMPL_CLASSNAME, true, rangerPluginClassLoader);
+
+ activatePluginClassLoader();
+
+ rangerStormAuthorizerImpl = cls.newInstance();
+ } catch (Exception e) {
+ // check what need to be done
+ LOG.error("Error Enabling RangerStormPlugin", e);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerStormAuthorizer.init()");
+ }
+ }
+
+ @Override
+ public void prepare(Map storm_conf) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerStormAuthorizer.prepare()");
+ }
+
+ try {
+ activatePluginClassLoader();
+
+ rangerStormAuthorizerImpl.prepare(storm_conf);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerStormAuthorizer.prepare()");
+ }
+
+ }
+
+ @Override
+ public boolean permit(ReqContext context, String operation, Map topology_conf) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerStormAuthorizer.permit()");
+ }
+
+ boolean ret = false;
+
+ try {
+ activatePluginClassLoader();
+
+ ret = rangerStormAuthorizerImpl.permit(context, operation, topology_conf);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerStormAuthorizer.permit()");
+ }
+
+ return ret;
+ }
+
+
+ private void activatePluginClassLoader() {
+ if(rangerPluginClassLoader != null) {
+ rangerPluginClassLoader.activate();
+ }
+ }
+
+ private void deactivatePluginClassLoader() {
+ if(rangerPluginClassLoader != null) {
+ rangerPluginClassLoader.deactivate();
+ }
+ }
+
+}
diff --git a/ranger-yarn-plugin-shim/pom.xml b/ranger-yarn-plugin-shim/pom.xml
new file mode 100644
index 00000000000..d461ca580be
--- /dev/null
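Review bot: `init()` catches every exception raised while loading the Ranger implementation, logs it and returns, so the constructor succeeds with `rangerStormAuthorizerImpl` still null and every later `prepare()`/`permit()` call fails with a NullPointerException instead of the hosting component refusing to start with a broken authorizer. A plugin that cannot load its implementation should fail at construction; replace the catch body with `LOG.error("Error Enabling RangerStormPlugin", e); throw new IllegalStateException("Error Enabling RangerStormPlugin", e);` and drop the `// check what need to be done` placeholder. The RangerYarnAuthorizer hunk below has the identical pattern in its `init()`, where `checkPermission()` and `isAdmin()` would then throw in the same way. `RANGER_PLUGIN_LIB_DIR` is declared in this file but never referenced.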
+++ b/ranger-yarn-plugin-shim/pom.xml @@ -0,0 +1,66 @@ + + + + 4.0.0 + security_plugins.ranger-yarn-plugin-shim + ranger-yarn-plugin-shim + YARN Security Plugin Shim + YARN Security Plugin Shim + jar + + UTF-8 + + + org.apache.ranger + ranger + 0.5.0 + .. + + + + security_plugins.ranger-plugins-common + ranger-plugins-common + ${project.version} + + + security_plugins.ranger-plugins-audit + ranger-plugins-audit + ${project.version} + + + org.apache.ranger + credentialbuilder + ${project.version} + + + org.apache.hadoop + hadoop-yarn-common + ${hadoop.version} + + + org.apache.hadoop + hadoop-yarn-api + ${hadoop.version} + + + security_plugins.ranger-plugin-classloader + ranger-plugin-classloader + ${project.version} + + + diff --git a/ranger-yarn-plugin-shim/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java b/ranger-yarn-plugin-shim/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java new file mode 100644 index 00000000000..289d1c0b605 --- /dev/null +++ b/ranger-yarn-plugin-shim/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java 
@@ -0,0 +1,205 @@
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.authorization.yarn.authorizer;
+
+import java.util.Map;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.authorize.AccessControlList;
+import org.apache.hadoop.yarn.security.AccessType;
+import org.apache.hadoop.yarn.security.PrivilegedEntity;
+import org.apache.hadoop.yarn.security.YarnAuthorizationProvider;
+import org.apache.ranger.plugin.classloader.RangerPluginClassLoader;
+
+
+
+public class RangerYarnAuthorizer extends YarnAuthorizationProvider {
+ private static final Log LOG = LogFactory.getLog(RangerYarnAuthorizer.class);
+
+ private static final String RANGER_PLUGIN_TYPE = "yarn";
+ private static final String[] RANGER_PLUGIN_LIB_DIR = new String[] {"lib/ranger-yarn-plugin"};
+ private static final String RANGER_YARN_AUTHORIZER_IMPL_CLASSNAME = "org.apache.ranger.authorization.yarn.authorizer.RangerYarnAuthorizer";
+
+ private YarnAuthorizationProvider yarnAuthorizationProviderImpl = null;
+ private static RangerPluginClassLoader rangerPluginClassLoader = null;
+
+ public RangerYarnAuthorizer() {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerYarnAuthorizer.RangerYarnAuthorizer()");
+ }
+
+ this.init();
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerYarnAuthorizer.RangerYarnAuthorizer()");
+ }
+ }
+
+ private void init(){
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerYarnAuthorizer.init()");
+ }
+
+ try {
+
+ rangerPluginClassLoader = RangerPluginClassLoader.getInstance(RANGER_PLUGIN_TYPE, this.getClass());
+
+ @SuppressWarnings("unchecked")
+ Class cls = (Class) Class.forName(RANGER_YARN_AUTHORIZER_IMPL_CLASSNAME, true, rangerPluginClassLoader);
+
+ activatePluginClassLoader();
+
+ yarnAuthorizationProviderImpl = cls.newInstance();
+ } catch (Exception e) {
+ // check what need to be done
+ LOG.error("Error Enabling RangerYarnPluing", e);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerYarnAuthorizer.init()");
+ }
+ }
+
+ @Override
+ public void init(Configuration conf) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerYarnAuthorizer.init()");
+ }
+
+ try {
+ activatePluginClassLoader();
+
+ yarnAuthorizationProviderImpl.init(conf);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerYarnAuthorizer.start()");
+ }
+ }
+
+ @Override
+ public boolean checkPermission(AccessType accessType, PrivilegedEntity target, UserGroupInformation user) {
+
+ boolean ret = false;
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerYarnAuthorizer.checkPermission()");
+ }
+
+ try {
+ activatePluginClassLoader();
+
+ ret = yarnAuthorizationProviderImpl.checkPermission(accessType, target, user);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerYarnAuthorizer.checkPermission()");
+ }
+
+ return ret;
+ }
+
+ @Override
+ public void setPermission(PrivilegedEntity target, Map acls, UserGroupInformation ugi) {
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerYarnAuthorizer.setPermission()");
+ }
+
+ try {
+ activatePluginClassLoader();
+
+ yarnAuthorizationProviderImpl.setPermission(target, acls, ugi);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerYarnAuthorizer.setPermission()");
+ }
+ }
+
+ @Override
+ public void setAdmins(AccessControlList acls, UserGroupInformation ugi) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerYarnAuthorizer.setAdmins()");
+ }
+
+ try {
+ activatePluginClassLoader();
+
+ yarnAuthorizationProviderImpl.setAdmins(acls, ugi);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerYarnAuthorizer.setAdmins()");
+ }
+ }
+
+ @Override
+ public boolean isAdmin(UserGroupInformation ugi) {
+
+ boolean ret = false;
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerYarnAuthorizer.setAdmins()");
+ }
+
+ try {
+ activatePluginClassLoader();
+
+ ret = yarnAuthorizationProviderImpl.isAdmin(ugi);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerYarnAuthorizer.setAdmins()");
+ }
+
+ return ret;
+ }
+
+ private void activatePluginClassLoader() {
+ if(rangerPluginClassLoader != null) {
+ rangerPluginClassLoader.activate();
+ }
+ }
+
+ private void deactivatePluginClassLoader() {
+ if(rangerPluginClassLoader != null) {
+ rangerPluginClassLoader.deactivate();
+ }
+ }
+
+
+}
\ No newline at end of file
diff --git a/src/main/assembly/hbase-agent.xml b/src/main/assembly/hbase-agent.xml
index 0f2206609b2..0ffc65cf4d9 100644
--- a/src/main/assembly/hbase-agent.xml
+++ b/src/main/assembly/hbase-agent.xml
@@ -24,6 +24,19 @@ ${project.name}-${project.version}-hbase-plugin true + + + false + false + 755 + 644 + /lib + + + security_plugins.ranger-hbase-plugin-shim:ranger-hbase-plugin-shim + security_plugins.ranger-plugin-classloader:ranger-plugin-classloader + + false
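Review bot: The entry and exit trace messages in `isAdmin()` both say `setAdmins()`, and `init(Configuration)` exits with `"<== RangerYarnAuthorizer.start()"`, so debug logs attribute admin checks and initialisation to the wrong methods when someone traces an authorization decision; the error text `"Error Enabling RangerYarnPluing"` is also misspelled. Change the two `isAdmin()` lines to `LOG.debug("==> RangerYarnAuthorizer.isAdmin()");` and `LOG.debug("<== RangerYarnAuthorizer.isAdmin()");`, and the exit line of `init(Configuration)` to `LOG.debug("<== RangerYarnAuthorizer.init()");`.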
@@ -32,17 +45,17 @@ 644 - /lib + /lib/ranger-hbase-plugin-impl com.google.code.gson:gson* org.eclipse.persistence:eclipselink - org.apache.httpcomponents:httpmime:jar:${httpcomponent.httpmime.version} - org.noggit:noggit:jar:${noggit.version} + org.apache.httpcomponents:httpmime:jar:${httpcomponent.httpmime.version} + org.noggit:noggit:jar:${noggit.version} false - /lib + /lib/ranger-hbase-plugin-impl org.apache.ranger:ranger_solrj @@ -55,7 +68,7 @@ - false + true /install/lib @@ -67,7 +80,7 @@ commons-io:commons-io:jar:${commons.io.version} commons-lang:commons-lang commons-logging:commons-logging:jar:${commons.logging.version} - com.google.guava:guava:jar:${guava.version} + com.google.guava:guava:jar:${google.guava.version} org.hamcrest:hamcrest-all junit:junit org.slf4j:slf4j-api:jar:${slf4j-api.version} diff --git a/src/main/assembly/hdfs-agent.xml b/src/main/assembly/hdfs-agent.xml index 2c180010cd5..deec461f52b 100644 --- a/src/main/assembly/hdfs-agent.xml +++ b/src/main/assembly/hdfs-agent.xml @@ -24,39 +24,24 @@ ${project.name}-${project.version}-hdfs-plugin true + false false 755 644 - - - /lib - - com.google.code.gson:gson* - org.eclipse.persistence:javax.persistence - org.eclipse.persistence:eclipselink - org.apache.httpcomponents:httpmime:jar:${httpcomponent.httpmime.version} - org.noggit:noggit:jar:${noggit.version} - - false - - - /lib + /lib - org.apache.ranger:ranger_solrj - security_plugins.ranger-plugins-audit:ranger-plugins-audit - security_plugins.ranger-plugins-cred:ranger-plugins-cred - security_plugins.ranger-plugins-impl:ranger-plugins-impl - security_plugins.ranger-plugins-common:ranger-plugins-common - security_plugins.ranger-hdfs-plugin:ranger-hdfs-plugin - + security_plugins.ranger-hdfs-plugin-shim:ranger-hdfs-plugin-shim + security_plugins.ranger-plugin-classloader:ranger-plugin-classloader + + - false + true /install/lib 
@@ -68,9 +53,9 @@ commons-io:commons-io:jar:${commons.io.version} commons-lang:commons-lang commons-logging:commons-logging:jar:${commons.logging.version} - com.google.guava:guava:jar:${guava.version} + com.google.guava:guava:jar:${google.guava.version} org.hamcrest:hamcrest-all - junit:junit + junit:junit:${junit.version} org.slf4j:slf4j-api:jar:${slf4j-api.version} org.apache.hadoop:hadoop-common:jar:${hadoop-common.version} org.apache.hadoop:hadoop-auth:jar:${hadoop-common.version} @@ -85,6 +70,38 @@ org.apache.ranger:credentialbuilder + + + + true + false + 755 + 644 + + + /lib/ranger-hdfs-plugin-impl + + com.google.code.gson:gson* + org.eclipse.persistence:javax.persistence + org.eclipse.persistence:eclipselink + org.apache.httpcomponents:httpmime:jar:${httpcomponent.httpmime.version} + org.noggit:noggit:jar:${noggit.version} + + false + + + /lib/ranger-hdfs-plugin-impl + + + org.apache.ranger:ranger_solrj + security_plugins.ranger-plugins-audit:ranger-plugins-audit + security_plugins.ranger-plugins-cred:ranger-plugins-cred + security_plugins.ranger-plugins-impl:ranger-plugins-impl + security_plugins.ranger-plugins-common:ranger-plugins-common + security_plugins.ranger-hdfs-plugin:ranger-hdfs-plugin + + + diff --git a/src/main/assembly/hive-agent.xml b/src/main/assembly/hive-agent.xml index d21c6b8e593..91225472c52 100644 --- a/src/main/assembly/hive-agent.xml +++ b/src/main/assembly/hive-agent.xml @@ -24,6 +24,19 @@ ${project.name}-${project.version}-hive-plugin true + + + false + false + 755 + 644 + /lib + + + security_plugins.ranger-hive-plugin-shim:ranger-hive-plugin-shim + security_plugins.ranger-plugin-classloader:ranger-plugin-classloader + + false 
@@ -32,18 +45,18 @@ 644 - /lib + /lib/ranger-hive-plugin-impl com.google.code.gson:gson* org.eclipse.persistence:eclipselink org.eclipse.persistence:javax.persistence - org.apache.httpcomponents:httpmime:jar:${httpcomponent.httpmime.version} - org.noggit:noggit:jar:${noggit.version} + org.apache.httpcomponents:httpmime:jar:${httpcomponent.httpmime.version} + org.noggit:noggit:jar:${noggit.version} false - /lib + /lib/ranger-hive-plugin-impl org.apache.ranger:ranger_solrj @@ -56,7 +69,7 @@ - false + true /install/lib @@ -68,7 +81,7 @@ commons-io:commons-io:jar:${commons.io.version} commons-lang:commons-lang commons-logging:commons-logging:jar:${commons.logging.version} - com.google.guava:guava:jar:${guava.version} + com.google.guava:guava:jar:${google.guava.version} org.hamcrest:hamcrest-all junit:junit org.slf4j:slf4j-api:jar:${slf4j-api.version} diff --git a/src/main/assembly/knox-agent.xml b/src/main/assembly/knox-agent.xml index 7c082708be2..dc73f69aaf2 100644 --- a/src/main/assembly/knox-agent.xml +++ b/src/main/assembly/knox-agent.xml @@ -24,6 +24,21 @@ ${project.name}-${project.version}-knox-plugin true + + + + false + false + 755 + 644 + /lib + + + security_plugins.ranger-knox-plugin-shim:ranger-knox-plugin-shim + security_plugins.ranger-plugin-classloader:ranger-plugin-classloader + + + false @@ -32,9 +47,10 @@ 644 - /lib + /lib/ranger-knox-plugin-impl commons-configuration:commons-configuration + com.google.code.gson:gson* org.apache.httpcomponents:httpmime:jar:${httpcomponent.httpmime.version} org.noggit:noggit:jar:${noggit.version} com.google.protobuf:protobuf-java:jar:${protobuf-java.version} @@ -44,7 +60,7 @@ false - /lib + /lib/ranger-knox-plugin-impl org.apache.ranger:ranger_solrj 
@@ -71,7 +87,7 @@ commons-io:commons-io:jar:${commons.io.version} commons-lang:commons-lang commons-logging:commons-logging:jar:${commons.logging.version} - com.google.guava:guava:jar:${guava.version} + com.google.guava:guava:jar:${google.guava.version} org.hamcrest:hamcrest-all junit:junit org.slf4j:slf4j-api:jar:${slf4j-api.version} diff --git a/src/main/assembly/plugin-kafka.xml b/src/main/assembly/plugin-kafka.xml index 3727bdeb9f1..31498e5f377 100644 --- a/src/main/assembly/plugin-kafka.xml +++ b/src/main/assembly/plugin-kafka.xml @@ -19,15 +19,29 @@ true + + + false + false + 755 + 644 + /lib + + + security_plugins.ranger-kafka-plugin-shim:ranger-kafka-plugin-shim + security_plugins.ranger-plugin-classloader:ranger-plugin-classloader + + + - false + true false 755 644 - /lib + lib/ranger-kafka-plugin-impl false commons-configuration:commons-configuration:jar:${commons.configuration.version} @@ -38,6 +52,7 @@ org.apache.hadoop:hadoop-auth:jar:${hadoop-common.version} + org.apache.hadoop:hadoop-hdfs:jar:${hadoop.version} com.google.code.gson:gson org.eclipse.persistence:eclipselink org.eclipse.persistence:javax.persistence @@ -47,7 +62,7 @@ commons-lang:commons-lang commons-io:commons-io - com.google.guava:guava:jar:${guava.version} + com.google.guava:guava:jar:${google.guava.version} org.apache.httpcomponents:httpclient:jar:${httpcomponent.httpclient.version} org.apache.httpcomponents:httpcore:jar:${httpcomponent.httpcore.version} @@ -59,7 +74,6 @@ org.codehaus.jackson:jackson-jaxrs org.codehaus.jackson:jackson-mapper-asl org.codehaus.jackson:jackson-xc - @@ -77,7 +91,7 @@ commons-lang:commons-lang:jar:${commons.lang.version} commons-logging:commons-logging - com.google.guava:guava:jar:${guava.version} + com.google.guava:guava:jar:${google.guava.version} org.hamcrest:hamcrest-all junit:junit org.slf4j:slf4j-api:jar:${slf4j-api.version} 
@@ -91,20 +105,14 @@ - /lib + lib/ranger-kafka-plugin-impl + security_plugins.ranger-kafka-plugin:ranger-kafka-plugin org.apache.ranger:ranger_solrj - security_plugins.ranger-plugins-audit:ranger-plugins-audit - - security_plugins.ranger-plugins-cred:ranger-plugins-cred - - security_plugins.ranger-plugins-impl:ranger-plugins-impl - - security_plugins.ranger-plugins-common:ranger-plugins-common - - security_plugins.ranger-kafka-plugin:ranger-kafka-plugin - + security_plugins.ranger-plugins-audit:ranger-plugins-audit + security_plugins.ranger-plugins-cred:ranger-plugins-cred + security_plugins.ranger-plugins-common:ranger-plugins-common diff --git a/src/main/assembly/plugin-yarn.xml b/src/main/assembly/plugin-yarn.xml index a791bba40e9..6f8e33bb642 100644 --- a/src/main/assembly/plugin-yarn.xml +++ b/src/main/assembly/plugin-yarn.xml @@ -24,6 +24,20 @@ ${project.name}-${project.version}-yarn-plugin true + + + false + false + 755 + 644 + /lib + + + security_plugins.ranger-yarn-plugin-shim:ranger-yarn-plugin-shim + security_plugins.ranger-plugin-classloader:ranger-plugin-classloader + + + false @@ -32,7 +46,7 @@ 644 - /lib + /lib/ranger-yarn-plugin-impl false org.apache.hadoop:hadoop-common:jar:${hadoop-common.version} @@ -54,8 +68,8 @@ commons-configuration:commons-configuration:jar:${commons.configuration.version} commons-io:commons-io:jar:${commons.io.version} commons-lang:commons-lang:jar:${commons.lang.version} - commons-logging:commons-logging - com.google.guava:guava:jar:${guava.version} + commons-logging:commons-logging:jar:${commons.logging.version} + com.google.guava:guava:jar:${google.guava.version} org.hamcrest:hamcrest-all junit:junit org.slf4j:slf4j-api:jar:${slf4j-api.version} @@ -66,7 +80,7 @@ - /lib + /lib/ranger-yarn-plugin-impl org.apache.ranger:ranger_solrj @@ -79,7 +93,7 @@ - false + true /install/lib false diff --git a/src/main/assembly/storm-agent.xml b/src/main/assembly/storm-agent.xml index 12ec0523d03..a5f4b2c817b 100644 
--- a/src/main/assembly/storm-agent.xml +++ b/src/main/assembly/storm-agent.xml @@ -27,12 +27,25 @@ false + false + 755 + 644 + /lib + + + security_plugins.ranger-storm-plugin-shim:ranger-storm-plugin-shim + security_plugins.ranger-plugin-classloader:ranger-plugin-classloader + + + + + true false 755 644 - /lib + lib/ranger-storm-plugin-impl false commons-configuration:commons-configuration:jar:${commons.configuration.version} @@ -44,7 +57,7 @@ commons-collections:commons-collections com.sun.jersey:jersey-bundle commons-logging:commons-logging:jar:${commons.logging.version} - com.google.guava:guava:jar:${guava.version} + com.google.guava:guava:jar:${google.guava.version} org.codehaus.jackson:jackson-jaxrs:jar:${codehaus.jackson.version} org.codehaus.jackson:jackson-core-asl:jar:${codehaus.jackson.storm.version} org.codehaus.jackson:jackson-mapper-asl:jar:${codehaus.jackson.storm.version} @@ -55,7 +68,7 @@ com.google.protobuf:protobuf-java:jar:${protobuf-java.version} org.apache.hadoop:hadoop-hdfs:jar:${hadoop.version} org.apache.htrace:htrace-core:jar:${htrace-core.version} - commons-cli:commons-cli:jar:${commons.cli.version} + commons-cli:commons-cli:jar:${commons.cli.version} commons-lang:commons-lang:jar:${commons.lang.version} commons-io:commons-io:jar:${commons.io.version} @@ -72,7 +85,7 @@ commons-io:commons-io:jar:${commons.io.version} commons-lang:commons-lang:jar:${commons.lang.version} commons-logging:commons-logging - com.google.guava:guava:jar:${guava.version} + com.google.guava:guava:jar:${google.guava.version} org.hamcrest:hamcrest-all junit:junit org.slf4j:slf4j-api:jar:${slf4j-api.version} @@ -83,7 +96,7 @@ - /lib + lib/ranger-storm-plugin-impl org.apache.ranger:ranger_solrj From 709f6ffacf36c116233a1fe06280e03cf36b5e7b Mon Sep 17 00:00:00 2001 
From: rmani Date: Wed, 28 Oct 2015 16:18:35 -0700 Subject: [PATCH 083/202] RANGER-700:Provide a wrapper shell script to run the FileSourceUserGroupBuilder process --- src/main/assembly/usersync.xml | 9 +++ .../run-filesource-usersync.sh | 72 +++++++++++++++++++ 2 files changed, 81 insertions(+) create mode 100644 ugsync/filesourceusersynctool/run-filesource-usersync.sh diff --git a/src/main/assembly/usersync.xml b/src/main/assembly/usersync.xml index 161a443ce67..211db7cfacc 100644 --- a/src/main/assembly/usersync.xml +++ b/src/main/assembly/usersync.xml @@ -134,6 +134,15 @@ 544 + + 755 + 755 + /usersync_tool + ugsync/filesourceusersynctool + + run-filesource-usersync.sh + + 755 755 diff --git a/ugsync/filesourceusersynctool/run-filesource-usersync.sh b/ugsync/filesourceusersynctool/run-filesource-usersync.sh new file mode 100644 index 00000000000..6badfa11ea7 --- /dev/null +++ b/ugsync/filesourceusersynctool/run-filesource-usersync.sh 
@@ -0,0 +1,72 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+usage() {
+ echo "usage: run-filesource-usergroupsync.sh
+ -h show help.
+ -i Input file name ( csv or json file )
+ JSON FILE FORMAT
+ {
+ "user1":["group-1", "group-2", "group-3"],
+ "user2":["group-x","group-y","group-z"]
+ }
+
+ CSV FILE FORMAT
+ user-1,group-1,group-2,group-3
+ user-2,group-x,group-y,group-z"
+ exit 1
+}
+
+logdir="/var/log/ranger/usersync"
+scriptPath=$(cd "$(dirname "$0")"; pwd)
+ugsync_home="${scriptPath}/.."
+cp="${ugsync_home}/dist/*:${ugsync_home}/lib/*:${ugsync_home}/conf"
+
+JAVA_CMD="java -Dlogdir=${logdir} -cp ${cp} org.apache.ranger.unixusersync.process.FileSourceUserGroupBuilder"
+
+while getopts "i:h" opt; do
+ case $opt in
+ i) JAVA_CMD="$JAVA_CMD $OPTARG"
+ fileName=$OPTARG
+ ;;
+ h) usage
+ ;;
+ \?) echo -e \\n"Option -$OPTARG not allowed."
+ usage
+ ;;
+ esac
+done
+
+if [ $OPTIND -eq 1 ];
+then
+ usage;
+fi
+
+echo "JAVA commnad = $JAVA_CMD"
+
+if [ "${JAVA_HOME}" != "" ]
+then
+ export JAVA_HOME
+ PATH="${JAVA_HOME}/bin:${PATH}"
+ export PATH
+fi
+$JAVA_CMD
+errorCode=$?
+if [ ${errorCode} -eq 0 ]; then
+ echo "Successfully loaded users/groups from file ${fileName}"
+else
+ echo "Failed to load users/groups from file ${fileName}: error code=${errorCode}"
+fi
From f47cbd13d9049462cf685748cf81be95c858da60 Mon Sep 17 00:00:00 2001
From: Gautam Borad
Date: Wed, 28 Oct 2015 13:53:37 +0530
Subject: [PATCH 084/202] RANGER-706 : Optimize audit db upgrade patches to minimize timeout issues
---
 .../patches/audit/011-auditcolumnssize.sql | 11 ++----
 .../patches/audit/015-auditlogaggregation.sql | 20 ++------
 .../patches/audit/011-auditcolumnssize.sql | 14 ++------
 .../patches/audit/015-auditlogaggregation.sql | 34 +++++--------------
 4 files changed, 20 insertions(+), 59 deletions(-)
diff --git a/security-admin/db/mysql/patches/audit/011-auditcolumnssize.sql b/security-admin/db/mysql/patches/audit/011-auditcolumnssize.sql
index b38ae8c93c1..a8c7b81edaf 100644
--- a/security-admin/db/mysql/patches/audit/011-auditcolumnssize.sql
+++ b/security-admin/db/mysql/patches/audit/011-auditcolumnssize.sql
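Review bot: `$JAVA_CMD` is expanded unquoted on the `$JAVA_CMD` line, so the file name appended by `-i` and the `${cp}` classpath undergo word splitting and pathname expansion; an input path containing whitespace reaches FileSourceUserGroupBuilder as several arguments, and an `ugsync_home` with spaces breaks the classpath. Build the command as an array and expand it with `"${JAVA_CMD[@]}"`, as below. The `usage()` text also contains unescaped double quotes inside a double-quoted string (`"user1":["group-1", ...]`), which ends the string early and leaves the `[...]` fragments as bare words subject to glob expansion; printing it through a quoted heredoc (`cat <<'EOF'`) would emit it verbatim.
```shell
JAVA_CMD=(java "-Dlogdir=${logdir}" -cp "${cp}" org.apache.ranger.unixusersync.process.FileSourceUserGroupBuilder)
# … unchanged: getopts loop, apart from the -i branch …
    i) JAVA_CMD+=("$OPTARG")
       fileName=$OPTARG
       ;;
# … unchanged: OPTIND check, JAVA_HOME handling …
echo "JAVA command = ${JAVA_CMD[*]}"
"${JAVA_CMD[@]}"
errorCode=$?
```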
@@ -18,14 +18,9 @@ drop procedure if exists increase_column_size_of_xa_access_audit_table; delimiter ;; create procedure increase_column_size_of_xa_access_audit_table() begin - /* change request_data data size from 2000 to 4000 */ - if exists (select * from information_schema.columns where table_schema=database() and table_name = 'xa_access_audit' and column_name = 'request_data' and data_type='varchar' and CHARACTER_MAXIMUM_LENGTH=2000) then - ALTER TABLE `xa_access_audit` CHANGE `request_data` `request_data` VARCHAR(4000) NULL DEFAULT NULL ; - end if; - - /* change resource_path data size from 2000 to 4000 */ - if exists (select * from information_schema.columns where table_schema=database() and table_name = 'xa_access_audit' and column_name = 'resource_path' and data_type='varchar' and CHARACTER_MAXIMUM_LENGTH=2000) then - ALTER TABLE `xa_access_audit` CHANGE `resource_path` `resource_path` VARCHAR(4000) NULL DEFAULT NULL ; + /* change request_data and resource_path column size from 2000 to 4000 */ + if exists (select * from information_schema.columns where table_schema=database() and table_name = 'xa_access_audit' and (column_name = 'request_data' or column_name = 'resource_path') and data_type='varchar' and CHARACTER_MAXIMUM_LENGTH=2000) then + ALTER TABLE `xa_access_audit` CHANGE `request_data` `request_data` VARCHAR(4000) NULL DEFAULT NULL,CHANGE `resource_path` `resource_path` VARCHAR(4000) NULL DEFAULT NULL; end if; end;; diff --git a/security-admin/db/mysql/patches/audit/015-auditlogaggregation.sql b/security-admin/db/mysql/patches/audit/015-auditlogaggregation.sql index c88c5b414f3..7990f86815d 100644 --- a/security-admin/db/mysql/patches/audit/015-auditlogaggregation.sql +++ b/security-admin/db/mysql/patches/audit/015-auditlogaggregation.sql 
@@ -20,19 +20,11 @@ create procedure add_columns_to_support_audit_log_aggregation() begin if exists (select * from information_schema.columns where table_schema=database() and table_name = 'xa_access_audit') then if not exists (select * from information_schema.columns where table_schema=database() and table_name = 'xa_access_audit' and column_name = 'seq_num') then - ALTER TABLE `xa_access_audit` ADD `seq_num` bigint NULL DEFAULT 0; - end if; - end if; - - if exists (select * from information_schema.columns where table_schema=database() and table_name = 'xa_access_audit') then - if not exists (select * from information_schema.columns where table_schema=database() and table_name = 'xa_access_audit' and column_name = 'event_count') then - ALTER TABLE `xa_access_audit` ADD `event_count` bigint NULL DEFAULT 1; - end if; - end if; - - if exists (select * from information_schema.columns where table_schema=database() and table_name = 'xa_access_audit') then - if not exists (select * from information_schema.columns where table_schema=database() and table_name = 'xa_access_audit' and column_name = 'event_dur_ms') then - ALTER TABLE `xa_access_audit` ADD `event_dur_ms` bigint NULL DEFAULT 1; + if not exists (select * from information_schema.columns where table_schema=database() and table_name = 'xa_access_audit' and column_name = 'event_count') then + if not exists (select * from information_schema.columns where table_schema=database() and table_name = 'xa_access_audit' and column_name = 'event_dur_ms') then + ALTER TABLE `xa_access_audit` ADD `seq_num` bigint NULL DEFAULT 0,ADD `event_count` bigint NULL DEFAULT 1,ADD `event_dur_ms` bigint NULL DEFAULT 1; + end if; + end if; end if; end if; @@ -41,4 +33,4 @@ end;; delimiter ; call add_columns_to_support_audit_log_aggregation(); -drop procedure if exists add_columns_to_support_audit_log_aggregation; \ No newline at end of file +drop procedure if exists add_columns_to_support_audit_log_aggregation; 
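Review bot: The new nested `if not exists` chain adds the three columns only when all of them are missing, so an audit database where an earlier run (or the previous per-column version of this patch) already created `seq_num` ends up with `event_count` and `event_dur_ms` never added, while the procedure still completes as if it had succeeded. The old code handled each column independently; the same all-or-nothing guard is introduced in the Oracle 015-auditlogaggregation.sql hunk (`v_column1_exists = 0 AND v_column2_exists = 0 AND v_column3_exists = 0`). Keep the single combined ALTER for the all-missing case, but add an `else` path that either adds the missing columns individually or raises an error, so a partially migrated `xa_access_audit` cannot pass silently.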
diff --git a/security-admin/db/oracle/patches/audit/011-auditcolumnssize.sql b/security-admin/db/oracle/patches/audit/011-auditcolumnssize.sql index 35a932042f1..ad601878e29 100644 --- a/security-admin/db/oracle/patches/audit/011-auditcolumnssize.sql +++ b/security-admin/db/oracle/patches/audit/011-auditcolumnssize.sql @@ -19,21 +19,11 @@ DECLARE BEGIN Select count(*) into v_column_exists from user_tab_cols - where column_name = upper('REQUEST_DATA') + where (column_name = upper('REQUEST_DATA') or column_name = upper('RESOURCE_PATH')) and table_name = upper('XA_ACCESS_AUDIT') and DATA_TYPE='VARCHAR2' and DATA_LENGTH=2000; if (v_column_exists = 1) then - execute immediate 'ALTER TABLE XA_ACCESS_AUDIT modify(REQUEST_DATA VARCHAR(4000) DEFAULT NULL)'; - commit; - end if; - v_column_exists:=0; - Select count(*) into v_column_exists - from user_tab_cols - where column_name = upper('RESOURCE_PATH') - and table_name = upper('XA_ACCESS_AUDIT') and DATA_TYPE='VARCHAR2' and DATA_LENGTH=2000; - - if (v_column_exists = 1) then - execute immediate 'ALTER TABLE XA_ACCESS_AUDIT modify(RESOURCE_PATH VARCHAR(4000) DEFAULT NULL)'; + execute immediate 'ALTER TABLE XA_ACCESS_AUDIT modify(REQUEST_DATA VARCHAR(4000) DEFAULT NULL,RESOURCE_PATH VARCHAR(4000) DEFAULT NULL)'; commit; end if; end;/ \ No newline at end of file diff --git a/security-admin/db/oracle/patches/audit/015-auditlogaggregation.sql b/security-admin/db/oracle/patches/audit/015-auditlogaggregation.sql index 756ee6177bd..5c099e8191c 100644 --- a/security-admin/db/oracle/patches/audit/015-auditlogaggregation.sql +++ b/security-admin/db/oracle/patches/audit/015-auditlogaggregation.sql 
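Review bot: The widened `Select count(*) into v_column_exists` now counts both `REQUEST_DATA` and `RESOURCE_PATH`, so on the normal upgrade path where both columns are still VARCHAR2(2000) the count is 2 and `if (v_column_exists = 1)` skips the ALTER entirely; it only fires when exactly one column was already widened. Change the guard to `if (v_column_exists > 0) then` — the combined `modify` is harmless for a column that is already at 4000. The MySQL 011 hunk uses `if exists` and does not have this problem.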
@@ -14,43 +14,27 @@ -- limitations under the License. DECLARE - v_column_exists number := 0; + v_column1_exists number := 0; + v_column2_exists number := 0; + v_column3_exists number := 0; BEGIN - Select count(*) into v_column_exists + Select count(*) into v_column1_exists from user_tab_cols where column_name = upper('seq_num') and table_name = upper('XA_ACCESS_AUDIT'); - if (v_column_exists = 0) then - execute immediate 'ALTER TABLE XA_ACCESS_AUDIT ADD seq_num NUMBER(20) DEFAULT 0 NULL'; - commit; - end if; -end;/ - -DECLARE - v_column_exists number := 0; -BEGIN - Select count(*) into v_column_exists + Select count(*) into v_column2_exists from user_tab_cols where column_name = upper('event_count') and table_name = upper('XA_ACCESS_AUDIT'); - if (v_column_exists = 0) then - execute immediate 'ALTER TABLE XA_ACCESS_AUDIT ADD event_count NUMBER(20) DEFAULT 1 NULL'; - commit; - end if; -end;/ - -DECLARE - v_column_exists number := 0; -BEGIN - Select count(*) into v_column_exists + Select count(*) into v_column3_exists from user_tab_cols where column_name = upper('event_dur_ms') and table_name = upper('XA_ACCESS_AUDIT'); - if (v_column_exists = 0) then - execute immediate 'ALTER TABLE XA_ACCESS_AUDIT ADD event_dur_ms NUMBER(20) DEFAULT 1 NULL'; + if (v_column1_exists = 0) AND (v_column2_exists = 0) AND (v_column3_exists = 0) then + execute immediate 'ALTER TABLE XA_ACCESS_AUDIT ADD (seq_num NUMBER(20) DEFAULT 0 NULL,event_count NUMBER(20) DEFAULT 1 NULL,event_dur_ms NUMBER(20) DEFAULT 1 NULL)'; commit; end if; -end;/ \ No newline at end of file +end;/ From 3a4372e7354049c570ed1cec2f2232159c1f9816 Mon Sep 17 00:00:00 2001 From: Sailaja Polavarapu Date: Wed, 28 Oct 2015 13:14:24 -0700 Subject: [PATCH 085/202] Ranger-684: Added support for Ranger Usersync to transform AD usernames and/or group names to linux compliant format 
Signed-off-by: Velmurugan Periasamy --- ugsync/pom.xml | 5 ++ .../process/LdapUserGroupBuilder.java | 50 +++++++++++ .../config/UserGroupSyncConfig.java | 47 ++++++++++ .../ranger/usergroupsync/AbstractMapper.java | 40 +++++++++ .../apache/ranger/usergroupsync/Mapper.java | 26 ++++++ .../apache/ranger/usergroupsync/RegEx.java | 83 +++++++++++++++++ .../ranger/usergroupsync/RegExTest.java | 89 +++++++++++++++++++ 7 files changed, 340 insertions(+) create mode 100644 ugsync/src/main/java/org/apache/ranger/usergroupsync/AbstractMapper.java create mode 100644 ugsync/src/main/java/org/apache/ranger/usergroupsync/Mapper.java create mode 100644 ugsync/src/main/java/org/apache/ranger/usergroupsync/RegEx.java create mode 100644 ugsync/src/test/java/org/apache/ranger/usergroupsync/RegExTest.java diff --git a/ugsync/pom.xml b/ugsync/pom.xml index c72eeee69bd..d0ecb2f29ea 100644 --- a/ugsync/pom.xml +++ b/ugsync/pom.xml @@ -105,6 +105,11 @@ ${project.version} + + junit + junit + test + diff --git a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java index 63643c0675f..911c5d51b5f 100644 --- a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java +++ b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java @@ -42,6 +42,7 @@ import org.apache.log4j.Logger; import org.apache.ranger.unixusersync.config.UserGroupSyncConfig; +import org.apache.ranger.usergroupsync.AbstractMapper; import org.apache.ranger.usergroupsync.UserGroupSink; import org.apache.ranger.usergroupsync.UserGroupSource; 
@@ -91,6 +92,9 @@ public class LdapUserGroupBuilder implements UserGroupSource {
 private boolean groupNameLowerCaseFlag = false ;
 private boolean groupUserMapSyncEnabled = false;
+
+ AbstractMapper userNameRegExInst = null;
+ AbstractMapper groupNameRegExInst = null;
 public static void main(String[] args) throws Throwable {
 LdapUserGroupBuilder ugBuilder = new LdapUserGroupBuilder();
@@ -120,6 +124,39 @@ public LdapUserGroupBuilder() {
 groupNameLowerCaseFlag = UserGroupSyncConfig.UGSYNC_LOWER_CASE_CONVERSION_VALUE.equalsIgnoreCase(groupNameCaseConversion) ;
 }
+ String mappingUserNameHandler = config.getUserSyncMappingUserNameHandler();
+ try {
+ if (mappingUserNameHandler != null) {
+ Class regExClass = (Class)Class.forName(mappingUserNameHandler);
+ userNameRegExInst = regExClass.newInstance();
+ if (userNameRegExInst != null) {
+ userNameRegExInst.init(UserGroupSyncConfig.SYNC_MAPPING_USERNAME);
+ } else {
+ LOG.error("RegEx handler instance for username is null!");
+ }
+ }
+ } catch (ClassNotFoundException cne) {
+ LOG.error("Failed to load " + mappingUserNameHandler + " " + cne);
+ } catch (Throwable te) {
+ LOG.error("Failed to instantiate " + mappingUserNameHandler + " " + te);
+ }
+
+ String mappingGroupNameHandler = config.getUserSyncMappingGroupNameHandler();
+ try {
+ if (mappingGroupNameHandler != null) {
+ Class regExClass = (Class)Class.forName(mappingGroupNameHandler);
+ groupNameRegExInst = regExClass.newInstance();
+ if (groupNameRegExInst != null) {
+ groupNameRegExInst.init(UserGroupSyncConfig.SYNC_MAPPING_GROUPNAME);
+ } else {
+ LOG.error("RegEx handler instance for groupname is null!");
+ }
+ }
+ } catch (ClassNotFoundException cne) {
+ LOG.error("Failed to load " + mappingGroupNameHandler + " " + cne);
+ } catch (Throwable te) {
+ LOG.error("Failed to instantiate " + mappingGroupNameHandler + " " + te);
+ }
 }
 @Override
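Review bot: When the configured handler class cannot be loaded or instantiated, the constructor logs the error and usersync continues with `userNameRegExInst`/`groupNameRegExInst` left null, so every name is synced untransformed; for a feature whose purpose is to normalise identities before they reach Ranger policies, that degradation should be an unmistakable failure rather than a log line, and the `catch (Throwable te)` additionally swallows `Error`s. The `if (userNameRegExInst != null) … else LOG.error(…)` branch is dead because `Class.newInstance()` never returns null, and the two blocks are otherwise identical. Both hunks sit inside the `LdapUserGroupBuilder()` constructor, whose start is outside the hunk. The helper below removes the duplication and the dead branch and reports the real cause; whether to abort startup when it returns null is a decision the constructor should make explicitly.
```java
// … unchanged: case-conversion flag setup …
userNameRegExInst = loadMapper(config.getUserSyncMappingUserNameHandler(), UserGroupSyncConfig.SYNC_MAPPING_USERNAME);
groupNameRegExInst = loadMapper(config.getUserSyncMappingGroupNameHandler(), UserGroupSyncConfig.SYNC_MAPPING_GROUPNAME);
}

/**
 * Loads and initialises the configured name-mapping handler.
 *
 * @param className    fully qualified handler class from usersync configuration
 * @param baseProperty configuration key prefix passed to {@code init}
 * @return the initialised mapper, or null when it cannot be loaded or instantiated;
 *         the caller decides whether syncing without a mapper is acceptable
 */
private AbstractMapper loadMapper(String className, String baseProperty) {
    if (className == null) {
        return null;
    }
    try {
        // asSubclass fails here, with both class names in the message, instead of
        // as an unchecked generic cast that only blows up at the assignment
        AbstractMapper mapper = Class.forName(className).asSubclass(AbstractMapper.class).newInstance();
        mapper.init(baseProperty);
        return mapper;
    } catch (Exception e) {
        // boundary with configuration-named code: keep the cause, not just toString()
        LOG.error("Failed to load name mapping handler " + className + " for " + baseProperty, e);
        return null;
    }
}
```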
@@ -320,6 +357,10 @@ public void updateSink(UserGroupSink sink) throws Throwable {
 userName = userName.toUpperCase() ;
 }
 }
+
+ if (userNameRegExInst != null) {
+ userName = userNameRegExInst.transform(userName);
+ }
 Set groups = new HashSet();
@@ -337,6 +378,9 @@ public void updateSink(UserGroupSink sink) throws Throwable {
 gName = gName.toUpperCase();
 }
 }
+ if (groupNameRegExInst != null) {
+ gName = groupNameRegExInst.transform(gName);
+ }
 groups.add(gName);
 }
 }
@@ -361,6 +405,9 @@ public void updateSink(UserGroupSink sink) throws Throwable {
 gName = gName.toUpperCase();
 }
 }
+ if (groupNameRegExInst != null) {
+ gName = groupNameRegExInst.transform(gName);
+ }
 computedGroups.add(gName);
 }
 }
@@ -453,6 +500,9 @@ public void updateSink(UserGroupSink sink) throws Throwable {
 gName = gName.toUpperCase();
 }
 }
+ if (groupNameRegExInst != null) {
+ gName = groupNameRegExInst.transform(gName);
+ }
 groupNames.add(gName);
 }
 if (LOG.isInfoEnabled()) {
diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
index c1b305b4fd0..ceeb836121f 100644
--- a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
+++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
@@ -24,7 +24,10 @@
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.InputStream;
+import java.util.ArrayList;
+import java.util.Enumeration;
 import java.util.HashSet;
+import java.util.List;
 import java.util.Properties;
 import java.util.Set;
 import java.util.StringTokenizer;
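Review bot: The group-name transform is pasted into three places of `updateSink` (the hunks at -337, -361 and -453), and in every hunk of this file the regex runs after the upper/lower-case conversion, so a rule written against the original LDAP casing silently never matches; `updateSink` itself starts and ends outside these hunks. A private helper keeps the rule and its ordering in one place: `private String mapGroupName(String gName) { return groupNameRegExInst == null ? gName : groupNameRegExInst.transform(gName); }`, and a comment at the username call site such as `// regex mapping is applied to the case-converted value` makes the contract visible to whoever writes the rules.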
@@ -174,6 +177,17 @@ public class UserGroupSyncConfig {
 private static final String SYNC_SOURCE = "ranger.usersync.sync.source";
 private static final String LGSYNC_REFERRAL = "ranger.usersync.ldap.referral";
 private static final String DEFAULT_LGSYNC_REFERRAL = "ignore";
+
+ public static final String SYNC_MAPPING_USERNAME = "ranger.usersync.mapping.username.regex";
+
+ public static final String SYNC_MAPPING_GROUPNAME = "ranger.usersync.mapping.groupname.regex";
+
+ private static final String SYNC_MAPPING_USERNAME_HANDLER = "ranger.usersync.mapping.username.handler";
+ private static final String DEFAULT_SYNC_MAPPING_USERNAME_HANDLER = "org.apache.ranger.usergroupsync.RegEx";
+
+ private static final String SYNC_MAPPING_GROUPNAME_HANDLER = "ranger.usersync.mapping.groupname.handler";
+ private static final String DEFAULT_SYNC_MAPPING_GROUPNAME_HANDLER = "org.apache.ranger.usergroupsync.RegEx";
+
 private Properties prop = new Properties() ;
 private static volatile UserGroupSyncConfig me = null ;
@@ -738,4 +752,37 @@ public String getContextReferral() {
 }
 return referral;
 }
+
+ public List getAllRegexPatterns(String baseProperty) {
+ List regexPatterns = new ArrayList();
+ if (prop != null) {
+ Enumeration propertyNames = prop.propertyNames();
+ while (propertyNames != null && propertyNames.hasMoreElements()) {
+ String propertyName = (String)propertyNames.nextElement();
+ if (propertyName != null && propertyName.contains(baseProperty)) {
+ regexPatterns.add(prop.getProperty(propertyName));
+ }
+ }
+
+ }
+ return regexPatterns;
+ }
+
+ public String getUserSyncMappingUserNameHandler() {
+ String val = prop.getProperty(SYNC_MAPPING_USERNAME_HANDLER) ;
+
+ if(val == null) {
+ val = DEFAULT_SYNC_MAPPING_USERNAME_HANDLER;
+ }
+ return val;
+ }
+
+ public String getUserSyncMappingGroupNameHandler() {
+ String val = prop.getProperty(SYNC_MAPPING_GROUPNAME_HANDLER) ;
+
+ if(val == null) {
+ val = DEFAULT_SYNC_MAPPING_GROUPNAME_HANDLER;
+ }
+ return val;
+ }
 }
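Review bot: `getAllRegexPatterns` returns the rules in whatever order `Properties.propertyNames()` enumerates them, which for a `Hashtable`-backed `Properties` is unspecified, while `RegEx` applies them sequentially in list order; two rules that interact (replace a space with `_`, then `_` with something else) can therefore yield different user names from one JVM run to the next. `propertyName.contains(baseProperty)` also picks up any property whose name merely contains the base string. Either define an explicit numbered scheme (`baseProperty`, `baseProperty.1`, …) or sort the matching names before collecting them, and state the order in the method's Javadoc so operators know rule N sees the output of rule N-1.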
diff --git a/ugsync/src/main/java/org/apache/ranger/usergroupsync/AbstractMapper.java b/ugsync/src/main/java/org/apache/ranger/usergroupsync/AbstractMapper.java
new file mode 100644
index 00000000000..fc5d10bcc05
--- /dev/null
+++ b/ugsync/src/main/java/org/apache/ranger/usergroupsync/AbstractMapper.java
@@ -0,0 +1,40 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.usergroupsync;
+
+import org.apache.log4j.Logger;
+
+public abstract class AbstractMapper implements Mapper {
+
+ static Logger logger = Logger.getLogger(AbstractMapper.class);
+
+ @Override
+ public void init(String baseProperty) {
+ // TODO Auto-generated method stub
+
+ }
+
+ @Override
+ public String transform(String attrValue) {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+}
diff --git a/ugsync/src/main/java/org/apache/ranger/usergroupsync/Mapper.java b/ugsync/src/main/java/org/apache/ranger/usergroupsync/Mapper.java
new file mode 100644
index 00000000000..820fe20e5d8
--- /dev/null
+++ b/ugsync/src/main/java/org/apache/ranger/usergroupsync/Mapper.java
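Review bot: `AbstractMapper.transform` is a generated stub that returns null, so any handler that extends this class without overriding it turns every user and group name into null, and the caller in `LdapUserGroupBuilder.updateSink` assigns that result without a null check. Either leave both methods abstract or make the default the identity, `return attrValue;`, with a comment that subclasses override it. The `static Logger logger` field should also be `protected static final` rather than mutable and package-private, and the two `// TODO Auto-generated method stub` comments should not ship.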
@@ -0,0 +1,26 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.usergroupsync;
+
+public interface Mapper {
+ public void init(String baseProperty);
+
+ public String transform(String attrValue);
+}
diff --git a/ugsync/src/main/java/org/apache/ranger/usergroupsync/RegEx.java b/ugsync/src/main/java/org/apache/ranger/usergroupsync/RegEx.java
new file mode 100644
index 00000000000..b6555364a50
--- /dev/null
+++ b/ugsync/src/main/java/org/apache/ranger/usergroupsync/RegEx.java
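Review bot: `Mapper` has no Javadoc, so a third-party handler author cannot tell what `baseProperty` is (from `LdapUserGroupBuilder` it is the configuration key prefix, e.g. `UserGroupSyncConfig.SYNC_MAPPING_USERNAME`, under which the handler reads its rules), whether `init` is guaranteed to run before `transform`, or whether `transform` may return null. A short Javadoc per method stating those three points, including `@return the mapped name, never null`, is the contract the implementations need; the redundant `public` modifiers on interface methods can go at the same time.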
@@ -0,0 +1,83 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.usergroupsync;
+
+import java.util.LinkedHashMap;
+import java.util.List;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import org.apache.ranger.unixusersync.config.UserGroupSyncConfig;
+
+public class RegEx extends AbstractMapper {
+ private UserGroupSyncConfig config = UserGroupSyncConfig.getInstance();
+ private LinkedHashMap replacementPattern;
+
+ public LinkedHashMap getReplacementPattern() {
+ return replacementPattern;
+ }
+
+ @Override
+ public void init (String baseProperty) {
+ logger.info("Initializing for " + baseProperty);
+ List regexPatterns = config.getAllRegexPatterns(baseProperty);
+ populateReplacementPatterns(baseProperty, regexPatterns);
+ }
+
+ protected void populateReplacementPatterns(String baseProperty, List regexPatterns) {
+ replacementPattern = new LinkedHashMap();
+ Pattern p = Pattern.compile("s/([^/]*)/([^/]*)/(g)?");
+ for (String regexPattern : regexPatterns) {
+ Matcher m = p.matcher(regexPattern);
+ if (!m.matches()) {
+ logger.warn("Invalid RegEx " + regexPattern + " and hence skipping this regex property");
+ }
+ m = m.reset();
+ while (m.find()) {
+ String matchPattern = m.group(1);
+ String replacement = m.group(2);
+ if (matchPattern != null && !matchPattern.isEmpty() && replacement != null) {
+ replacementPattern.put(matchPattern, Matcher.quoteReplacement(replacement));
+ if (logger.isDebugEnabled()) {
+ logger.debug(baseProperty + " match pattern = " + matchPattern + " and replacement string = " + replacement);
+ }
+ }
+ }
+ }
+ }
+
+ @Override
+ public String transform (String attrValue) {
+ String result = attrValue;
+ if (replacementPattern != null && !replacementPattern.isEmpty()) {
+ for (String matchPattern : replacementPattern.keySet()) {
+ Pattern p = Pattern.compile(matchPattern);
+ Matcher m = p.matcher(result);
+ if (m.find()) {
+ String replacement = replacementPattern.get(matchPattern);
+ if (replacement != null) {
+ result = m.replaceAll(replacement);
+ }
+ }
+ }
+ }
+ return result;
+ }
+}
diff --git a/ugsync/src/test/java/org/apache/ranger/usergroupsync/RegExTest.java b/ugsync/src/test/java/org/apache/ranger/usergroupsync/RegExTest.java
new file mode 100644
index 00000000000..d74eb2ba7ad
--- /dev/null
+++ b/ugsync/src/test/java/org/apache/ranger/usergroupsync/RegExTest.java
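Review bot: In `populateReplacementPatterns` the `!m.matches()` branch logs that the rule is skipped but does not skip it — control falls through to `m.reset()`/`m.find()`, so a malformed entry can still contribute a partial pattern; add `continue;` after the warning. The `(g)?` flag is captured but never read, and `transform` always calls `replaceAll`, so a rule without `g` replaces every occurrence instead of only the first. `Pattern.compile(matchPattern)` also runs inside `transform` for every name and every rule; compiling once in `populateReplacementPatterns` (storing the `Pattern` alongside the replacement) avoids that and surfaces a `PatternSyntaxException` at init instead of during each sync, and the rules are then validated before any names flow through them.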
@@ -0,0 +1,89 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.usergroupsync; + +import static org.junit.Assert.*; + +import java.util.ArrayList; +import java.util.List; + +import org.junit.Before; +import org.junit.Test; + +public class RegExTest { + protected String userNameBaseProperty = "ranger.usersync.mapping.username.regex"; + protected String groupNameBaseProperty = "ranger.usersync.mapping.groupname.regex"; + protected RegEx userNameRegEx = null; + protected RegEx groupNameRegEx = null; + List userRegexPatterns = null; + List groupRegexPatterns = null; + + @Before + public void setUp() throws Exception { + userNameRegEx = new RegEx(); + //userNameRegEx.init(userNameBaseProperty); + userRegexPatterns = new ArrayList(); + groupNameRegEx = new RegEx(); + //groupNameRegEx.init(groupNameBaseProperty); + groupRegexPatterns = new ArrayList(); + } + + @Test + public void testUserNameTransform() { + userRegexPatterns.add("s/\\s/_/"); + userNameRegEx.populateReplacementPatterns(userNameBaseProperty, userRegexPatterns); + assertEquals("test_user", userNameRegEx.transform("test user")); + } + + @Test + public void testGroupNameTransform() { + groupRegexPatterns.add("s/\\s/_/g"); + 
groupRegexPatterns.add("s/_/$/g"); + groupNameRegEx.populateReplacementPatterns(userNameBaseProperty, groupRegexPatterns); + assertEquals("ldap$grp", groupNameRegEx.transform("ldap grp")); + } + + @Test + public void testEmptyTransform() { + assertEquals("test user", userNameRegEx.transform("test user")); + assertEquals("ldap grp", groupNameRegEx.transform("ldap grp")); + } + + @Test + public void testTransform() { + userRegexPatterns.add("s/\\s/_/g"); + userNameRegEx.populateReplacementPatterns(userNameBaseProperty, userRegexPatterns); + assertEquals("test_user", userNameRegEx.transform("test user")); + assertEquals("ldap grp", groupNameRegEx.transform("ldap grp")); + } + + @Test + public void testTransform1() { + userRegexPatterns.add("s/\\\\/ /g"); + userRegexPatterns.add("s//_/g"); + userNameRegEx.populateReplacementPatterns(userNameBaseProperty, userRegexPatterns); + groupRegexPatterns.add("s/\\s//g"); + groupRegexPatterns.add("s/\\s"); + groupNameRegEx.populateReplacementPatterns(userNameBaseProperty, groupRegexPatterns); + assertEquals("test user", userNameRegEx.transform("test\\user")); + assertEquals("ldapgrp", groupNameRegEx.transform("ldap grp")); + } + +} From 684b096ca25660444044aea0b0eea380cda27e6c Mon Sep 17 00:00:00 2001 From: Sailaja Polavarapu Date: Wed, 28 Oct 2015 17:57:46 -0700 Subject: [PATCH 086/202] Ranger-684: Fixed some minor issues found during unit testing Signed-off-by: Velmurugan Periasamy --- .../config/UserGroupSyncConfig.java | 18 +++++++++++------- .../org/apache/ranger/usergroupsync/RegEx.java | 2 +- .../apache/ranger/usergroupsync/RegExTest.java | 5 +++-- 3 files changed, 15 insertions(+), 10 deletions(-) diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java index ceeb836121f..f43e125d143 100644 --- a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java 
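Review bot: `testUserNameTransform` feeds the non-global rule `s/\\s/_/` an input with a single space, so it cannot distinguish replace-first from replace-all; an input with two separators, e.g. `assertEquals("test_user name", userNameRegEx.transform("test user name"));`, would pin the non-global semantics (and currently fails, because `transform` always uses `replaceAll`). `testGroupNameTransform` and `testTransform1` also pass `userNameBaseProperty` to the group mapper; it is only used as a log label there, but the copy-paste makes the tests read as if user and group rules were interchangeable.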
+++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
@@ -25,7 +25,6 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.util.ArrayList;
-import java.util.Enumeration;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Properties;
@@ -756,12 +755,17 @@ public String getContextReferral() {
 public List getAllRegexPatterns(String baseProperty) {
 List regexPatterns = new ArrayList();
 if (prop != null) {
- Enumeration propertyNames = prop.propertyNames();
- while (propertyNames != null && propertyNames.hasMoreElements()) {
- String propertyName = (String)propertyNames.nextElement();
- if (propertyName != null && propertyName.contains(baseProperty)) {
- regexPatterns.add(prop.getProperty(propertyName));
- }
+ String baseRegex = prop.getProperty(baseProperty);
+ if (baseRegex == null) {
+ return regexPatterns;
+ }
+ regexPatterns.add(baseRegex);
+ int i = 1;
+ String nextRegex = prop.getProperty(baseProperty + "." + i);;
+ while (nextRegex != null) {
+ regexPatterns.add(nextRegex);
+ i++;
+ nextRegex = prop.getProperty(baseProperty + "." + i);
 }
 }
diff --git a/ugsync/src/main/java/org/apache/ranger/usergroupsync/RegEx.java b/ugsync/src/main/java/org/apache/ranger/usergroupsync/RegEx.java
index b6555364a50..0e9ed99aa37 100644
--- a/ugsync/src/main/java/org/apache/ranger/usergroupsync/RegEx.java
+++ b/ugsync/src/main/java/org/apache/ranger/usergroupsync/RegEx.java
@@ -54,7 +54,7 @@ protected void populateReplacementPatterns(String baseProperty, List reg
 String matchPattern = m.group(1);
 String replacement = m.group(2);
 if (matchPattern != null && !matchPattern.isEmpty() && replacement != null) {
- replacementPattern.put(matchPattern, Matcher.quoteReplacement(replacement));
+ replacementPattern.put(matchPattern, replacement);
 if (logger.isDebugEnabled()) {
 logger.debug(baseProperty + " match pattern = " + matchPattern + " and replacement string = " + replacement);
 }
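Review bot: The rewritten `getAllRegexPatterns` stops at the first missing index, so a configuration with `…regex`, `…regex.1` and `…regex.3` silently drops the third rule and nothing tells the operator; document the contract on the method, `/** Reads baseProperty, baseProperty.1, baseProperty.2, ... in order, stopping at the first index that is not set. */`, and consider warning when a higher-numbered key exists beyond the gap. There is also a stray doubled semicolon on `String nextRegex = prop.getProperty(baseProperty + "." + i);;`.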
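Review bot: Removing `Matcher.quoteReplacement` means the replacement half of every rule is now interpreted by `Matcher.replaceAll`: `$` introduces a group reference and `\` an escape, so an operator-written rule such as `s/_/$/g` throws `IllegalArgumentException` at transform time for every name, and `$1` silently substitutes group text. The accompanying test changes escape `\$`, so this is intended, but the property format should document the escaping rules, and the replacement string should be validated once in `populateReplacementPatterns` (a probe `replaceAll` at init is enough) rather than failing per user inside `transform`.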
diff --git a/ugsync/src/test/java/org/apache/ranger/usergroupsync/RegExTest.java b/ugsync/src/test/java/org/apache/ranger/usergroupsync/RegExTest.java index d74eb2ba7ad..26218624510 100644 --- a/ugsync/src/test/java/org/apache/ranger/usergroupsync/RegExTest.java +++ b/ugsync/src/test/java/org/apache/ranger/usergroupsync/RegExTest.java @@ -55,7 +55,7 @@ public void testUserNameTransform() { @Test public void testGroupNameTransform() { groupRegexPatterns.add("s/\\s/_/g"); - groupRegexPatterns.add("s/_/$/g"); + groupRegexPatterns.add("s/_/\\$/g"); groupNameRegEx.populateReplacementPatterns(userNameBaseProperty, groupRegexPatterns); assertEquals("ldap$grp", groupNameRegEx.transform("ldap grp")); } @@ -79,8 +79,9 @@ public void testTransform1() { userRegexPatterns.add("s/\\\\/ /g"); userRegexPatterns.add("s//_/g"); userNameRegEx.populateReplacementPatterns(userNameBaseProperty, userRegexPatterns); - groupRegexPatterns.add("s/\\s//g"); + groupRegexPatterns.add("s/\\s/\\$/g"); groupRegexPatterns.add("s/\\s"); + groupRegexPatterns.add("s/\\$//g"); groupNameRegEx.populateReplacementPatterns(userNameBaseProperty, groupRegexPatterns); assertEquals("test user", userNameRegEx.transform("test\\user")); assertEquals("ldapgrp", groupNameRegEx.transform("ldap grp")); From 16b338719854833015c86adce4685c1abce93126 Mon Sep 17 00:00:00 2001 From: Sailaja Polavarapu Date: Thu, 29 Oct 2015 11:09:19 -0700 Subject: [PATCH 087/202] Ranger-684: Modified code to incorporate review comments Signed-off-by: Velmurugan Periasamy --- .../process/LdapUserGroupBuilder.java | 5 ++-- .../config/UserGroupSyncConfig.java | 2 +- .../apache/ranger/usergroupsync/RegEx.java | 30 ++++++++++++------- .../ranger/usergroupsync/RegExTest.java | 8 ++--- 4 files changed, 27 insertions(+), 18 deletions(-) 
diff --git a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java
index 911c5d51b5f..e13db585705 100644
--- a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java
+++ b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java
@@ -42,6 +42,7 @@
 import org.apache.log4j.Logger;
 import org.apache.ranger.unixusersync.config.UserGroupSyncConfig;
+import org.apache.ranger.usergroupsync.Mapper;
 import org.apache.ranger.usergroupsync.AbstractMapper;
 import org.apache.ranger.usergroupsync.UserGroupSink;
 import org.apache.ranger.usergroupsync.UserGroupSource;
@@ -93,8 +94,8 @@ public class LdapUserGroupBuilder implements UserGroupSource {
 private boolean groupUserMapSyncEnabled = false;
- AbstractMapper userNameRegExInst = null;
- AbstractMapper groupNameRegExInst = null;
+ Mapper userNameRegExInst = null;
+ Mapper groupNameRegExInst = null;
 public static void main(String[] args) throws Throwable {
 LdapUserGroupBuilder ugBuilder = new LdapUserGroupBuilder();
diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
index f43e125d143..792a05a12ed 100644
--- a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
+++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
@@ -752,7 +752,7 @@ public String getContextReferral() {
 return referral;
 }
- public List getAllRegexPatterns(String baseProperty) {
+ public List getAllRegexPatterns(String baseProperty) throws Throwable {
 List regexPatterns = new ArrayList();
 if (prop != null) {
 String baseRegex = prop.getProperty(baseProperty);
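Review bot: `getAllRegexPatterns` now declares `throws Throwable` although its body contains only `Properties.getProperty` calls and list operations that throw nothing checked; the clause forces every caller to catch `Throwable`, which is how the `RegEx.init` hunk of this commit ends up swallowing `Error`s as well. Drop the clause, `public List getAllRegexPatterns(String baseProperty) {`, or declare the specific exception a future configuration source is expected to raise.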
diff --git a/ugsync/src/main/java/org/apache/ranger/usergroupsync/RegEx.java b/ugsync/src/main/java/org/apache/ranger/usergroupsync/RegEx.java
index 0e9ed99aa37..4bf452ac968 100644
--- a/ugsync/src/main/java/org/apache/ranger/usergroupsync/RegEx.java
+++ b/ugsync/src/main/java/org/apache/ranger/usergroupsync/RegEx.java
@@ -37,11 +37,15 @@ public LinkedHashMap getReplacementPattern() {
 @Override
 public void init (String baseProperty) {
 logger.info("Initializing for " + baseProperty);
- List regexPatterns = config.getAllRegexPatterns(baseProperty);
- populateReplacementPatterns(baseProperty, regexPatterns);
+ try {
+ List regexPatterns = config.getAllRegexPatterns(baseProperty);
+ populateReplacementPatterns(baseProperty, regexPatterns);
+ } catch (Throwable t) {
+ logger.error("Failed to initialize " + baseProperty, t.fillInStackTrace());
+ }
 }
- protected void populateReplacementPatterns(String baseProperty, List regexPatterns) {
+ protected void populateReplacementPatterns(String baseProperty, List regexPatterns) throws Throwable{
 replacementPattern = new LinkedHashMap();
 Pattern p = Pattern.compile("s/([^/]*)/([^/]*)/(g)?");
 for (String regexPattern : regexPatterns) {
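Review bot: `t.fillInStackTrace()` in the new `catch (Throwable t)` overwrites the throwable's stack with the current frame in `init`, so the logged trace points at the catch site instead of where the failure happened; pass the throwable itself, `logger.error("Failed to initialize " + baseProperty, t);`. The same call appears in the `transform` hunk of this commit. After the catch, `replacementPattern` is left null and every later `transform` returns its input unchanged, so a broken rule set silently disables name mapping for the whole sync run; rethrowing as an unchecked exception, or at least logging at a level operators monitor, would make that a visible failure. `throws Throwable` on `populateReplacementPatterns` is likewise far wider than the unchecked `PatternSyntaxException` its body can actually raise.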
@@ -66,17 +70,21 @@ protected void populateReplacementPatterns(String baseProperty, List reg
 @Override
 public String transform (String attrValue) {
 String result = attrValue;
- if (replacementPattern != null && !replacementPattern.isEmpty()) {
- for (String matchPattern : replacementPattern.keySet()) {
- Pattern p = Pattern.compile(matchPattern);
- Matcher m = p.matcher(result);
- if (m.find()) {
- String replacement = replacementPattern.get(matchPattern);
- if (replacement != null) {
- result = m.replaceAll(replacement);
+ try {
+ if (replacementPattern != null && !replacementPattern.isEmpty()) {
+ for (String matchPattern : replacementPattern.keySet()) {
+ Pattern p = Pattern.compile(matchPattern);
+ Matcher m = p.matcher(result);
+ if (m.find()) {
+ String replacement = replacementPattern.get(matchPattern);
+ if (replacement != null) {
+ result = m.replaceAll(replacement);
+ }
 }
 }
 }
+ } catch (Throwable t) {
+ logger.error("Failed to transform " + attrValue, t.fillInStackTrace());
 }
 return result;
 }
diff --git a/ugsync/src/test/java/org/apache/ranger/usergroupsync/RegExTest.java b/ugsync/src/test/java/org/apache/ranger/usergroupsync/RegExTest.java
index 26218624510..2c1e02362c0 100644
--- a/ugsync/src/test/java/org/apache/ranger/usergroupsync/RegExTest.java
+++ b/ugsync/src/test/java/org/apache/ranger/usergroupsync/RegExTest.java
@@ -46,14 +46,14 @@ public void setUp() throws Exception {
 }
 @Test
- public void testUserNameTransform() {
+ public void testUserNameTransform() throws Throwable {
 userRegexPatterns.add("s/\\s/_/");
 userNameRegEx.populateReplacementPatterns(userNameBaseProperty, userRegexPatterns);
 assertEquals("test_user", userNameRegEx.transform("test user"));
 }
 @Test
- public void testGroupNameTransform() {
+ public void testGroupNameTransform() throws Throwable {
 groupRegexPatterns.add("s/\\s/_/g");
 groupRegexPatterns.add("s/_/\\$/g");
 groupNameRegEx.populateReplacementPatterns(userNameBaseProperty, groupRegexPatterns);
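Review bot: When the new `catch (Throwable t)` in `transform` fires, the method returns `result`, which at that point holds the name after some rules have been applied and others not, so the sink receives a value that matches neither the LDAP name nor the intended mapping; return the untouched input, `return attrValue;`, from the catch, or let the exception propagate. The only things that can throw here are `Pattern.compile` and `replaceAll` on configuration-derived strings, which fail identically for every name and are therefore logged once per user per sync cycle; validating the rules in `populateReplacementPatterns` would report the problem once, at init.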
@@ -67,7 +67,7 @@ public void testEmptyTransform() { } @Test - public void testTransform() { + public void testTransform() throws Throwable { userRegexPatterns.add("s/\\s/_/g"); userNameRegEx.populateReplacementPatterns(userNameBaseProperty, userRegexPatterns); assertEquals("test_user", userNameRegEx.transform("test user")); @@ -75,7 +75,7 @@ public void testTransform() { } @Test - public void testTransform1() { + public void testTransform1() throws Throwable { userRegexPatterns.add("s/\\\\/ /g"); userRegexPatterns.add("s//_/g"); userNameRegEx.populateReplacementPatterns(userNameBaseProperty, userRegexPatterns); From f15f87aea49f45b37d6ff35c7bce86857d464a29 Mon Sep 17 00:00:00 2001 From: Sailaja Polavarapu Date: Fri, 30 Oct 2015 13:36:50 -0700 Subject: [PATCH 088/202] Ranger-684: Using Class type as Mapper (which is the interface) instead of AbstractMapper (which is an abstract class that implements Mapper) inorder to allow handlers to implement the interface directly without using the abstract class. Signed-off-by: Velmurugan Periasamy --- .../ranger/ldapusersync/process/LdapUserGroupBuilder.java | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java index e13db585705..bab9e84d992 100644 --- a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java +++ b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java @@ -43,7 +43,6 @@ import org.apache.log4j.Logger; import org.apache.ranger.unixusersync.config.UserGroupSyncConfig; import org.apache.ranger.usergroupsync.Mapper; -import org.apache.ranger.usergroupsync.AbstractMapper; import org.apache.ranger.usergroupsync.UserGroupSink; import org.apache.ranger.usergroupsync.UserGroupSource; 
@@ -128,7 +127,7 @@ public LdapUserGroupBuilder() { String mappingUserNameHandler = config.getUserSyncMappingUserNameHandler(); try { if (mappingUserNameHandler != null) { - Class regExClass = (Class)Class.forName(mappingUserNameHandler); + Class regExClass = (Class)Class.forName(mappingUserNameHandler); userNameRegExInst = regExClass.newInstance(); if (userNameRegExInst != null) { userNameRegExInst.init(UserGroupSyncConfig.SYNC_MAPPING_USERNAME); @@ -145,7 +144,7 @@ public LdapUserGroupBuilder() { String mappingGroupNameHandler = config.getUserSyncMappingGroupNameHandler(); try { if (mappingGroupNameHandler != null) { - Class regExClass = (Class)Class.forName(mappingGroupNameHandler); + Class regExClass = (Class)Class.forName(mappingGroupNameHandler); groupNameRegExInst = regExClass.newInstance(); if (groupNameRegExInst != null) { groupNameRegExInst.init(UserGroupSyncConfig.SYNC_MAPPING_GROUPNAME); From 801ec6657281ee64293745046a6a353f1543efa5 Mon Sep 17 00:00:00 2001 From: rmani Date: Sat, 31 Oct 2015 09:53:00 -0700 Subject: [PATCH 089/202] RANGER-713:Knox-plugin failed to enable after plugin modification for not to add dependent libraries to component's CLASSPATH --- .../ranger/authorization/knox/RangerPDPKnoxFilter.java | 7 +++---- .../knox/deploy/RangerPDPKnoxDeploymentContributor.java | 0 ...che.hadoop.gateway.deploy.ProviderDeploymentContributor | 0 3 files changed, 3 insertions(+), 4 deletions(-) rename {knox-agent => ranger-knox-plugin-shim}/src/main/java/org/apache/ranger/authorization/knox/deploy/RangerPDPKnoxDeploymentContributor.java (100%) rename {knox-agent => ranger-knox-plugin-shim}/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor (100%) diff --git a/ranger-knox-plugin-shim/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java b/ranger-knox-plugin-shim/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java index af4d9476d52..c039ff2e62c 100644 
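Review bot: The cast in front of `Class.forName(mappingUserNameHandler)` (and the same line for `mappingGroupNameHandler` in the `@@ -145,7` hunk; generic parameters are stripped in this rendering, but per the commit message it is now `Class<Mapper>`) is unchecked, so a configured handler class that does not implement `Mapper` is only detected as a `ClassCastException` at the `newInstance()` assignment, with a message that does not name the class. `Class.forName(mappingUserNameHandler).asSubclass(Mapper.class)` performs the check at load time and fails with a clear message, and since the class name comes from configuration it is worth logging which class was actually instantiated so an operator can confirm the expected mapper is in use. Both hunks sit inside the `LdapUserGroupBuilder()` constructor, which starts and ends outside them.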
--- a/ranger-knox-plugin-shim/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java +++ b/ranger-knox-plugin-shim/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java @@ -36,10 +36,9 @@ public class RangerPDPKnoxFilter implements Filter { private static final Log LOG = LogFactory.getLog(RangerPDPKnoxFilter.class); private static final String RANGER_PLUGIN_TYPE = "knox"; - private static final String[] RANGER_PLUGIN_LIB_DIR = new String[] {"lib/ranger-hdfs-plugin"}; private static final String RANGER_PDP_KNOX_FILTER_IMPL_CLASSNAME = "org.apache.ranger.authorization.knox.RangerPDPKnoxFilter"; - - private RangerPDPKnoxFilter rangerPDPKnoxFilteImpl = null; + + private Filter rangerPDPKnoxFilteImpl = null; private static RangerPluginClassLoader rangerPluginClassLoader = null; public RangerPDPKnoxFilter() { @@ -67,7 +66,7 @@ private void init0(){ activatePluginClassLoader(); - rangerPDPKnoxFilteImpl = (RangerPDPKnoxFilter) cls.newInstance(); + rangerPDPKnoxFilteImpl = cls.newInstance(); } catch (Exception e) { // check what need to be done LOG.error("Error Enabling RangerKnoxPlugin", e); diff --git a/knox-agent/src/main/java/org/apache/ranger/authorization/knox/deploy/RangerPDPKnoxDeploymentContributor.java b/ranger-knox-plugin-shim/src/main/java/org/apache/ranger/authorization/knox/deploy/RangerPDPKnoxDeploymentContributor.java similarity index 100% rename from knox-agent/src/main/java/org/apache/ranger/authorization/knox/deploy/RangerPDPKnoxDeploymentContributor.java rename to ranger-knox-plugin-shim/src/main/java/org/apache/ranger/authorization/knox/deploy/RangerPDPKnoxDeploymentContributor.java 
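Review bot: In the `@@ -67,7` hunk, when `cls.newInstance()` throws, the failure is only logged (the `// check what need to be done` placeholder remains) and `rangerPDPKnoxFilteImpl` stays null, so the filter is registered without an implementation; if `doFilter` tolerates the null by passing the request on, a failed plugin load silently disables Knox authorization, and if it does not, every request fails with a `NullPointerException` instead of a clear startup error. Failing closed is preferable: let the exception propagate out of `init0` and rethrow it as a `ServletException` from `init` so the gateway refuses to start the filter, and replace the placeholder comment with one stating that intent. `init0()` starts and ends outside the hunk and `doFilter` is not in this diff, so the null handling there is inferred.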
diff --git a/knox-agent/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor b/ranger-knox-plugin-shim/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor similarity index 100% rename from knox-agent/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor rename to ranger-knox-plugin-shim/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor From a340b2b7bf27d88738482cf1b4248b67e4980ce8 Mon Sep 17 00:00:00 2001 From: rmani Date: Mon, 2 Nov 2015 16:33:00 -0800 Subject: [PATCH 090/202] Ranger-715:Fix issues reported by coverity test in Ranger Plugin ClassLoader --- .../classloader/RangerPluginClassLoader.java | 34 ++++++++++++------- 1 file changed, 22 insertions(+), 12 deletions(-) diff --git a/ranger-plugin-classloader/src/main/java/org/apache/ranger/plugin/classloader/RangerPluginClassLoader.java b/ranger-plugin-classloader/src/main/java/org/apache/ranger/plugin/classloader/RangerPluginClassLoader.java index eafcd274ba4..23e16bff6c7 100644 --- a/ranger-plugin-classloader/src/main/java/org/apache/ranger/plugin/classloader/RangerPluginClassLoader.java +++ b/ranger-plugin-classloader/src/main/java/org/apache/ranger/plugin/classloader/RangerPluginClassLoader.java @@ -22,11 +22,11 @@ import java.io.IOException; import java.net.URL; import java.net.URLClassLoader; +import java.security.AccessController; +import java.security.PrivilegedAction; +import java.security.PrivilegedExceptionAction; import java.util.Enumeration; -//import org.apache.commons.logging.Log; -//import org.apache.commons.logging.LogFactory; - import org.slf4j.Logger; import org.slf4j.LoggerFactory; 
@@ -35,24 +35,34 @@ public class RangerPluginClassLoader extends URLClassLoader { private static volatile RangerPluginClassLoader me = null; private static MyClassLoader componentClassLoader = null; - //private static ThreadLocal componentClassLoader = new ThreadLocal(); public RangerPluginClassLoader(String pluginType, Class pluginClass ) throws Exception { super(RangerPluginClassLoaderUtil.getInstance().getPluginFilesForServiceTypeAndPluginclass(pluginType, pluginClass), null); - //componentClassLoader.set(new MyClassLoader(Thread.currentThread().getContextClassLoader())); - componentClassLoader = new MyClassLoader(Thread.currentThread().getContextClassLoader()); + componentClassLoader = AccessController.doPrivileged( + new PrivilegedAction() { + public MyClassLoader run() { + return new MyClassLoader(Thread.currentThread().getContextClassLoader()); + } + } + ); } - public static RangerPluginClassLoader getInstance(String pluginType, Class pluginClass ) throws Exception { + public static RangerPluginClassLoader getInstance(final String pluginType, final Class pluginClass ) throws Exception { RangerPluginClassLoader ret = me; if ( ret == null) { synchronized(RangerPluginClassLoader.class) { ret = me; if ( ret == null){ - me = ret = new RangerPluginClassLoader(pluginType,pluginClass); - } - } - } + me = ret = AccessController.doPrivileged( + new PrivilegedExceptionAction(){ + public RangerPluginClassLoader run() throws Exception { + return new RangerPluginClassLoader(pluginType,pluginClass); + } + } + ); + } + } + } return ret; } @@ -263,7 +273,7 @@ public Class findClass(String name) throws ClassNotFoundException { } } - class MergeEnumeration implements Enumeration { + static class MergeEnumeration implements Enumeration { Enumeration e1 = null; Enumeration e2 = null; From a9e73ddd7eb2d861d54e4f85e270aa66b2ceb33b Mon Sep 17 00:00:00 2001 
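Review bot: In `getInstance`, running the constructor inside `AccessController.doPrivileged(new PrivilegedExceptionAction...)` changes what callers observe on failure: a checked exception thrown by the `RangerPluginClassLoader` constructor now surfaces as a `PrivilegedActionException` wrapping it, so any caller catching the original type will miss it. Unwrap it at the call site inside the synchronized block, `} catch (PrivilegedActionException e) { throw e.getException(); }`, so the declared `throws Exception` still delivers the original cause. Separately, `componentClassLoader` is a static field reassigned by every constructor call while the constructor is public, so a second direct construction silently replaces the loader shared by all plugins; a comment stating that instances must only be created through `getInstance` would make that contract visible.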
From: Sailaja Polavarapu Date: Tue, 3 Nov 2015 10:01:25 -0800 Subject: [PATCH 091/202] Ranger-652: Excluding windows azure package dependency in Ldap Config check tool Signed-off-by: Velmurugan Periasamy --- .../ldapconfigcheck/pom.xml | 20 ++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/pom.xml b/ugsync/ldapconfigchecktool/ldapconfigcheck/pom.xml index 4ac823f6d81..8d7a15013bc 100644 --- a/ugsync/ldapconfigchecktool/ldapconfigcheck/pom.xml +++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/pom.xml @@ -90,17 +90,27 @@ ${springframework.security.version} - org.apache.ranger - credentialbuilder - ${project.version} + org.apache.ranger + credentialbuilder + ${project.version} + + + com.microsoft.windowsazure + * + + - org.apache.ranger ranger-util ${project.version} + + + com.microsoft.windowsazure + * + + - ldapconfigcheck From 7852c6c1aa72ffc2673357589f3d9e3cf9a54a9b Mon Sep 17 00:00:00 2001 From: Madhan Neethiraj Date: Wed, 4 Nov 2015 19:25:47 -0800 Subject: [PATCH 092/202] RANGER-608: fix - denied access due to lack of traverse access does not generate audit Signed-off-by: sneethiraj (cherry picked from commit 0158e1a1c7ca7997e3865693f599e5caaa69f505) --- .../hadoop/RangerHdfsAuthorizer.java | 87 +++++++++++++------ 1 file changed, 60 insertions(+), 27 deletions(-) diff --git a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java index fa2155caea9..5125af7367a 100644 --- a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java +++ b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java 
@@ -197,9 +197,12 @@ public void checkPermission(String fsOwner, String superGroup, UserGroupInformat } try { - if(plugin != null && !ArrayUtils.isEmpty(inodes)) { - auditHandler = new RangerHdfsAuditHandler(path); + boolean isTraverseOnlyCheck = access == null && parentAccess == null && ancestorAccess == null && subAccess == null; + INode ancestor = null; + INode parent = null; + INode inode = null; + if(plugin != null && !ArrayUtils.isEmpty(inodes)) { if(ancestorIndex >= inodes.length) { ancestorIndex = inodes.length - 1; } 
@@ -208,26 +211,28 @@ public void checkPermission(String fsOwner, String superGroup, UserGroupInformat accessGranted = true; - INode ancestor = inodes.length > ancestorIndex && ancestorIndex >= 0 ? inodes[ancestorIndex] : null; - INode parent = inodes.length > 1 ? inodes[inodes.length - 2] : null; - INode inode = inodes[inodes.length - 1]; + ancestor = inodes.length > ancestorIndex && ancestorIndex >= 0 ? inodes[ancestorIndex] : null; + parent = inodes.length > 1 ? inodes[inodes.length - 2] : null; + inode = inodes[inodes.length - 1]; // could be null while creating a new file - boolean noAccessToCheck = access == null && parentAccess == null && ancestorAccess == null && subAccess == null; + auditHandler = new RangerHdfsAuditHandler(path, isTraverseOnlyCheck); - if(noAccessToCheck) { // check for traverse (EXECUTE) access on the path (if path is a directory) or its parent (if path is a file) - INode node = null; - INodeAttributes nodeAttribs = null; + if(isTraverseOnlyCheck) { + INode nodeToCheck = inode; + INodeAttributes nodeAttribs = inodeAttrs.length > 0 ? inodeAttrs[inodeAttrs.length - 1] : null; - if(inode != null && inode.isDirectory()) { - node = inode; - nodeAttribs = inodeAttrs.length > 0 ? inodeAttrs[inodeAttrs.length - 1] : null; - } else if(parent != null) { - node = parent; - nodeAttribs = inodeAttrs.length > 1 ? inodeAttrs[inodeAttrs.length - 2] : null; + if(nodeToCheck == null || nodeToCheck.isFile()) { + if(parent != null) { + nodeToCheck = parent; + nodeAttribs = inodeAttrs.length > 1 ? inodeAttrs[inodeAttrs.length - 2] : null; + } else if(ancestor != null) { + nodeToCheck = ancestor; + nodeAttribs = inodeAttrs.length > ancestorIndex ? 
inodeAttrs[ancestorIndex] : null; + } } - if(node != null) { - accessGranted = isAccessAllowed(node, nodeAttribs, FsAction.EXECUTE, user, groups, fsOwner, superGroup, plugin, null); + if(nodeToCheck != null) { + accessGranted = isAccessAllowed(nodeToCheck, nodeAttribs, FsAction.EXECUTE, user, groups, fsOwner, superGroup, plugin, auditHandler); } } @@ -304,27 +309,52 @@ public void checkPermission(String fsOwner, String superGroup, UserGroupInformat accessGranted = true; } finally { if(auditHandler != null) { - FsAction action = access; + INode nodeChecked = inode; + FsAction action = access; + + if(isTraverseOnlyCheck) { + if(nodeChecked == null || nodeChecked.isFile()) { + if(parent != null) { + nodeChecked = parent; + } else if(ancestor != null) { + nodeChecked = ancestor; + } + } - if(action == null) { + action = FsAction.EXECUTE; + } else if(action == null) { if(parentAccess != null) { - action = parentAccess; + nodeChecked = parent; + action = parentAccess; } else if(ancestorAccess != null) { - action = ancestorAccess; + nodeChecked = ancestor; + action = ancestorAccess; } else if(subAccess != null) { action = subAccess; - } else { - action = FsAction.NONE; } } - auditHandler.logHadoopEvent(path, action, accessGranted); + String pathChecked = nodeChecked != null ? nodeChecked.getFullPathName() : path; + + auditHandler.logHadoopEvent(pathChecked, action, accessGranted); } } } if(! accessGranted) { - throw new RangerAccessControlException("Permission denied: principal{user=" + user + ",groups: " + groups + "}, access=" + access + ", " + path) ; + FsAction action = access; + + if(action == null) { + if(parentAccess != null) { + action = parentAccess; + } else if(ancestorAccess != null) { + action = ancestorAccess; + } else { + action = FsAction.EXECUTE; + } + } + + throw new RangerAccessControlException("Permission denied: user=" + user + ", access=" + action + ", inode=\"" + path + "\"") ; } } finally { if(auditHandler != null) { 
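Review bot: In the `@@ -304,27` hunk the denial message's `action` fallback handles `parentAccess` and `ancestorAccess` but not `subAccess`, ending in `action = FsAction.EXECUTE`, while the audit branch just above does map `subAccess`; a denial on a recursive (`subAccess`) check is therefore reported as `access=EXECUTE`, which misleads whoever investigates it — add `} else if(subAccess != null) { action = subAccess;` before the `EXECUTE` default. The same `finally` block also re-derives `nodeChecked` for the traverse-only case with the same inode/parent/ancestor fallback the check itself uses in the preceding `@@ -208,26` hunk, so the path written to the audit record is computed separately from the path that was actually authorized and the two can drift apart; choose the node once next to `ancestor`/`parent`/`inode` where `nodeToCheck` is picked and reuse that variable in `finally`. The enclosing `checkPermission` starts before these hunks.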
@@ -442,6 +472,7 @@ class RangerHdfsAuditHandler extends RangerDefaultAuditHandler { private boolean isAuditEnabled = false; private AuthzAuditEvent auditEvent = null; + private final boolean auditOnlyIfDenied; private static final String RangerModuleName = RangerConfiguration.getInstance().get(RangerHadoopConstants.AUDITLOG_RANGER_MODULE_ACL_NAME_PROP , RangerHadoopConstants.DEFAULT_RANGER_MODULE_ACL_NAME) ; private static final String HadoopModuleName = RangerConfiguration.getInstance().get(RangerHadoopConstants.AUDITLOG_HADOOP_MODULE_ACL_NAME_PROP , RangerHadoopConstants.DEFAULT_HADOOP_MODULE_ACL_NAME) ; @@ -461,7 +492,9 @@ class RangerHdfsAuditHandler extends RangerDefaultAuditHandler { } } - public RangerHdfsAuditHandler(String pathToBeValidated) { + public RangerHdfsAuditHandler(String pathToBeValidated, boolean auditOnlyIfDenied) { + this.auditOnlyIfDenied = auditOnlyIfDenied; + auditEvent = new AuthzAuditEvent(); auditEvent.setResourcePath(pathToBeValidated); } @@ -523,7 +556,7 @@ public void flushAudit() { if(isAuditEnabled && !StringUtils.isEmpty(auditEvent.getAccessType())) { String username = auditEvent.getUser(); - boolean skipLog = (username != null && excludeUsers != null && excludeUsers.contains(username)) ; + boolean skipLog = (username != null && excludeUsers != null && excludeUsers.contains(username)) || (auditOnlyIfDenied && auditEvent.getAccessResult() != 0); if (! skipLog) { super.logAuthzAudit(auditEvent); From cee8c46b0a2735216774be594ba12124953111d2 Mon Sep 17 00:00:00 2001 
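Review bot: The new `auditOnlyIfDenied` field and the `auditEvent.getAccessResult() != 0` test added to `flushAudit` carry no explanation, and `0` is a magic value; from the hunk a reader cannot tell that `0` is the denied result or why traverse-only checks are audited only on denial. Add a comment on the field, `// traverse-only (EXECUTE) checks are audited only when denied; see RANGER-608`, and one on the skip condition naming the result-code convention it relies on (or compare against a named constant if the audit API provides one). The three hunks belong to `RangerHdfsAuditHandler`, whose body runs outside them.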
From: Alok Lal Date: Fri, 30 Oct 2015 16:26:47 -0700 Subject: [PATCH 093/202] RANGER-712 Create a sub-project to serve as not only a repository for samples for ranger extensions but also a template project for someone wanting to write extensions --- .../RangerCountryProvider.java | 79 -------- .../RangerSimpleMatcher.java | 6 +- pom.xml | 1 + ranger-examples/pom.xml | 45 +++++ .../RangerSampleSimpleMatcher.java | 170 ++++++++++++++++++ .../RangerSampleCountryProvider.java | 105 +++++++++++ .../RangerSampleProjectProvider.java | 44 +++-- .../RangerSampleSimpleMatcherTest.java | 81 ++++----- 8 files changed, 395 insertions(+), 136 deletions(-) delete mode 100644 agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerCountryProvider.java rename agents-common/src/{main => test}/java/org/apache/ranger/plugin/conditionevaluator/RangerSimpleMatcher.java (100%) create mode 100644 ranger-examples/pom.xml create mode 100644 ranger-examples/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerSampleSimpleMatcher.java create mode 100644 ranger-examples/src/main/java/org/apache/ranger/plugin/contextenricher/RangerSampleCountryProvider.java rename agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerProjectProvider.java => ranger-examples/src/main/java/org/apache/ranger/plugin/contextenricher/RangerSampleProjectProvider.java (50%) rename agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerSimpleMatcherTest.java => ranger-examples/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerSampleSimpleMatcherTest.java (59%) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerCountryProvider.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerCountryProvider.java deleted file mode 100644 index 64f50231c2f..00000000000 --- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerCountryProvider.java +++ /dev/null 
@@ -1,79 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.ranger.plugin.contextenricher; - -import java.util.Map; -import java.util.Properties; - -import org.apache.commons.lang.StringUtils; -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; -import org.apache.ranger.plugin.policyengine.RangerAccessRequest; - - -public class RangerCountryProvider extends RangerAbstractContextEnricher { - private static final Log LOG = LogFactory.getLog(RangerCountryProvider.class); - - private String contextName = "COUNTRY"; - private Properties userCountryMap = null; - - @Override - public void init() { - if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerCountryProvider.init(" + enricherDef + ")"); - } - - super.init(); - - contextName = getOption("contextName", "COUNTRY"); - - String dataFile = getOption("dataFile", "/etc/ranger/data/userCountry.txt"); - - userCountryMap = readProperties(dataFile); - - if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerCountryProvider.init(" + enricherDef + ")"); - } - } - - @Override - public void enrich(RangerAccessRequest request) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerCountryProvider.enrich(" + request + 
")"); - } - - if(request != null && userCountryMap != null) { - Map context = request.getContext(); - String country = userCountryMap.getProperty(request.getUser()); - - if(context != null && !StringUtils.isEmpty(country)) { - request.getContext().put(contextName, country); - } else { - if(LOG.isDebugEnabled()) { - LOG.debug("RangerCountryProvider.enrich(): skipping due to unavailable context or country. context=" + context + "; country=" + country); - } - } - } - - if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerCountryProvider.enrich(" + request + ")"); - } - } -} diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerSimpleMatcher.java b/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerSimpleMatcher.java similarity index 100% rename from agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerSimpleMatcher.java rename to agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerSimpleMatcher.java index d9f61589b18..7ad7252cc67 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerSimpleMatcher.java +++ b/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerSimpleMatcher.java @@ -19,9 +19,6 @@ package org.apache.ranger.plugin.conditionevaluator; -import java.util.ArrayList; -import java.util.List; - import org.apache.commons.collections.CollectionUtils; import org.apache.commons.collections.MapUtils; import org.apache.commons.io.FilenameUtils; @@ -30,6 +27,9 @@ import org.apache.commons.logging.LogFactory; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; +import java.util.ArrayList; +import java.util.List; + public class RangerSimpleMatcher extends RangerAbstractConditionEvaluator { private static final Log LOG = LogFactory.getLog(RangerSimpleMatcher.class); diff --git a/pom.xml b/pom.xml index 835894da66a..91e81c71498 100644 --- a/pom.xml +++ b/pom.xml 
@@ -103,6 +103,7 @@ ranger-knox-plugin-shim ranger-yarn-plugin-shim ranger-storm-plugin-shim + ranger-examples 1.7 diff --git a/ranger-examples/pom.xml b/ranger-examples/pom.xml new file mode 100644 index 00000000000..8090170d3e8 --- /dev/null +++ b/ranger-examples/pom.xml @@ -0,0 +1,45 @@ + + + + + ranger + org.apache.ranger + 0.5.0 + + 4.0.0 + + ranger-examples + + + + junit + junit + + + org.mockito + mockito-core + + + security_plugins.ranger-plugins-common + ranger-plugins-common + ${project.version} + + + \ No newline at end of file diff --git a/ranger-examples/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerSampleSimpleMatcher.java b/ranger-examples/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerSampleSimpleMatcher.java new file mode 100644 index 00000000000..50ecb698eca --- /dev/null +++ b/ranger-examples/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerSampleSimpleMatcher.java 
@@ -0,0 +1,170 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.plugin.conditionevaluator; + +import org.apache.commons.collections.CollectionUtils; +import org.apache.commons.collections.MapUtils; +import org.apache.commons.io.FilenameUtils; +import org.apache.commons.lang.StringUtils; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.apache.ranger.plugin.policyengine.RangerAccessRequest; + +import java.util.ArrayList; +import java.util.List; + +/** + * This is a sample implementation of a condition Evaluator. It works in conjunction with the sample context enricher + * RangerSampleProjectProvider. This is how it would be specified in the service definition: + { + ... + ... service definition + ... + "policyConditions": [ + { + "itemId": 1, + "name": "user-in-project", + "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerSimpleMatcher", + "evaluatorOptions": { CONTEXT_NAME=’PROJECT’}, + "validationRegEx":"", + "validationMessage": "", + "uiHint":"", + "label": "Project Matcher", + "description": "Projects" + } + } + * + * Name of this class is specified via the "evaluator" of the policy condition definition. 
Significant evaluator option + * for this evaluator is the CONTEXT_NAME which indicates the name under which it would look for value for the condition. + * It is also use to lookup the condition values specified in the policy. This example uses CONTEXT_NAME of PROJECT + * which matches the value under which context is enriched by its companion class RangerSampleProjectProvider. + * + * Note that the same Condition Evaluator can be used to process Context enrichment done by RangerSampleCountryProvider + * provided the CONTEXT_NAME evaluator option is set to COUNTRY which is same as the value used by its companion Context + * Enricher RangerSampleCountryProvider. Which serves as an example of how a single Condition Evaluator + * implementation can be used to model multiple policy conditions. + * + * For matching context value against policy values it uses FilenameUtils.wildcardMatch() which allows policy authors + * flexibility to specify policy conditions using wildcards. Take a look at + * {@link org.apache.ranger.plugin.conditionevaluator.RangerSampleSimpleMatcherTest#testIsMatched_happyPath() testIsMatched_happyPath} + * test for examples of what sorts of matching is afforded by this use. + * + */ +public class RangerSampleSimpleMatcher extends RangerAbstractConditionEvaluator { + + private static final Log LOG = LogFactory.getLog(RangerSampleSimpleMatcher.class); + + public static final String CONTEXT_NAME = "CONTEXT_NAME"; + + private boolean _allowAny = false; + private String _contextName = null; + private List _values = new ArrayList(); + + @Override + public void init() { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerSampleSimpleMatcher.init(" + condition + ")"); + } + + super.init(); + + if (condition == null) { + LOG.debug("init: null policy condition! Will match always!"); + _allowAny = true; + } else if (conditionDef == null) { + LOG.debug("init: null policy condition definition! 
Will match always!"); + _allowAny = true; + } else if (CollectionUtils.isEmpty(condition.getValues())) { + LOG.debug("init: empty conditions collection on policy condition! Will match always!"); + _allowAny = true; + } else if (MapUtils.isEmpty(conditionDef.getEvaluatorOptions())) { + LOG.debug("init: Evaluator options were empty. Can't determine what value to use from context. Will match always."); + _allowAny = true; + } else if (StringUtils.isEmpty(conditionDef.getEvaluatorOptions().get(CONTEXT_NAME))) { + LOG.debug("init: CONTEXT_NAME is not specified in evaluator options. Can't determine what value to use from context. Will match always."); + _allowAny = true; + } else { + _contextName = conditionDef.getEvaluatorOptions().get(CONTEXT_NAME); + for (String value : condition.getValues()) { + _values.add(value); + } + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerSampleSimpleMatcher.init(" + condition + "): values[" + _values + "]"); + } + } + + @Override + public boolean isMatched(RangerAccessRequest request) { + + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerSampleSimpleMatcher.isMatched(" + request + ")"); + } + + boolean matched = false; + + if (_allowAny) { + matched = true; + } else { + String requestValue = extractValue(request, _contextName); + if (StringUtils.isNotBlank(requestValue)) { + for (String policyValue : _values) { + if (FilenameUtils.wildcardMatch(requestValue, policyValue)) { + matched = true; + break; + } + } + } + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerSampleSimpleMatcher.isMatched(" + request+ "): " + matched); + } + + return matched; + } + + String extractValue(final RangerAccessRequest request, String key) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerSampleSimpleMatcher.extractValue(" + request+ ")"); + } + + String value = null; + if (request == null) { + LOG.debug("isMatched: Unexpected: null request. 
Returning null!"); + } else if (request.getContext() == null) { + LOG.debug("isMatched: Context map of request is null. Ok. Returning null!"); + } else if (CollectionUtils.isEmpty(request.getContext().entrySet())) { + LOG.debug("isMatched: Missing context on request. Ok. Condition isn't applicable. Returning null!"); + } else if (!request.getContext().containsKey(key)) { + if (LOG.isDebugEnabled()) { + LOG.debug("isMatched: Unexpected: Context did not have data for condition[" + key + "]. Returning null!"); + } + } else { + value = (String)request.getContext().get(key); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerSampleSimpleMatcher.extractValue(" + request+ "): " + value); + } + return value; + } +} diff --git a/ranger-examples/src/main/java/org/apache/ranger/plugin/contextenricher/RangerSampleCountryProvider.java b/ranger-examples/src/main/java/org/apache/ranger/plugin/contextenricher/RangerSampleCountryProvider.java new file mode 100644 index 00000000000..198dc5f1882 --- /dev/null +++ b/ranger-examples/src/main/java/org/apache/ranger/plugin/contextenricher/RangerSampleCountryProvider.java 
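Review bot: The class Javadoc's sample service definition names `"evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerSimpleMatcher"`, but the class being added is `RangerSampleSimpleMatcher` (this same commit moves `RangerSimpleMatcher` to test sources), so anyone copying the snippet configures a class that no longer ships; change it to `"evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerSampleSimpleMatcher"`. In `extractValue`, `(String)request.getContext().get(key)` is an unchecked cast on a context map that other enrichers populate, so a non-String value stored under the same key throws `ClassCastException` out of `isMatched`; guard with `instanceof String` and log the mismatch, or document that the context value must be a String. The debug messages inside `extractValue` are also prefixed `isMatched:` rather than `extractValue:`, which misleads when reading logs.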
@@ -0,0 +1,105 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.plugin.contextenricher; + +import java.util.Map; +import java.util.Properties; + +import org.apache.commons.lang.StringUtils; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.apache.ranger.plugin.policyengine.RangerAccessRequest; + +/** + * This is a sample implementation of a Context Enricher. It works in conjunction with a sample Condition Evaluator + * RangerSampleSimpleMatcher. It This is how it would be used in service definition: + { + ... service def + ... + "contextEnrichers": [ + { + "itemId": 1, "name": "country-provider", + "enricher": "org.apache.ranger.plugin.contextenricher.RangerSampleCountryProvider", + "enricherOptions": { "contextName" : "COUNTRY", "dataFile":"/etc/ranger/data/userCountry.txt"} + } + ... + } + + contextName: is used to specify the name under which the enricher would push value into context. + For purposes of this example the default value of this parameter, if unspecified is COUNTRY. This default + can be seen specified in init(). 
+ dataFile: is the file which contains the lookup data that this particular enricher would use to + ascertain which value to insert into the context. For purposes of this example the default value of + this parameter, if unspecified is /etc/ranger/data/userCountry.txt. This default can be seen specified + in init(). Format of lookup data is in the form of standard java properties list. + + @see Java Properties List + * + * This Context Enricher is almost identical to another sample enricher RangerSampleProjectProvider. + */ +public class RangerSampleCountryProvider extends RangerAbstractContextEnricher { + private static final Log LOG = LogFactory.getLog(RangerSampleCountryProvider.class); + + private String contextName = "COUNTRY"; + private Properties userCountryMap = null; + + @Override + public void init() { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerSampleCountryProvider.init(" + enricherDef + ")"); + } + + super.init(); + + contextName = getOption("contextName", "COUNTRY"); + + String dataFile = getOption("dataFile", "/etc/ranger/data/userCountry.txt"); + + userCountryMap = readProperties(dataFile); + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerSampleCountryProvider.init(" + enricherDef + ")"); + } + } + + @Override + public void enrich(RangerAccessRequest request) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerSampleCountryProvider.enrich(" + request + ")"); + } + + if(request != null && userCountryMap != null) { + Map context = request.getContext(); + String country = userCountryMap.getProperty(request.getUser()); + + if(context != null && !StringUtils.isEmpty(country)) { + request.getContext().put(contextName, country); + } else { + if(LOG.isDebugEnabled()) { + LOG.debug("RangerSampleCountryProvider.enrich(): skipping due to unavailable context or country. context=" + context + "; country=" + country); + } + } + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerSampleCountryProvider.enrich(" + request + ")"); + } + } +} 
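Review bot: `userCountryMap.getProperty(request.getUser())` in `enrich` throws `NullPointerException` when `getUser()` returns null, because `Properties` is a `Hashtable` and rejects null keys, while the surrounding code already tolerates a null context; guard the user the same way, `String user = request.getUser(); String country = user != null ? userCountryMap.getProperty(user) : null;`. Whether `RangerAccessRequest.getUser()` can be null is not visible here, so confirm against the request contract. The class Javadoc reads `RangerSampleSimpleMatcher. It This is how it would be used in service definition:`; drop the stray `It`, and the identical sentence in the `RangerSampleProjectProvider` Javadoc in the following `@@ -19,17 +19,41` hunk needs the same fix.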
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerProjectProvider.java b/ranger-examples/src/main/java/org/apache/ranger/plugin/contextenricher/RangerSampleProjectProvider.java similarity index 50% rename from agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerProjectProvider.java rename to ranger-examples/src/main/java/org/apache/ranger/plugin/contextenricher/RangerSampleProjectProvider.java index 4df53cbc90e..d3de6905833 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerProjectProvider.java +++ b/ranger-examples/src/main/java/org/apache/ranger/plugin/contextenricher/RangerSampleProjectProvider.java 
@@ -19,17 +19,41 @@ package org.apache.ranger.plugin.contextenricher; -import java.util.Map; -import java.util.Properties; - import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; +import java.util.Map; +import java.util.Properties; -public class RangerProjectProvider extends RangerAbstractContextEnricher { - private static final Log LOG = LogFactory.getLog(RangerProjectProvider.class); +/** + * This is a sample implementation of a Context Enricher. It works in conjunction with a sample Condition Evaluator + * RangerSampleSimpleMatcher. It This is how it would be used in service definition: + { + ... service def + ... + "contextEnrichers": [ + { + "itemId": 1, "name": "project-provider", + "enricher": "org.apache.ranger.plugin.contextenricher.RangerSampleProjectProvider", + "enricherOptions": { "contextName" : "PROJECT", "dataFile":"/etc/ranger/data/userProject.txt"} + } + ... + } + + contextName: is used to specify the name under which the enricher would push value into context. + For purposes of this example the default value of this parameter, if unspecified is PROJECT. This default + can be seen specified in init(). + dataFile: is the file which contains the lookup data that this particular enricher would use to + ascertain which value to insert into the context. For purposes of this example the default value of + this parameter, if unspecified is /etc/ranger/data/userProject.txt. This default can be seen specified + in init(). Format of lookup data is in the form of standard java properties list. + + @see Java Properties List + */ +public class RangerSampleProjectProvider extends RangerAbstractContextEnricher { + private static final Log LOG = LogFactory.getLog(RangerSampleProjectProvider.class); private String contextName = "PROJECT"; private Properties userProjectMap = null; 
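Review bot: The class Javadoc added in this hunk carries a stray word in `RangerSampleSimpleMatcher. It This is how it would be used in service definition:`; drop the `It`. The `@see Java Properties List` tag has no link target, so javadoc renders it as bare text — write it as `{@link java.util.Properties}` or as a prose sentence. The JSON example sits outside a `<pre>` block, so its line structure collapses in the generated docs; wrap it. The same three issues are present in the RangerSampleCountryProvider Javadoc earlier in this patch, whose hunk starts before this chunk.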
@@ -37,7 +61,7 @@ public class RangerProjectProvider extends RangerAbstractContextEnricher { @Override public void init() { if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerProjectProvider.init(" + enricherDef + ")"); + LOG.debug("==> RangerSampleProjectProvider.init(" + enricherDef + ")"); } super.init(); @@ -49,14 +73,14 @@ public void init() { userProjectMap = readProperties(dataFile); if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerProjectProvider.init(" + enricherDef + ")"); + LOG.debug("<== RangerSampleProjectProvider.init(" + enricherDef + ")"); } } @Override public void enrich(RangerAccessRequest request) { if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerProjectProvider.enrich(" + request + ")"); + LOG.debug("==> RangerSampleProjectProvider.enrich(" + request + ")"); } if(request != null && userProjectMap != null) { @@ -67,13 +91,13 @@ public void enrich(RangerAccessRequest request) { request.getContext().put(contextName, project); } else { if(LOG.isDebugEnabled()) { - LOG.debug("RangerProjectProvider.enrich(): skipping due to unavailable context or project. context=" + context + "; project=" + project); + LOG.debug("RangerSampleProjectProvider.enrich(): skipping due to unavailable context or project. context=" + context + "; project=" + project); } } } if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerProjectProvider.enrich(" + request + ")"); + LOG.debug("<== RangerSampleProjectProvider.enrich(" + request + ")"); } } } diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerSimpleMatcherTest.java b/ranger-examples/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerSampleSimpleMatcherTest.java similarity index 59% rename from agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerSimpleMatcherTest.java rename to ranger-examples/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerSampleSimpleMatcherTest.java index 8d0bc750220..3e683bac950 100644 
--- a/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerSimpleMatcherTest.java
+++ b/ranger-examples/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerSampleSimpleMatcherTest.java
@@ -20,40 +20,33 @@ package org.apache.ranger.plugin.conditionevaluator; -import static org.junit.Assert.assertFalse; -import static org.junit.Assert.assertTrue; -import static org.mockito.Mockito.mock; -import static org.mockito.Mockito.when; - -import java.util.ArrayList; -import java.util.Arrays; -import java.util.HashMap; -import java.util.List; -import java.util.Map; - import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition; import org.apache.ranger.plugin.model.RangerServiceDef.RangerPolicyConditionDef; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; +import org.junit.Assert; import org.junit.Test; +import org.mockito.Mockito; + +import java.util.*; -public class RangerSimpleMatcherTest { +public class RangerSampleSimpleMatcherTest { final Map _conditionOptions = new HashMap(); { - _conditionOptions.put(RangerSimpleMatcher.CONTEXT_NAME, RangerSimpleMatcher.CONTEXT_NAME); + _conditionOptions.put(RangerSampleSimpleMatcher.CONTEXT_NAME, RangerSampleSimpleMatcher.CONTEXT_NAME); } @Test public void testIsMatched_happyPath() { // this documents some unexpected behavior of the ip matcher - RangerSimpleMatcher ipMatcher = createMatcher(new String[]{"US", "C*"} ); - assertTrue(ipMatcher.isMatched(createRequest("US"))); - assertTrue(ipMatcher.isMatched(createRequest("CA"))); - assertTrue(ipMatcher.isMatched(createRequest("C---"))); - assertFalse(ipMatcher.isMatched(createRequest(" US "))); - assertFalse(ipMatcher.isMatched(createRequest("Us"))); - assertFalse(ipMatcher.isMatched(createRequest("ca"))); + RangerSampleSimpleMatcher ipMatcher = createMatcher(new String[]{"US", "C*"} ); + Assert.assertTrue(ipMatcher.isMatched(createRequest("US"))); + Assert.assertTrue(ipMatcher.isMatched(createRequest("CA"))); + Assert.assertTrue(ipMatcher.isMatched(createRequest("C---"))); + Assert.assertFalse(ipMatcher.isMatched(createRequest(" US "))); + Assert.assertFalse(ipMatcher.isMatched(createRequest("Us"))); + 
Assert.assertFalse(ipMatcher.isMatched(createRequest("ca"))); } @Test 
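Review bot: `import java.util.*;` replaces the five explicit imports the old file had, while the other Java files in this patch (RangerSampleProjectProvider, RangerSampleCountryProvider) keep explicit `java.util.Map` / `java.util.Properties` imports; restore `import java.util.ArrayList; import java.util.Arrays; import java.util.HashMap; import java.util.List; import java.util.Map;` so the moved test follows the same convention. The renamed test still calls the matcher `ipMatcher` and keeps the comment `// this documents some unexpected behavior of the ip matcher` although the values under test are country codes; `matcher` and a comment naming the simple matcher would read correctly.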
@@ -62,72 +55,72 @@ public void test_firewallings() { // create a request for some policyValue, say, country and use it to match against matcher initialized with all sorts of bad data RangerAccessRequest request = createRequest("AB"); - RangerSimpleMatcher matcher = new RangerSimpleMatcher(); + RangerSampleSimpleMatcher matcher = new RangerSampleSimpleMatcher(); // Matcher initialized with null policy should behave sensibly! It matches everything! matcher.setConditionDef(null); matcher.setPolicyItemCondition(null); matcher.init(); - assertTrue(matcher.isMatched(request)); + Assert.assertTrue(matcher.isMatched(request)); - RangerPolicyItemCondition policyItemCondition = mock(RangerPolicyItemCondition.class); + RangerPolicyItemCondition policyItemCondition = Mockito.mock(RangerPolicyItemCondition.class); matcher.setConditionDef(null); matcher.setPolicyItemCondition(policyItemCondition); matcher.init(); - assertTrue(matcher.isMatched(request)); + Assert.assertTrue(matcher.isMatched(request)); - RangerPolicyConditionDef conditionDef = mock(RangerPolicyConditionDef.class); + RangerPolicyConditionDef conditionDef = Mockito.mock(RangerPolicyConditionDef.class); matcher.setConditionDef(conditionDef); matcher.setPolicyItemCondition(null); matcher.init(); - assertTrue(matcher.isMatched(request)); + Assert.assertTrue(matcher.isMatched(request)); // so should a policy item condition with initialized with null list of values - when(policyItemCondition.getValues()).thenReturn(null); + Mockito.when(policyItemCondition.getValues()).thenReturn(null); matcher.setConditionDef(conditionDef); matcher.setPolicyItemCondition(policyItemCondition); matcher.init(); - assertTrue(matcher.isMatched(request)); + Assert.assertTrue(matcher.isMatched(request)); // not null item condition with empty condition list List values = new ArrayList(); - when(policyItemCondition.getValues()).thenReturn(values); + Mockito.when(policyItemCondition.getValues()).thenReturn(values); 
matcher.setConditionDef(conditionDef); matcher.setPolicyItemCondition(policyItemCondition); matcher.init(); - assertTrue(matcher.isMatched(request)); + Assert.assertTrue(matcher.isMatched(request)); // values as sensible items in it, however, the conditionDef has null evaluator option, so that too suppresses any check values.add("AB"); - when(policyItemCondition.getValues()).thenReturn(values); - when(conditionDef.getEvaluatorOptions()).thenReturn(null); + Mockito.when(policyItemCondition.getValues()).thenReturn(values); + Mockito.when(conditionDef.getEvaluatorOptions()).thenReturn(null); matcher.setConditionDef(conditionDef); matcher.setPolicyItemCondition(policyItemCondition); matcher.init(); - assertTrue(matcher.isMatched(request)); + Assert.assertTrue(matcher.isMatched(request)); // If evaluator option on the condition def is non-null then it starts to evaluate for real - when(conditionDef.getEvaluatorOptions()).thenReturn(_conditionOptions); + Mockito.when(conditionDef.getEvaluatorOptions()).thenReturn(_conditionOptions); matcher.setConditionDef(conditionDef); matcher.setPolicyItemCondition(policyItemCondition); matcher.init(); - assertTrue(matcher.isMatched(request)); + Assert.assertTrue(matcher.isMatched(request)); } - RangerSimpleMatcher createMatcher(String[] ipArray) { - RangerSimpleMatcher matcher = new RangerSimpleMatcher(); + RangerSampleSimpleMatcher createMatcher(String[] ipArray) { + RangerSampleSimpleMatcher matcher = new RangerSampleSimpleMatcher(); if (ipArray == null) { matcher.setConditionDef(null); matcher.setPolicyItemCondition(null); matcher.init(); } else { - RangerPolicyItemCondition condition = mock(RangerPolicyItemCondition.class); + RangerPolicyItemCondition condition = Mockito.mock(RangerPolicyItemCondition.class); List addresses = Arrays.asList(ipArray); - when(condition.getValues()).thenReturn(addresses); + Mockito.when(condition.getValues()).thenReturn(addresses); - RangerPolicyConditionDef conditionDef = 
mock(RangerPolicyConditionDef.class); + RangerPolicyConditionDef conditionDef = Mockito.mock(RangerPolicyConditionDef.class); - when(conditionDef.getEvaluatorOptions()).thenReturn(_conditionOptions); + Mockito.when(conditionDef.getEvaluatorOptions()).thenReturn(_conditionOptions); matcher.setConditionDef(conditionDef); matcher.setPolicyItemCondition(condition); matcher.init(); @@ -138,9 +131,9 @@ RangerSimpleMatcher createMatcher(String[] ipArray) { RangerAccessRequest createRequest(String value) { Map context = new HashMap(); - context.put(RangerSimpleMatcher.CONTEXT_NAME, value); - RangerAccessRequest request = mock(RangerAccessRequest.class); - when(request.getContext()).thenReturn(context); + context.put(RangerSampleSimpleMatcher.CONTEXT_NAME, value); + RangerAccessRequest request = Mockito.mock(RangerAccessRequest.class); + Mockito.when(request.getContext()).thenReturn(context); return request; } } From ae369758409e75e615c335836bfa66ccae2027f2 Mon Sep 17 00:00:00 2001 From: Madhan Neethiraj Date: Sun, 8 Nov 2015 11:07:14 -0800 Subject: [PATCH 094/202] RANGER-724: AuditBatchQueue.waitToComplete() updated to recompute prevQueueSize within while loop (cherry picked from commit c89b01f28aeda1fa7fc05de7546e1e12614a4319) --- .../java/org/apache/ranger/audit/queue/AuditBatchQueue.java | 2 ++ 1 file changed, 2 insertions(+) diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditBatchQueue.java b/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditBatchQueue.java index f3a38dc1980..5b56c96abbd 100644 --- a/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditBatchQueue.java +++ b/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditBatchQueue.java 
@@ -168,9 +168,11 @@ public void waitToComplete(long timeout) {
 if (staticLoopCount > 5) {
 logger.error("Aborting writing to consumer. Some logs will be discarded."
 + getName() + ".size=" + queue.size());
+ break;
 }
 } else {
 staticLoopCount = 0;
+ prevQueueSize = queue.size();
 }
 if (consumerThread != null) {
 consumerThread.interrupt();
From 2c8c3c7492f169490ff29974f18a6f1d1be39c34 Mon Sep 17 00:00:00 2001 From: rmani Date: Mon, 9 Nov 2015 09:46:23 -0800 Subject: [PATCH 095/202] RANGER-717:Hive and Hbase ranger plugin Audit to DB failed to log after plugin modification for not to add dependent libraries to component's CLASSPATH
---
 .../hive/authorizer/RangerHiveAuthorizerFactory.java | 8 ++++++-- src/main/assembly/hbase-agent.xml | 1 + 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/ranger-hive-plugin-shim/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizerFactory.java b/ranger-hive-plugin-shim/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizerFactory.java
index 02d6db3e099..4b3a196ad77 100644
--- a/ranger-hive-plugin-shim/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizerFactory.java
+++ b/ranger-hive-plugin-shim/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizerFactory.java
@@ -97,8 +97,12 @@ public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreC
 LOG.debug("==> RangerHiveAuthorizerFactory.createHiveAuthorizer()");
 }
 
- ret = rangerHiveAuthorizerFactoryImpl.createHiveAuthorizer(metastoreClientFactory, conf, hiveAuthenticator, sessionContext);
-
+ try {
+ activatePluginClassLoader();
+ ret = rangerHiveAuthorizerFactoryImpl.createHiveAuthorizer(metastoreClientFactory, conf, hiveAuthenticator, sessionContext);
+ } finally {
+ deactivatePluginClassLoader();
+ }
 if(LOG.isDebugEnabled()) {
 LOG.debug("<== RangerHiveAuthorizerFactory.createHiveAuthorizer()");
 }
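Review bot: The abort path this hunk adds a `break` to still logs without a separator — `"Some logs will be discarded." + getName() + ".size="` renders as `discarded.<queueName>.size=`; change it to `"Some logs will be discarded. " + getName() + ".size=" + queue.size()`. Because this branch is the point where audit events are dropped, the number in `queue.size()` is the one figure an operator needs to detect audit loss, so keep it in the message rather than relying on the debug-level output elsewhere. The enclosing loop in waitToComplete starts before this hunk, so whether anything else observes the discarded count is not visible here.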
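Review bot: In the new try/finally in createHiveAuthorizer, `deactivatePluginClassLoader()` runs even when `activatePluginClassLoader()` throws before swapping the loader; whether that leaves the thread's context class loader correct depends on those two methods, which are outside this hunk. Pairing the finally only with a completed activation removes the question: move `activatePluginClassLoader();` to the line above `try {`. If the current shape is intentional, a comment such as `// deactivate must tolerate an activate that did not complete` should say so. `ret` is declared before this hunk.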
diff --git a/src/main/assembly/hbase-agent.xml b/src/main/assembly/hbase-agent.xml index 0ffc65cf4d9..122c8c7933b 100644 --- a/src/main/assembly/hbase-agent.xml +++ b/src/main/assembly/hbase-agent.xml @@ -49,6 +49,7 @@ com.google.code.gson:gson* org.eclipse.persistence:eclipselink + org.eclipse.persistence:javax.persistence org.apache.httpcomponents:httpmime:jar:${httpcomponent.httpmime.version} org.noggit:noggit:jar:${noggit.version} From 97d2ab306104a9b731bdabecce1ccde2203ca577 Mon Sep 17 00:00:00 2001 From: Gautam Borad Date: Mon, 9 Nov 2015 11:54:23 +0530 Subject: [PATCH 096/202] RANGER-714 : Enhancements to the db admin setup scripts --- agents-common/scripts/enable-agent.sh | 11 +- hbase-agent/scripts/install.sh | 10 +- hdfs-agent/scripts/install.sh | 10 +- hive-agent/scripts/install.sh | 10 +- kms/scripts/db_setup.py | 72 +- kms/scripts/dba_script.py | 322 +++++-- kms/scripts/install.properties | 10 +- kms/scripts/setup.sh | 16 +- knox-agent/scripts/install.sh | 10 +- plugin-kms/scripts/enable-kms-plugin.sh | 11 +- security-admin/scripts/db_setup.py | 170 +++- security-admin/scripts/dba_script.py | 478 ++++++---- security-admin/scripts/install.properties | 34 +- security-admin/scripts/setup.sh | 831 +----------------- security-admin/src/bin/ranger_install.py | 163 ++-- .../java/org/apache/ranger/biz/XUserMgr.java | 113 ++- .../apache/ranger/common/AppConstants.java | 1 + .../handler/RangerAuthenticationProvider.java | 4 + .../webapp/scripts/prelogin/XAPrelogin.js | 13 +- storm-agent/scripts/install.sh | 10 +- 20 files changed, 1070 insertions(+), 1229 deletions(-) diff --git a/agents-common/scripts/enable-agent.sh b/agents-common/scripts/enable-agent.sh index 32e922d93b8..b9511d24de3 100755 --- a/agents-common/scripts/enable-agent.sh +++ b/agents-common/scripts/enable-agent.sh 
@@ -403,7 +403,16 @@ then export XAAUDIT_DB_JDBC_DRIVER="com.mysql.jdbc.Driver" elif [ "${db_flavor}" = "ORACLE" ] then - export XAAUDIT_DB_JDBC_URL="jdbc:oracle:thin:\@//${audit_db_hostname}" + count=$(grep -o ":" <<< "$audit_db_hostname" | wc -l) + #if [[ ${count} -eq 2 ]] ; then + if [ ${count} -eq 2 ] || [ ${count} -eq 0 ]; then + #jdbc:oracle:thin:@[HOST][:PORT]:SID or #jdbc:oracle:thin:@GL + newPropertyValue="jdbc:oracle:thin:@${audit_db_hostname}" + else + #jdbc:oracle:thin:@//[HOST][:PORT]/SERVICE + newPropertyValue="jdbc:oracle:thin:@//${audit_db_hostname}" + fi + export XAAUDIT_DB_JDBC_URL=${newPropertyValue} export XAAUDIT_DB_JDBC_DRIVER="oracle.jdbc.OracleDriver" elif [ "${db_flavor}" = "POSTGRES" ] then diff --git a/hbase-agent/scripts/install.sh b/hbase-agent/scripts/install.sh index a7b67f3ef20..265be1d0a2d 100644 --- a/hbase-agent/scripts/install.sh +++ b/hbase-agent/scripts/install.sh @@ -281,7 +281,15 @@ if [ "${DB_FLAVOR}" == "ORACLE" ] then audit_db_hostname=`grep '^XAAUDIT.DB.HOSTNAME' ${install_dir}/install.properties | awk -F= '{ print $2 }'` propertyName=XAAUDIT.DB.JDBC_URL - newPropertyValue="jdbc:oracle:thin:\@//${audit_db_hostname}" + count=$(grep -o ":" <<< "$audit_db_hostname" | wc -l) + #if [[ ${count} -eq 2 ]] ; then + if [ ${count} -eq 2 ] || [ ${count} -eq 0 ]; then + #jdbc:oracle:thin:@[HOST][:PORT]:SID or #jdbc:oracle:thin:@GL + newPropertyValue="jdbc:oracle:thin:@${audit_db_hostname}" + else + #jdbc:oracle:thin:@//[HOST][:PORT]/SERVICE + newPropertyValue="jdbc:oracle:thin:@//${audit_db_hostname}" + fi updatePropertyToFile $propertyName $newPropertyValue $to_file propertyName=XAAUDIT.DB.JDBC_DRIVER diff --git a/hdfs-agent/scripts/install.sh b/hdfs-agent/scripts/install.sh index 9eef8dabaf7..ea885467288 100644 --- a/hdfs-agent/scripts/install.sh +++ b/hdfs-agent/scripts/install.sh 
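Review bot: The Oracle branch keeps a commented-out alternative `#if [[ ${count} -eq 2 ]] ; then` directly above the live `if`; dead code in a setup script reads as an unresolved decision, so delete it. The identical block is pasted into hbase-agent/scripts/install.sh in this line's second hunk and into hdfs-agent and hive-agent install.sh in the next hunks, and the hdfs copy's comment has already drifted (it omits the `@GL` alias case) — a single function in enable-agent.sh would keep the four in step. The hostname is read from install.properties and interpolated unquoted; at minimum quote the export, `export XAAUDIT_DB_JDBC_URL="${newPropertyValue}"`, and in the install.sh copies pass `"$newPropertyValue"` to updatePropertyToFile. Note that `count` comes from `wc -l`, which pads with spaces on some platforms; the unquoted `[ ${count} -eq 2 ]` tolerates that only because word splitting strips them.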
@@ -289,7 +289,15 @@ if [ "${DB_FLAVOR}" == "ORACLE" ] then audit_db_hostname=`grep '^XAAUDIT.DB.HOSTNAME' ${install_dir}/install.properties | awk -F= '{ print $2 }'` propertyName=XAAUDIT.DB.JDBC_URL - newPropertyValue="jdbc:oracle:thin:\@//${audit_db_hostname}" + count=$(grep -o ":" <<< "$audit_db_hostname" | wc -l) + #if [[ ${count} -eq 2 ]] ; then + if [ ${count} -eq 2 ] || [ ${count} -eq 0 ]; then + #jdbc:oracle:thin:@[HOST][:PORT]:SID + newPropertyValue="jdbc:oracle:thin:@${audit_db_hostname}" + else + #jdbc:oracle:thin:@//[HOST][:PORT]/SERVICE + newPropertyValue="jdbc:oracle:thin:@//${audit_db_hostname}" + fi updatePropertyToFile $propertyName $newPropertyValue $to_file propertyName=XAAUDIT.DB.JDBC_DRIVER diff --git a/hive-agent/scripts/install.sh b/hive-agent/scripts/install.sh index cf7180dd3e4..fa196348074 100644 --- a/hive-agent/scripts/install.sh +++ b/hive-agent/scripts/install.sh @@ -266,7 +266,15 @@ if [ "${DB_FLAVOR}" == "ORACLE" ] then audit_db_hostname=`grep '^XAAUDIT.DB.HOSTNAME' ${install_dir}/install.properties | awk -F= '{ print $2 }'` propertyName=XAAUDIT.DB.JDBC_URL - newPropertyValue="jdbc:oracle:thin:\@//${audit_db_hostname}" + count=$(grep -o ":" <<< "$audit_db_hostname" | wc -l) + #if [[ ${count} -eq 2 ]] ; then + if [ ${count} -eq 2 ] || [ ${count} -eq 0 ]; then + #jdbc:oracle:thin:@[HOST][:PORT]:SID or #jdbc:oracle:thin:@GL + newPropertyValue="jdbc:oracle:thin:@${audit_db_hostname}" + else + #jdbc:oracle:thin:@//[HOST][:PORT]/SERVICE + newPropertyValue="jdbc:oracle:thin:@//${audit_db_hostname}" + fi updatePropertyToFile $propertyName $newPropertyValue $to_file propertyName=XAAUDIT.DB.JDBC_DRIVER diff --git a/kms/scripts/db_setup.py b/kms/scripts/db_setup.py index bdac333b918..1484fa114c1 100644 --- a/kms/scripts/db_setup.py +++ b/kms/scripts/db_setup.py 
@@ -31,6 +31,8 @@ os_name = platform.system() os_name = os_name.upper() +jisql_debug=True + if os_name == "LINUX": RANGER_KMS_HOME = os.getenv("RANGER_KMS_HOME") if RANGER_KMS_HOME is None: @@ -76,6 +78,15 @@ def populate_global_dict(): value = value.strip() globalDict[key] = value +def jisql_log(query, db_password): + if jisql_debug == True: + if os_name == "WINDOWS": + query = query.replace(' -p "'+db_password+'"' , ' -p "********"') + log("[JISQL] "+query, "info") + else: + query = query.replace(" -p '"+db_password+"'" , " -p '********'") + log("[JISQL] "+query, "info") + class BaseDB(object): def check_connection(self, db_name, db_user, db_password): @@ -96,13 +107,12 @@ def __init__(self, host,SQL_CONNECTOR_JAR,JAVA_BIN): self.JAVA_BIN = JAVA_BIN def get_jisql_cmd(self, user, password ,db_name): - #path = os.getcwd() path = RANGER_KMS_HOME self.JAVA_BIN = self.JAVA_BIN.strip("'") if os_name == "LINUX": jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s -u '%s' -p '%s' -noheader -trim -c \;" %(self.JAVA_BIN,self.SQL_CONNECTOR_JAR,path,self.host,db_name,user,password) elif os_name == "WINDOWS": - jisql_cmd = "%s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s -u '%s' -p '%s' -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, self.host, db_name, user, password) + jisql_cmd = "%s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s -u \"%s\" -p \"%s\" -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, self.host, db_name, user, password) return jisql_cmd def check_connection(self, db_name, db_user, db_password): 
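Review bot: `jisql_log` masks the secret by replacing the exact literal `" -p '"+db_password+"'"` (or the double-quoted Windows form), so the password is written to the install log whenever a command quotes it any other way — the MSSQL and SQL Anywhere commands later in this file are switched from `-password` to `-p` to satisfy this pattern, and that coupling is not documented. Replacing every occurrence of the secret is robust without coordination: `if db_password: query = query.replace(db_password, "********")` (the guard avoids inserting asterisks everywhere when the password is empty). `jisql_debug=True` is hard-coded, so every jisql command line, with JDBC connection string and user name, goes to the log at info level on every install; default it to False or read it from a property. Style: `if jisql_debug == True:` should be `if jisql_debug:`, and the two branches can share one `log("[JISQL] "+query, "info")` after the masking. The same helper is copied into dba_script.py in the last hunk of this chunk; both copies need the same fix.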
@@ -112,6 +122,7 @@ def check_connection(self, db_name, db_user, db_password): query = get_cmd + " -query \"SELECT version();\"" elif os_name == "WINDOWS": query = get_cmd + " -query \"SELECT version();\" -c ;" + jisql_log(query, db_password) output = check_output(query) if output.strip('Production |'): log("[I] Checking connection passed.", "info") @@ -129,9 +140,11 @@ def import_db_file(self, db_name, db_user, db_password, file_name): get_cmd = self.get_jisql_cmd(db_user, db_password, db_name) if os_name == "LINUX": query = get_cmd + " -input %s" %file_name + jisql_log(query, db_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -input %s -c ;" %file_name + jisql_log(query, db_password) ret = subprocess.call(query) if ret == 0: log("[I] "+name + " DB schema imported successfully","info") @@ -149,6 +162,7 @@ def check_table(self, db_name, db_user, db_password, TABLE_NAME): query = get_cmd + " -query \"show tables like '%s';\"" %(TABLE_NAME) elif os_name == "WINDOWS": query = get_cmd + " -query \"show tables like '%s';\" -c ;" %(TABLE_NAME) + jisql_log(query, db_password) output = check_output(query) if output.strip(TABLE_NAME + " |"): log("[I] Table " + TABLE_NAME +" already exists in database '" + db_name + "'","info") 
@@ -166,17 +180,25 @@ def __init__(self, host, SQL_CONNECTOR_JAR, JAVA_BIN): self.JAVA_BIN = JAVA_BIN def get_jisql_cmd(self, user, password): - #path = os.getcwd() path = RANGER_KMS_HOME self.JAVA_BIN = self.JAVA_BIN.strip("'") - self.JAVA_BIN = self.JAVA_BIN + " -Djava.security.egd=file:///dev/urandom " + if not re.search('-Djava.security.egd=file:///dev/urandom', self.JAVA_BIN): + self.JAVA_BIN = self.JAVA_BIN + " -Djava.security.egd=file:///dev/urandom " + + #if self.host.count(":") == 2: + if self.host.count(":") == 2 or self.host.count(":") == 0: + #jdbc:oracle:thin:@[HOST][:PORT]:SID or #jdbc:oracle:thin:@GL + cstring="jdbc:oracle:thin:@%s" %(self.host) + else: + #jdbc:oracle:thin:@//[HOST][:PORT]/SERVICE + cstring="jdbc:oracle:thin:@//%s" %(self.host) + if os_name == "LINUX": - jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver oraclethin -cstring jdbc:oracle:thin:@%s -u '%s' -p '%s' -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR,path, self.host, user, password) + jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver oraclethin -cstring %s -u '%s' -p '%s' -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR,path, cstring, user, password) elif os_name == "WINDOWS": - jisql_cmd = "%s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver oraclethin -cstring jdbc:oracle:thin:@%s -u %s -p %s -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, self.host, user, password) + jisql_cmd = "%s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver oraclethin -cstring %s -u \"%s\" -p \"%s\" -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, cstring, user, password) return jisql_cmd - def check_connection(self, db_name, db_user, db_password): log("[I] Checking connection", "info") get_cmd = self.get_jisql_cmd(db_user, db_password) 
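Review bot: `re.search('-Djava.security.egd=file:///dev/urandom', self.JAVA_BIN)` is the first use of `re` visible in this file's hunks; confirm `import re` is present at the top of db_setup.py (not shown), otherwise the Oracle `get_jisql_cmd` fails with NameError. The commented-out `#if self.host.count(":") == 2:` above the live condition is dead code and should go. `self.host.count(":")` is evaluated twice in the condition; bind it once, `colons = self.host.count(":")`, and test `colons == 2 or colons == 0`, which also makes the comment about SID versus service URLs easier to attach.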
@@ -184,6 +206,7 @@ def check_connection(self, db_name, db_user, db_password): query = get_cmd + " -c \; -query \"select * from v$version;\"" elif os_name == "WINDOWS": query = get_cmd + " -query \"select * from v$version;\" -c ;" + jisql_log(query, db_password) output = check_output(query) if output.strip('Production |'): log("[I] Connection success", "info") @@ -200,9 +223,11 @@ def import_db_file(self, db_name, db_user, db_password, file_name): get_cmd = self.get_jisql_cmd(db_user, db_password) if os_name == "LINUX": query = get_cmd + " -input %s -c \;" %file_name + jisql_log(query, db_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -input %s -c ;" %file_name + jisql_log(query, db_password) ret = subprocess.call(query) if ret == 0: log("[I] "+name + " imported successfully","info") @@ -220,6 +245,7 @@ def check_table(self, db_name, db_user, db_password, TABLE_NAME): query = get_cmd + " -c \; -query 'select default_tablespace from user_users;'" elif os_name == "WINDOWS": query = get_cmd + " -query \"select default_tablespace from user_users;\" -c ;" + jisql_log(query, db_password) output = check_output(query).strip() output = output.strip(' |') db_name = db_name.upper() @@ -231,6 +257,7 @@ def check_table(self, db_name, db_user, db_password, TABLE_NAME): query = get_cmd + " -c \; -query \"select UPPER(table_name) from all_tables where UPPER(tablespace_name)=UPPER('%s') and UPPER(table_name)=UPPER('%s');\"" %(db_name ,TABLE_NAME) elif os_name == "WINDOWS": query = get_cmd + " -query \"select UPPER(table_name) from all_tables where UPPER(tablespace_name)=UPPER('%s') and UPPER(table_name)=UPPER('%s');\" -c ;" %(db_name ,TABLE_NAME) + jisql_log(query, db_password) output = check_output(query) if output.strip(TABLE_NAME.upper() + ' |'): log("[I] Table " + TABLE_NAME +" already exists in tablespace " + db_name + "","info") 
@@ -253,13 +280,12 @@ def __init__(self, host, SQL_CONNECTOR_JAR, JAVA_BIN): def get_jisql_cmd(self, user, password, db_name): #TODO: User array for forming command - #path = os.getcwd() path = RANGER_KMS_HOME self.JAVA_BIN = self.JAVA_BIN.strip("'") if os_name == "LINUX": - jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver postgresql -cstring jdbc:postgresql://%s/%s -u %s -p %s -noheader -trim -c \;" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,self.host, db_name, user, password) + jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver postgresql -cstring jdbc:postgresql://%s/%s -u %s -p '%s' -noheader -trim -c \;" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,self.host, db_name, user, password) elif os_name == "WINDOWS": - jisql_cmd = "%s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver postgresql -cstring jdbc:postgresql://%s/%s -u %s -p %s -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, self.host, db_name, user, password) + jisql_cmd = "%s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver postgresql -cstring jdbc:postgresql://%s/%s -u %s -p \"%s\" -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, self.host, db_name, user, password) return jisql_cmd def check_connection(self, db_name, db_user, db_password): @@ -269,6 +295,7 @@ def check_connection(self, db_name, db_user, db_password): query = get_cmd + " -query \"SELECT 1;\"" elif os_name == "WINDOWS": query = get_cmd + " -query \"SELECT 1;\" -c ;" + jisql_log(query, db_password) output = check_output(query) if output.strip('1 |'): log("[I] connection success", "info") 
@@ -284,9 +311,11 @@ def import_db_file(self, db_name, db_user, db_password, file_name): get_cmd = self.get_jisql_cmd(db_user, db_password, db_name) if os_name == "LINUX": query = get_cmd + " -input %s" %file_name + jisql_log(query, db_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -input %s -c ;" %file_name + jisql_log(query, db_password) ret = subprocess.call(query) if ret == 0: log("[I] "+name + " DB schema imported successfully","info") @@ -305,6 +334,7 @@ def check_table(self, db_name, db_user, db_password, TABLE_NAME): query = get_cmd + " -query \"select * from (select table_name from information_schema.tables where table_catalog='%s' and table_name = '%s') as temp;\"" %(db_name , TABLE_NAME) elif os_name == "WINDOWS": query = get_cmd + " -query \"select * from (select table_name from information_schema.tables where table_catalog='%s' and table_name = '%s') as temp;\" -c ;" %(db_name , TABLE_NAME) + jisql_log(query, db_password) output = check_output(query) if output.strip(TABLE_NAME +" |"): log("[I] Table " + TABLE_NAME +" already exists in database " + db_name, "info") 
@@ -323,13 +353,12 @@ def __init__(self, host, SQL_CONNECTOR_JAR, JAVA_BIN): def get_jisql_cmd(self, user, password, db_name): #TODO: User array for forming command - #path = os.getcwd() path = RANGER_KMS_HOME self.JAVA_BIN = self.JAVA_BIN.strip("'") if os_name == "LINUX": - jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password '%s' -driver mssql -cstring jdbc:sqlserver://%s\\;databaseName=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR,path, user, password, self.host,db_name) + jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -p '%s' -driver mssql -cstring jdbc:sqlserver://%s\\;databaseName=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR,path, user, password, self.host,db_name) elif os_name == "WINDOWS": - jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password '%s' -driver mssql -cstring jdbc:sqlserver://%s;databaseName=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password, self.host,db_name) + jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -p \"%s\" -driver mssql -cstring jdbc:sqlserver://%s;databaseName=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password, self.host,db_name) return jisql_cmd def check_connection(self, db_name, db_user, db_password): @@ -339,6 +368,7 @@ def check_connection(self, db_name, db_user, db_password): query = get_cmd + " -c \; -query \"SELECT 1;\"" elif os_name == "WINDOWS": query = get_cmd + " -query \"SELECT 1;\" -c ;" + jisql_log(query, db_password) output = check_output(query) if output.strip('1 |'): log("[I] Connection success", "info") 
@@ -354,9 +384,11 @@ def import_db_file(self, db_name, db_user, db_password, file_name): get_cmd = self.get_jisql_cmd(db_user, db_password, db_name) if os_name == "LINUX": query = get_cmd + " -input %s" %file_name + jisql_log(query, db_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -input %s" %file_name + jisql_log(query, db_password) ret = subprocess.call(query) if ret == 0: log("[I] "+name + " DB schema imported successfully","info") @@ -373,6 +405,7 @@ def check_table(self, db_name, db_user, db_password, TABLE_NAME): query = get_cmd + " -c \; -query \"SELECT TABLE_NAME FROM information_schema.tables where table_name = '%s';\"" %(TABLE_NAME) elif os_name == "WINDOWS": query = get_cmd + " -query \"SELECT TABLE_NAME FROM information_schema.tables where table_name = '%s';\" -c ;" %(TABLE_NAME) + jisql_log(query, db_password) output = check_output(query) if output.strip(TABLE_NAME + " |"): log("[I] Table '" + TABLE_NAME + "' already exists in database '" + db_name + "'","info") 
@@ -392,9 +425,9 @@ def get_jisql_cmd(self, user, password, db_name): path = RANGER_KMS_HOME self.JAVA_BIN = self.JAVA_BIN.strip("'") if os_name == "LINUX": - jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password '%s' -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,user, password,db_name,self.host) + jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -p '%s' -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,user, password,db_name,self.host) elif os_name == "WINDOWS": - jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password '%s' -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password,db_name,self.host) + jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -p \"%s\" -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password,db_name,self.host) return jisql_cmd def check_connection(self, db_name, db_user, db_password): @@ -404,6 +437,7 @@ def check_connection(self, db_name, db_user, db_password): query = get_cmd + " -c \; -query \"SELECT 1;\"" elif os_name == "WINDOWS": query = get_cmd + " -query \"SELECT 1;\" -c ;" + jisql_log(query, db_password) output = check_output(query) if output.strip('1 |'): log("[I] Connection success", "info") 
@@ -419,9 +453,11 @@ def import_db_file(self, db_name, db_user, db_password, file_name): get_cmd = self.get_jisql_cmd(db_user, db_password, db_name) if os_name == "LINUX": query = get_cmd + " -input %s" %file_name + jisql_log(query, db_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -input %s" %file_name + jisql_log(query, db_password) ret = subprocess.call(query) if ret == 0: log("[I] "+name + " DB schema imported successfully","info") @@ -439,6 +475,7 @@ def check_table(self, db_name, db_user, db_password, TABLE_NAME): query = get_cmd + " -c \; -query \"SELECT name FROM sysobjects where name = '%s' and type='U';\"" %(TABLE_NAME) elif os_name == "WINDOWS": query = get_cmd + " -query \"SELECT name FROM sysobjects where name = '%s' and type='U';\" -c ;" %(TABLE_NAME) + jisql_log(query, db_password) output = check_output(query) if output.strip(TABLE_NAME + " |"): log("[I] Table '" + TABLE_NAME + "' already exists in database '" + db_name + "'","info") @@ -453,16 +490,19 @@ def set_options(self, db_name, db_user, db_password, TABLE_NAME): query = get_cmd + " -c \; -query \"set option public.reserved_keywords='LIMIT';\"" elif os_name == "WINDOWS": query = get_cmd + " -query \"set option public.reserved_keywords='LIMIT';\" -c ;" + jisql_log(query, db_password) ret = subprocess.call(shlex.split(query)) if os_name == "LINUX": query = get_cmd + " -c \; -query \"set option public.max_statement_count=0;\"" elif os_name == "WINDOWS": query = get_cmd + " -query \"set option public.max_statement_count=0;\" -c;" + jisql_log(query, db_password) ret = subprocess.call(shlex.split(query)) if os_name == "LINUX": query = get_cmd + " -c \; -query \"set option public.max_cursor_count=0;\"" elif os_name == "WINDOWS": query = get_cmd + " -query \"set option public.max_cursor_count=0;\" -c;" + jisql_log(query, db_password) ret = subprocess.call(shlex.split(query)) def main(argv): 
@@ -551,8 +591,6 @@ def main(argv): log("[E] --------- NO SUCH SUPPORTED DB FLAVOUR!! ---------", "error") sys.exit(1) -# ''' - log("[I] --------- Verifying Ranger DB connection ---------","info") xa_sqlObj.check_connection(db_name, db_user, db_password) diff --git a/kms/scripts/dba_script.py b/kms/scripts/dba_script.py index d1da5d1513a..06a6a8c886e 100755 --- a/kms/scripts/dba_script.py +++ b/kms/scripts/dba_script.py @@ -30,6 +30,8 @@ os_name = platform.system() os_name = os_name.upper() +jisql_debug=True + if os_name == "LINUX": RANGER_KMS_HOME = os.getenv("RANGER_KMS_HOME") if RANGER_KMS_HOME is None: @@ -102,8 +104,20 @@ def password_validation(password, userType): else: log("[I] "+userType+" user password validated","info") else: - log("[E] Blank password is not allowed,please enter valid password.","error") - sys.exit(1) + if userType == "DBA root": + log("[I] "+userType+" user password validated","info") + else: + log("[E] Blank password is not allowed,please enter valid password.","error") + sys.exit(1) + +def jisql_log(query, db_root_password): + if jisql_debug == True: + if os_name == "WINDOWS": + query = query.replace(' -p "'+db_root_password+'"' , ' -p "********"') + log("[JISQL] "+query, "info") + else: + query = query.replace(" -p '"+db_root_password+"'" , " -p '********'") + log("[JISQL] "+query, "info") class BaseDB(object): @@ -116,8 +130,6 @@ def check_connection(self, db_name, db_user, db_password): def create_db(self, root_user, db_root_password, db_name, db_user, db_password,dryMode): log("[I] ---------- Verifying database ----------", "info") - - class MysqlConf(BaseDB): # Constructor def __init__(self, host,SQL_CONNECTOR_JAR,JAVA_BIN): 
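Review bot: `jisql_debug=True` is a hard-coded module constant, so the new `jisql_log` tracing is on for every run of this setup script rather than opt-in, and every statement it executes, including the `create user ... identified by` and `CREATE LOGIN ... WITH PASSWORD` statements in later hunks, reaches whatever sink `log()` writes to. Default it to `False` and drive it from an environment variable or command-line option (the file already reads `RANGER_KMS_HOME` via `os.getenv` in this hunk, so the same pattern fits), with a comment stating that even the masked output is sensitive.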
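Review bot: `password_validation` now accepts an empty password for `DBA root` but logs the same `user password validated` message as for a real one, which hides the fact that a passwordless DBA account is being used; log it explicitly, e.g. `log("[W] "+userType+" user password is blank, continuing", "info")`. In `jisql_log`, the mask relies on the command containing exactly ` -p '<password>'` (LINUX) or ` -p "<password>"` (WINDOWS); if a `get_jisql_cmd` variant ever uses another spelling, the password is logged verbatim, so tie the two together with `# must match the -p quoting used by every get_jisql_cmd()`. `if jisql_debug == True:` reads better as `if jisql_debug:`, and the duplicated `log("[JISQL] "+query, "info")` can be hoisted below the `if/else`.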
@@ -129,10 +141,10 @@ def get_jisql_cmd(self, user, password ,db_name): #TODO: User array for forming command path = RANGER_KMS_HOME if os_name == "LINUX": - jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s -u %s -p %s -noheader -trim -c \;" %(self.JAVA_BIN,self.SQL_CONNECTOR_JAR,path,self.host,db_name,user,password) + jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s -u %s -p '%s' -noheader -trim -c \;" %(self.JAVA_BIN,self.SQL_CONNECTOR_JAR,path,self.host,db_name,user,password) elif os_name == "WINDOWS": self.JAVA_BIN = self.JAVA_BIN.strip("'") - jisql_cmd = "%s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s -u %s -p %s -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, self.host, db_name, user, password) + jisql_cmd = "%s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s -u %s -p \"%s\" -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, self.host, db_name, user, password) return jisql_cmd def verify_user(self, root_user, db_root_password, host, db_user, get_cmd,dryMode): @@ -142,6 +154,7 @@ def verify_user(self, root_user, db_root_password, host, db_user, get_cmd,dryMod query = get_cmd + " -query \"select user from mysql.user where user='%s' and host='%s';\"" %(db_user,host) elif os_name == "WINDOWS": query = get_cmd + " -query \"select user from mysql.user where user='%s' and host='%s';\" -c ;" %(db_user,host) + jisql_log(query, db_root_password) output = check_output(query) if output.strip(db_user + " |"): return True 
@@ -155,6 +168,7 @@ def check_connection(self, db_name, db_user, db_password): query = get_cmd + " -query \"SELECT version();\"" elif os_name == "WINDOWS": query = get_cmd + " -query \"SELECT version();\" -c ;" + jisql_log(query, db_password) output = check_output(query) if output.strip('Production |'): #log("[I] Checking connection passed.", "info") @@ -178,9 +192,11 @@ def create_rangerdb_user(self, root_user, db_user, db_password, db_root_password log("[I] MySQL user " + db_user + " does not exists for host " + host, "info") if os_name == "LINUX": query = get_cmd + " -query \"create user '%s'@'%s';\"" %(db_user, host) + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"create user '%s'@'%s';\" -c ;" %(db_user, host) + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret == 0: if self.verify_user(root_user, db_root_password, host, db_user, get_cmd,dryMode): @@ -195,9 +211,11 @@ def create_rangerdb_user(self, root_user, db_user, db_password, db_root_password log("[I] MySQL user " + db_user + " does not exists for host " + host, "info") if os_name == "LINUX": query = get_cmd + " -query \"create user '%s'@'%s' identified by '%s';\"" %(db_user, host, db_password) + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"create user '%s'@'%s' identified by '%s';\" -c ;" %(db_user, host, db_password) + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret == 0: if self.verify_user(root_user, db_root_password, host, db_user, get_cmd,dryMode): 
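Review bot: In the `@@ -195,9 +211,11` hunk, `jisql_log(query, db_root_password)` on the `create user '%s'@'%s' identified by '%s'` lines masks only the DBA password passed on the `-p` switch; `db_password`, which is part of the SQL text, is written to the log in clear. The same leak is in the Oracle `create user ... identified by` and `alter user ... identified by` hunks (L849, L852), the Postgres `CREATE USER ... WITH LOGIN PASSWORD` hunk (L856) and the SQL Server `CREATE LOGIN ... WITH PASSWORD` hunk (L861). Give `jisql_log` an optional sequence of extra secrets and mask each non-empty one before logging (an empty string must be skipped, since `str.replace("", ...)` would corrupt the line), and call it here as `jisql_log(query, db_root_password, (db_password,))`. `create_rangerdb_user` begins outside this hunk.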
@@ -220,13 +238,13 @@ def verify_db(self, root_user, db_root_password, db_name,dryMode): query = get_cmd + " -query \"show databases like '%s';\"" %(db_name) elif os_name == "WINDOWS": query = get_cmd + " -query \"show databases like '%s';\" -c ;" %(db_name) + jisql_log(query, db_root_password) output = check_output(query) if output.strip(db_name + " |"): return True else: return False - def create_db(self, root_user, db_root_password, db_name, db_user, db_password,dryMode): if self.verify_db(root_user, db_root_password, db_name,dryMode): if dryMode == False: @@ -239,6 +257,7 @@ def create_db(self, root_user, db_root_password, db_name, db_user, db_password,d query = get_cmd + " -query \"create database %s;\" -c ;" %(db_name) if dryMode == False: log("[I] Database does not exist, Creating database " + db_name,"info") + jisql_log(query, db_root_password) if os_name == "LINUX": ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": 
@@ -256,42 +275,30 @@ def create_db(self, root_user, db_root_password, db_name, db_user, db_password,d else: logFile("create database %s;" %(db_name)) - def grant_xa_db_user(self, root_user, db_name, db_user, db_password, db_root_password, is_revoke,dryMode): hosts_arr =["%", "localhost"] hosts_arr.append(self.host) - ''' - if is_revoke: - for host in hosts_arr: - get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'mysql') - query = get_cmd + " -query \"REVOKE ALL PRIVILEGES,GRANT OPTION FROM '%s'@'%s';\"" %(db_user, host) - ret = subprocess.call(shlex.split(query)) - if ret == 0: - query = get_cmd + " -query \"FLUSH PRIVILEGES;\"" - ret = subprocess.call(shlex.split(query)) - if ret != 0: - sys.exit(1) - else: - sys.exit(1) - ''' - for host in hosts_arr: if dryMode == False: log("[I] ---------- Granting privileges TO user '"+db_user+"'@'"+host+"' on db '"+db_name+"'----------" , "info") get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'mysql') if os_name == "LINUX": query = get_cmd + " -query \"grant all privileges on %s.* to '%s'@'%s' with grant option;\"" %(db_name,db_user, host) + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"grant all privileges on %s.* to '%s'@'%s' with grant option;\" -c ;" %(db_name,db_user, host) + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret == 0: log("[I] ---------- FLUSH PRIVILEGES ----------" , "info") if os_name == "LINUX": query = get_cmd + " -query \"FLUSH PRIVILEGES;\"" + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"FLUSH PRIVILEGES;\" -c ;" + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret == 0: log("[I] Privileges granted to '" + db_user + "' on '"+db_name+"'", "info") 
@@ -304,6 +311,17 @@ def grant_xa_db_user(self, root_user, db_name, db_user, db_password, db_root_pas else: logFile("grant all privileges on %s.* to '%s'@'%s' with grant option;" %(db_name,db_user, host)) + def writeDrymodeCmd(self, xa_db_root_user, xa_db_root_password, db_user, db_password, db_name): + logFile("# Login to MySQL Server from a MySQL dba user(i.e 'root') to execute below sql statements.") + hosts_arr =["%", "localhost"] + if not self.host == "localhost": hosts_arr.append(self.host) + for host in hosts_arr: + logFile("create user '%s'@'%s' identified by '%s';" %(db_user, host, db_password)) + logFile("create database %s;"%(db_name)) + for host in hosts_arr: + logFile("grant all privileges on %s.* to '%s'@'%s' with grant option;"%(db_name, db_user, host)) + logFile("FLUSH PRIVILEGES;") + class OracleConf(BaseDB): # Constructor 
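Review bot: The new MySQL `writeDrymodeCmd` builds its host list as `["%", "localhost"]` plus `self.host` only when it is not `localhost`, whereas `grant_xa_db_user` in the preceding hunk appends `self.host` unconditionally, so the dry-mode script and the live path differ when the host is `localhost`; use one form in both. `if not self.host == "localhost": hosts_arr.append(self.host)` is better written as `if self.host != "localhost":` with the body on its own line, and `xa_db_root_user` / `xa_db_root_password` are accepted but never used (the Oracle, Postgres and SQL Server variants at L854, L859, L863 share the signature). The generated file contains `db_password` in clear text by design; I cannot see where `logFile` writes, so confirm its destination is created with owner-only permissions and add `# output contains the Ranger DB user's password; treat the file as a credential` on the method.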
@@ -315,11 +333,21 @@ def __init__(self, host, SQL_CONNECTOR_JAR, JAVA_BIN): def get_jisql_cmd(self, user, password): #TODO: User array for forming command path = RANGER_KMS_HOME - self.JAVA_BIN = self.JAVA_BIN + " -Djava.security.egd=file:///dev/urandom " + if not re.search('-Djava.security.egd=file:///dev/urandom', self.JAVA_BIN): + self.JAVA_BIN = self.JAVA_BIN + " -Djava.security.egd=file:///dev/urandom " + + #if self.host.count(":") == 2: + if self.host.count(":") == 2 or self.host.count(":") == 0: + #jdbc:oracle:thin:@[HOST][:PORT]:SID or #jdbc:oracle:thin:@GL + cstring="jdbc:oracle:thin:@%s" %(self.host) + else: + #jdbc:oracle:thin:@//[HOST][:PORT]/SERVICE + cstring="jdbc:oracle:thin:@//%s" %(self.host) + if os_name == "LINUX": - jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver oraclethin -cstring jdbc:oracle:thin:@%s -u '%s' -p '%s' -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR,path, self.host, user, password) + jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver oraclethin -cstring %s -u '%s' -p '%s' -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR,path, cstring, user, password) elif os_name == "WINDOWS": - jisql_cmd = "%s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver oraclethin -cstring jdbc:oracle:thin:@%s -u %s -p %s -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, self.host, user, password) + jisql_cmd = "%s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver oraclethin -cstring %s -u \"%s\" -p \"%s\" -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, cstring, user, password) return jisql_cmd def check_connection(self, db_name, db_user, db_password): 
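Review bot: The commented-out `#if self.host.count(":") == 2:` left above the new condition should be deleted, and the `#jdbc:oracle:thin:@GL` example on the next line does not say which host spelling it refers to; a comment such as `# host:port:SID (two colons) or a bare name with no colon (presumably a TNS alias - confirm) use the @HOST form; host:port/SERVICE uses @//HOST` would make the branch readable. `re.search('-Djava.security.egd=file:///dev/urandom', self.JAVA_BIN)` treats the dots as wildcards and depends on `re` being imported, which this hunk does not show; the plain `if '-Djava.security.egd=file:///dev/urandom' not in self.JAVA_BIN:` is exact and has no such dependency.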
@@ -329,6 +357,7 @@ def check_connection(self, db_name, db_user, db_password): query = get_cmd + " -c \; -query \"select * from v$version;\"" elif os_name == "WINDOWS": query = get_cmd + " -query \"select * from v$version;\" -c ;" + jisql_log(query, db_password) output = check_output(query) if output.strip('Production |'): log("[I] Connection success", "info") @@ -345,6 +374,7 @@ def verify_user(self, root_user, db_user, db_root_password,dryMode): query = get_cmd + " -c \; -query \"select username from all_users where upper(username)=upper('%s');\"" %(db_user) elif os_name == "WINDOWS": query = get_cmd + " -query \"select username from all_users where upper(username)=upper('%s');\" -c ;" %(db_user) + jisql_log(query, db_root_password) output = check_output(query) if output.strip(db_user + " |"): return True @@ -362,9 +392,11 @@ def create_rangerdb_user(self, root_user, db_user, db_password, db_root_password get_cmd = self.get_jisql_cmd(root_user, db_root_password) if os_name == "LINUX": query = get_cmd + " -c \; -query 'create user %s identified by \"%s\";'" %(db_user, db_password) + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"create user %s identified by \"%s\";\" -c ;" %(db_user, db_password) + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret == 0: if self.verify_user(root_user, db_user, db_root_password,dryMode): 
@@ -372,9 +404,11 @@ def create_rangerdb_user(self, root_user, db_user, db_password, db_root_password log("[I] Granting permission to " + db_user, "info") if os_name == "LINUX": query = get_cmd + " -c \; -query 'GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;'" % (db_user) + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;\" -c ;" % (db_user) + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret == 0: log("[I] Granting permissions to Oracle user '" + db_user + "' for %s done" %(self.host), "info") @@ -390,7 +424,6 @@ def create_rangerdb_user(self, root_user, db_user, db_password, db_root_password else: logFile("create user %s identified by \"%s\";" %(db_user, db_password)) - def verify_tablespace(self, root_user, db_root_password, db_name,dryMode): if dryMode == False: log("[I] Verifying tablespace " + db_name, "info") @@ -399,6 +432,7 @@ def verify_tablespace(self, root_user, db_root_password, db_name,dryMode): query = get_cmd + " -c \; -query \"SELECT DISTINCT UPPER(TABLESPACE_NAME) FROM USER_TablespaceS where UPPER(Tablespace_Name)=UPPER(\'%s\');\"" %(db_name) elif os_name == "WINDOWS": query = get_cmd + " -query \"SELECT DISTINCT UPPER(TABLESPACE_NAME) FROM USER_TablespaceS where UPPER(Tablespace_Name)=UPPER(\'%s\');\" -c ;" %(db_name) + jisql_log(query, db_root_password) output = check_output(query) if output.strip(db_name+' |'): return True 
@@ -415,6 +449,7 @@ def create_db(self, root_user, db_root_password, db_name, db_user, db_password,d query = get_cmd + " -c \; -query 'select default_tablespace from user_users;'" elif os_name == "WINDOWS": query = get_cmd + " -query \"select default_tablespace from user_users;\" -c ;" + jisql_log(query, db_root_password) output = check_output(query).strip() db_name = db_name.upper() +' |' if output == db_name: @@ -430,9 +465,11 @@ def create_db(self, root_user, db_root_password, db_name, db_user, db_password,d get_cmd = self.get_jisql_cmd(root_user, db_root_password) if os_name == "LINUX": query = get_cmd + " -c \; -query \"create tablespace %s datafile '%s.dat' size 10M autoextend on;\"" %(db_name, db_name) + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"create tablespace %s datafile '%s.dat' size 10M autoextend on;\" -c ;" %(db_name, db_name) + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret == 0: if self.verify_tablespace(root_user, db_root_password, db_name,dryMode): 
@@ -456,17 +493,21 @@ def assign_tablespace(self, root_user, db_root_password, db_user, db_password, d get_cmd = self.get_jisql_cmd(root_user , db_root_password) if os_name == "LINUX": query = get_cmd +" -c \; -query 'alter user %s identified by \"%s\" DEFAULT Tablespace %s;'" %(db_user, db_password, db_name) + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd +" -query \"alter user %s identified by \"%s\" DEFAULT Tablespace %s;\" -c ;" %(db_user, db_password, db_name) + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret == 0: log("[I] Granting permission to " + db_user, "info") if os_name == "LINUX": query = get_cmd + " -c \; -query 'GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;'" % (db_user) + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;\" -c ;" % (db_user) + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret == 0: log("[I] Granting Oracle user '" + db_user + "' done", "info") 
@@ -487,9 +528,11 @@ def grant_xa_db_user(self, root_user, db_name, db_user, db_password, db_root_pas get_cmd = self.get_jisql_cmd(root_user ,db_root_password) if os_name == "LINUX": query = get_cmd + " -c \; -query 'GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;'" % (db_user) + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;\" -c ;" % (db_user) + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret == 0: log("[I] Granted permission to " + db_user, "info") 
@@ -500,7 +543,13 @@ def grant_xa_db_user(self, root_user, db_name, db_user, db_password, db_root_pas else: logFile("GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;" % (db_user)) - + def writeDrymodeCmd(self, xa_db_root_user, xa_db_root_password, db_user, db_password, db_name): + logFile("# Login to ORACLE Server from a ORACLE dba user(i.e 'sys') to execute below sql statements.") + logFile('create user %s identified by "%s";'%(db_user, db_password)) + logFile('GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE ANY SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;'%(db_user)) + logFile("create tablespace %s datafile '%s.dat' size 10M autoextend on;" %(db_name, db_name)) + logFile('alter user %s identified by "%s" DEFAULT Tablespace %s;'%(db_user, db_password, db_name)) + logFile('GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE ANY SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;'%(db_user)) class PostgresConf(BaseDB): # Constructor 
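Review bot: The Oracle `writeDrymodeCmd` grants `CREATE ANY SYNONYM`, which the live path's GRANT statements in the hunks at L850, L852 and L853 do not include, so a DBA who runs the generated script gives the Ranger user a broader privilege than the script itself would; align the two lists. The same GRANT line is also emitted twice, before and after the tablespace statements, and the second copy is redundant. As in the MySQL variant, `xa_db_root_user` and `xa_db_root_password` are unused and `db_password` lands in the output file in clear.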
@@ -514,9 +563,9 @@ def get_jisql_cmd(self, user, password, db_name): path = RANGER_KMS_HOME self.JAVA_BIN = self.JAVA_BIN.strip("'") if os_name == "LINUX": - jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver postgresql -cstring jdbc:postgresql://%s/%s -u %s -p %s -noheader -trim -c \;" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,self.host, db_name, user, password) + jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver postgresql -cstring jdbc:postgresql://%s/%s -u %s -p '%s' -noheader -trim -c \;" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,self.host, db_name, user, password) elif os_name == "WINDOWS": - jisql_cmd = "%s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver postgresql -cstring jdbc:postgresql://%s/%s -u %s -p %s -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, self.host, db_name, user, password) + jisql_cmd = "%s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver postgresql -cstring jdbc:postgresql://%s/%s -u %s -p \"%s\" -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, self.host, db_name, user, password) return jisql_cmd def verify_user(self, root_user, db_root_password, db_user,dryMode): @@ -527,6 +576,7 @@ def verify_user(self, root_user, db_root_password, db_user,dryMode): query = get_cmd + " -query \"SELECT rolname FROM pg_roles WHERE rolname='%s';\"" %(db_user) elif os_name == "WINDOWS": query = get_cmd + " -query \"SELECT rolname FROM pg_roles WHERE rolname='%s';\" -c ;" %(db_user) + jisql_log(query, db_root_password) output = check_output(query) if output.strip(db_user + " |"): return True @@ -540,6 +590,7 @@ def check_connection(self, db_name, db_user, db_password): query = get_cmd + " -query \"SELECT 1;\"" elif os_name == "WINDOWS": query = get_cmd + " -query \"SELECT 1;\" -c ;" + jisql_log(query, db_password) output = check_output(query) if output.strip('1 |'): #log("[I] connection success", "info") 
@@ -559,9 +610,11 @@ def create_rangerdb_user(self, root_user, db_user, db_password, db_root_password get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'postgres') if os_name == "LINUX": query = get_cmd + " -query \"CREATE USER %s WITH LOGIN PASSWORD '%s';\"" %(db_user, db_password) + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"CREATE USER %s WITH LOGIN PASSWORD '%s';\" -c ;" %(db_user, db_password) + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret == 0: if self.verify_user(root_user, db_root_password, db_user,dryMode): @@ -583,6 +636,7 @@ def verify_db(self, root_user, db_root_password, db_name,dryMode): query = get_cmd + " -query \"SELECT datname FROM pg_database where datname='%s';\"" %(db_name) elif os_name == "WINDOWS": query = get_cmd + " -query \"SELECT datname FROM pg_database where datname='%s';\" -c ;" %(db_name) + jisql_log(query, db_root_password) output = check_output(query) if output.strip(db_name + " |"): return True @@ -600,9 +654,11 @@ def create_db(self, root_user, db_root_password, db_name, db_user, db_password,d get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'postgres') if os_name == "LINUX": query = get_cmd + " -query \"create database %s with OWNER %s;\"" %(db_name, db_user) + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"create database %s with OWNER %s;\" -c ;" %(db_name, db_user) + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret != 0: log("[E] Database creation failed..","error") 
@@ -623,9 +679,11 @@ def grant_xa_db_user(self, root_user, db_name, db_user, db_password, db_root_pas get_cmd = self.get_jisql_cmd(root_user, db_root_password, db_name) if os_name == "LINUX": query = get_cmd + " -query \"GRANT ALL PRIVILEGES ON DATABASE %s to %s;\"" %(db_name, db_user) + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"GRANT ALL PRIVILEGES ON DATABASE %s to %s;\" -c ;" %(db_name, db_user) + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret != 0: log("[E] Granting all privileges on database "+db_name+" to user "+db_user+" failed..", "error") @@ -633,9 +691,11 @@ def grant_xa_db_user(self, root_user, db_name, db_user, db_password, db_root_pas if os_name == "LINUX": query = get_cmd + " -query \"GRANT ALL PRIVILEGES ON SCHEMA public TO %s;\"" %(db_user) + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"GRANT ALL PRIVILEGES ON SCHEMA public TO %s;\" -c ;" %(db_user) + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret != 0: log("[E] Granting all privileges on schema public to user "+db_user+" failed..", "error") @@ -643,9 +703,11 @@ def grant_xa_db_user(self, root_user, db_name, db_user, db_password, db_root_pas if os_name == "LINUX": query = get_cmd + " -query \"SELECT table_name FROM information_schema.tables WHERE table_schema = 'public';\"" + jisql_log(query, db_root_password) output = check_output(query) elif os_name == "WINDOWS": query = get_cmd + " -query \"SELECT table_name FROM information_schema.tables WHERE table_schema = 'public';\" -c ;" + jisql_log(query, db_root_password) output = check_output(query) for each_line in output.split('\n'): if len(each_line) == 0 : continue 
@@ -654,12 +716,14 @@ def grant_xa_db_user(self, root_user, db_name, db_user, db_password, db_root_pas tablename = tablename.strip() if os_name == "LINUX": query1 = get_cmd + " -query \"GRANT ALL PRIVILEGES ON TABLE %s TO %s;\"" %(tablename,db_user) + jisql_log(query1, db_root_password) ret = subprocess.call(shlex.split(query1)) if ret != 0: log("[E] Granting all privileges on tablename "+tablename+" to user "+db_user+" failed..", "error") sys.exit(1) elif os_name == "WINDOWS": query1 = get_cmd + " -query \"GRANT ALL PRIVILEGES ON TABLE %s TO %s;\" -c ;" %(tablename,db_user) + jisql_log(query1, db_root_password) ret = subprocess.call(query1) if ret != 0: log("[E] Granting all privileges on tablename "+tablename+" to user "+db_user+" failed..", "error") @@ -668,9 +732,11 @@ def grant_xa_db_user(self, root_user, db_name, db_user, db_password, db_root_pas if os_name == "LINUX": query = get_cmd + " -query \"SELECT sequence_name FROM information_schema.sequences where sequence_schema='public';\"" + jisql_log(query, db_root_password) output = check_output(query) elif os_name == "WINDOWS": query = get_cmd + " -query \"SELECT sequence_name FROM information_schema.sequences where sequence_schema='public';\" -c ;" + jisql_log(query, db_root_password) output = check_output(query) for each_line in output.split('\n'): if len(each_line) == 0 : continue 
@@ -679,12 +745,14 @@ def grant_xa_db_user(self, root_user, db_name, db_user, db_password, db_root_pas sequence_name = sequence_name.strip() if os_name == "LINUX": query1 = get_cmd + " -query \"GRANT ALL PRIVILEGES ON SEQUENCE %s TO %s;\"" %(sequence_name,db_user) + jisql_log(query1, db_root_password) ret = subprocess.call(shlex.split(query1)) if ret != 0: log("[E] Granting all privileges on sequence "+sequence_name+" to user "+db_user+" failed..", "error") sys.exit(1) elif os_name == "WINDOWS": query1 = get_cmd + " -query \"GRANT ALL PRIVILEGES ON SEQUENCE %s TO %s;\" -c ;" %(sequence_name,db_user) + jisql_log(query1, db_root_password) ret = subprocess.call(query1) if ret != 0: log("[E] Granting all privileges on sequence "+sequence_name+" to user "+db_user+" failed..", "error") @@ -697,7 +765,13 @@ def grant_xa_db_user(self, root_user, db_name, db_user, db_password, db_root_pas logFile("GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO %s;" %(db_user)) logFile("GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO %s;" %(db_user)) - + def writeDrymodeCmd(self, xa_db_root_user, xa_db_root_password, db_user, db_password, db_name): + logFile("# Login to POSTGRES Server from a POSTGRES dba user(i.e 'postgres') to execute below sql statements.") + logFile("CREATE USER %s WITH LOGIN PASSWORD '%s';" %(db_user, db_password)) + logFile("CREATE DATABASE %s WITH OWNER %s;" %(db_name, db_user)) + logFile("# Login to POSTGRES Server from a POSTGRES dba user(i.e 'postgres') on '%s' database to execute below sql statements."%(db_name)) + logFile("GRANT ALL PRIVILEGES ON DATABASE %s to %s;" %(db_name, db_user)) + logFile("GRANT ALL PRIVILEGES ON SCHEMA public TO %s;" %(db_user)) class SqlServerConf(BaseDB): # Constructor 
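Review bot: The Postgres `writeDrymodeCmd` stops at the DATABASE and SCHEMA grants, while the existing dry-mode branch of `grant_xa_db_user` in this hunk also records `GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO %s;` and `GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO %s;`. If `writeDrymodeCmd` is meant to stand alone as the DBA hand-off script (its caller is not visible here), those two lines should be added so the generated script matches what the live path does; otherwise a comment on the method should say which statements are deliberately left out. `grant_xa_db_user` begins outside the hunk.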
@@ -711,9 +785,9 @@ def get_jisql_cmd(self, user, password, db_name): path = RANGER_KMS_HOME self.JAVA_BIN = self.JAVA_BIN.strip("'") if os_name == "LINUX": - jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password %s -driver mssql -cstring jdbc:sqlserver://%s\\;databaseName=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,user, password, self.host,db_name) + jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -p '%s' -driver mssql -cstring jdbc:sqlserver://%s\\;databaseName=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,user, password, self.host,db_name) elif os_name == "WINDOWS": - jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password %s -driver mssql -cstring jdbc:sqlserver://%s;databaseName=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password, self.host,db_name) + jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -p \"%s\" -driver mssql -cstring jdbc:sqlserver://%s;databaseName=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password, self.host,db_name) return jisql_cmd def verify_user(self, root_user, db_root_password, db_user,dryMode): @@ -724,6 +798,7 @@ def verify_user(self, root_user, db_root_password, db_user,dryMode): query = get_cmd + " -c \; -query \"select name from sys.sql_logins where name = '%s';\"" %(db_user) elif os_name == "WINDOWS": query = get_cmd + " -query \"select name from sys.sql_logins where name = '%s';\" -c ;" %(db_user) + jisql_log(query, db_root_password) output = check_output(query) if output.strip(db_user + " |"): return True @@ -737,6 +812,7 @@ def check_connection(self, db_name, db_user, db_password): query = get_cmd + " -c \; -query \"SELECT 1;\"" elif os_name == "WINDOWS": query = get_cmd + " -query \"SELECT 1;\" -c ;" + jisql_log(query, db_password) output = check_output(query) if output.strip('1 |'): log("[I] Connection success", "info") 
@@ -756,9 +832,11 @@ def create_rangerdb_user(self, root_user, db_user, db_password, db_root_password log("[I] User does not exists, Creating Login user " + db_user, "info") if os_name == "LINUX": query = get_cmd + " -c \; -query \"CREATE LOGIN %s WITH PASSWORD = '%s';\"" %(db_user,db_password) + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"CREATE LOGIN %s WITH PASSWORD = '%s';\" -c ;" %(db_user,db_password) + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret == 0: if self.verify_user(root_user, db_root_password, db_user,dryMode): @@ -780,6 +858,7 @@ def verify_db(self, root_user, db_root_password, db_name,dryMode): query = get_cmd + " -c \; -query \"SELECT name from sys.databases where name='%s';\"" %(db_name) elif os_name == "WINDOWS": query = get_cmd + " -query \"SELECT name from sys.databases where name='%s';\" -c ;" %(db_name) + jisql_log(query, db_root_password) output = check_output(query) if output.strip(db_name + " |"): return True @@ -796,9 +875,11 @@ def create_db(self, root_user, db_root_password, db_name, db_user, db_password,d get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'master') if os_name == "LINUX": query = get_cmd + " -c \; -query \"create database %s;\"" %(db_name) + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"create database %s;\" -c ;" %(db_name) + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret != 0: log("[E] Database creation failed..","error") 
@@ -821,6 +902,7 @@ def create_user(self, root_user, db_name ,db_user, db_password, db_root_password query = get_cmd + " -c \; -query \"USE %s SELECT name FROM sys.database_principals WHERE name = N'%s';\"" %(db_name, db_user) elif os_name == "WINDOWS": query = get_cmd + " -query \"USE %s SELECT name FROM sys.database_principals WHERE name = N'%s';\" -c ;" %(db_name, db_user) + jisql_log(query, db_root_password) output = check_output(query) if output.strip(db_user + " |"): if dryMode == False: @@ -829,15 +911,18 @@ def create_user(self, root_user, db_name ,db_user, db_password, db_root_password if dryMode == False: if os_name == "LINUX": query = get_cmd + " -c \; -query \"USE %s CREATE USER %s for LOGIN %s;\"" %(db_name ,db_user, db_user) + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"USE %s CREATE USER %s for LOGIN %s;\" -c ;" %(db_name ,db_user, db_user) + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret == 0: if os_name == "LINUX": query = get_cmd + " -c \; -query \"USE %s SELECT name FROM sys.database_principals WHERE name = N'%s';\"" %(db_name ,db_user) elif os_name == "WINDOWS": query = get_cmd + " -query \"USE %s SELECT name FROM sys.database_principals WHERE name = N'%s';\" -c ;" %(db_name ,db_user) + jisql_log(query, db_root_password) output = check_output(query) if output.strip(db_user + " |"): log("[I] User "+db_user+" exist ","info") 
@@ -856,15 +941,25 @@ def grant_xa_db_user(self, root_user, db_name, db_user, db_password, db_root_pas get_cmd = self.get_jisql_cmd(root_user, db_root_password, db_name) if os_name == "LINUX": query = get_cmd + " -c \; -query \" EXEC sp_addrolemember N'db_owner', N'%s';\"" %(db_user) + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \" EXEC sp_addrolemember N'db_owner', N'%s';\" -c ;" %(db_user) + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret != 0: sys.exit(1) else: logFile("EXEC sp_addrolemember N'db_owner', N'%s';" %(db_user)) + def writeDrymodeCmd(self, xa_db_root_user, xa_db_root_password, db_user, db_password, db_name): + logFile("# Login to MSSQL Server from a MSSQL dba user(i.e 'sa') to execute below sql statements.") + logFile("CREATE LOGIN %s WITH PASSWORD = '%s';" %(db_user, db_password)) + logFile("create database %s;" %(db_name)) + logFile("# Login to MSSQL Server from a MSSQL dba user(i.e 'sa') on '%s' database to execute below sql statements."%(db_name)) + logFile("USE %s CREATE USER %s for LOGIN %s;" %(db_name, db_user, db_user)) + logFile("EXEC sp_addrolemember N'db_owner', N'%s';" %(db_user)) + class SqlAnywhereConf(BaseDB): # Constructor def __init__(self, host, SQL_CONNECTOR_JAR, JAVA_BIN): 
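Review bot: writeDrymodeCmd writes `CREATE LOGIN %s WITH PASSWORD = '%s'` with the live `db_password` into the dry-mode output file, and in quiet mode that value comes straight from install.properties, so the generated DBA script carries a cleartext credential; the file is created by logFile, which is not visible here, and should be created with restrictive permissions. The `xa_db_root_user` and `xa_db_root_password` parameters are accepted but never used, here or in the SQL Anywhere version (@@ -1035,8 +1145,16 @@); drop them or say why they belong to the signature. A short docstring such as `"""Write the SQL a DBA must run by hand (dry mode); the output embeds db_password in cleartext."""` would make both points explicit to the next maintainer.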
@@ -877,10 +972,11 @@ def get_jisql_cmd(self, user, password, db_name): path = RANGER_KMS_HOME self.JAVA_BIN = self.JAVA_BIN.strip("'") if os_name == "LINUX": - jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password '%s' -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,user, password,db_name,self.host) + jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -p '%s' -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,user, password,db_name,self.host) elif os_name == "WINDOWS": - jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password '%s' -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password,db_name,self.host) + jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -p \"%s\" -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password,db_name,self.host) return jisql_cmd + def verify_user(self, root_user, db_root_password, db_user,dryMode): if dryMode == False: log("[I] Verifying user " + db_user , "info") @@ -889,6 +985,7 @@ def verify_user(self, root_user, db_root_password, db_user,dryMode): query = get_cmd + " -c \; -query \"select name from syslogins where name = '%s';\"" %(db_user) elif os_name == "WINDOWS": query = get_cmd + " -query \"select name from syslogins where name = '%s';\" -c ;" %(db_user) + jisql_log(query, db_root_password) output = check_output(query) if output.strip(db_user + " |"): return True 
@@ -902,6 +999,7 @@ def check_connection(self, db_name, db_user, db_password): query = get_cmd + " -c \; -query \"SELECT 1;\"" elif os_name == "WINDOWS": query = get_cmd + " -query \"SELECT 1;\" -c ;" + jisql_log(query, db_password) output = check_output(query) if output.strip('1 |'): log("[I] Connection success", "info") @@ -920,9 +1018,11 @@ def create_rangerdb_user(self, root_user, db_user, db_password, db_root_password log("[I] User does not exists, Creating Login user " + db_user, "info") if os_name == "LINUX": query = get_cmd + " -c \; -query \"CREATE USER %s IDENTIFIED BY '%s';\"" %(db_user,db_password) + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"CREATE USER %s IDENTIFIED BY '%s';\" -c ;" %(db_user,db_password) + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret == 0: if self.verify_user(root_user, db_root_password, db_user,dryMode): @@ -944,6 +1044,7 @@ def verify_db(self, root_user, db_root_password, db_name,dryMode): query = get_cmd + " -c \; -query \"select alias from sa_db_info() where alias='%s';\"" %(db_name) elif os_name == "WINDOWS": query = get_cmd + " -query \"select alias from sa_db_info() where alias='%s';\" -c ;" %(db_name) + jisql_log(query, db_root_password) output = check_output(query) if output.strip(db_name + " |"): return True 
@@ -959,9 +1060,11 @@ def create_db(self, root_user, db_root_password, db_name, db_user, db_password,d get_cmd = self.get_jisql_cmd(root_user, db_root_password, '') if os_name == "LINUX": query = get_cmd + " -c \; -query \"create database '%s' dba user '%s' dba password '%s' database size 100MB;\"" %(db_name,db_user, db_password) + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"create database '%s' dba user '%s' dba password '%s' database size 100MB;\" -c ;" %(db_name,db_user, db_password) + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret != 0: log("[E] Database creation failed..","error") @@ -984,6 +1087,7 @@ def create_user(self, root_user, db_name ,db_user, db_password, db_root_password query = get_cmd + " -c \; -query \"select name from syslogins where name ='%s';\"" %(db_user) elif os_name == "WINDOWS": query = get_cmd + " -query \"select name from syslogins where name ='%s';\" -c ;" %(db_user) + jisql_log(query, db_root_password) output = check_output(query) if output.strip(db_user + " |"): if dryMode == False: 
@@ -992,15 +1096,18 @@ def create_user(self, root_user, db_name ,db_user, db_password, db_root_password if dryMode == False: if os_name == "LINUX": query = get_cmd + " -c \; -query \"CREATE USER %s IDENTIFIED BY '%s';\"" %(db_user, db_password) + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"CREATE USER %s IDENTIFIED BY '%s';\" -c ;" %(db_user, db_password) + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret == 0: if os_name == "LINUX": query = get_cmd + " -c \; -query \"select name from syslogins where name ='%s';\"" %(db_user) elif os_name == "WINDOWS": query = get_cmd + " -query \"select name from syslogins where name ='%s';\" -c ;" %(db_user) + jisql_log(query, db_root_password) output = check_output(query) if output.strip(db_user + " |"): log("[I] User "+db_user+" exist ","info") @@ -1012,15 +1119,18 @@ def create_user(self, root_user, db_name ,db_user, db_password, db_root_password sys.exit(1) else: logFile("CREATE USER %s IDENTIFIED BY '%s';" %(db_user, db_password)) + def grant_xa_db_user(self, root_user, db_name, db_user, db_password, db_root_password, is_revoke,dryMode): if dryMode == False: log("[I] Granting permission to user '" + db_user + "' on db '" + db_name + "'" , "info") get_cmd = self.get_jisql_cmd(root_user, db_root_password, '') if os_name == "LINUX": query = get_cmd + " -c \; -query \"GRANT CONNECT to %s IDENTIFIED BY '%s';\"" %(db_user, db_password) + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"GRANT CONNECT to %s IDENTIFIED BY '%s';\" -c ;" %(db_user, db_password) + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret != 0: sys.exit(1) 
@@ -1035,8 +1145,16 @@ def start_db(self,root_user, db_root_password, db_name,dryMode): query = get_cmd + " -c \; -query \"start database '%s' autostop off;\"" %(db_name) elif os_name == "WINDOWS": query = get_cmd + " -query \"start database '%s' autostop off;\" -c ;" %(db_name) + jisql_log(query, db_root_password) output = check_output(query) + def writeDrymodeCmd(self, xa_db_root_user, xa_db_root_password, db_user, db_password, db_name): + logFile("# Login to SQL Anywhere Server from a SQLA dba user(i.e 'dba') to execute below sql statements.") + logFile("CREATE USER %s IDENTIFIED BY '%s';" %(db_user, db_password)) + logFile("create database '%s' dba user '%s' dba password '%s' database size 100MB;" %(db_name, db_user ,db_password)) + logFile("start database '%s' autostop off;" %(db_name)) + logFile("GRANT CONNECT to %s IDENTIFIED BY '%s';" %(db_user, db_password)) + def main(argv): FORMAT = '%(asctime)-15s %(message)s' @@ -1047,10 +1165,6 @@ def main(argv): dryMode=False is_revoke=False - if len(argv) == 3: - password_validation(argv[1],argv[2]); - return; - if len(argv) > 1: for i in range(len(argv)): if str(argv[i]) == "-q": 
@@ -1100,20 +1214,23 @@ def main(argv): else: log("[E] ---------- JAVA Not Found, aborting installation. ----------", "error") sys.exit(1) + log("[I] Using Java:" + str(JAVA_BIN),"info") else: - if os.environ['JAVA_HOME'] == "": - log("[E] ---------- JAVA_HOME environment property not defined, aborting installation. ----------", "error") - sys.exit(1) - JAVA_BIN=os.path.join(os.environ['JAVA_HOME'],'bin','java') - if os_name == "WINDOWS" : - JAVA_BIN = JAVA_BIN+'.exe' - if os.path.isfile(JAVA_BIN): - pass - else : - while os.path.isfile(JAVA_BIN) == False: - log("Enter java executable path: :","info") - JAVA_BIN=raw_input() - log("[I] Using Java:" + str(JAVA_BIN),"info") + JAVA_BIN='' + if not dryMode: + if os.environ['JAVA_HOME'] == "": + log("[E] ---------- JAVA_HOME environment property not defined, aborting installation. ----------", "error") + sys.exit(1) + JAVA_BIN=os.path.join(os.environ['JAVA_HOME'],'bin','java') + if os_name == "WINDOWS" : + JAVA_BIN = JAVA_BIN+'.exe' + if os.path.isfile(JAVA_BIN): + pass + else : + while os.path.isfile(JAVA_BIN) == False: + log("Enter java executable path: :","info") + JAVA_BIN=raw_input() + log("[I] Using Java:" + str(JAVA_BIN),"info") if (quiteMode): XA_DB_FLAVOR=globalDict['DB_FLAVOR'] 
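Review bot: `os.environ['JAVA_HOME'] == ""` raises a KeyError when JAVA_HOME is not set at all, so the "[E] ---------- JAVA_HOME environment property not defined" message and the `sys.exit(1)` are never reached on a host without the variable; this hunk only moves the check under `if not dryMode:` without fixing it. Use `if os.environ.get('JAVA_HOME', '') == "":` so both the unset and the empty case produce the intended error. main's body continues outside the hunk.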
@@ -1129,70 +1246,84 @@ def main(argv): if (quiteMode): CONNECTOR_JAR=globalDict['SQL_CONNECTOR_JAR'] else: - if XA_DB_FLAVOR == "MYSQL" or XA_DB_FLAVOR == "ORACLE" or XA_DB_FLAVOR == "POSTGRES" or XA_DB_FLAVOR == "MSSQL": - log("Enter JDBC connector file for :"+XA_DB_FLAVOR,"info") - CONNECTOR_JAR=raw_input() - while os.path.isfile(CONNECTOR_JAR) == False: - log("JDBC connector file "+CONNECTOR_JAR+" does not exist, Please enter connector path :","error") + CONNECTOR_JAR='' + if not dryMode: + if XA_DB_FLAVOR == "MYSQL" or XA_DB_FLAVOR == "ORACLE" or XA_DB_FLAVOR == "POSTGRES" or XA_DB_FLAVOR == "MSSQL": + log("Enter JDBC connector file for :"+XA_DB_FLAVOR,"info") CONNECTOR_JAR=raw_input() - else: - log("[E] ---------- NO SUCH SUPPORTED DB FLAVOUR.. ----------", "error") - sys.exit(1) + while os.path.isfile(CONNECTOR_JAR) == False: + log("JDBC connector file "+CONNECTOR_JAR+" does not exist, Please enter connector path :","error") + CONNECTOR_JAR=raw_input() + else: + log("[E] ---------- NO SUCH SUPPORTED DB FLAVOUR.. 
----------", "error") + sys.exit(1) if (quiteMode): xa_db_host = globalDict['db_host'] + log("[I] DB Host:" + str(xa_db_host),"info") else: - xa_db_host='' - while xa_db_host == "": - log("Enter DB Host :","info") - xa_db_host=raw_input() - log("[I] DB Host:" + str(xa_db_host),"info") + if (dryMode): + xa_db_host='127.0.0.1' + else: + xa_db_host='' + while xa_db_host == "": + log("Enter DB Host :","info") + xa_db_host=raw_input() if (quiteMode): xa_db_root_user = globalDict['db_root_user'] xa_db_root_password = globalDict['db_root_password'] else: - xa_db_root_user='' - while xa_db_root_user == "": - log("Enter db root user:","info") - xa_db_root_user=raw_input() - log("Enter db root password:","info") - xa_db_root_password = getpass.getpass("Enter db root password:") + if (dryMode): + xa_db_root_user='db_root_user' + xa_db_root_password='*****' + else: + xa_db_root_user='' + while xa_db_root_user == "": + log("Enter db root user:","info") + xa_db_root_user=raw_input() + log("Enter db root password:","info") + xa_db_root_password = getpass.getpass("Enter db root password:") if (quiteMode): db_name = globalDict['db_name'] else: - db_name = '' - while db_name == "": - log("Enter DB Name :","info") - db_name=raw_input() + if (dryMode): + db_name='ranger_kms_db' + else: + db_name = '' + while db_name == "": + log("Enter DB Name :","info") + db_name=raw_input() if (quiteMode): db_user = globalDict['db_user'] else: - db_user='' - while db_user == "": - log("Enter db user name:","info") - db_user=raw_input() + if (dryMode): + db_user='ranger_kms_user' + else: + db_user='' + while db_user == "": + log("Enter db user name:","info") + db_user=raw_input() if (quiteMode): db_password = globalDict['db_password'] else: - db_password='' - while db_password == "": - log("Enter db user password:","info") - db_password = getpass.getpass("Enter db user password:") + if (dryMode): + db_password='*****' + else: + db_password='' + while db_password == "": + log("Enter db user 
password:","info") + db_password = getpass.getpass("Enter db user password:") - #mysql_core_file = globalDict['mysql_core_file'] mysql_core_file = os.path.join('db','mysql','xa_core_db.sql') - #oracle_core_file = globalDict['oracle_core_file'] oracle_core_file = os.path.join('db','oracle','xa_core_db_oracle.sql') - #postgres_core_file = globalDict['postgres_core_file'] postgres_core_file = os.path.join('db','postgres','xa_core_db_postgres.sql') - #sqlserver_core_file = globalDict['sqlserver_core_file'] sqlserver_core_file = os.path.join('db','sqlserver','xa_core_db_sqlserver.sql') sqlanywhere_core_file = os.path.join('db','sqlanywhere','xa_core_db_sqlanywhere.sql') @@ -1207,10 +1338,9 @@ def main(argv): elif XA_DB_FLAVOR == "ORACLE": ORACLE_CONNECTOR_JAR=CONNECTOR_JAR - if os_name == "LINUX": + if xa_db_root_user.upper() == "SYS": xa_db_root_user = xa_db_root_user+" AS SYSDBA" - elif os_name == "WINDOWS": - xa_db_root_user = xa_db_root_user + xa_sqlObj = OracleConf(xa_db_host, ORACLE_CONNECTOR_JAR, JAVA_BIN) xa_db_core_file = os.path.join(RANGER_KMS_HOME,oracle_core_file) 
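Review bot: In dry mode the placeholder `db_password='*****'` is later interpolated verbatim into the DBA script by writeDrymodeCmd (`CREATE LOGIN %s WITH PASSWORD = '%s'`, `CREATE USER %s IDENTIFIED BY '%s'`), so a DBA who runs the generated file unchanged creates the account with the literal password `*****`. Use a placeholder that cannot be executed by accident, e.g. `db_password='<db_password>'`, and have the comment line written by writeDrymodeCmd tell the reader to substitute it. Note that in quiet mode none of these placeholders apply and the real values from install.properties reach the file. main's body continues outside the hunk.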
@@ -1239,18 +1369,18 @@ def main(argv): log("[E] ---------- NO SUCH SUPPORTED DB FLAVOUR.. ----------", "error") sys.exit(1) - log("[I] ---------- Verifing Ranger KMS db user password ---------- ","info") - password_validation(db_password,"KMS"); + if not dryMode: + log("[I] ---------- Verifing DB root password ---------- ","info") + password_validation(xa_db_root_password,"DBA root"); + log("[I] ---------- Verifing Ranger KMS db user password ---------- ","info") + password_validation(db_password,"KMS"); # Methods Begin if DBA_MODE == "TRUE" : if (dryMode==True): - log("[I] Dry run mode:"+str(dryMode),"info") log("[I] Logging DBA Script in file:"+str(globalDict["dryModeOutputFile"]),"info") logFile("===============================================\n") - xa_sqlObj.create_rangerdb_user(xa_db_root_user, db_user, db_password, xa_db_root_password,dryMode) - xa_sqlObj.create_db(xa_db_root_user, xa_db_root_password, db_name, db_user, db_password,dryMode) - xa_sqlObj.grant_xa_db_user(xa_db_root_user, db_name, db_user, db_password, xa_db_root_password, is_revoke,dryMode) + xa_sqlObj.writeDrymodeCmd(xa_db_root_user, xa_db_root_password, db_user, db_password, db_name) logFile("===============================================\n") if (dryMode==False): log("[I] ---------- Creating Ranger KMS db user ---------- ","info") diff --git a/kms/scripts/install.properties b/kms/scripts/install.properties index 247e499c319..cf5dd922400 100755 --- a/kms/scripts/install.properties +++ b/kms/scripts/install.properties @@ -25,12 +25,6 @@ PYTHON_COMMAND_INVOKER=python #DB_FLAVOR=MYSQL|ORACLE|POSTGRES|MSSQL|SQLA DB_FLAVOR=MYSQL -# -# The executable path to be used to invoke command-line MYSQL -# -#SQL_COMMAND_INVOKER='mysql' -#SQL_COMMAND_INVOKER='sqlplus' -SQL_COMMAND_INVOKER='mysql' # # Location of DB client library (please check the location of the jar file) 
@@ -51,6 +45,10 @@ SQL_CONNECTOR_JAR=/usr/share/java/mysql-connector-java.jar # ************************************************************************** # #db_root_user=root|SYS|postgres|sa|dba +#db_host=host:port # for DB_FLAVOR=MYSQL|POSTGRES|SQLA|MSSQL #for example: db_host=localhost:3306 +#db_host=host:port:SID # for DB_FLAVOR=ORACLE #for SID example: db_host=localhost:1521:ORCL +#db_host=host:port/ServiceName # for DB_FLAVOR=ORACLE #for Service example: db_host=localhost:1521/XE +#db_host=host:port:GL # for DB_FLAVOR=ORACLE #for TNSNAME example: db_host=localhost:1521:GL db_root_user=root db_root_password= db_host=localhost diff --git a/kms/scripts/setup.sh b/kms/scripts/setup.sh index 94b6e233d3e..0a825c71b35 100755 --- a/kms/scripts/setup.sh +++ b/kms/scripts/setup.sh @@ -52,7 +52,6 @@ get_prop(){ PYTHON_COMMAND_INVOKER=$(get_prop 'PYTHON_COMMAND_INVOKER' $PROPFILE) DB_FLAVOR=$(get_prop 'DB_FLAVOR' $PROPFILE) -SQL_COMMAND_INVOKER=$(get_prop 'SQL_COMMAND_INVOKER' $PROPFILE) SQL_CONNECTOR_JAR=$(get_prop 'SQL_CONNECTOR_JAR' $PROPFILE) db_root_user=$(get_prop 'db_root_user' $PROPFILE) db_root_password=$(get_prop 'db_root_password' $PROPFILE) @@ -413,7 +412,15 @@ update_properties() { if [ "${DB_FLAVOR}" == "ORACLE" ] then propertyName=ranger.ks.jpa.jdbc.url - newPropertyValue="jdbc:oracle:thin:\@//${DB_HOST}" + count=$(grep -o ":" <<< "$DB_HOST" | wc -l) + #if [[ ${count} -eq 2 ]] ; then + if [ ${count} -eq 2 ] || [ ${count} -eq 0 ]; then + #jdbc:oracle:thin:@[HOST][:PORT]:SID or #jdbc:oracle:thin:@GL + newPropertyValue="jdbc:oracle:thin:@${DB_HOST}" + else + #jdbc:oracle:thin:@//[HOST][:PORT]/SERVICE + newPropertyValue="jdbc:oracle:thin:@//${DB_HOST}" + fi updatePropertyToFilePy $propertyName $newPropertyValue $to_file propertyName=ranger.ks.jpa.jdbc.dialect @@ -720,5 +727,8 @@ else fi ./enable-kms-plugin.sh - +if [ "$?" != "0" ] +then + exit 1 +fi echo "Installation of Ranger KMS is completed." 
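Review bot: The Oracle URL branch in update_properties keeps a commented-out alternative, `#if [[ ${count} -eq 2 ]] ; then`, directly above the live `if [ ${count} -eq 2 ] || [ ${count} -eq 0 ]; then`; delete the dead line rather than shipping two versions of the condition. The same leftover is copied into knox-agent/scripts/install.sh and plugin-kms/scripts/enable-kms-plugin.sh in the following hunks and, as `#if self.host.count(":") == 2:`, into the Oracle get_jisql_cmd of security-admin/scripts/db_setup.py. Since the colon-counting heuristic now exists in four places, a one-line comment on each copy naming the accepted forms that install.properties documents (`host:port:SID`, `host:port/ServiceName`, bare TNS name) would help keep them in sync. update_properties' body continues outside the hunk.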
diff --git a/knox-agent/scripts/install.sh b/knox-agent/scripts/install.sh index 271a2d44e1c..41322d34d0e 100644 --- a/knox-agent/scripts/install.sh +++ b/knox-agent/scripts/install.sh @@ -185,7 +185,15 @@ if [ "${DB_FLAVOR}" == "ORACLE" ] then audit_db_hostname=`grep '^XAAUDIT.DB.HOSTNAME' ${install_dir}/install.properties | awk -F= '{ print $2 }'` propertyName=XAAUDIT.DB.JDBC_URL - newPropertyValue="jdbc:oracle:thin:\@//${audit_db_hostname}" + count=$(grep -o ":" <<< "$audit_db_hostname" | wc -l) + #if [[ ${count} -eq 2 ]] ; then + if [ ${count} -eq 2 ] || [ ${count} -eq 0 ]; then + #jdbc:oracle:thin:@[HOST][:PORT]:SID or #jdbc:oracle:thin:@GL + newPropertyValue="jdbc:oracle:thin:@${audit_db_hostname}" + else + #jdbc:oracle:thin:@//[HOST][:PORT]/SERVICE + newPropertyValue="jdbc:oracle:thin:@//${audit_db_hostname}" + fi updatePropertyToFile $propertyName $newPropertyValue $to_file propertyName=XAAUDIT.DB.JDBC_DRIVER diff --git a/plugin-kms/scripts/enable-kms-plugin.sh b/plugin-kms/scripts/enable-kms-plugin.sh index 468d39e1c3d..7bf6c62b932 100755 --- a/plugin-kms/scripts/enable-kms-plugin.sh +++ b/plugin-kms/scripts/enable-kms-plugin.sh @@ -371,7 +371,16 @@ then export XAAUDIT_DB_JDBC_DRIVER="com.mysql.jdbc.Driver" elif [ "${db_flavor}" = "ORACLE" ] then - export XAAUDIT_DB_JDBC_URL="jdbc:oracle:thin:\@//${audit_db_hostname}" + count=$(grep -o ":" <<< "$audit_db_hostname" | wc -l) + #if [[ ${count} -eq 2 ]] ; then + if [ ${count} -eq 2 ] || [ ${count} -eq 0 ]; then + #jdbc:oracle:thin:@[HOST][:PORT]:SID or #jdbc:oracle:thin:@GL + newPropertyValue="jdbc:oracle:thin:@${audit_db_hostname}" + else + #jdbc:oracle:thin:@//[HOST][:PORT]/SERVICE + newPropertyValue="jdbc:oracle:thin:@//${audit_db_hostname}" + fi + export XAAUDIT_DB_JDBC_URL=${newPropertyValue} export XAAUDIT_DB_JDBC_DRIVER="oracle.jdbc.OracleDriver" elif [ "${db_flavor}" = "POSTGRES" ] then 
diff --git a/security-admin/scripts/db_setup.py b/security-admin/scripts/db_setup.py index 07a06557c7d..4b328d00a8d 100644 --- a/security-admin/scripts/db_setup.py +++ b/security-admin/scripts/db_setup.py @@ -31,6 +31,8 @@ os_name = platform.system() os_name = os_name.upper() +jisql_debug=True + if os_name == "LINUX": RANGER_ADMIN_HOME = os.getenv("RANGER_ADMIN_HOME") if RANGER_ADMIN_HOME is None: @@ -78,23 +80,14 @@ def populate_global_dict(): value = value.strip() globalDict[key] = value -def call_keystore(libpath,aliasKey,aliasValue , filepath,getorcreate): - finalLibPath = libpath.replace('\\','/').replace('//','/') - finalFilePath = 'jceks://file/'+filepath.replace('\\','/').replace('//','/') - if getorcreate == 'create': - commandtorun = ['java', '-cp', finalLibPath, 'org.apache.ranger.credentialapi.buildks' ,'create', aliasKey, '-value', aliasValue, '-provider',finalFilePath] - p = Popen(commandtorun,stdin=PIPE, stdout=PIPE, stderr=PIPE) - output, error = p.communicate() - statuscode = p.returncode - return statuscode - elif getorcreate == 'get': - commandtorun = ['java', '-cp', finalLibPath, 'org.apache.ranger.credentialapi.buildks' ,'get', aliasKey, '-provider',finalFilePath] - p = Popen(commandtorun,stdin=PIPE, stdout=PIPE, stderr=PIPE) - output, error = p.communicate() - statuscode = p.returncode - return statuscode, output - else: - print 'proper command not received for input need get or create' +def jisql_log(query, db_password): + if jisql_debug == True: + if os_name == "WINDOWS": + query = query.replace(' -p "'+db_password+'"' , ' -p "********"') + log("[JISQL] "+query, "info") + else: + query = query.replace(" -p '"+db_password+"'" , " -p '********'") + log("[JISQL] "+query, "info") class BaseDB(object): 
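Review bot: jisql_log masks only the exact substring ` -p '<password>'` (or the double-quoted WINDOWS form), so any query whose jisql options are quoted differently, or whose SQL text itself contains a password (the kms CREATE LOGIN / IDENTIFIED BY statements earlier in this patch), reaches the log in cleartext, and `jisql_debug=True` switches this on for every installation. A password containing the quote character already breaks the command, and then also defeats the mask. Masking every supplied secret wherever it occurs is more robust, at the cost of occasionally over-masking a short password that happens to appear elsewhere in the command line; existing two-argument callers keep working unchanged, and callers whose SQL embeds a second password can pass it as well.
```python
def jisql_log(query, *secrets):
    if jisql_debug == True:
        for secret in secrets:
            if not secret:
                continue
            # mask the -p argument and any SQL text that embeds the secret
            query = query.replace(secret, '********')
        log("[JISQL] "+query, "info")
```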
@@ -163,7 +156,7 @@ def get_jisql_cmd(self, user, password ,db_name): if os_name == "LINUX": jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s -u '%s' -p '%s' -noheader -trim -c \;" %(self.JAVA_BIN,self.SQL_CONNECTOR_JAR,path,self.host,db_name,user,password) elif os_name == "WINDOWS": - jisql_cmd = "%s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s -u '%s' -p '%s' -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, self.host, db_name, user, password) + jisql_cmd = "%s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s -u \"%s\" -p \"%s\" -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, self.host, db_name, user, password) return jisql_cmd def check_connection(self, db_name, db_user, db_password): @@ -173,6 +166,7 @@ def check_connection(self, db_name, db_user, db_password): query = get_cmd + " -query \"SELECT version();\"" elif os_name == "WINDOWS": query = get_cmd + " -query \"SELECT version();\" -c ;" + jisql_log(query, db_password) output = check_output(query) if output.strip('Production |'): log("[I] Checking connection passed.", "info") @@ -190,9 +184,11 @@ def grant_audit_db_user(self, db_user, audit_db_name, audit_db_user, audit_db_pa get_cmd = self.get_jisql_cmd(db_user, db_password, audit_db_name) if os_name == "LINUX": query = get_cmd + " -query \"GRANT INSERT ON %s.%s TO '%s'@'%s';\"" %(audit_db_name,TABLE_NAME,audit_db_user,host) + jisql_log(query, db_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"GRANT INSERT ON %s.%s TO '%s'@'%s';\" -c ;" %(audit_db_name,TABLE_NAME,audit_db_user,host) + jisql_log(query, db_password) ret = subprocess.call(query) if ret == 0: log("[I] Granting privileges to '" + audit_db_user+"' done on '"+ audit_db_name+"'", "info") 
@@ -207,9 +203,11 @@ def import_db_file(self, db_name, db_user, db_password, file_name): get_cmd = self.get_jisql_cmd(db_user, db_password, db_name) if os_name == "LINUX": query = get_cmd + " -input %s" %file_name + jisql_log(query, db_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -input %s -c ;" %file_name + jisql_log(query, db_password) ret = subprocess.call(query) if ret == 0: log("[I] "+name + " DB schema imported successfully","info") @@ -230,6 +228,7 @@ def import_db_patches(self, db_name, db_user, db_password, file_name): query = get_cmd + " -query \"select version from x_db_version_h where version = '%s' and active = 'Y';\"" %(version) elif os_name == "WINDOWS": query = get_cmd + " -query \"select version from x_db_version_h where version = '%s' and active = 'Y';\" -c ;" %(version) + jisql_log(query, db_password) output = check_output(query) if output.strip(version + " |"): log("[I] Patch "+ name +" is already applied" ,"info") 
@@ -237,17 +236,21 @@ def import_db_patches(self, db_name, db_user, db_password, file_name): get_cmd = self.get_jisql_cmd(db_user, db_password, db_name) if os_name == "LINUX": query = get_cmd + " -input %s" %file_name + jisql_log(query, db_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -input %s -c ;" %file_name + jisql_log(query, db_password) ret = subprocess.call(query) if ret == 0: log("[I] "+name + " patch applied","info") if os_name == "LINUX": query = get_cmd + " -query \"insert into x_db_version_h (version, inst_at, inst_by, updated_at, updated_by) values ('%s', now(), user(), now(), user()) ;\"" %(version) + jisql_log(query, db_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"insert into x_db_version_h (version, inst_at, inst_by, updated_at, updated_by) values ('%s', now(), user(), now(), user()) ;\" -c ;" %(version) + jisql_log(query, db_password) ret = subprocess.call(query) if ret == 0: log("[I] Patch version updated", "info") @@ -271,6 +274,7 @@ def import_auditdb_patches(self, xa_sqlObj,xa_db_host, audit_db_host, db_name, a query = get_cmd1 + " -query \"select version from x_db_version_h where version = '%s' and active = 'Y';\"" %(version) elif os_name == "WINDOWS": query = get_cmd1 + " -query \"select version from x_db_version_h where version = '%s' and active = 'Y';\" -c ;" %(version) + jisql_log(query, db_password) output = check_output(query) if output.strip(version + " |"): log("[I] Patch "+ name +" is already applied" ,"info") 
@@ -278,17 +282,21 @@ def import_auditdb_patches(self, xa_sqlObj,xa_db_host, audit_db_host, db_name, a get_cmd2 = self.get_jisql_cmd(db_user, db_password, audit_db_name) if os_name == "LINUX": query = get_cmd2 + " -input %s" %file_name + jisql_log(query, db_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd2 + " -input %s -c ;" %file_name + jisql_log(query, db_password) ret = subprocess.call(query) if ret == 0: log("[I] "+name + " patch applied","info") if os_name == "LINUX": query = get_cmd1 + " -query \"insert into x_db_version_h (version, inst_at, inst_by, updated_at, updated_by) values ('%s', now(), user(), now(), user()) ;\"" %(version) + jisql_log(query, db_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd1 + " -query \"insert into x_db_version_h (version, inst_at, inst_by, updated_at, updated_by) values ('%s', now(), user(), now(), user()) ;\" -c ;" %(version) + jisql_log(query, db_password) ret = subprocess.call(query) if ret == 0: log("[I] Patch version updated", "info") @@ -308,6 +316,7 @@ def check_table(self, db_name, db_user, db_password, TABLE_NAME): query = get_cmd + " -query \"show tables like '%s';\"" %(TABLE_NAME) elif os_name == "WINDOWS": query = get_cmd + " -query \"show tables like '%s';\" -c ;" %(TABLE_NAME) + jisql_log(query, db_password) output = check_output(query) if output.strip(TABLE_NAME + " |"): log("[I] Table " + TABLE_NAME +" already exists in database '" + db_name + "'","info") 
@@ -361,6 +370,7 @@ def execute_java_patches(self, xa_db_host, db_user, db_password, db_name): query = get_cmd + " -query \"select version from x_db_version_h where version = 'J%s' and active = 'Y';\"" %(version) elif os_name == "WINDOWS": query = get_cmd + " -query \"select version from x_db_version_h where version = 'J%s' and active = 'Y';\" -c ;" %(version) + jisql_log(query, db_password) output = check_output(query) if output.strip(version + " |"): log("[I] Java patch "+ className +" is already applied" ,"info") @@ -379,9 +389,11 @@ def execute_java_patches(self, xa_db_host, db_user, db_password, db_name): get_cmd = self.get_jisql_cmd(db_user, db_password, db_name) if os_name == "LINUX": query = get_cmd + " -query \"insert into x_db_version_h (version, inst_at, inst_by, updated_at, updated_by) values ('J%s', now(), user(), now(), user()) ;\"" %(version) + jisql_log(query, db_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"insert into x_db_version_h (version, inst_at, inst_by, updated_at, updated_by) values ('J%s', now(), user(), now(), user()) ;\" -c ;" %(version) + jisql_log(query, db_password) ret = subprocess.call(query) if ret == 0: log ("[I] java patch "+ className +" is applied..","info") 
@@ -401,11 +413,21 @@ def __init__(self, host, SQL_CONNECTOR_JAR, JAVA_BIN): def get_jisql_cmd(self, user, password): path = RANGER_ADMIN_HOME self.JAVA_BIN = self.JAVA_BIN.strip("'") - self.JAVA_BIN = self.JAVA_BIN + " -Djava.security.egd=file:///dev/urandom " + if not re.search('-Djava.security.egd=file:///dev/urandom', self.JAVA_BIN): + self.JAVA_BIN = self.JAVA_BIN + " -Djava.security.egd=file:///dev/urandom " + + #if self.host.count(":") == 2: + if self.host.count(":") == 2 or self.host.count(":") == 0: + #jdbc:oracle:thin:@[HOST][:PORT]:SID or #jdbc:oracle:thin:@GL + cstring="jdbc:oracle:thin:@%s" %(self.host) + else: + #jdbc:oracle:thin:@//[HOST][:PORT]/SERVICE + cstring="jdbc:oracle:thin:@//%s" %(self.host) + if os_name == "LINUX": - jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver oraclethin -cstring jdbc:oracle:thin:@%s -u '%s' -p '%s' -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, self.host, user, password) + jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver oraclethin -cstring %s -u '%s' -p '%s' -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, cstring, user, password) elif os_name == "WINDOWS": - jisql_cmd = "%s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver oraclethin -cstring jdbc:oracle:thin:@%s -u %s -p %s -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, self.host, user, password) + jisql_cmd = "%s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver oraclethin -cstring %s -u \"%s\" -p \"%s\" -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, cstring, user, password) return jisql_cmd 
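Review bot: `re.search('-Djava.security.egd=file:///dev/urandom', self.JAVA_BIN)` treats the option as a regular expression, where every `.` matches any character, and depends on the `re` module whose import is not visible in this patch; a plain substring test is exact and needs no import: `if '-Djava.security.egd=file:///dev/urandom' not in self.JAVA_BIN:`. The guard does fix the previous unconditional append, which grew self.JAVA_BIN on every call, and that is worth a comment above it, e.g. `# get_jisql_cmd is called repeatedly; append the egd option only once`. The commented-out `#if self.host.count(":") == 2:` left above the live condition should be removed.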
@@ -416,6 +438,7 @@ def check_connection(self, db_name, db_user, db_password): query = get_cmd + " -c \; -query \"select * from v$version;\"" elif os_name == "WINDOWS": query = get_cmd + " -query \"select * from v$version;\" -c ;" + jisql_log(query, db_password) output = check_output(query) if output.strip('Production |'): log("[I] Connection success", "info") @@ -428,25 +451,31 @@ def grant_audit_db_user(self, audit_db_name ,db_user,audit_db_user,db_password,a get_cmd = self.get_jisql_cmd(db_user, db_password) if os_name == "LINUX": query = get_cmd + " -c \; -query 'GRANT CREATE SESSION TO %s;'" % (audit_db_user) + jisql_log(query, db_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"GRANT CREATE SESSION TO %s;\" -c ;" % (audit_db_user) + jisql_log(query, db_password) ret = subprocess.call(query) if ret != 0: sys.exit(1) if os_name == "LINUX": query = get_cmd + " -c \; -query 'GRANT SELECT ON %s.XA_ACCESS_AUDIT_SEQ TO %s;'" % (db_user,audit_db_user) + jisql_log(query, db_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"GRANT SELECT ON %s.XA_ACCESS_AUDIT_SEQ TO %s;\" -c ;" % (db_user,audit_db_user) + jisql_log(query, db_password) ret = subprocess.call(query) if ret != 0: sys.exit(1) if os_name == "LINUX": query = get_cmd + " -c \; -query 'GRANT INSERT ON %s.XA_ACCESS_AUDIT TO %s;'" % (db_user,audit_db_user) + jisql_log(query, db_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"GRANT INSERT ON %s.XA_ACCESS_AUDIT TO %s;\" -c ;" % (db_user,audit_db_user) + jisql_log(query, db_password) ret = subprocess.call(query) if ret != 0: sys.exit(1) 
@@ -458,9 +487,11 @@ def import_db_file(self, db_name, db_user, db_password, file_name):
 get_cmd = self.get_jisql_cmd(db_user, db_password)
 if os_name == "LINUX":
 query = get_cmd + " -input %s -c \;" %file_name
+ jisql_log(query, db_password)
 ret = subprocess.call(shlex.split(query))
 elif os_name == "WINDOWS":
 query = get_cmd + " -input %s -c ;" %file_name
+ jisql_log(query, db_password)
 ret = subprocess.call(query)
 if ret == 0:
 log("[I] "+name + " imported successfully","info")
@@ -473,17 +504,21 @@ def create_synonym(self,db_name, db_user, db_password,audit_db_user):
 get_cmd = self.get_jisql_cmd(db_user, db_password)
 if os_name == "LINUX":
 query = get_cmd + " -c \; -query 'CREATE OR REPLACE SYNONYM %s.XA_ACCESS_AUDIT FOR %s.XA_ACCESS_AUDIT;'" % (audit_db_user,db_user)
+ jisql_log(query, db_password)
 ret = subprocess.call(shlex.split(query))
 elif os_name == "WINDOWS":
 query = get_cmd + " -query \"CREATE OR REPLACE SYNONYM %s.XA_ACCESS_AUDIT FOR %s.XA_ACCESS_AUDIT;\" -c ;" % (audit_db_user,db_user)
+ jisql_log(query, db_password)
 ret = subprocess.call(query)
 if ret != 0:
 sys.exit(1)
 if os_name == "LINUX":
 query = get_cmd + " -c \; -query 'CREATE OR REPLACE SYNONYM %s.XA_ACCESS_AUDIT_SEQ FOR %s.XA_ACCESS_AUDIT_SEQ;'" % (audit_db_user,db_user)
+ jisql_log(query, db_password)
 ret = subprocess.call(shlex.split(query))
 elif os_name == "WINDOWS":
 query = get_cmd + " -query \"CREATE OR REPLACE SYNONYM %s.XA_ACCESS_AUDIT_SEQ FOR %s.XA_ACCESS_AUDIT_SEQ;\" -c ;" % (audit_db_user,db_user)
+ jisql_log(query, db_password)
 ret = subprocess.call(query)
 if ret != 0:
 sys.exit(1)
@@ -498,6 +533,7 @@ def import_db_patches(self, db_name, db_user, db_password, file_name):
 query = get_cmd + " -c \; -query \"select version from x_db_version_h where version = '%s' and active = 'Y';\"" %(version)
 elif os_name == "WINDOWS":
 query = get_cmd + " -query \"select version from x_db_version_h where version = '%s' and active = 'Y';\" -c ;" %(version)
+ jisql_log(query, db_password)
 output = check_output(query)
 if output.strip(version +" |"):
 log("[I] Patch "+ name +" is already applied" ,"info")
@@ -505,17 +541,21 @@ def import_db_patches(self, db_name, db_user, db_password, file_name):
 get_cmd = self.get_jisql_cmd(db_user, db_password)
 if os_name == "LINUX":
 query = get_cmd + " -input %s -c /" %file_name
+ jisql_log(query, db_password)
 ret = subprocess.call(shlex.split(query))
 elif os_name == "WINDOWS":
 query = get_cmd + " -input %s -c /" %file_name
+ jisql_log(query, db_password)
 ret = subprocess.call(query)
 if ret == 0:
 log("[I] "+name + " patch applied","info")
 if os_name == "LINUX":
 query = get_cmd + " -c \; -query \"insert into x_db_version_h (id,version, inst_at, inst_by, updated_at, updated_by) values ( X_DB_VERSION_H_SEQ.nextval,'%s', sysdate, '%s', sysdate, '%s');\"" %(version, db_user, db_user)
+ jisql_log(query, db_password)
 ret = subprocess.call(shlex.split(query))
 elif os_name == "WINDOWS":
 query = get_cmd + " -query \"insert into x_db_version_h (id,version, inst_at, inst_by, updated_at, updated_by) values ( X_DB_VERSION_H_SEQ.nextval,'%s', sysdate, '%s', sysdate, '%s');\" -c ;" %(version, db_user, db_user)
+ jisql_log(query, db_password)
 ret = subprocess.call(query)
 if ret == 0:
 log("[I] Patch version updated", "info")
@@ -539,6 +579,7 @@ def import_auditdb_patches(self, xa_sqlObj,xa_db_host, audit_db_host, db_name, a
 query = get_cmd1 + " -c \; -query \"select version from x_db_version_h where version = '%s' and active = 'Y';\"" %(version)
 elif os_name == "WINDOWS":
 query = get_cmd1 + " -query \"select version from x_db_version_h where version = '%s' and active = 'Y';\" -c ;" %(version)
+ jisql_log(query, db_password)
 output = check_output(query)
 if output.strip(version +" |"):
 log("[I] Patch "+ name +" is already applied" ,"info")
@@ -546,17 +587,21 @@ def import_auditdb_patches(self, xa_sqlObj,xa_db_host, audit_db_host, db_name, a
 get_cmd2 = self.get_jisql_cmd(db_user, db_password)
 if os_name == "LINUX":
 query = get_cmd2 + " -input %s -c /" %file_name
+ jisql_log(query, db_password)
 ret = subprocess.call(shlex.split(query))
 elif os_name == "WINDOWS":
 query = get_cmd2 + " -input %s -c /" %file_name
+ jisql_log(query, db_password)
 ret = subprocess.call(query)
 if ret == 0:
 log("[I] "+name + " patch applied","info")
 if os_name == "LINUX":
 query = get_cmd1 + " -c \; -query \"insert into x_db_version_h (id,version, inst_at, inst_by, updated_at, updated_by) values ( X_DB_VERSION_H_SEQ.nextval,'%s', sysdate, '%s', sysdate, '%s');\"" %(version, db_user, db_user)
+ jisql_log(query, db_password)
 ret = subprocess.call(shlex.split(query))
 elif os_name == "WINDOWS":
 query = get_cmd1 + " -query \"insert into x_db_version_h (id,version, inst_at, inst_by, updated_at, updated_by) values ( X_DB_VERSION_H_SEQ.nextval,'%s', sysdate, '%s', sysdate, '%s');\" -c ;" %(version, db_user, db_user)
+ jisql_log(query, db_password)
 ret = subprocess.call(query)
 if ret == 0:
 log("[I] Patch version updated", "info")
@@ -576,6 +621,7 @@ def check_table(self, db_name, db_user, db_password, TABLE_NAME):
 query = get_cmd + " -c \; -query 'select default_tablespace from user_users;'"
 elif os_name == "WINDOWS":
 query = get_cmd + " -query \"select default_tablespace from user_users;\" -c ;"
+ jisql_log(query, db_password)
 output = check_output(query).strip()
 output = output.strip(' |')
 db_name = db_name.upper()
@@ -587,6 +633,7 @@ def check_table(self, db_name, db_user, db_password, TABLE_NAME):
 query = get_cmd + " -c \; -query \"select UPPER(table_name) from all_tables where UPPER(tablespace_name)=UPPER('%s') and UPPER(table_name)=UPPER('%s');\"" %(db_name ,TABLE_NAME)
 elif os_name == "WINDOWS":
 query = get_cmd + " -query \"select UPPER(table_name) from all_tables where UPPER(tablespace_name)=UPPER('%s') and UPPER(table_name)=UPPER('%s');\" -c ;" %(db_name ,TABLE_NAME)
+ jisql_log(query, db_password)
 output = check_output(query)
 if output.strip(TABLE_NAME.upper() + ' |'):
 log("[I] Table " + TABLE_NAME +" already exists in tablespace " + db_name + "","info")
@@ -647,6 +694,7 @@ def execute_java_patches(self, xa_db_host, db_user, db_password, db_name):
 query = get_cmd + " -c \; -query \"select version from x_db_version_h where version = 'J%s' and active = 'Y';\"" %(version)
 elif os_name == "WINDOWS":
 query = get_cmd + " -query \"select version from x_db_version_h where version = 'J%s' and active = 'Y';\" -c ;" %(version)
+ jisql_log(query, db_password)
 output = check_output(query)
 if output.strip(version + " |"):
 log("[I] java patch "+ className +" is already applied" ,"info")
@@ -665,9 +713,11 @@ def execute_java_patches(self, xa_db_host, db_user, db_password, db_name):
 get_cmd = self.get_jisql_cmd(db_user, db_password)
 if os_name == "LINUX":
 query = get_cmd + " -c \; -query \"insert into x_db_version_h (id,version, inst_at, inst_by, updated_at, updated_by) values ( X_DB_VERSION_H_SEQ.nextval,'J%s', sysdate, '%s', sysdate, '%s');\"" %(version, db_user, db_user)
+ jisql_log(query, db_password)
 ret = subprocess.call(shlex.split(query))
 elif os_name == "WINDOWS":
 query = get_cmd + " -query \"insert into x_db_version_h (id,version, inst_at, inst_by, updated_at, updated_by) values ( X_DB_VERSION_H_SEQ.nextval,'J%s', sysdate, '%s', sysdate, '%s');\" -c ;" %(version, db_user, db_user)
+ jisql_log(query, db_password)
 ret = subprocess.call(query)
 if ret == 0:
 log("[I] java patch "+ className +" applied", "info")
@@ -690,9 +740,9 @@ def get_jisql_cmd(self, user, password, db_name):
 path = RANGER_ADMIN_HOME
 self.JAVA_BIN = self.JAVA_BIN.strip("'")
 if os_name == "LINUX":
- jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver postgresql -cstring jdbc:postgresql://%s/%s -u %s -p %s -noheader -trim -c \;" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, self.host, db_name, user, password)
+ jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver postgresql -cstring jdbc:postgresql://%s/%s -u %s -p '%s' -noheader -trim -c \;" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, self.host, db_name, user, password)
 elif os_name == "WINDOWS":
- jisql_cmd = "%s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver postgresql -cstring jdbc:postgresql://%s/%s -u %s -p %s -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, self.host, db_name, user, password)
+ jisql_cmd = "%s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver postgresql -cstring jdbc:postgresql://%s/%s -u %s -p \"%s\" -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, self.host, db_name, user, password)
 return jisql_cmd
 def check_connection(self, db_name, db_user, db_password):
@@ -702,6 +752,7 @@ def check_connection(self, db_name, db_user, db_password):
 query = get_cmd + " -query \"SELECT 1;\""
 elif os_name == "WINDOWS":
 query = get_cmd + " -query \"SELECT 1;\" -c ;"
+ jisql_log(query, db_password)
 output = check_output(query)
 if output.strip('1 |'):
 log("[I] connection success", "info")
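Review bot: Quoting the password as `-p '%s'` keeps a password with spaces together, but the LINUX command still goes through `shlex.split(query)`, so a password containing a single quote can now make `shlex.split` raise `ValueError` before anything runs, and the WINDOWS `-p \"%s\"` passed as a string to `subprocess.call(query)` breaks the same way on a double quote; the MSSQL, SAP and MySQL variants (L895, L900, L907) and the Oracle Windows branch (L882) share this. Either reject the platform's quote character in `password_validation` with a clear message, or build the argument vector as a list and hand it to `subprocess.call` without shell-style quoting, which also decouples the command from the token `jisql_log` has to match. `get_jisql_cmd` starts outside the first hunk.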
@@ -717,9 +768,11 @@ def import_db_file(self, db_name, db_user, db_password, file_name):
 get_cmd = self.get_jisql_cmd(db_user, db_password, db_name)
 if os_name == "LINUX":
 query = get_cmd + " -input %s" %file_name
+ jisql_log(query, db_password)
 ret = subprocess.call(shlex.split(query))
 elif os_name == "WINDOWS":
 query = get_cmd + " -input %s -c ;" %file_name
+ jisql_log(query, db_password)
 ret = subprocess.call(query)
 if ret == 0:
 log("[I] "+name + " DB schema imported successfully","info")
@@ -733,9 +786,11 @@ def grant_audit_db_user(self, audit_db_name , db_user, audit_db_user, db_passwor
 log("[I] Granting select and usage privileges to Postgres audit user '" + audit_db_user + "' on XA_ACCESS_AUDIT_SEQ", "info")
 if os_name == "LINUX":
 query = get_cmd + " -query 'GRANT SELECT,USAGE ON XA_ACCESS_AUDIT_SEQ TO %s;'" % (audit_db_user)
+ jisql_log(query, db_password)
 ret = subprocess.call(shlex.split(query))
 elif os_name == "WINDOWS":
 query = get_cmd + " -query \"GRANT SELECT,USAGE ON XA_ACCESS_AUDIT_SEQ TO %s;\" -c ;" % (audit_db_user)
+ jisql_log(query, db_password)
 ret = subprocess.call(query)
 if ret != 0:
 log("[E] Granting select privileges to Postgres user '" + audit_db_user + "' failed", "error")
@@ -744,9 +799,11 @@ def grant_audit_db_user(self, audit_db_name , db_user, audit_db_user, db_passwor
 log("[I] Granting insert privileges to Postgres audit user '" + audit_db_user + "' on XA_ACCESS_AUDIT table", "info")
 if os_name == "LINUX":
 query = get_cmd + " -query 'GRANT INSERT ON XA_ACCESS_AUDIT TO %s;'" % (audit_db_user)
+ jisql_log(query, db_password)
 ret = subprocess.call(shlex.split(query))
 elif os_name == "WINDOWS":
 query = get_cmd + " -query \"GRANT INSERT ON XA_ACCESS_AUDIT TO %s;\" -c ;" % (audit_db_user)
+ jisql_log(query, db_password)
 ret = subprocess.call(query)
 if ret != 0:
 log("[E] Granting insert privileges to Postgres user '" + audit_db_user + "' failed", "error")
@@ -762,23 +819,28 @@ def import_db_patches(self, db_name, db_user, db_password, file_name):
 query = get_cmd + " -query \"select version from x_db_version_h where version = '%s' and active = 'Y';\"" %(version)
 elif os_name == "WINDOWS":
 query = get_cmd + " -query \"select version from x_db_version_h where version = '%s' and active = 'Y';\" -c ;" %(version)
+ jisql_log(query, db_password)
 output = check_output(query)
 if output.strip(version + " |"):
 log("[I] Patch "+ name +" is already applied" ,"info")
 else:
 if os_name == "LINUX":
 query = get_cmd + " -input %s" %file_name
+ jisql_log(query, db_password)
 ret = subprocess.call(shlex.split(query))
 elif os_name == "WINDOWS":
 query = get_cmd + " -input %s -c ;" %file_name
+ jisql_log(query, db_password)
 ret = subprocess.call(query)
 if ret == 0:
 log("[I] "+name + " patch applied","info")
 if os_name == "LINUX":
 query = get_cmd + " -query \"insert into x_db_version_h (version, inst_at, inst_by, updated_at, updated_by) values ('%s', now(), '%s@%s', now(), '%s@%s') ;\"" %(version,db_user,xa_db_host,db_user,xa_db_host)
+ jisql_log(query, db_password)
 ret = subprocess.call(shlex.split(query))
 elif os_name == "WINDOWS":
 query = get_cmd + " -query \"insert into x_db_version_h (version, inst_at, inst_by, updated_at, updated_by) values ('%s', now(), '%s@%s', now(), '%s@%s') ;\" -c ;" %(version,db_user,xa_db_host,db_user,xa_db_host)
+ jisql_log(query, db_password)
 ret = subprocess.call(query)
 if ret == 0:
 log("[I] Patch version updated", "info")
@@ -802,6 +864,7 @@ def import_auditdb_patches(self, xa_sqlObj,xa_db_host, audit_db_host, db_name, a
 query = get_cmd1 + " -query \"select version from x_db_version_h where version = '%s' and active = 'Y';\"" %(version)
 elif os_name == "WINDOWS":
 query = get_cmd1 + " -query \"select version from x_db_version_h where version = '%s' and active = 'Y';\" -c ;" %(version)
+ jisql_log(query, db_password)
 output = check_output(query)
 if output.strip(version + " |"):
 log("[I] Patch "+ name +" is already applied" ,"info")
@@ -809,17 +872,21 @@ def import_auditdb_patches(self, xa_sqlObj,xa_db_host, audit_db_host, db_name, a
 get_cmd2 = self.get_jisql_cmd(db_user, db_password, audit_db_name)
 if os_name == "LINUX":
 query = get_cmd2 + " -input %s" %file_name
+ jisql_log(query, db_password)
 ret = subprocess.call(shlex.split(query))
 elif os_name == "WINDOWS":
 query = get_cmd2 + " -input %s -c ;" %file_name
+ jisql_log(query, db_password)
 ret = subprocess.call(query)
 if ret == 0:
 log("[I] "+name + " patch applied","info")
 if os_name == "LINUX":
 query = get_cmd1 + " -query \"insert into x_db_version_h (version, inst_at, inst_by, updated_at, updated_by) values ('%s', now(), '%s@%s', now(), '%s@%s') ;\"" %(version,db_user,xa_db_host,db_user,xa_db_host)
+ jisql_log(query, db_password)
 ret = subprocess.call(shlex.split(query))
 elif os_name == "WINDOWS":
 query = get_cmd1 + " -query \"insert into x_db_version_h (version, inst_at, inst_by, updated_at, updated_by) values ('%s', now(), '%s@%s', now(), '%s@%s') ;\" -c ;" %(version,db_user,xa_db_host,db_user,xa_db_host)
+ jisql_log(query, db_password)
 ret = subprocess.call(query)
 if ret == 0:
 log("[I] Patch version updated", "info")
@@ -840,6 +907,7 @@ def check_table(self, db_name, db_user, db_password, TABLE_NAME):
 query = get_cmd + " -query \"select * from (select table_name from information_schema.tables where table_catalog='%s' and table_name = '%s') as temp;\"" %(db_name , TABLE_NAME)
 elif os_name == "WINDOWS":
 query = get_cmd + " -query \"select * from (select table_name from information_schema.tables where table_catalog='%s' and table_name = '%s') as temp;\" -c ;" %(db_name , TABLE_NAME)
+ jisql_log(query, db_password)
 output = check_output(query)
 if output.strip(TABLE_NAME +" |"):
 log("[I] Table " + TABLE_NAME +" already exists in database " + db_name, "info")
@@ -895,6 +963,7 @@ def execute_java_patches(self, xa_db_host, db_user, db_password, db_name):
 query = get_cmd + " -query \"select version from x_db_version_h where version = 'J%s' and active = 'Y';\"" %(version)
 elif os_name == "WINDOWS":
 query = get_cmd + " -query \"select version from x_db_version_h where version = 'J%s' and active = 'Y';\" -c ;" %(version)
+ jisql_log(query, db_password)
 output = check_output(query)
 if output.strip(version + " |"):
 log("[I] java patch "+ className +" is already applied" ,"info")
@@ -913,9 +982,11 @@ def execute_java_patches(self, xa_db_host, db_user, db_password, db_name):
 get_cmd = self.get_jisql_cmd(db_user, db_password, db_name)
 if os_name == "LINUX":
 query = get_cmd + " -query \"insert into x_db_version_h (version, inst_at, inst_by, updated_at, updated_by) values ('J%s', now(), '%s@%s', now(), '%s@%s') ;\"" %(version,db_user,xa_db_host,db_user,xa_db_host)
+ jisql_log(query, db_password)
 ret = subprocess.call(shlex.split(query))
 elif os_name == "WINDOWS":
 query = get_cmd + " -query \"insert into x_db_version_h (version, inst_at, inst_by, updated_at, updated_by) values ('J%s', now(), '%s@%s', now(), '%s@%s') ;\" -c ;" %(version,db_user,xa_db_host,db_user,xa_db_host)
+ jisql_log(query, db_password)
 ret = subprocess.call(query)
 if ret == 0:
 log("[I] java patch "+ className +" applied", "info")
@@ -939,9 +1010,9 @@ def get_jisql_cmd(self, user, password, db_name):
 path = RANGER_ADMIN_HOME
 self.JAVA_BIN = self.JAVA_BIN.strip("'")
 if os_name == "LINUX":
- jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password '%s' -driver mssql -cstring jdbc:sqlserver://%s\\;databaseName=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password, self.host,db_name)
+ jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -p '%s' -driver mssql -cstring jdbc:sqlserver://%s\\;databaseName=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password, self.host,db_name)
 elif os_name == "WINDOWS":
- jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password '%s' -driver mssql -cstring jdbc:sqlserver://%s;databaseName=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password, self.host,db_name)
+ jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -p \"%s\" -driver mssql -cstring jdbc:sqlserver://%s;databaseName=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password, self.host,db_name)
 return jisql_cmd
 def check_connection(self, db_name, db_user, db_password):
@@ -951,6 +1022,7 @@ def check_connection(self, db_name, db_user, db_password):
 query = get_cmd + " -c \; -query \"SELECT 1;\""
 elif os_name == "WINDOWS":
 query = get_cmd + " -query \"SELECT 1;\" -c ;"
+ jisql_log(query, db_password)
 output = check_output(query)
 if output.strip('1 |'):
 log("[I] Connection success", "info")
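Review bot: Renaming the option from `-password` to `-p` is what lets `jisql_log` find and mask the secret, because it rewrites only the ` -p '<password>'` token (L906); that coupling is not stated anywhere, and a later edit switching back to `-password` or changing the quoting would put the password into the log in clear. Add a comment on the LINUX line, `# keep '-p' and this exact quoting: jisql_log masks only the " -p '<password>'" token`, here and in the SAP variant at L900. The other drivers already use `-u`/`-p`, so `-p` being accepted by jisql is consistent with the rest of the file, but the MSSQL and SAP strings still pair it with `-user` rather than `-u`, which is worth aligning for consistency. `get_jisql_cmd` starts outside the first hunk.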
@@ -966,9 +1038,11 @@ def import_db_file(self, db_name, db_user, db_password, file_name):
 get_cmd = self.get_jisql_cmd(db_user, db_password, db_name)
 if os_name == "LINUX":
 query = get_cmd + " -input %s" %file_name
+ jisql_log(query, db_password)
 ret = subprocess.call(shlex.split(query))
 elif os_name == "WINDOWS":
 query = get_cmd + " -input %s" %file_name
+ jisql_log(query, db_password)
 ret = subprocess.call(query)
 if ret == 0:
 log("[I] "+name + " DB schema imported successfully","info")
@@ -982,6 +1056,7 @@ def check_table(self, db_name, db_user, db_password, TABLE_NAME):
 query = get_cmd + " -c \; -query \"SELECT TABLE_NAME FROM information_schema.tables where table_name = '%s';\"" %(TABLE_NAME)
 elif os_name == "WINDOWS":
 query = get_cmd + " -query \"SELECT TABLE_NAME FROM information_schema.tables where table_name = '%s';\" -c ;" %(TABLE_NAME)
+ jisql_log(query, db_password)
 output = check_output(query)
 if output.strip(TABLE_NAME + " |"):
 log("[I] Table '" + TABLE_NAME + "' already exists in database '" + db_name + "'","info")
@@ -995,9 +1070,11 @@ def grant_audit_db_user(self, audit_db_name, db_user, audit_db_user, db_password
 get_cmd = self.get_jisql_cmd(db_user, db_password,audit_db_name)
 if os_name == "LINUX":
 query = get_cmd + " -c \; -query \"USE %s GRANT SELECT,INSERT to %s;\"" %(audit_db_name ,audit_db_user)
+ jisql_log(query, db_password)
 ret = subprocess.call(shlex.split(query))
 elif os_name == "WINDOWS":
 query = get_cmd + " -query \"USE %s GRANT SELECT,INSERT to %s;\" -c ;" %(audit_db_name ,audit_db_user)
+ jisql_log(query, db_password)
 ret = subprocess.call(query)
 if ret != 0 :
 sys.exit(1)
@@ -1014,23 +1091,28 @@ def import_db_patches(self, db_name, db_user, db_password, file_name):
 query = get_cmd + " -query \"select version from x_db_version_h where version = '%s' and active = 'Y';\"" %(version)
 elif os_name == "WINDOWS":
 query = get_cmd + " -query \"select version from x_db_version_h where version = '%s' and active = 'Y';\" -c ;" %(version)
+ jisql_log(query, db_password)
 output = check_output(query)
 if output.strip(version + " |"):
 log("[I] Patch "+ name +" is already applied" ,"info")
 else:
 if os_name == "LINUX":
 query = get_cmd + " -input %s" %file_name
+ jisql_log(query, db_password)
 ret = subprocess.call(shlex.split(query))
 elif os_name == "WINDOWS":
 query = get_cmd + " -input %s" %file_name
+ jisql_log(query, db_password)
 ret = subprocess.call(query)
 if ret == 0:
 log("[I] "+name + " patch applied","info")
 if os_name == "LINUX":
 query = get_cmd + " -query \"insert into x_db_version_h (version, inst_at, inst_by, updated_at, updated_by) values ('%s', GETDATE(), '%s@%s', GETDATE(), '%s@%s') ;\" -c \;" %(version,db_user,xa_db_host,db_user,xa_db_host)
+ jisql_log(query, db_password)
 ret = subprocess.call(shlex.split(query))
 elif os_name == "WINDOWS":
 query = get_cmd + " -query \"insert into x_db_version_h (version, inst_at, inst_by, updated_at, updated_by) values ('%s', GETDATE(), '%s@%s', GETDATE(), '%s@%s') ;\" -c ;" %(version,db_user,xa_db_host,db_user,xa_db_host)
+ jisql_log(query, db_password)
 ret = subprocess.call(query)
 if ret == 0:
 log("[I] Patch version updated", "info")
@@ -1054,6 +1136,7 @@ def import_auditdb_patches(self, xa_sqlObj,xa_db_host, audit_db_host, db_name, a
 query = get_cmd1 + " -query \"select version from x_db_version_h where version = '%s' and active = 'Y';\"" %(version)
 elif os_name == "WINDOWS":
 query = get_cmd1 + " -query \"select version from x_db_version_h where version = '%s' and active = 'Y';\" -c ;" %(version)
+ jisql_log(query, db_password)
 output = check_output(query)
 if output.strip(version + " |"):
 log("[I] Patch "+ name +" is already applied" ,"info")
@@ -1061,17 +1144,21 @@ def import_auditdb_patches(self, xa_sqlObj,xa_db_host, audit_db_host, db_name, a
 get_cmd2 = self.get_jisql_cmd(db_user, db_password, audit_db_name)
 if os_name == "LINUX":
 query = get_cmd2 + " -input %s" %file_name
+ jisql_log(query, db_password)
 ret = subprocess.call(shlex.split(query))
 elif os_name == "WINDOWS":
 query = get_cmd2 + " -input %s" %file_name
+ jisql_log(query, db_password)
 ret = subprocess.call(query)
 if ret == 0:
 log("[I] "+name + " patch applied","info")
 if os_name == "LINUX":
 query = get_cmd1 + " -query \"insert into x_db_version_h (version, inst_at, inst_by, updated_at, updated_by) values ('%s', GETDATE(), '%s@%s', GETDATE(), '%s@%s') ;\" -c \;" %(version,db_user,xa_db_host,db_user,xa_db_host)
+ jisql_log(query, db_password)
 ret = subprocess.call(shlex.split(query))
 elif os_name == "WINDOWS":
 query = get_cmd1 + " -query \"insert into x_db_version_h (version, inst_at, inst_by, updated_at, updated_by) values ('%s', GETDATE(), '%s@%s', GETDATE(), '%s@%s') ;\" -c ;" %(version,db_user,xa_db_host,db_user,xa_db_host)
+ jisql_log(query, db_password)
 ret = subprocess.call(query)
 if ret == 0:
 log("[I] Patch version updated", "info")
@@ -1131,6 +1218,7 @@ def execute_java_patches(self, xa_db_host, db_user, db_password, db_name):
 query = get_cmd + " -query \"select version from x_db_version_h where version = 'J%s' and active = 'Y';\" -c \;" %(version)
 elif os_name == "WINDOWS":
 query = get_cmd + " -query \"select version from x_db_version_h where version = 'J%s' and active = 'Y';\" -c ;" %(version)
+ jisql_log(query, db_password)
 output = check_output(query)
 if output.strip(version + " |"):
 log("[I] java patch "+ className +" is already applied" ,"info")
@@ -1149,9 +1237,11 @@ def execute_java_patches(self, xa_db_host, db_user, db_password, db_name):
 get_cmd = self.get_jisql_cmd(db_user, db_password, db_name)
 if os_name == "LINUX":
 query = get_cmd + " -query \"insert into x_db_version_h (version, inst_at, inst_by, updated_at, updated_by) values ('J%s', GETDATE(), '%s@%s', GETDATE(), '%s@%s') ;\" -c \;" %(version,db_user,xa_db_host,db_user,xa_db_host)
+ jisql_log(query, db_password)
 ret = subprocess.call(shlex.split(query))
 elif os_name == "WINDOWS":
 query = get_cmd + " -query \"insert into x_db_version_h (version, inst_at, inst_by, updated_at, updated_by) values ('J%s', GETDATE(), '%s@%s', GETDATE(), '%s@%s') ;\" -c ;" %(version,db_user,xa_db_host,db_user,xa_db_host)
+ jisql_log(query, db_password)
 ret = subprocess.call(query)
 if ret == 0:
 log("[I] java patch "+ className +" applied", "info")
@@ -1173,9 +1263,9 @@ def get_jisql_cmd(self, user, password, db_name):
 path = RANGER_ADMIN_HOME
 self.JAVA_BIN = self.JAVA_BIN.strip("'")
 if os_name == "LINUX":
- jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password '%s' -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,user, password,db_name,self.host)
+ jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -p '%s' -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,user, password,db_name,self.host)
 elif os_name == "WINDOWS":
- jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password '%s' -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password,db_name,self.host)
+ jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -p \"%s\" -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password,db_name,self.host)
 return jisql_cmd
 def check_connection(self, db_name, db_user, db_password):
@@ -1185,6 +1275,7 @@ def check_connection(self, db_name, db_user, db_password):
 query = get_cmd + " -c \; -query \"SELECT 1;\""
 elif os_name == "WINDOWS":
 query = get_cmd + " -query \"SELECT 1;\" -c ;"
+ jisql_log(query, db_password)
 output = check_output(query)
 if output.strip('1 |'):
 log("[I] Connection success", "info")
@@ -1200,9 +1291,11 @@ def import_db_file(self, db_name, db_user, db_password, file_name):
 get_cmd = self.get_jisql_cmd(db_user, db_password, db_name)
 if os_name == "LINUX":
 query = get_cmd + " -input %s" %file_name
+ jisql_log(query, db_password)
 ret = subprocess.call(shlex.split(query))
 elif os_name == "WINDOWS":
 query = get_cmd + " -input %s" %file_name
+ jisql_log(query, db_password)
 ret = subprocess.call(query)
 if ret == 0:
 log("[I] "+name + " DB schema imported successfully","info")
@@ -1217,6 +1310,7 @@ def check_table(self, db_name, db_user, db_password, TABLE_NAME):
 query = get_cmd + " -c \; -query \"SELECT name FROM sysobjects where name = '%s' and type='U';\"" %(TABLE_NAME)
 elif os_name == "WINDOWS":
 query = get_cmd + " -query \"SELECT name FROM sysobjects where name = '%s' and type='U';\" -c ;" %(TABLE_NAME)
+ jisql_log(query, db_password)
 output = check_output(query)
 if output.strip(TABLE_NAME + " |"):
 log("[I] Table '" + TABLE_NAME + "' already exists in database '" + db_name + "'","info")
@@ -1230,9 +1324,11 @@ def grant_audit_db_user(self, audit_db_name, db_user, audit_db_user, db_password
 get_cmd = self.get_jisql_cmd(db_user, db_password,audit_db_name)
 if os_name == "LINUX":
 query = get_cmd + " -c \; -query \"GRANT INSERT ON XA_ACCESS_AUDIT to %s;\"" %(audit_db_user)
+ jisql_log(query, db_password)
 ret = subprocess.call(shlex.split(query))
 elif os_name == "WINDOWS":
 query = get_cmd + " -query \"GRANT INSERT ON XA_ACCESS_AUDIT to %s;\" -c ;" %(audit_db_user)
+ jisql_log(query, db_password)
 ret = subprocess.call(query)
 if ret != 0 :
 sys.exit(1)
@@ -1249,23 +1345,28 @@ def import_db_patches(self, db_name, db_user, db_password, file_name):
 query = get_cmd + " -query \"select version from x_db_version_h where version = '%s' and active = 'Y';\"" %(version)
 elif os_name == "WINDOWS":
 query = get_cmd + " -query \"select version from x_db_version_h where version = '%s' and active = 'Y';\" -c ;" %(version)
+ jisql_log(query, db_password)
 output = check_output(query)
 if output.strip(version + " |"):
 log("[I] Patch "+ name +" is already applied" ,"info")
 else:
 if os_name == "LINUX":
 query = get_cmd + " -input %s" %file_name
+ jisql_log(query, db_password)
 ret = subprocess.call(shlex.split(query))
 elif os_name == "WINDOWS":
 query = get_cmd + " -input %s" %file_name
+ jisql_log(query, db_password)
 ret = subprocess.call(query)
 if ret == 0:
 log("[I] "+name + " patch applied","info")
 if os_name == "LINUX":
 query = get_cmd + " -query \"insert into x_db_version_h (version, inst_at, inst_by, updated_at, updated_by) values ('%s', GETDATE(), '%s@%s', GETDATE(), '%s@%s') ;\" -c \;" %(version,db_user,xa_db_host,db_user,xa_db_host)
+ jisql_log(query, db_password)
 ret = subprocess.call(shlex.split(query))
 elif os_name == "WINDOWS":
 query = get_cmd + " -query \"insert into x_db_version_h (version, inst_at, inst_by, updated_at, updated_by) values ('%s', GETDATE(), '%s@%s', GETDATE(), '%s@%s') ;\" -c ;" %(version,db_user,xa_db_host,db_user,xa_db_host)
+ jisql_log(query, db_password)
 ret = subprocess.call(query)
 if ret == 0:
 log("[I] Patch version updated", "info")
@@ -1289,6 +1390,7 @@ def import_auditdb_patches(self, xa_sqlObj,xa_db_host, audit_db_host, db_name, a
 query = get_cmd1 + " -query \"select version from x_db_version_h where version = '%s' and active = 'Y';\"" %(version)
 elif os_name == "WINDOWS":
 query = get_cmd1 + " -query \"select version from x_db_version_h where version = '%s' and active = 'Y';\" -c ;" %(version)
+ jisql_log(query, db_password)
 output = check_output(query)
 if output.strip(version + " |"):
 log("[I] Patch "+ name +" is already applied" ,"info")
@@ -1296,17 +1398,21 @@ def import_auditdb_patches(self, xa_sqlObj,xa_db_host, audit_db_host, db_name, a
 get_cmd2 = self.get_jisql_cmd(db_user, db_password, audit_db_name)
 if os_name == "LINUX":
 query = get_cmd2 + " -input %s" %file_name
+ jisql_log(query, db_password)
 ret = subprocess.call(shlex.split(query))
 elif os_name == "WINDOWS":
 query = get_cmd2 + " -input %s" %file_name
+ jisql_log(query, db_password)
 ret = subprocess.call(query)
 if ret == 0:
 log("[I] "+name + " patch applied","info")
 if os_name == "LINUX":
 query = get_cmd1 + " -query \"insert into x_db_version_h (version, inst_at, inst_by, updated_at, updated_by) values ('%s', GETDATE(), '%s@%s', GETDATE(), '%s@%s') ;\" -c \;" %(version,db_user,xa_db_host,db_user,xa_db_host)
+ jisql_log(query, db_password)
 ret = subprocess.call(shlex.split(query))
 elif os_name == "WINDOWS":
 query = get_cmd1 + " -query \"insert into x_db_version_h (version, inst_at, inst_by, updated_at, updated_by) values ('%s', GETDATE(), '%s@%s', GETDATE(), '%s@%s') ;\" -c ;" %(version,db_user,xa_db_host,db_user,xa_db_host)
+ jisql_log(query, db_password)
 ret = subprocess.call(query)
 if ret == 0:
 log("[I] Patch version updated", "info")
@@ -1367,6 +1473,7 @@ def execute_java_patches(self, xa_db_host, db_user, db_password, db_name):
 query = get_cmd + " -query \"select version from x_db_version_h where version = 'J%s' and active = 'Y';\" -c \;" %(version)
 elif os_name == "WINDOWS":
 query = get_cmd + " -query \"select version from x_db_version_h where version = 'J%s' and active = 'Y';\" -c ;" %(version)
+ jisql_log(query, db_password)
 output = check_output(query)
 if output.strip(version + " |"):
 log("[I] java patch "+ className +" is already applied" ,"info")
@@ -1385,9 +1492,11 @@ def execute_java_patches(self, xa_db_host, db_user, db_password, db_name):
 get_cmd = self.get_jisql_cmd(db_user, db_password, db_name)
 if os_name == "LINUX":
 query = get_cmd + " -query \"insert into x_db_version_h (version, inst_at, inst_by, updated_at, updated_by) values ('J%s', GETDATE(), '%s@%s', GETDATE(), '%s@%s') ;\" -c \;" %(version,db_user,xa_db_host,db_user,xa_db_host)
+ jisql_log(query, db_password)
 ret = subprocess.call(shlex.split(query))
 elif os_name == "WINDOWS":
 query = get_cmd + " -query \"insert into x_db_version_h (version, inst_at, inst_by, updated_at, updated_by) values ('J%s', GETDATE(), '%s@%s', GETDATE(), '%s@%s') ;\" -c ;" %(version,db_user,xa_db_host,db_user,xa_db_host)
+ jisql_log(query, db_password)
 ret = subprocess.call(query)
 if ret == 0:
 log("[I] java patch "+ className +" applied", "info")
@@ -1404,16 +1513,19 @@ def set_options(self, db_name, db_user, db_password, TABLE_NAME):
 query = get_cmd + " -c \; -query \"set option public.reserved_keywords='LIMIT';\""
 elif os_name == "WINDOWS":
 query = get_cmd + " -query \"set option public.reserved_keywords='LIMIT';\" -c ;"
+ jisql_log(query, db_password)
 ret = subprocess.call(shlex.split(query))
 if os_name == "LINUX":
 query = get_cmd + " -c \; -query \"set option public.max_statement_count=0;\""
 elif os_name == "WINDOWS":
 query = get_cmd + " -query \"set option public.max_statement_count=0;\" -c;"
+ jisql_log(query, db_password)
 ret = subprocess.call(shlex.split(query))
 if os_name == "LINUX":
 query = get_cmd + " -c \; -query \"set option public.max_cursor_count=0;\""
 elif os_name == "WINDOWS":
 query = get_cmd + " -query \"set option public.max_cursor_count=0;\" -c;"
+ jisql_log(query, db_password)
 ret = subprocess.call(shlex.split(query))
 def main(argv):
@@ -1568,7 +1680,7 @@ def main(argv):
 else:
 log("[E] --------- NO SUCH SUPPORTED DB FLAVOUR!! ---------", "error")
 sys.exit(1)
-# '''
+
 log("[I] --------- Verifying Ranger DB connection ---------","info")
 xa_sqlObj.check_connection(db_name, db_user, db_password)
@@ -1605,7 +1717,7 @@ def main(argv):
 audit_sqlObj.auditdb_operation(xa_db_host, audit_db_host, db_name, audit_db_name, db_user, audit_db_user, db_password, audit_db_password, audit_db_file, xa_access_audit)
 log("[I] --------- Applying Audit DB patches ---------","info")
 audit_sqlObj.apply_auditdb_patches(xa_sqlObj,xa_db_host, audit_db_host, db_name, audit_db_name, db_user, audit_db_user, db_password, audit_db_password, audit_patch_file, xa_access_audit)
-# '''
+
 if len(argv)>1:
 for i in range(len(argv)):
 if str(argv[i]) == "-javapatch":
diff --git a/security-admin/scripts/dba_script.py b/security-admin/scripts/dba_script.py
index 40a6c496abc..5564737b12c 100644
--- a/security-admin/scripts/dba_script.py
+++ b/security-admin/scripts/dba_script.py
@@ -30,6 +30,8 @@ os_name = platform.system() os_name = os_name.upper() +jisql_debug=True + if os_name == "LINUX": RANGER_ADMIN_HOME = os.getenv("RANGER_ADMIN_HOME") if RANGER_ADMIN_HOME is None: @@ -104,8 +106,20 @@ def password_validation(password, userType): else: log("[I] "+userType+" user password validated","info") else: - log("[E] Blank password is not allowed,please enter valid password.","error") - sys.exit(1) + if userType == "DBA root": + log("[I] "+userType+" user password validated","info") + else: + log("[E] Blank password is not allowed,please enter valid password.","error") + sys.exit(1) + +def jisql_log(query, db_root_password): + if jisql_debug == True: + if os_name == "WINDOWS": + query = query.replace(' -p "'+db_root_password+'"' , ' -p "********"') + log("[JISQL] "+query, "info") + else: + query = query.replace(" -p '"+db_root_password+"'" , " -p '********'") + log("[JISQL] "+query, "info") class BaseDB(object): 
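Review bot: `jisql_debug=True` hard-codes command-line logging on for every run, with no way to disable it short of editing the script, and the strings it emits are full jisql invocations. Consider sourcing the flag from the environment or a CLI option with the default off, e.g. `jisql_debug = os.getenv("JISQL_DEBUG", "false").lower() == "true"` (`os` is already imported, as the `os.getenv("RANGER_ADMIN_HOME")` lines below show). If it stays a module constant, a one-line comment stating what it enables and that the output contains partially redacted command lines would help the next maintainer.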
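Review bot: `jisql_log` masks only the connection password (the ` -p '<pw>'` / ` -p "<pw>"` token), but many queries passed to it carry a second password inside the SQL text — `identified by '%s'` in the MySQL create_rangerdb_user hunk, `create user %s identified by "%s"` and `alter user ... identified by "%s"` in the Oracle create_rangerdb_user, assign_tablespace, create_auditdb and create_auditdb_user hunks, and `CREATE USER ... WITH LOGIN PASSWORD '%s'` in the Postgres create_rangerdb_user hunk — and those values reach the log unredacted because every caller passes only the root password. Either accept a list of secrets, `def jisql_log(query, *secrets):`, and run the replace for each non-empty one, or redact the `identified by` / `PASSWORD` clause before logging. `if jisql_debug == True:` reads better as `if jisql_debug:`. The password_validation change now logs `user password validated` for an empty DBA root password; emitting a warning that an empty password is in use would make that choice visible in the run log rather than silently accepting it.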
@@ -133,10 +147,10 @@ def get_jisql_cmd(self, user, password ,db_name): #TODO: User array for forming command path = RANGER_ADMIN_HOME if os_name == "LINUX": - jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s -u %s -p %s -noheader -trim -c \;" %(self.JAVA_BIN,self.SQL_CONNECTOR_JAR,path,self.host,db_name,user,password) + jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s -u %s -p '%s' -noheader -trim -c \;" %(self.JAVA_BIN,self.SQL_CONNECTOR_JAR,path,self.host,db_name,user,password) elif os_name == "WINDOWS": self.JAVA_BIN = self.JAVA_BIN.strip("'") - jisql_cmd = "%s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s -u %s -p %s -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, self.host, db_name, user, password) + jisql_cmd = "%s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s -u %s -p \"%s\" -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, self.host, db_name, user, password) return jisql_cmd def verify_user(self, root_user, db_root_password, host, db_user, get_cmd,dryMode): @@ -146,6 +160,7 @@ def verify_user(self, root_user, db_root_password, host, db_user, get_cmd,dryMod query = get_cmd + " -query \"select user from mysql.user where user='%s' and host='%s';\"" %(db_user,host) elif os_name == "WINDOWS": query = get_cmd + " -query \"select user from mysql.user where user='%s' and host='%s';\" -c ;" %(db_user,host) + jisql_log(query, db_root_password) output = check_output(query) if output.strip(db_user + " |"): return True 
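Review bot: Quoting the password as `-p '%s'` (LINUX) and `-p \"%s\"` (WINDOWS) handles spaces but breaks on passwords that contain the quote character itself: `shlex.split` raises `ValueError: No closing quotation` on LINUX, and on WINDOWS the command string is truncated at the inner quote. Escaping with a quoting helper (`pipes.quote` on Python 2, `shlex.quote` on 3.3+) or, as the `#TODO: User array for forming command` above already suggests, building an argument list for `subprocess` avoids both problems; note that the ` -p '...'` redaction in `jisql_log` must be kept in sync with whatever quoting is chosen, since it matches the literal form. The same quoting change appears in the Oracle (Windows branch), Postgres and SqlServer get_jisql_cmd hunks. The password also remains on the jisql process command line, where it is readable through the local process list while the command runs — pre-existing, but worth a comment now that the logging mirrors the same string.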
@@ -159,6 +174,7 @@ def check_connection(self, db_name, db_user, db_password): query = get_cmd + " -query \"SELECT version();\"" elif os_name == "WINDOWS": query = get_cmd + " -query \"SELECT version();\" -c ;" + jisql_log(query, db_password) output = check_output(query) if output.strip('Production |'): #log("[I] Checking connection passed.", "info") @@ -182,9 +198,11 @@ def create_rangerdb_user(self, root_user, db_user, db_password, db_root_password log("[I] MySQL user " + db_user + " does not exists for host " + host, "info") if os_name == "LINUX": query = get_cmd + " -query \"create user '%s'@'%s';\"" %(db_user, host) + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"create user '%s'@'%s';\" -c ;" %(db_user, host) + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret == 0: if self.verify_user(root_user, db_root_password, host, db_user, get_cmd, dryMode): @@ -199,9 +217,11 @@ def create_rangerdb_user(self, root_user, db_user, db_password, db_root_password log("[I] MySQL user " + db_user + " does not exists for host " + host, "info") if os_name == "LINUX": query = get_cmd + " -query \"create user '%s'@'%s' identified by '%s';\"" %(db_user, host, db_password) + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"create user '%s'@'%s' identified by '%s';\" -c ;" %(db_user, host, db_password) + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret == 0: if self.verify_user(root_user, db_root_password, host, db_user, get_cmd,dryMode): 
@@ -224,6 +244,7 @@ def verify_db(self, root_user, db_root_password, db_name,dryMode): query = get_cmd + " -query \"show databases like '%s';\"" %(db_name) elif os_name == "WINDOWS": query = get_cmd + " -query \"show databases like '%s';\" -c ;" %(db_name) + jisql_log(query, db_root_password) output = check_output(query) if output.strip(db_name + " |"): return True @@ -243,6 +264,7 @@ def create_db(self, root_user, db_root_password, db_name, db_user, db_password,d query = get_cmd + " -query \"create database %s;\" -c ;" %(db_name) if dryMode == False: log("[I] Database does not exist, Creating database " + db_name,"info") + jisql_log(query, db_root_password) if os_name == "LINUX": ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": 
@@ -264,38 +286,27 @@ def create_db(self, root_user, db_root_password, db_name, db_user, db_password,d def grant_xa_db_user(self, root_user, db_name, db_user, db_password, db_root_password, is_revoke,dryMode): hosts_arr =["%", "localhost"] hosts_arr.append(self.host) - ''' - if is_revoke: - for host in hosts_arr: - get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'mysql') - query = get_cmd + " -query \"REVOKE ALL PRIVILEGES,GRANT OPTION FROM '%s'@'%s';\"" %(db_user, host) - ret = subprocess.call(shlex.split(query)) - if ret == 0: - query = get_cmd + " -query \"FLUSH PRIVILEGES;\"" - ret = subprocess.call(shlex.split(query)) - if ret != 0: - sys.exit(1) - else: - sys.exit(1) - ''' - for host in hosts_arr: if dryMode == False: log("[I] ---------- Granting privileges TO user '"+db_user+"'@'"+host+"' on db '"+db_name+"'----------" , "info") get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'mysql') if os_name == "LINUX": query = get_cmd + " -query \"grant all privileges on %s.* to '%s'@'%s' with grant option;\"" %(db_name,db_user, host) + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"grant all privileges on %s.* to '%s'@'%s' with grant option;\" -c ;" %(db_name,db_user, host) + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret == 0: log("[I] ---------- FLUSH PRIVILEGES ----------" , "info") if os_name == "LINUX": query = get_cmd + " -query \"FLUSH PRIVILEGES;\"" + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"FLUSH PRIVILEGES;\" -c ;" + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret == 0: log("[I] Privileges granted to '" + db_user + "' on '"+db_name+"'", "info") 
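Review bot: With the commented-out revoke block removed, `is_revoke` is now an unused parameter of grant_xa_db_user and is still threaded through create_auditdb_user in the next hunk; either drop it from both signatures and call sites, or leave a one-line comment such as `# is_revoke is accepted for call-site compatibility; revocation is not performed` so the next reader does not assume a revoke path exists. grant_xa_db_user's body continues past the end of this hunk.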
@@ -314,24 +325,28 @@ def create_auditdb_user(self, xa_db_host, audit_db_host, db_name, audit_db_name, if dryMode == False: log("[I] ---------- Setup audit user ----------","info") self.create_rangerdb_user(audit_db_root_user, audit_db_user, audit_db_password, audit_db_root_password,dryMode) - ''' - if is_revoke: - hosts_arr =["%", "localhost"] - for host in hosts_arr: - get_cmd = self.get_jisql_cmd(audit_db_root_user, audit_db_root_password ,'mysql') - query = get_cmd + " -query \"REVOKE ALL PRIVILEGES,GRANT OPTION FROM '%s'@'%s';\"" %(audit_db_user, host) - ret = subprocess.call(shlex.split(query)) - if ret == 0: - query = get_cmd + " -query \"FLUSH PRIVILEGES;\"" - ret = subprocess.call(shlex.split(query)) - if ret != 0: - sys.exit(1) - else: - sys.exit(1) - ''' self.create_db(audit_db_root_user, audit_db_root_password, audit_db_name, db_user, db_password,dryMode) self.grant_xa_db_user(audit_db_root_user, audit_db_name, db_user, db_password, audit_db_root_password, is_revoke,dryMode) + def writeDrymodeCmd(self, xa_db_host, audit_db_host, xa_db_root_user, xa_db_root_password, db_user, db_password, db_name, audit_db_root_user, audit_db_root_password, audit_db_user, audit_db_password, audit_db_name): + logFile("# Login to MySQL Server from a MySQL dba user(i.e 'root') to execute below sql statements.") + hosts_arr =["%", "localhost"] + if not self.host == "localhost": hosts_arr.append(self.host) + for host in hosts_arr: + logFile("create user '%s'@'%s' identified by '%s';" %(db_user, host, db_password)) + logFile("create database %s;"%(db_name)) + for host in hosts_arr: + logFile("grant all privileges on %s.* to '%s'@'%s' with grant option;"%(db_name, db_user, host)) + logFile("FLUSH PRIVILEGES;") + if not db_user == audit_db_user: + for host in hosts_arr: + logFile("create user '%s'@'%s' identified by '%s';"%(audit_db_user, host, audit_db_password)) + if not db_name == audit_db_name: + logFile("create database %s;"%(audit_db_name)) + if not db_name == 
audit_db_name: + for host in hosts_arr: + logFile("grant all privileges on %s.* to '%s'@'%s' with grant option;"%(audit_db_name, db_user, host)) + logFile("FLUSH PRIVILEGES;") class OracleConf(BaseDB): @@ -344,13 +359,21 @@ def __init__(self, host, SQL_CONNECTOR_JAR, JAVA_BIN): def get_jisql_cmd(self, user, password): #TODO: User array for forming command path = RANGER_ADMIN_HOME - #print "self.JAVA_BIN=" + self.JAVA_BIN - self.JAVA_BIN = self.JAVA_BIN + " -Djava.security.egd=file:///dev/urandom " + if not re.search('-Djava.security.egd=file:///dev/urandom', self.JAVA_BIN): + self.JAVA_BIN = self.JAVA_BIN + " -Djava.security.egd=file:///dev/urandom " + + #if self.host.count(":") == 2: + if self.host.count(":") == 2 or self.host.count(":") == 0: + #jdbc:oracle:thin:@[HOST][:PORT]:SID or #jdbc:oracle:thin:@GL + cstring="jdbc:oracle:thin:@%s" %(self.host) + else: + #jdbc:oracle:thin:@//[HOST][:PORT]/SERVICE + cstring="jdbc:oracle:thin:@//%s" %(self.host) + if os_name == "LINUX": - jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver oraclethin -cstring jdbc:oracle:thin:@%s -u '%s' -p '%s' -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR,path, self.host, user, password) + jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver oraclethin -cstring %s -u '%s' -p '%s' -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR,path, cstring, user, password) elif os_name == "WINDOWS": - jisql_cmd = "%s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver oraclethin -cstring jdbc:oracle:thin:@%s -u %s -p %s -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, self.host, user, password) - #print jisql_cmd + jisql_cmd = "%s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver oraclethin -cstring %s -u \"%s\" -p \"%s\" -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, cstring, user, password) return jisql_cmd def check_connection(self, db_name, db_user, db_password): 
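Review bot: In the MySQL writeDrymodeCmd, `if not db_name == audit_db_name:` is tested twice back to back, once guarding the `create database` line and once guarding the grant loop; a single test is clearer and avoids the reader wondering whether the second guard was meant to be a different condition, and `!=` reads better than `not ... ==` throughout this method. The generated statements embed `db_password` and `audit_db_password` in cleartext (`identified by '%s'`), so whatever file `logFile` writes should be created with owner-only permissions and the banner line should say where it was written; the Oracle and Postgres writeDrymodeCmd hunks later in this diff produce the same kind of content. Also, `hosts_arr` here skips `self.host` when it equals `localhost`, whereas grant_xa_db_user above always appends it — harmless for MySQL, but the two lists should agree or the difference should be commented.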
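Review bot: `re.search('-Djava.security.egd=file:///dev/urandom', self.JAVA_BIN)` uses a regex for a literal substring test; `if '-Djava.security.egd=file:///dev/urandom' not in self.JAVA_BIN:` is equivalent, reads better, and does not depend on `re` being imported, which this diff does not show. The leftover `#if self.host.count(":") == 2:` should be deleted now that the live condition below replaces it. Because the method mutates `self.JAVA_BIN` as a side effect on first call, a short comment on why the flag is appended (presumably to avoid blocking on entropy while the JDBC driver seeds SecureRandom — confirm) would help.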
@@ -360,6 +383,7 @@ def check_connection(self, db_name, db_user, db_password): query = get_cmd + " -c \; -query \"select * from v$version;\"" elif os_name == "WINDOWS": query = get_cmd + " -query \"select * from v$version;\" -c ;" + jisql_log(query, db_password) output = check_output(query) if output.strip('Production |'): log("[I] Connection success", "info") @@ -376,6 +400,7 @@ def verify_user(self, root_user, db_user, db_root_password,dryMode): query = get_cmd + " -c \; -query \"select username from all_users where upper(username)=upper('%s');\"" %(db_user) elif os_name == "WINDOWS": query = get_cmd + " -query \"select username from all_users where upper(username)=upper('%s');\" -c ;" %(db_user) + jisql_log(query, db_root_password) output = check_output(query) if output.strip(db_user + " |"): return True @@ -393,9 +418,11 @@ def create_rangerdb_user(self, root_user, db_user, db_password, db_root_password get_cmd = self.get_jisql_cmd(root_user, db_root_password) if os_name == "LINUX": query = get_cmd + " -c \; -query 'create user %s identified by \"%s\";'" %(db_user, db_password) + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"create user %s identified by \"%s\";\" -c ;" %(db_user, db_password) + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret == 0: if self.verify_user(root_user, db_user, db_root_password,dryMode): 
@@ -403,9 +430,11 @@ def create_rangerdb_user(self, root_user, db_user, db_password, db_root_password log("[I] Granting permission to " + db_user, "info") if os_name == "LINUX": query = get_cmd + " -c \; -query 'GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE ANY SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;'" % (db_user) + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE ANY SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;\" -c ;" % (db_user) + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret == 0: log("[I] Granting permissions to Oracle user '" + db_user + "' for %s done" %(self.host), "info") @@ -430,6 +459,7 @@ def verify_tablespace(self, root_user, db_root_password, db_name,dryMode): query = get_cmd + " -c \; -query \"SELECT DISTINCT UPPER(TABLESPACE_NAME) FROM USER_TablespaceS where UPPER(Tablespace_Name)=UPPER(\'%s\');\"" %(db_name) elif os_name == "WINDOWS": query = get_cmd + " -query \"SELECT DISTINCT UPPER(TABLESPACE_NAME) FROM USER_TablespaceS where UPPER(Tablespace_Name)=UPPER(\'%s\');\" -c ;" %(db_name) + jisql_log(query, db_root_password) output = check_output(query) if output.strip(db_name+' |'): return True @@ -446,6 +476,7 @@ def create_db(self, root_user, db_root_password, db_name, db_user, db_password,d query = get_cmd + " -c \; -query 'select default_tablespace from user_users;'" elif os_name == "WINDOWS": query = get_cmd + " -query \"select default_tablespace from user_users;\" -c ;" + jisql_log(query, db_root_password) output = check_output(query).strip() db_name = db_name.upper() +' |' if output == db_name: 
@@ -461,9 +492,11 @@ def create_db(self, root_user, db_root_password, db_name, db_user, db_password,d get_cmd = self.get_jisql_cmd(root_user, db_root_password) if os_name == "LINUX": query = get_cmd + " -c \; -query \"create tablespace %s datafile '%s.dat' size 10M autoextend on;\"" %(db_name, db_name) + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"create tablespace %s datafile '%s.dat' size 10M autoextend on;\" -c ;" %(db_name, db_name) + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret == 0: if self.verify_tablespace(root_user, db_root_password, db_name,dryMode): 
@@ -487,17 +520,21 @@ def assign_tablespace(self, root_user, db_root_password, db_user, db_password, d get_cmd = self.get_jisql_cmd(root_user , db_root_password) if os_name == "LINUX": query = get_cmd +" -c \; -query 'alter user %s identified by \"%s\" DEFAULT Tablespace %s;'" %(db_user, db_password, db_name) + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd +" -query \"alter user %s identified by \"%s\" DEFAULT Tablespace %s;\" -c ;" %(db_user, db_password, db_name) + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret == 0: log("[I] Granting permission to " + db_user, "info") if os_name == "LINUX": query = get_cmd + " -c \; -query 'GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE ANY SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;'" % (db_user) + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE ANY SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;\" -c ;" % (db_user) + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret == 0: log("[I] Granting Oracle user '" + db_user + "' done", "info") 
@@ -526,9 +563,11 @@ def create_auditdb(self, audit_db_root_user, db_name ,audit_db_name, db_user, au get_cmd = self.get_jisql_cmd(audit_db_root_user, audit_db_root_password) if os_name == "LINUX": query = get_cmd + " -c \; -query \"create tablespace %s datafile '%s.dat' size 10M autoextend on;\"" %(audit_db_name, audit_db_name) + jisql_log(query, audit_db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"create tablespace %s datafile '%s.dat' size 10M autoextend on;\" -c ;" %(audit_db_name, audit_db_name) + jisql_log(query, audit_db_root_password) ret = subprocess.call(query) if ret != 0: log("[E] Tablespace creation failed..","error") @@ -549,9 +588,11 @@ def create_auditdb(self, audit_db_root_user, db_name ,audit_db_name, db_user, au get_cmd = self.get_jisql_cmd(audit_db_root_user, audit_db_root_password) if os_name == "LINUX": query = get_cmd + " -c \; -query \"create tablespace %s datafile '%s.dat' size 10M autoextend on;\"" %(db_name, db_name) + jisql_log(query, audit_db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"create tablespace %s datafile '%s.dat' size 10M autoextend on;\" -c ;" %(db_name, db_name) + jisql_log(query, audit_db_root_password) ret = subprocess.call(query) if ret != 0: log("[E] Tablespace creation failed..","error") 
@@ -569,9 +610,11 @@ def create_auditdb(self, audit_db_root_user, db_name ,audit_db_name, db_user, au get_cmd = self.get_jisql_cmd(audit_db_root_user , audit_db_root_password) if os_name == "LINUX": query = get_cmd +" -c \; -query 'alter user %s identified by \"%s\" DEFAULT Tablespace %s;'" %(audit_db_user, audit_db_password, db_name) + jisql_log(query, audit_db_root_password) ret1 = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd +" -query \"alter user %s identified by \"%s\" DEFAULT Tablespace %s;\" -c ;" %(audit_db_user, audit_db_password, db_name) + jisql_log(query, audit_db_root_password) ret1 = subprocess.call(query) log("[I] Assign default tablespace " + audit_db_name + " to : " + audit_db_user, "info") 
@@ -579,18 +622,22 @@ def create_auditdb(self, audit_db_root_user, db_name ,audit_db_name, db_user, au get_cmd = self.get_jisql_cmd(audit_db_root_user , audit_db_root_password) if os_name == "LINUX": query = get_cmd +" -c \; -query 'alter user %s identified by \"%s\" DEFAULT Tablespace %s;'" %(audit_db_user, audit_db_password, audit_db_name) + jisql_log(query, audit_db_root_password) ret2 = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd +" -query \"alter user %s identified by \"%s\" DEFAULT Tablespace %s;\" -c ;" %(audit_db_user, audit_db_password, audit_db_name) + jisql_log(query, audit_db_root_password) ret2 = subprocess.call(query) if (ret1 == 0 and ret2 == 0): log("[I] Granting permission to " + db_user, "info") if os_name == "LINUX": query = get_cmd + " -c \; -query 'GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE ANY SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;'" % (db_user) + jisql_log(query, audit_db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE ANY SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;\" -c ;" % (db_user) + jisql_log(query, audit_db_root_password) ret = subprocess.call(query) if ret == 0: return True 
@@ -609,9 +656,11 @@ def grant_xa_db_user(self, root_user, db_name, db_user, db_password, db_root_pas get_cmd = self.get_jisql_cmd(root_user ,db_root_password) if os_name == "LINUX": query = get_cmd + " -c \; -query 'GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE ANY SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;'" % (db_user) + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE ANY SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;\" -c ;" % (db_user) + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret == 0: log("[I] Granted permission to " + db_user, "info") @@ -636,9 +685,11 @@ def create_auditdb_user(self, xa_db_host , audit_db_host , db_name ,audit_db_nam get_cmd = self.get_jisql_cmd(audit_db_root_user, audit_db_root_password) if os_name == "LINUX": query = get_cmd + " -c \; -query 'create user %s identified by \"%s\";'" %(db_user, db_password) + jisql_log(query, audit_db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"create user %s identified by \"%s\";\" -c ;" %(db_user, db_password) + jisql_log(query, audit_db_root_password) ret = subprocess.call(query) if ret == 0: if self.verify_user(audit_db_root_user, db_user, audit_db_root_password,dryMode): 
@@ -646,9 +697,11 @@ def create_auditdb_user(self, xa_db_host , audit_db_host , db_name ,audit_db_nam log("[I] Granting permission to " + db_user, "info") if os_name == "LINUX": query = get_cmd + " -c \; -query 'GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE ANY SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;'" % (db_user) + jisql_log(query, audit_db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE ANY SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;\" -c ;" % (db_user) + jisql_log(query, audit_db_root_password) ret = subprocess.call(query) if ret == 0: log("[I] Granting permissions to Oracle user '" + db_user + "' for %s Done" %(self.host), "info") 
@@ -674,17 +727,21 @@ def create_auditdb_user(self, xa_db_host , audit_db_host , db_name ,audit_db_nam get_cmd = self.get_jisql_cmd(audit_db_root_user, audit_db_root_password) if os_name == "LINUX": query = get_cmd + " -c \; -query 'create user %s identified by \"%s\";'" %(audit_db_user, audit_db_password) + jisql_log(query, audit_db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"create user %s identified by \"%s\";\" -c ;" %(audit_db_user, audit_db_password) + jisql_log(query, audit_db_root_password) ret = subprocess.call(query) if ret == 0: if self.verify_user(audit_db_root_user, audit_db_user, audit_db_root_password,dryMode): if os_name == "LINUX": query = get_cmd + " -c \; -query \"GRANT CREATE SESSION TO %s;\"" %(audit_db_user) + jisql_log(query, audit_db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"GRANT CREATE SESSION TO %s;\" -c ;" %(audit_db_user) + jisql_log(query, audit_db_root_password) ret = subprocess.call(query) if ret == 0: log("[I] Granting permission to " + audit_db_user + " done", "info") 
@@ -700,6 +757,18 @@ def create_auditdb_user(self, xa_db_host , audit_db_host , db_name ,audit_db_nam if DBA_MODE == "TRUE": self.grant_xa_db_user(audit_db_root_user, audit_db_name, db_user, db_password, audit_db_root_password, False,dryMode) + def writeDrymodeCmd(self, xa_db_host, audit_db_host, xa_db_root_user, xa_db_root_password, db_user, db_password, db_name, audit_db_root_user, audit_db_root_password, audit_db_user, audit_db_password, audit_db_name): + logFile("# Login to ORACLE Server from a ORACLE dba user(i.e 'sys') to execute below sql statements.") + logFile('create user %s identified by "%s";'%(db_user, db_password)) + logFile('GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE ANY SYNONYM,CREATE TRIGGER,UNLIMITED TABLESPACE TO %s WITH ADMIN OPTION;'%(db_user)) + logFile("create tablespace %s datafile '%s.dat' size 10M autoextend on;" %(db_name, db_name)) + logFile('alter user %s identified by "%s" DEFAULT tablespace %s;'%(db_user, db_password, db_name)) + if not db_user == audit_db_user: + logFile('create user %s identified by "%s";'%(audit_db_user, audit_db_password)) + logFile('GRANT CREATE SESSION TO %s;' %(audit_db_user)) + logFile("create tablespace %s datafile '%s.dat' size 10M autoextend on;" %(audit_db_name, audit_db_name)) + logFile('alter user %s identified by "%s" DEFAULT tablespace %s;' %(audit_db_user, audit_db_password, audit_db_name)) + logFile('GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE ANY SYNONYM,CREATE TRIGGER,UNLIMITED TABLESPACE TO %s WITH ADMIN OPTION;'%(db_user)) class PostgresConf(BaseDB): # Constructor 
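Review bot: The last statement in the Oracle writeDrymodeCmd grants the full privilege set to `db_user` again, repeating the grant written at the top of the method, while `audit_db_user` receives only `CREATE SESSION`; if that final grant was meant for the audit user this is a bug, and if the repetition is intentional a comment should say why. The indentation of that line relative to the `if not db_user == audit_db_user:` block is not recoverable from this diff, so confirm against the file.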
@@ -713,9 +782,9 @@ def get_jisql_cmd(self, user, password, db_name): path = RANGER_ADMIN_HOME self.JAVA_BIN = self.JAVA_BIN.strip("'") if os_name == "LINUX": - jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver postgresql -cstring jdbc:postgresql://%s/%s -u %s -p %s -noheader -trim -c \;" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR,path, self.host, db_name, user, password) + jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver postgresql -cstring jdbc:postgresql://%s/%s -u %s -p '%s' -noheader -trim -c \;" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR,path, self.host, db_name, user, password) elif os_name == "WINDOWS": - jisql_cmd = "%s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver postgresql -cstring jdbc:postgresql://%s/%s -u %s -p %s -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, self.host, db_name, user, password) + jisql_cmd = "%s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver postgresql -cstring jdbc:postgresql://%s/%s -u %s -p \"%s\" -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, self.host, db_name, user, password) return jisql_cmd def verify_user(self, root_user, db_root_password, db_user,dryMode): @@ -726,6 +795,7 @@ def verify_user(self, root_user, db_root_password, db_user,dryMode): query = get_cmd + " -query \"SELECT rolname FROM pg_roles WHERE rolname='%s';\"" %(db_user) elif os_name == "WINDOWS": query = get_cmd + " -query \"SELECT rolname FROM pg_roles WHERE rolname='%s';\" -c ;" %(db_user) + jisql_log(query, db_root_password) output = check_output(query) if output.strip(db_user + " |"): return True @@ -739,6 +809,7 @@ def check_connection(self, db_name, db_user, db_password): query = get_cmd + " -query \"SELECT 1;\"" elif os_name == "WINDOWS": query = get_cmd + " -query \"SELECT 1;\" -c ;" + jisql_log(query, db_password) output = check_output(query) if output.strip('1 |'): #log("[I] connection success", "info") 
@@ -758,9 +829,11 @@ def create_rangerdb_user(self, root_user, db_user, db_password, db_root_password get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'postgres') if os_name == "LINUX": query = get_cmd + " -query \"CREATE USER %s WITH LOGIN PASSWORD '%s';\"" %(db_user, db_password) + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"CREATE USER %s WITH LOGIN PASSWORD '%s';\" -c ;" %(db_user, db_password) + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret == 0: if self.verify_user(root_user, db_root_password, db_user,dryMode): @@ -782,6 +855,7 @@ def verify_db(self, root_user, db_root_password, db_name,dryMode): query = get_cmd + " -query \"SELECT datname FROM pg_database where datname='%s';\"" %(db_name) elif os_name == "WINDOWS": query = get_cmd + " -query \"SELECT datname FROM pg_database where datname='%s';\" -c ;" %(db_name) + jisql_log(query, db_root_password) output = check_output(query) if output.strip(db_name + " |"): return True @@ -799,9 +873,11 @@ def create_db(self, root_user, db_root_password, db_name, db_user, db_password,d get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'postgres') if os_name == "LINUX": query = get_cmd + " -query \"create database %s with OWNER %s;\"" %(db_name, db_user) + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"create database %s with OWNER %s;\" -c ;" %(db_name, db_user) + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret != 0: log("[E] Database creation failed..","error") 
@@ -822,9 +898,11 @@ def grant_xa_db_user(self, root_user, db_name, db_user, db_password, db_root_pas get_cmd = self.get_jisql_cmd(root_user, db_root_password, db_name) if os_name == "LINUX": query = get_cmd + " -query \"GRANT ALL PRIVILEGES ON DATABASE %s to %s;\"" %(db_name, db_user) + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"GRANT ALL PRIVILEGES ON DATABASE %s to %s;\" -c ;" %(db_name, db_user) + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret != 0: log("[E] Granting all privileges on database "+db_name+" to user "+db_user+" failed..", "error") @@ -832,9 +910,11 @@ def grant_xa_db_user(self, root_user, db_name, db_user, db_password, db_root_pas if os_name == "LINUX": query = get_cmd + " -query \"GRANT ALL PRIVILEGES ON SCHEMA public TO %s;\"" %(db_user) + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"GRANT ALL PRIVILEGES ON SCHEMA public TO %s;\" -c ;" %(db_user) + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret != 0: log("[E] Granting all privileges on schema public to user "+db_user+" failed..", "error") @@ -842,9 +922,11 @@ def grant_xa_db_user(self, root_user, db_name, db_user, db_password, db_root_pas if os_name == "LINUX": query = get_cmd + " -query \"SELECT table_name FROM information_schema.tables WHERE table_schema = 'public';\"" + jisql_log(query, db_root_password) output = check_output(query) elif os_name == "WINDOWS": query = get_cmd + " -query \"SELECT table_name FROM information_schema.tables WHERE table_schema = 'public';\" -c ;" + jisql_log(query, db_root_password) output = check_output(query) for each_line in output.split('\n'): if len(each_line) == 0 : continue 
@@ -853,12 +935,14 @@ def grant_xa_db_user(self, root_user, db_name, db_user, db_password, db_root_pas tablename = tablename.strip() if os_name == "LINUX": query1 = get_cmd + " -query \"GRANT ALL PRIVILEGES ON TABLE %s TO %s;\"" %(tablename,db_user) + jisql_log(query1, db_root_password) ret = subprocess.call(shlex.split(query1)) if ret != 0: log("[E] Granting all privileges on tablename "+tablename+" to user "+db_user+" failed..", "error") sys.exit(1) elif os_name == "WINDOWS": query1 = get_cmd + " -query \"GRANT ALL PRIVILEGES ON TABLE %s TO %s;\" -c ;" %(tablename,db_user) + jisql_log(query1, db_root_password) ret = subprocess.call(query1) if ret != 0: log("[E] Granting all privileges on tablename "+tablename+" to user "+db_user+" failed..", "error") @@ -870,6 +954,7 @@ def grant_xa_db_user(self, root_user, db_name, db_user, db_password, db_root_pas output = check_output(query) elif os_name == "WINDOWS": query = get_cmd + " -query \"SELECT sequence_name FROM information_schema.sequences where sequence_schema='public';\" -c ;" + jisql_log(query, db_root_password) output = check_output(query) for each_line in output.split('\n'): if len(each_line) == 0 : continue @@ -878,12 +963,14 @@ def grant_xa_db_user(self, root_user, db_name, db_user, db_password, db_root_pas sequence_name = sequence_name.strip() if os_name == "LINUX": query1 = get_cmd + " -query \"GRANT ALL PRIVILEGES ON SEQUENCE %s TO %s;\"" %(sequence_name,db_user) + jisql_log(query1, db_root_password) ret = subprocess.call(shlex.split(query1)) if ret != 0: log("[E] Granting all privileges on sequence "+sequence_name+" to user "+db_user+" failed..", "error") sys.exit(1) elif os_name == "WINDOWS": query1 = get_cmd + " -query \"GRANT ALL PRIVILEGES ON SEQUENCE %s TO %s;\" -c ;" %(sequence_name,db_user) + jisql_log(query1, db_root_password) ret = subprocess.call(query1) if ret != 0: log("[E] Granting all privileges on sequence "+sequence_name+" to user "+db_user+" failed..", "error") 
@@ -907,6 +994,25 @@ def create_auditdb_user(self, xa_db_host, audit_db_host, db_name, audit_db_name, if DBA_MODE == "TRUE": self.grant_xa_db_user(audit_db_root_user, audit_db_name, db_user, db_password, audit_db_root_password, False,dryMode) + def writeDrymodeCmd(self, xa_db_host, audit_db_host, xa_db_root_user, xa_db_root_password, db_user, db_password, db_name, audit_db_root_user, audit_db_root_password, audit_db_user, audit_db_password, audit_db_name): + logFile("# Login to POSTGRES Server from a POSTGRES dba user(i.e 'postgres') to execute below sql statements.") + logFile("CREATE USER %s WITH LOGIN PASSWORD '%s';" %(db_user, db_password)) + logFile("CREATE DATABASE %s WITH OWNER %s;" %(db_name, db_user)) + logFile("# Login to POSTGRES Server from a POSTGRES dba user(i.e 'postgres') on '%s' database to execute below sql statements."%(db_name)) + logFile("GRANT ALL PRIVILEGES ON DATABASE %s TO %s;" %(db_name, db_user)) + logFile("GRANT ALL PRIVILEGES ON SCHEMA public TO %s;" %(db_user)) + if not db_user == audit_db_user: + logFile("# Login to POSTGRES Server from a POSTGRES dba user(i.e 'postgres') to execute below sql statements.") + logFile("CREATE USER %s WITH LOGIN PASSWORD '%s';" %(audit_db_user, audit_db_password)) + if not db_name == audit_db_name: + if not db_user == audit_db_user: + pass + else: + logFile("# Login to POSTGRES Server from a POSTGRES dba user(i.e 'postgres') to execute below sql statements.") + logFile("CREATE DATABASE %s WITH OWNER %s;" %(audit_db_name, db_user)) + logFile("# Login to POSTGRES Server from a POSTGRES dba user(i.e 'postgres') on '%s' database to execute below sql statements."%(audit_db_name)) + logFile("GRANT ALL PRIVILEGES ON DATABASE %s TO %s;" %(audit_db_name, db_user)) + logFile("GRANT ALL PRIVILEGES ON SCHEMA public TO %s;" %(db_user)) class SqlServerConf(BaseDB): # Constructor 
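Review bot: When both the audit database name and the audit user differ from the admin ones, the generated DBA script never creates the audit database: the `if not db_name == audit_db_name:` block prints `CREATE DATABASE`/`GRANT` only in its `else` arm (users equal) and hits `pass` otherwise, so the DBA is told to create the audit user but not the database it should own — the SQL Anywhere variant later in this patch creates it unconditionally. Dropping the inner `if not db_user == audit_db_user: pass` and keeping only the `else` body fixes this, and the surviving condition reads better positively as `if db_user == audit_db_user:`. Separately, these statements carry `db_password`/`audit_db_password` in clear (`CREATE USER %s WITH LOGIN PASSWORD '%s'`); the interactive path substitutes `*****` later in this patch, but in quiet mode the install.properties values reach this method, so the file `logFile` writes (defined outside this view) should be created with owner-only permissions or the passwords masked. The `xa_db_root_password`/`audit_db_root_password` parameters are unused here.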
@@ -920,9 +1026,9 @@ def get_jisql_cmd(self, user, password, db_name): path = RANGER_ADMIN_HOME self.JAVA_BIN = self.JAVA_BIN.strip("'") if os_name == "LINUX": - jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password %s -driver mssql -cstring jdbc:sqlserver://%s\\;databaseName=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,user, password, self.host,db_name) + jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -p '%s' -driver mssql -cstring jdbc:sqlserver://%s\\;databaseName=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,user, password, self.host,db_name) elif os_name == "WINDOWS": - jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password %s -driver mssql -cstring jdbc:sqlserver://%s;databaseName=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password, self.host,db_name) + jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -p \"%s\" -driver mssql -cstring jdbc:sqlserver://%s;databaseName=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password, self.host,db_name) return jisql_cmd def verify_user(self, root_user, db_root_password, db_user,dryMode): @@ -933,6 +1039,7 @@ def verify_user(self, root_user, db_root_password, db_user,dryMode): query = get_cmd + " -c \; -query \"select name from sys.sql_logins where name = '%s';\"" %(db_user) elif os_name == "WINDOWS": query = get_cmd + " -query \"select name from sys.sql_logins where name = '%s';\" -c ;" %(db_user) + jisql_log(query, db_root_password) output = check_output(query) if output.strip(db_user + " |"): return True 
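Review bot: The switch to `-p '%s'` still places the DBA password on the java command line, where any local user can read it from the process listing for the lifetime of every jisql invocation; if jisql can take the password from a file or stdin that is preferable, otherwise the exposure should at least be documented above `get_jisql_cmd`. The single quotes also mean a password containing `'` breaks `shlex.split` on Linux (and `"` breaks the Windows variant) unless `password_validation` (defined outside this view) rejects those characters — worth stating, e.g. `# password is passed on the command line; quoting assumes password_validation rejects quote characters`. The same change is made for SQL Anywhere later in this patch.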
@@ -946,6 +1053,7 @@ def check_connection(self, db_name, db_user, db_password): query = get_cmd + " -c \; -query \"SELECT 1;\"" elif os_name == "WINDOWS": query = get_cmd + " -query \"SELECT 1;\" -c ;" + jisql_log(query, db_password) output = check_output(query) if output.strip('1 |'): log("[I] Connection success", "info") @@ -965,9 +1073,11 @@ def create_rangerdb_user(self, root_user, db_user, db_password, db_root_password log("[I] User does not exists, Creating Login user " + db_user, "info") if os_name == "LINUX": query = get_cmd + " -c \; -query \"CREATE LOGIN %s WITH PASSWORD = '%s';\"" %(db_user,db_password) + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"CREATE LOGIN %s WITH PASSWORD = '%s';\" -c ;" %(db_user,db_password) + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret == 0: if self.verify_user(root_user, db_root_password, db_user,dryMode): @@ -989,6 +1099,7 @@ def verify_db(self, root_user, db_root_password, db_name,dryMode): query = get_cmd + " -c \; -query \"SELECT name from sys.databases where name='%s';\"" %(db_name) elif os_name == "WINDOWS": query = get_cmd + " -query \"SELECT name from sys.databases where name='%s';\" -c ;" %(db_name) + jisql_log(query, db_root_password) output = check_output(query) if output.strip(db_name + " |"): return True @@ -1005,9 +1116,11 @@ def create_db(self, root_user, db_root_password, db_name, db_user, db_password,d get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'master') if os_name == "LINUX": query = get_cmd + " -c \; -query \"create database %s;\"" %(db_name) + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"create database %s;\" -c ;" %(db_name) + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret != 0: log("[E] Database creation failed..","error") 
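Review bot: In `create_rangerdb_user` the statement `CREATE LOGIN %s WITH PASSWORD = '%s'` embeds `db_password`, but the new `jisql_log(query, db_root_password)` is handed only the root password, so if `jisql_log` (defined outside this view) masks just the value it is given, the new login's password is written to the log in clear. Mask the statement password too, e.g. `jisql_log(query.replace(db_password, '*****'), db_root_password)`, or extend `jisql_log` to accept every secret the command contains. The same pattern recurs in the SQL Anywhere `create_rangerdb_user`, `create_db`, `create_user` and `grant_xa_db_user` hunks later in this patch.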
@@ -1029,6 +1142,7 @@ def create_user(self, root_user, db_name ,db_user, db_password, db_root_password query = get_cmd + " -c \; -query \"SELECT name FROM sys.database_principals WHERE name = N'%s';\"" %(db_user) elif os_name == "WINDOWS": query = get_cmd + " -query \"SELECT name FROM sys.database_principals WHERE name = N'%s';\" -c ;" %(db_user) + jisql_log(query, db_root_password) output = check_output(query) if output.strip(db_user + " |"): if dryMode == False: @@ -1037,15 +1151,18 @@ def create_user(self, root_user, db_name ,db_user, db_password, db_root_password if dryMode == False: if os_name == "LINUX": query = get_cmd + " -c \; -query \"CREATE USER %s for LOGIN %s;\"" %(db_user, db_user) + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"CREATE USER %s for LOGIN %s;\" -c ;" %(db_user, db_user) + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret == 0: if os_name == "LINUX": query = get_cmd + " -c \; -query \"SELECT name FROM sys.database_principals WHERE name = N'%s';\"" %(db_user) elif os_name == "WINDOWS": query = get_cmd + " -query \"SELECT name FROM sys.database_principals WHERE name = N'%s';\" -c ;" %(db_user) + jisql_log(query, db_root_password) output = check_output(query) if output.strip(db_user + " |"): log("[I] User "+db_user+" exist ","info") @@ -1064,9 +1181,11 @@ def grant_xa_db_user(self, root_user, db_name, db_user, db_password, db_root_pas get_cmd = self.get_jisql_cmd(root_user, db_root_password, db_name) if os_name == "LINUX": query = get_cmd + " -c \; -query \" EXEC sp_addrolemember N'db_owner', N'%s';\"" %(db_user) + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \" EXEC sp_addrolemember N'db_owner', N'%s';\" -c ;" %(db_user) + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret != 0: sys.exit(1) 
@@ -1085,6 +1204,35 @@ def create_auditdb_user(self, xa_db_host, audit_db_host, db_name, audit_db_name, self.create_user(xa_db_root_user, audit_db_name ,db_user, db_password, xa_db_root_password,dryMode) self.grant_xa_db_user(audit_db_root_user, audit_db_name, db_user, db_password, audit_db_root_password, is_revoke, dryMode) + def writeDrymodeCmd(self, xa_db_host, audit_db_host, xa_db_root_user, xa_db_root_password, db_user, db_password, db_name, audit_db_root_user, audit_db_root_password, audit_db_user, audit_db_password, audit_db_name): + logFile("# Login to MSSQL Server from a MSSQL dba user(i.e 'sa') to execute below sql statements.") + logFile("CREATE LOGIN %s WITH PASSWORD = '%s';" %(db_user, db_password)) + logFile("create database %s;" %(db_name)) + logFile("# Login to MSSQL Server from a MSSQL dba user(i.e 'sa') on '%s' database to execute below sql statements."%(db_name)) + logFile("CREATE USER %s for LOGIN %s;" %(db_user, db_user)) + logFile("EXEC sp_addrolemember N'db_owner', N'%s';" %(db_user)) + if not db_user == audit_db_user: + logFile("# Login to MSSQL Server from a MSSQL dba user(i.e 'sa') to execute below sql statements.") + logFile("CREATE LOGIN %s WITH PASSWORD = '%s';" %(audit_db_user, audit_db_password)) + if not db_name == audit_db_name: + if not db_user == audit_db_user: + pass + else: + logFile("# Login to MSSQL Server from a MSSQL dba user(i.e 'sa') to execute below sql statements.") + logFile("create database %s;"%(audit_db_name)) + if db_name == audit_db_name and db_user!=audit_db_user: + logFile("# Login to MSSQL Server from a MSSQL dba user(i.e 'sa') on '%s' database to execute below sql statements."%(audit_db_name)) + logFile("CREATE USER %s for LOGIN %s;" %(audit_db_user, audit_db_user)) + if db_name != audit_db_name: + logFile("# Login to MSSQL Server from a MSSQL dba user(i.e 'sa') on '%s' database to execute below sql statements."%(audit_db_name)) + if db_user==audit_db_user: + logFile("CREATE USER %s for LOGIN %s;" %(db_user, 
db_user)) + else: + logFile("CREATE USER %s for LOGIN %s;" %(audit_db_user, audit_db_user)) + logFile("CREATE USER %s for LOGIN %s;" %(db_user, db_user)) + logFile("EXEC sp_addrolemember N'db_owner', N'%s';" %(db_user)) + + class SqlAnywhereConf(BaseDB): # Constructor def __init__(self, host, SQL_CONNECTOR_JAR, JAVA_BIN): @@ -1096,9 +1244,9 @@ def get_jisql_cmd(self, user, password, db_name): path = RANGER_ADMIN_HOME self.JAVA_BIN = self.JAVA_BIN.strip("'") if os_name == "LINUX": - jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password '%s' -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,user, password,db_name,self.host) + jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -p '%s' -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,user, password,db_name,self.host) elif os_name == "WINDOWS": - jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password '%s' -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password,db_name,self.host) + jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -p \"%s\" -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password,db_name,self.host) return jisql_cmd def verify_user(self, root_user, db_root_password, db_user,dryMode): 
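Review bot: For the case `db_name != audit_db_name and db_user != audit_db_user` this method emits `CREATE USER ... for LOGIN` and `sp_addrolemember` against `audit_db_name` but never `create database %s;` for it — the `if not db_name == audit_db_name:` block prints the CREATE DATABASE only when the users are equal and does `pass` otherwise, so the DBA script is incomplete for a separate audit database with its own user. Removing the inner user check, `if not db_name == audit_db_name: logFile("create database %s;" % (audit_db_name))`, makes the dry-run output match what the non-dry-run flow presumably does. The two `CREATE USER` blocks for the equal-name and different-name cases could also be merged, since the `db_owner` grant they end with is identical.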
@@ -1109,6 +1257,7 @@ def verify_user(self, root_user, db_root_password, db_user,dryMode): query = get_cmd + " -c \; -query \"select name from syslogins where name = '%s';\"" %(db_user) elif os_name == "WINDOWS": query = get_cmd + " -query \"select name from syslogins where name = '%s';\" -c ;" %(db_user) + jisql_log(query, db_root_password) output = check_output(query) if output.strip(db_user + " |"): return True @@ -1122,6 +1271,7 @@ def check_connection(self, db_name, db_user, db_password): query = get_cmd + " -c \; -query \"SELECT 1;\"" elif os_name == "WINDOWS": query = get_cmd + " -query \"SELECT 1;\" -c ;" + jisql_log(query, db_password) output = check_output(query) if output.strip('1 |'): log("[I] Connection success", "info") @@ -1141,9 +1291,11 @@ def create_rangerdb_user(self, root_user, db_user, db_password, db_root_password log("[I] User does not exists, Creating Login user " + db_user, "info") if os_name == "LINUX": query = get_cmd + " -c \; -query \"CREATE USER %s IDENTIFIED BY '%s';\"" %(db_user,db_password) + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"CREATE USER %s IDENTIFIED BY '%s';\" -c ;" %(db_user,db_password) + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret == 0: if self.verify_user(root_user, db_root_password, db_user,dryMode): @@ -1165,6 +1317,7 @@ def start_db(self,root_user, db_root_password, db_name,dryMode): query = get_cmd + " -c \; -query \"start database '%s' autostop off;\"" %(db_name) elif os_name == "WINDOWS": query = get_cmd + " -query \"start database '%s' autostop off;\" -c ;" %(db_name) + jisql_log(query, db_root_password) output = check_output(query) def verify_db(self, root_user, db_root_password, db_name,dryMode): 
@@ -1175,6 +1328,7 @@ def verify_db(self, root_user, db_root_password, db_name,dryMode): query = get_cmd + " -c \; -query \"select alias from sa_db_info() where alias='%s';\"" %(db_name) elif os_name == "WINDOWS": query = get_cmd + " -query \"select alias from sa_db_info() where alias='%s';\" -c ;" %(db_name) + jisql_log(query, db_root_password) output = check_output(query) if output.strip(db_name + " |"): return True @@ -1191,9 +1345,11 @@ def create_db(self, root_user, db_root_password, db_name, db_user, db_password,d get_cmd = self.get_jisql_cmd(root_user, db_root_password, '') if os_name == "LINUX": query = get_cmd + " -c \; -query \"create database '%s' dba user '%s' dba password '%s' database size 100MB;\"" %(db_name,db_user, db_password) + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"create database '%s' dba user '%s' dba password '%s' database size 100MB;\" -c ;" %(db_name,db_user, db_password) + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret != 0: log("[E] Database creation failed..","error") @@ -1216,6 +1372,7 @@ def create_user(self, root_user, db_name ,db_user, db_password, db_root_password query = get_cmd + " -c \; -query \"select name from syslogins where name ='%s';\"" %(db_user) elif os_name == "WINDOWS": query = get_cmd + " -query \"select name from syslogins where name ='%s';\" -c ;" %(db_user) + jisql_log(query, db_root_password) output = check_output(query) if output.strip(db_user + " |"): if dryMode == False: 
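Review bot: In the SQL Anywhere `create_db` hunk the command `create database '%s' dba user '%s' dba password '%s'` contains `db_password`, yet `jisql_log(query, db_root_password)` only receives the root password, so the new database's DBA password presumably reaches the log unmasked. Pass or mask `db_password` as well before logging, e.g. `jisql_log(query.replace(db_password, '*****'), db_root_password)`. `create_db` continues outside the hunk.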
@@ -1224,15 +1381,18 @@ def create_user(self, root_user, db_name ,db_user, db_password, db_root_password if dryMode == False: if os_name == "LINUX": query = get_cmd + " -c \; -query \"CREATE USER %s IDENTIFIED BY '%s';\"" %(db_user, db_password) + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \"CREATE USER %s IDENTIFIED BY '%s';\" -c ;" %(db_user, db_password) + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret == 0: if os_name == "LINUX": query = get_cmd + " -c \; -query \"select name from syslogins where name ='%s';\"" %(db_user) elif os_name == "WINDOWS": query = get_cmd + " -query \"select name from syslogins where name ='%s';\" -c ;" %(db_user) + jisql_log(query, db_root_password) output = check_output(query) if output.strip(db_user + " |"): log("[I] User "+db_user+" exist ","info") @@ -1251,9 +1411,11 @@ def grant_xa_db_user(self, root_user, db_name, db_user, db_password, db_root_pas get_cmd = self.get_jisql_cmd(root_user, db_root_password, db_name) if os_name == "LINUX": query = get_cmd + " -c \; -query \" GRANT CONNECT to %s IDENTIFIED BY '%s';\"" %(db_user,db_password) + jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": query = get_cmd + " -query \" GRANT CONNECT to %s IDENTIFIED BY '%s';\"" %(db_user,db_password) + jisql_log(query, db_root_password) ret = subprocess.call(query) if ret != 0: sys.exit(1) 
@@ -1271,6 +1433,21 @@ def create_auditdb_user(self, xa_db_host, audit_db_host, db_name, audit_db_name, self.create_user(xa_db_root_user, audit_db_name ,db_user, db_password, xa_db_root_password,dryMode) self.grant_xa_db_user(db_user, audit_db_name, audit_db_user, audit_db_password, db_password, is_revoke, dryMode) + def writeDrymodeCmd(self, xa_db_host, audit_db_host, xa_db_root_user, xa_db_root_password, db_user, db_password, db_name, audit_db_root_user, audit_db_root_password, audit_db_user, audit_db_password, audit_db_name): + logFile("# Login to SQL Anywhere Server from a SQLA dba user(i.e 'dba') to execute below sql statements.") + logFile("CREATE USER %s IDENTIFIED BY '%s';" %(db_user, db_password)) + logFile("create database '%s' dba user '%s' dba password '%s' database size 100MB;" %(db_name, db_user ,db_password)) + logFile("start database '%s' autostop off;" %(db_name)) + if not db_user == audit_db_user: + logFile("CREATE USER %s IDENTIFIED BY '%s';" %(audit_db_user, audit_db_password)) + if not db_name == audit_db_name: + logFile("create database '%s' dba user '%s' dba password '%s' database size 100MB;" %(audit_db_name, db_user ,db_password)) + logFile("start database '%s' autostop off;" %(audit_db_name)) + if not db_user == audit_db_user: + logFile("# Login to SQL Anywhere Server from '%s' user on '%s' database to execute below sql statements."%(db_user,audit_db_name)) + logFile("GRANT CONNECT to %s IDENTIFIED BY '%s';" %(audit_db_user, audit_db_password)) + + def main(argv): FORMAT = '%(asctime)-15s %(message)s' @@ -1281,7 +1458,7 @@ def main(argv): dryMode=False is_revoke=False - if len(argv) == 3: + if len(argv) == 4 and argv[3] == 'password_validation': password_validation(argv[1],argv[2]); return; 
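Review bot: `password_validation(argv[1],argv[2])` receives the password as a command-line argument of the python process (the call sites later in this patch pass the password first, the label second), so the value is visible in the host's process listing for the duration of the check; the shell caller is outside this view, but passing the password via stdin or an environment variable would avoid that. The `len(argv) == 4 and argv[3] == 'password_validation'` guard is also an undocumented calling convention; a one-line comment, `# invoked as: db_setup.py <password> <label> password_validation`, would help the next reader. `main` continues outside the hunk.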
@@ -1334,20 +1511,24 @@ def main(argv): else: log("[E] ---------- JAVA Not Found, aborting installation. ----------", "error") sys.exit(1) + log("[I] Using Java:" + str(JAVA_BIN),"info") else: - if os.environ['JAVA_HOME'] == "": - log("[E] ---------- JAVA_HOME environment property not defined, aborting installation. ----------", "error") - sys.exit(1) - JAVA_BIN=os.path.join(os.environ['JAVA_HOME'],'bin','java') - if os_name == "WINDOWS" : - JAVA_BIN = JAVA_BIN+'.exe' - if os.path.isfile(JAVA_BIN): - pass - else : - while os.path.isfile(JAVA_BIN) == False: - log("Enter java executable path: :","info") - JAVA_BIN=raw_input() - log("[I] Using Java:" + str(JAVA_BIN),"info") + JAVA_BIN='' + if not dryMode: + if os.environ['JAVA_HOME'] == "": + log("[E] ---------- JAVA_HOME environment property not defined, aborting installation. ----------", "error") + sys.exit(1) + JAVA_BIN=os.path.join(os.environ['JAVA_HOME'],'bin','java') + if os_name == "WINDOWS" : + JAVA_BIN = JAVA_BIN+'.exe' + if os.path.isfile(JAVA_BIN): + pass + else : + while os.path.isfile(JAVA_BIN) == False: + log("Enter java executable path: :","info") + JAVA_BIN=raw_input() + log("[I] Using Java:" + str(JAVA_BIN),"info") + if (quiteMode): XA_DB_FLAVOR=globalDict['DB_FLAVOR'] 
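Review bot: `os.environ['JAVA_HOME']` raises `KeyError` when the variable is unset, so the `== ""` check and the friendly abort only fire when JAVA_HOME exists but is empty; a missing JAVA_HOME ends in a traceback. Use `java_home = os.environ.get('JAVA_HOME', '')` and `if java_home == "":`, then `JAVA_BIN = os.path.join(java_home, 'bin', 'java')`. The hunk only re-indents this logic under `if not dryMode`, so it is a good moment to fix it; `main` continues outside the hunk.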
@@ -1366,121 +1547,135 @@ def main(argv): if (quiteMode): CONNECTOR_JAR=globalDict['SQL_CONNECTOR_JAR'] else: - if XA_DB_FLAVOR == "MYSQL" or XA_DB_FLAVOR == "ORACLE" or XA_DB_FLAVOR == "POSTGRES" or XA_DB_FLAVOR == "MSSQL": - log("Enter JDBC connector file for :"+XA_DB_FLAVOR,"info") - CONNECTOR_JAR=raw_input() - while os.path.isfile(CONNECTOR_JAR) == False: - log("JDBC connector file "+CONNECTOR_JAR+" does not exist, Please enter connector path :","error") + CONNECTOR_JAR='' + if not dryMode: + if XA_DB_FLAVOR == "MYSQL" or XA_DB_FLAVOR == "ORACLE" or XA_DB_FLAVOR == "POSTGRES" or XA_DB_FLAVOR == "MSSQL" or XA_DB_FLAVOR == "SQLA": + log("Enter JDBC connector file for :"+XA_DB_FLAVOR,"info") CONNECTOR_JAR=raw_input() - else: - log("[E] ---------- NO SUCH SUPPORTED DB FLAVOUR.. ----------", "error") - sys.exit(1) + while os.path.isfile(CONNECTOR_JAR) == False: + log("JDBC connector file "+CONNECTOR_JAR+" does not exist, Please enter connector path :","error") + CONNECTOR_JAR=raw_input() + else: + log("[E] ---------- NO SUCH SUPPORTED DB FLAVOUR.. 
----------", "error") + sys.exit(1) if (quiteMode): xa_db_host = globalDict['db_host'] audit_db_host = globalDict['db_host'] + log("[I] DB Host:" + str(xa_db_host),"info") else: - xa_db_host='' - while xa_db_host == "": - log("Enter DB Host :","info") - xa_db_host=raw_input() - audit_db_host=xa_db_host - log("[I] DB Host:" + str(xa_db_host),"info") + if (dryMode): + xa_db_host='127.0.0.1' + audit_db_host='127.0.0.1' + else: + xa_db_host='' + while xa_db_host == "": + log("Enter DB Host :","info") + xa_db_host=raw_input() + audit_db_host=xa_db_host + log("[I] DB Host:" + str(xa_db_host),"info") if (quiteMode): xa_db_root_user = globalDict['db_root_user'] xa_db_root_password = globalDict['db_root_password'] else: - xa_db_root_user='' - while xa_db_root_user == "": - log("Enter db root user:","info") - xa_db_root_user=raw_input() - log("Enter db root password:","info") - xa_db_root_password = getpass.getpass("Enter db root password:") + if (dryMode): + xa_db_root_user='db_root_user' + xa_db_root_password='*****' + else: + xa_db_root_user='' + while xa_db_root_user == "": + log("Enter db root user:","info") + xa_db_root_user=raw_input() + log("Enter db root password:","info") + xa_db_root_password = getpass.getpass("Enter db root password:") if (quiteMode): db_name = globalDict['db_name'] else: - db_name = '' - while db_name == "": - log("Enter DB Name :","info") - db_name=raw_input() + if (dryMode): + db_name='ranger_db' + else: + db_name = '' + while db_name == "": + log("Enter DB Name :","info") + db_name=raw_input() if (quiteMode): db_user = globalDict['db_user'] else: - db_user='' - while db_user == "": - log("Enter db user name:","info") - db_user=raw_input() + if (dryMode): + db_user='ranger_admin_user' + else: + db_user='' + while db_user == "": + log("Enter db user name:","info") + db_user=raw_input() if (quiteMode): db_password = globalDict['db_password'] else: - db_password='' - while db_password == "": - log("Enter db user password:","info") - db_password = 
getpass.getpass("Enter db user password:") + if (dryMode): + db_password='*****' + else: + db_password='' + while db_password == "": + log("Enter db user password:","info") + db_password = getpass.getpass("Enter db user password:") if (quiteMode): audit_db_name = globalDict['audit_db_name'] else: - audit_db_name='' - while audit_db_name == "": - log("Enter audit db name:","info") - audit_db_name = raw_input() + if (dryMode): + audit_db_name='ranger_audit_db' + else: + audit_db_name='' + while audit_db_name == "": + log("Enter audit db name:","info") + audit_db_name = raw_input() if (quiteMode): audit_db_user = globalDict['audit_db_user'] else: - audit_db_user='' - while audit_db_user == "": - log("Enter audit user name:","info") - audit_db_user = raw_input() + if (dryMode): + audit_db_user='ranger_logger_user' + else: + audit_db_user='' + while audit_db_user == "": + log("Enter audit user name:","info") + audit_db_user = raw_input() if (quiteMode): audit_db_password = globalDict['audit_db_password'] else: - audit_db_password='' - while audit_db_password == "": - log("Enter audit db user password:","info") - audit_db_password = getpass.getpass("Enter audit db user password:") + if (dryMode): + audit_db_password='*****' + else: + audit_db_password='' + while audit_db_password == "": + log("Enter audit db user password:","info") + audit_db_password = getpass.getpass("Enter audit db user password:") audit_db_root_user = xa_db_root_user audit_db_root_password = xa_db_root_password - #audit_db_root_user = globalDict['db_root_user'] - #audit_db_root_password = globalDict['db_root_password'] - #print "Enter audit_db_root_password :" - #log("Enter audit db root user:","info") - #audit_db_root_user = raw_input() - #log("Enter db root password:","info") - #xa_db_root_password = raw_input() mysql_dbversion_catalog = os.path.join('db','mysql','create_dbversion_catalog.sql') - #mysql_core_file = globalDict['mysql_core_file'] mysql_core_file = 
os.path.join('db','mysql','xa_core_db.sql') - #mysql_audit_file = globalDict['mysql_audit_file'] mysql_audit_file = os.path.join('db','mysql','xa_audit_db.sql') mysql_patches = os.path.join('db','mysql','patches') oracle_dbversion_catalog = os.path.join('db','oracle','create_dbversion_catalog.sql') - #oracle_core_file = globalDict['oracle_core_file'] oracle_core_file = os.path.join('db','oracle','xa_core_db_oracle.sql') - #oracle_audit_file = globalDict['oracle_audit_file'] oracle_audit_file = os.path.join('db','oracle','xa_audit_db_oracle.sql') oracle_patches = os.path.join('db','oracle','patches') postgres_dbversion_catalog = os.path.join('db','postgres','create_dbversion_catalog.sql') - #postgres_core_file = globalDict['postgres_core_file'] postgres_core_file = os.path.join('db','postgres','xa_core_db_postgres.sql') - #postgres_audit_file = globalDict['postgres_audit_file'] postgres_audit_file = os.path.join('db','postgres','xa_audit_db_postgres.sql') postgres_patches = os.path.join('db','postgres','patches') sqlserver_dbversion_catalog = os.path.join('db','sqlserver','create_dbversion_catalog.sql') - #sqlserver_core_file = globalDict['sqlserver_core_file'] sqlserver_core_file = os.path.join('db','sqlserver','xa_core_db_sqlserver.sql') - #sqlserver_audit_file = globalDict['sqlserver_audit_file'] sqlserver_audit_file = os.path.join('db','sqlserver','xa_audit_db_sqlserver.sql') sqlserver_patches = os.path.join('db','sqlserver','patches') @@ -1494,8 +1689,6 @@ def main(argv): x_user = 'x_portal_user' if XA_DB_FLAVOR == "MYSQL": - #MYSQL_CONNECTOR_JAR=globalDict['SQL_CONNECTOR_JAR'] - #MYSQL_CONNECTOR_JAR='/usr/share/java/mysql-connector-java.jar' MYSQL_CONNECTOR_JAR=CONNECTOR_JAR xa_sqlObj = MysqlConf(xa_db_host, MYSQL_CONNECTOR_JAR, JAVA_BIN) xa_db_version_file = os.path.join(RANGER_ADMIN_HOME,mysql_dbversion_catalog) 
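Review bot: The `*****` placeholders for `xa_db_root_password`, `db_password` and `audit_db_password` are applied only on the interactive (`not quiteMode`) path; with `quiteMode` set, the real values from install.properties are used in dry mode too and flow into the `writeDrymodeCmd` output later in this patch. If the dry-run script is meant to be shareable, mask on `dryMode` regardless of `quiteMode`, e.g. `if dryMode: db_password = '*****'` after the quiet/interactive branches (likewise for the other two); if the real passwords are intended so the DBA can run the script verbatim, that should be documented and the output file protected. The repeated `XA_DB_FLAVOR == "MYSQL" or ...` chain would read better as `XA_DB_FLAVOR in ("MYSQL", "ORACLE", "POSTGRES", "MSSQL", "SQLA")`. `main` extends beyond this hunk on both sides.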
@@ -1503,21 +1696,16 @@ def main(argv): xa_patch_file = os.path.join(RANGER_ADMIN_HOME,mysql_patches) elif XA_DB_FLAVOR == "ORACLE": - #ORACLE_CONNECTOR_JAR=globalDict['SQL_CONNECTOR_JAR'] - #ORACLE_CONNECTOR_JAR='/usr/share/java/ojdbc6.jar' ORACLE_CONNECTOR_JAR=CONNECTOR_JAR - if os_name == "LINUX": + if xa_db_root_user.upper() == "SYS" : xa_db_root_user = xa_db_root_user+" AS SYSDBA" - elif os_name == "WINDOWS": - xa_db_root_user = xa_db_root_user + xa_sqlObj = OracleConf(xa_db_host, ORACLE_CONNECTOR_JAR, JAVA_BIN) xa_db_version_file = os.path.join(RANGER_ADMIN_HOME,oracle_dbversion_catalog) xa_db_core_file = os.path.join(RANGER_ADMIN_HOME,oracle_core_file) xa_patch_file = os.path.join(RANGER_ADMIN_HOME,oracle_patches) elif XA_DB_FLAVOR == "POSTGRES": - #POSTGRES_CONNECTOR_JAR = globalDict['SQL_CONNECTOR_JAR'] - #POSTGRES_CONNECTOR_JAR='/usr/share/java/postgresql.jar' db_user=db_user.lower() db_name=db_name.lower() POSTGRES_CONNECTOR_JAR=CONNECTOR_JAR @@ -1527,8 +1715,6 @@ def main(argv): xa_patch_file = os.path.join(RANGER_ADMIN_HOME,postgres_patches) elif XA_DB_FLAVOR == "MSSQL": - #SQLSERVER_CONNECTOR_JAR = globalDict['SQL_CONNECTOR_JAR'] - #SQLSERVER_CONNECTOR_JAR='/usr/share/java/sqljdbc4-2.0.jar' SQLSERVER_CONNECTOR_JAR=CONNECTOR_JAR xa_sqlObj = SqlServerConf(xa_db_host, SQLSERVER_CONNECTOR_JAR, JAVA_BIN) xa_db_version_file = os.path.join(RANGER_ADMIN_HOME,sqlserver_dbversion_catalog) 
@@ -1550,35 +1736,26 @@ def main(argv): sys.exit(1) if AUDIT_DB_FLAVOR == "MYSQL": - #MYSQL_CONNECTOR_JAR=globalDict['SQL_CONNECTOR_JAR'] - #MYSQL_CONNECTOR_JAR='/usr/share/java/mysql-connector-java.jar' MYSQL_CONNECTOR_JAR=CONNECTOR_JAR audit_sqlObj = MysqlConf(audit_db_host,MYSQL_CONNECTOR_JAR,JAVA_BIN) audit_db_file = os.path.join(RANGER_ADMIN_HOME,mysql_audit_file) elif AUDIT_DB_FLAVOR == "ORACLE": - #ORACLE_CONNECTOR_JAR=globalDict['SQL_CONNECTOR_JAR'] - #ORACLE_CONNECTOR_JAR='/usr/share/java/ojdbc6.jar' ORACLE_CONNECTOR_JAR=CONNECTOR_JAR - if os_name == "LINUX": + if audit_db_root_user.upper() == "SYS": audit_db_root_user = audit_db_root_user+" AS SYSDBA" - if os_name == "WINDOWS": - audit_db_root_user = audit_db_root_user + audit_sqlObj = OracleConf(audit_db_host, ORACLE_CONNECTOR_JAR, JAVA_BIN) audit_db_file = os.path.join(RANGER_ADMIN_HOME,oracle_audit_file) elif AUDIT_DB_FLAVOR == "POSTGRES": - #POSTGRES_CONNECTOR_JAR = globalDict['SQL_CONNECTOR_JAR'] - #POSTGRES_CONNECTOR_JAR='/usr/share/java/postgresql.jar' audit_db_user=audit_db_user.lower() - audit_db_name=audit_db_name.lower() + audit_db_name=audit_db_name.lower() POSTGRES_CONNECTOR_JAR=CONNECTOR_JAR audit_sqlObj = PostgresConf(audit_db_host, POSTGRES_CONNECTOR_JAR, JAVA_BIN) audit_db_file = os.path.join(RANGER_ADMIN_HOME,postgres_audit_file) elif AUDIT_DB_FLAVOR == "MSSQL": - #SQLSERVER_CONNECTOR_JAR = globalDict['SQL_CONNECTOR_JAR'] - #SQLSERVER_CONNECTOR_JAR='/usr/share/java/sqljdbc4-2.0.jar' SQLSERVER_CONNECTOR_JAR=CONNECTOR_JAR audit_sqlObj = SqlServerConf(audit_db_host, SQLSERVER_CONNECTOR_JAR, JAVA_BIN) audit_db_file = os.path.join(RANGER_ADMIN_HOME,sqlserver_audit_file) 
@@ -1599,22 +1776,19 @@ def main(argv): if audit_store is None or audit_store == "": audit_store = "db" audit_store=audit_store.lower() - - log("[I] ---------- Verifing Ranger Admin db user password ---------- ","info") - password_validation(db_password,"admin"); - log("[I] ---------- Verifing Ranger Audit db user password ---------- ","info") - password_validation(audit_db_password,"audit"); + if not dryMode: + log("[I] ---------- Verifing DB root password ---------- ","info") + password_validation(xa_db_root_password,"DBA root"); + log("[I] ---------- Verifing Ranger Admin db user password ---------- ","info") + password_validation(db_password,"admin"); + log("[I] ---------- Verifing Ranger Audit db user password ---------- ","info") + password_validation(audit_db_password,"audit"); # Methods Begin if DBA_MODE == "TRUE" : if (dryMode==True): - log("[I] Dry run mode:"+str(dryMode),"info") log("[I] Logging DBA Script in file:"+str(globalDict["dryModeOutputFile"]),"info") logFile("===============================================\n") - xa_sqlObj.create_rangerdb_user(xa_db_root_user, db_user, db_password, xa_db_root_password,dryMode) - xa_sqlObj.create_db(xa_db_root_user, xa_db_root_password, db_name, db_user, db_password,dryMode) - if not XA_DB_FLAVOR == "SQLA": - xa_sqlObj.grant_xa_db_user(xa_db_root_user, db_name, db_user, db_password, xa_db_root_password, is_revoke,dryMode) - audit_sqlObj.create_auditdb_user(xa_db_host, audit_db_host, db_name, audit_db_name, xa_db_root_user, audit_db_root_user, db_user, audit_db_user, xa_db_root_password, audit_db_root_password, db_password, audit_db_password, DBA_MODE,dryMode) + xa_sqlObj.writeDrymodeCmd(xa_db_host, audit_db_host, xa_db_root_user, xa_db_root_password, db_user, db_password, db_name, audit_db_root_user, audit_db_root_password, audit_db_user, audit_db_password, audit_db_name) logFile("===============================================\n") if (dryMode==False): log("[I] ---------- Creating Ranger Admin db user ---------- 
","info") diff --git a/security-admin/scripts/install.properties b/security-admin/scripts/install.properties index eb0c7ecb3b6..f3af716fef3 100644 --- a/security-admin/scripts/install.properties +++ b/security-admin/scripts/install.properties @@ -26,11 +26,6 @@ PYTHON_COMMAND_INVOKER=python #DB_FLAVOR=MYSQL|ORACLE|POSTGRES|MSSQL|SQLA DB_FLAVOR=MYSQL # -# The executable path to be used to invoke command-line MYSQL -# -#SQL_COMMAND_INVOKER='mysql' -#SQL_COMMAND_INVOKER='sqlplus' -SQL_COMMAND_INVOKER='mysql' # # Location of DB client library (please check the location of the jar file) @@ -51,6 +46,9 @@ SQL_CONNECTOR_JAR=/usr/share/java/mysql-connector-java.jar # ************************************************************************** # #db_root_user=root|SYS|postgres|sa|dba +#db_host=host:port # for DB_FLAVOR=MYSQL|POSTGRES|SQLA|MSSQL #for example: db_host=localhost:3306 +#db_host=host:port:SID # for DB_FLAVOR=ORACLE #for SID example: db_host=localhost:1521:ORCL +#db_host=host:port/ServiceName # for DB_FLAVOR=ORACLE #for Service example: db_host=localhost:1521/XE db_root_user=root db_root_password= db_host=localhost 
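Review bot: Gating the three `password_validation` calls on `not dryMode` also skips them in quiet mode, where the real passwords from install.properties are available, so a dry run can emit a DBA script containing passwords that the subsequent real run will reject. Run the checks when `quiteMode` is set even in dry mode, e.g. `if not dryMode or quiteMode:` — whether the two modes can be combined depends on argument parsing outside this view. The new `password_validation(xa_db_root_password,"DBA root")` check is a good addition; `main` continues outside the hunk.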
@@ -129,16 +127,16 @@ authServicePort=5151 # # Sample Settings # -#xa_ldap_url="ldap://127.0.0.1:389" -#xa_ldap_userDNpattern="uid={0},ou=users,dc=xasecure,dc=net" -#xa_ldap_groupSearchBase="ou=groups,dc=xasecure,dc=net" -#xa_ldap_groupSearchFilter="(member=uid={0},ou=users,dc=xasecure,dc=net)" -#xa_ldap_groupRoleAttribute="cn" -#xa_ldap_base_dn="dc=xasecure,dc=net" -#xa_ldap_bind_dn="cn=admin,ou=users,dc=xasecure,dc=net" +#xa_ldap_url=ldap://127.0.0.1:389 +#xa_ldap_userDNpattern=uid={0},ou=users,dc=xasecure,dc=net +#xa_ldap_groupSearchBase=ou=groups,dc=xasecure,dc=net +#xa_ldap_groupSearchFilter=(member=uid={0},ou=users,dc=xasecure,dc=net) +#xa_ldap_groupRoleAttribute=cn +#xa_ldap_base_dn=dc=xasecure,dc=net +#xa_ldap_bind_dn=cn=admin,ou=users,dc=xasecure,dc=net #xa_ldap_bind_password= #xa_ldap_referral=follow|ignore -#xa_ldap_userSearchFilter="(uid={0})" +#xa_ldap_userSearchFilter=(uid={0}) xa_ldap_url= xa_ldap_userDNpattern= @@ -154,13 +152,13 @@ xa_ldap_userSearchFilter= # # Sample Settings # -#xa_ldap_ad_domain="xasecure.net" -#xa_ldap_ad_url="ldap://127.0.0.1:389" -#xa_ldap_ad_base_dn="dc=xasecure,dc=net" -#xa_ldap_ad_bind_dn="cn=administrator,ou=users,dc=xasecure,dc=net" +#xa_ldap_ad_domain=xasecure.net +#xa_ldap_ad_url=ldap://127.0.0.1:389 +#xa_ldap_ad_base_dn=dc=xasecure,dc=net +#xa_ldap_ad_bind_dn=cn=administrator,ou=users,dc=xasecure,dc=net #xa_ldap_ad_bind_password= #xa_ldap_ad_referral=follow|ignore -#xa_ldap_ad_userSearchFilter="(sAMAccountName={0})" +#xa_ldap_ad_userSearchFilter=(sAMAccountName={0}) xa_ldap_ad_domain= xa_ldap_ad_url= diff --git a/security-admin/scripts/setup.sh b/security-admin/scripts/setup.sh index 11b72b4eca0..36696a036cf 100755 --- a/security-admin/scripts/setup.sh +++ b/security-admin/scripts/setup.sh @@ -22,7 +22,6 @@ PROPFILE=$PWD/install.properties propertyValue='' -#. $PROPFILE if [ ! $? = "0" ];then log "$PROPFILE file not found....!!"; exit 1; 
@@ -42,12 +41,16 @@ get_prop(){
 validateProperty=$(sed '/^\#/d' $2 | grep "^$1\s*=" | tail -n 1) # for validation
 if test -z "$validateProperty" ; then log "[E] '$1' not found in $2 file while getting....!!"; exit 1; fi
 value=$(echo $validateProperty | cut -d "=" -f2-)
- echo $value
+ if [[ $1 == *password* ]]
+ then
+ echo $value
+ else
+ echo $value | tr -d \'\"
+ fi
 }
 PYTHON_COMMAND_INVOKER=$(get_prop 'PYTHON_COMMAND_INVOKER' $PROPFILE)
 DB_FLAVOR=$(get_prop 'DB_FLAVOR' $PROPFILE)
-SQL_COMMAND_INVOKER=$(get_prop 'SQL_COMMAND_INVOKER' $PROPFILE)
 SQL_CONNECTOR_JAR=$(get_prop 'SQL_CONNECTOR_JAR' $PROPFILE)
 db_root_user=$(get_prop 'db_root_user' $PROPFILE)
 db_root_password=$(get_prop 'db_root_password' $PROPFILE)
@@ -167,18 +170,6 @@ getPropertyFromFile(){
 eval $3="'$value'"
 }
-#Update Properties to File
-#$1 -> propertyName $2 -> newPropertyValue $3 -> fileName
-updatePropertyToFile(){
- sed -i 's@^'$1'=[^ ]*$@'$1'='$2'@g' $3
- #validate=`sed -i 's/^'$1'=[^ ]*$/'$1'='$2'/g' $3` #for validation
- validate=$(sed '/^\#/d' $3 | grep "^$1" | tail -n 1 | cut -d "=" -f2-) # for validation
- #echo 'V1:'$validate
- if test -z "$validate" ; then log "[E] '$1' not found in $3 file while Updating....!!"; exit 1; fi
- log "[I] File $3 Updated successfully : {'$1'}"
-}
-
-
 #Update Properties to File
 #$1 -> propertyName $2 -> newPropertyValue $3 -> fileName
 updatePropertyToFilePy(){
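Review bot: `echo $value` is unquoted in both new branches of get_prop, so the returned value goes through word splitting and glob expansion first — a password or an LDAP filter such as `(member=uid={0},ou=users,dc=xasecure,dc=net)` that contains whitespace or `*` comes back altered, and the property file is read before anything validates it. Quote the expansion in both branches, `echo "$value"` and `echo "$value" | tr -d \'\"`. `tr -d \'\"` also removes every quote character anywhere in the value rather than just an enclosing pair, and the `*password*` test is a substring match on the property name; if both are intended, a comment such as `# password values are returned verbatim; other values have all quote characters stripped` would save the next reader from guessing.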
@@ -195,78 +186,18 @@ init_logfiles () { init_variables(){ curDt=`date '+%Y%m%d%H%M%S'` - VERSION=`cat ${PWD}/version` - XAPOLICYMGR_DIR=$PWD - RANGER_ADMIN_INITD=ranger-admin-initd - RANGER_ADMIN=ranger-admin - INSTALL_DIR=${XAPOLICYMGR_DIR} - WEBAPP_ROOT=${INSTALL_DIR}/ews/webapp - DB_FLAVOR=`echo $DB_FLAVOR | tr '[:lower:]' '[:upper:]'` if [ "${DB_FLAVOR}" == "" ] then DB_FLAVOR="MYSQL" fi log "[I] DB_FLAVOR=${DB_FLAVOR}" - - #getPropertyFromFile 'db_root_user' $PROPFILE db_root_user - #getPropertyFromFile 'db_root_password' $PROPFILE db_user - #getPropertyFromFile 'db_user' $PROPFILE db_user - #getPropertyFromFile 'db_password' $PROPFILE db_password - #if [ "${audit_store}" == "solr" ] - #then - # getPropertyFromFile 'audit_solr_urls' $PROPFILE audit_solr_urls - # getPropertyFromFile 'audit_solr_user' $PROPFILE audit_solr_user - # getPropertyFromFile 'audit_solr_password' $PROPFILE audit_solr_password - # getPropertyFromFile 'audit_solr_zookeepers' $PROPFILE audit_solr_zookeepers - #else - # getPropertyFromFile 'audit_db_user' $PROPFILE audit_db_user - # getPropertyFromFile 'audit_db_password' $PROPFILE audit_db_password - #fi -} - -wait_for_tomcat_shutdown() { - i=1 - touch $TMPFILE - while [ $i -le 20 ] - do - ps -ef | grep catalina.startup.Bootstrap | grep -v grep > $TMPFILE - if [ $? -eq 1 ]; then - log "[I] Tomcat stopped" - i=21 - else - log "[I] stopping Tomcat.." - i=`expr $i + 1` - sleep 1 - fi - done -} - -check_db_version() { - if [ "${DB_FLAVOR}" == "MYSQL" ] - then - if is_command ${SQL_COMMAND_INVOKER} ; then - log "[I] '${SQL_COMMAND_INVOKER}' command found" - else - log "[E] '${SQL_COMMAND_INVOKER}' command not found" - exit 1; - fi - fi - if [ "${DB_FLAVOR}" == "ORACLE" ] - then - if is_command ${SQL_COMMAND_INVOKER} ; then - log "[I] '${SQL_COMMAND_INVOKER}' command found" - else - log "[E] '${SQL_COMMAND_INVOKER}' command not found" - exit 1; - fi - fi } check_python_command() { 
@@ -319,13 +250,6 @@ check_java_version() { log "[E] Java 1.7 is required, current java version is $version" exit 1; fi - - - #$JAVA_BIN -version 2>&1 | grep -q "$JAVA_ORACLE" - #if [ $? != 0 ] ; then - #log "[E] Oracle Java is required" - #exit 1; - #fi } sanity_check_files() { 
@@ -389,436 +313,6 @@ create_rollback_point() { cp "$APP" "$BAK_FILE" } -create_db_user(){ - check_db_user_password - strError="ERROR" - if [ "${DB_FLAVOR}" == "MYSQL" ] - then - log "[I] Creating ${DB_FLAVOR} user '${db_user}'" - for thost in '%' localhost - do - usercount=`$SQL_COMMAND_INVOKER -B -u "$db_root_user" --password="$db_root_password" -h $DB_HOST --skip-column-names -e "select count(*) from mysql.user where user = '$db_user' and host = '$thost';"` - if [ ${usercount} -eq 0 ] - then - $SQL_COMMAND_INVOKER -B -u "$db_root_user" --password="$db_root_password" -h $DB_HOST -e "create user '$db_user'@'$thost' identified by '$db_password';" - log "[I] Creating user '$db_user' for host $thost done" - fi - dbquery="REVOKE ALL PRIVILEGES,GRANT OPTION FROM '$db_user'@'$thost';FLUSH PRIVILEGES;" - echo "${dbquery}" | $SQL_COMMAND_INVOKER -u "$db_root_user" --password="$db_root_password" -h $DB_HOST - check_ret_status $? "'$DB_FLAVOR' revoke *.* privileges from user '$db_user'@'$thost' failed" - done - log "[I] Creating ${DB_FLAVOR} user '${db_user}' DONE" - fi - if [ "${DB_FLAVOR}" == "ORACLE" ] - then - #check user exist or not - result3=`${SQL_COMMAND_INVOKER} -L -S "${db_root_user}"/"\"${db_root_password}\""@"${DB_HOST}" AS SYSDBA <<< "select UPPER(username) from all_users where UPPER(username)=UPPER('${db_user}');"` - username=`echo ${db_user} | tr '[:lower:]' '[:upper:]'` - #if does not contains username so create user - if test "${result3#*$username}" == "$result3" - then - #create user - result4=`${SQL_COMMAND_INVOKER} -L -S "${db_root_user}"/"\"${db_root_password}\""@"${DB_HOST}" AS SYSDBA <<< "create user ${db_user} identified by \"${db_password}\";"` - result3=`${SQL_COMMAND_INVOKER} -L -S "${db_root_user}"/"\"${db_root_password}\""@"${DB_HOST}" AS SYSDBA <<< "select UPPER(username) from all_users where UPPER(username)=UPPER('${db_user}');"` - username=`echo ${db_user} | tr '[:lower:]' '[:upper:]'` - #if user is not created print error message - if test 
"${result3#*$username}" == "$result3" - then - log "[E] Creating User: ${db_user} Failed"; - log "[E] $result4" - exit 1 - else - log "[I] Creating User: ${db_user} Success"; - fi - fi - result5=`${SQL_COMMAND_INVOKER} -L -S "${db_root_user}"/"\"${db_root_password}\""@"${DB_HOST}" AS SYSDBA <<< "GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE TRIGGER,UNLIMITED TABLESPACE TO ${db_user} WITH ADMIN OPTION;"` - if test "${result5#*$strError}" == "$result5" - then - log "[I] Granting User: ${db_user} Success"; - else - log "[E] Granting User: ${db_user} Failed"; - log "[E] $result5" - exit 1 - fi - log "[I] Creating $DB_FLAVOR user '${db_user}' DONE" - fi -} - -check_db_admin_password () { - count=0 - msg='' - cmdStatus='' - strError="ERROR" - if [ "${DB_FLAVOR}" == "MYSQL" ] - then - log "[I] Checking ${DB_FLAVOR} $db_root_user password" - msg=`$SQL_COMMAND_INVOKER -u "$db_root_user" --password="$db_root_password" -h "$DB_HOST" -s -e "select version();" 2>&1` - cmdStatus=$? - fi - - if [ "${DB_FLAVOR}" == "ORACLE" ] - then - log "[I] Checking ${DB_FLAVOR} $db_root_user password" - msg=`echo "select 1 from dual;" | $SQL_COMMAND_INVOKER -L -S "${db_root_user}"/"\"${db_root_password}\""@"${DB_HOST}" AS SYSDBA>&1` - cmdStatus=$? - fi - if test "${msg#*$strError}" != "$msg" - then - cmdStatus=1 - else - cmdStatus=0 # $substring is not in $string - fi - while : - do - if [ $cmdStatus != 0 ]; then - if [ $count != 0 ] - then - if [ "${DB_FLAVOR}" == "MYSQL" ] - then - log "[I] COMMAND: mysql -u $db_root_user --password=...... -h $DB_HOST : FAILED with error message:" - fi - if [ "${DB_FLAVOR}" == "ORACLE" ] - then - log "[I] COMMAND: sqlplus $db_root_user/...... @$DB_HOST AS SYSDBA : FAILED with error message:" - fi - log "*******************************************${sg}*******************************************" - fi - if [ $count -gt 2 ] - then - log "[E] Unable to continue as db connectivity fails." 
- exit 1 - fi - trap 'stty echo; exit 1' 2 3 15 - if [ "${DB_FLAVOR}" == "MYSQL" ] - then - printf "Please enter password for mysql user-id, $db_root_user@${DB_HOST} : " - fi - if [ "${DB_FLAVOR}" == "ORACLE" ] - then - log="[msg] ${msg}" - printf "Please enter password for oracle user-id, $db_root_user@${DB_HOST} AS SYSDBA: " - fi - stty -echo - read db_root_password - stty echo - printf "\n" - trap '' 2 3 15 - count=`expr ${count} + 1` - if [ "${DB_FLAVOR}" == "MYSQL" ] - then - msg=`$SQL_COMMAND_INVOKER -u "$db_root_user" --password="$db_root_password" -h "$DB_HOST" -s -e "select version();" 2>&1` - cmdStatus=$? - fi - if [ "${DB_FLAVOR}" == "ORACLE" ] - then - msg=`echo "select 1 from dual;" | $SQL_COMMAND_INVOKER -L -S "${db_root_user}"/"\"${db_root_password}\""@"{$DB_HOST}" AS SYSDBA >&1` - cmdStatus=$? - fi - if test "${msg#*$strError}" != "$msg" - then - cmdStatus=1 - else - cmdStatus=0 # $substring is not in $string - fi - else - log "[I] Checking DB password DONE" - break; - fi - done - return 0; -} - -check_db_user_password() { - count=0 - muser=${db_user}@${DB_HOST} - while [ "${db_password}" = "" ] - do - if [ $count -gt 0 ] - then - log "[I] You can not have a empty password for user: (${muser})." - fi - if [ ${count} -gt 2 ] - then - log "[E] Unable to continue as user, ${muser} does not have a non-empty password." - fi - printf "Please enter password for the Ranger schema owner (${muser}): " - trap 'stty echo; exit 1' 2 3 15 - stty -echo - read db_password - stty echo - printf "\n" - trap '' 2 3 15 - count=`expr ${count} + 1` - done -} - - -check_audit_user_password() { - count=0 - muser=${audit_db_user}@${DB_HOST} - while [ "${audit_db_password}" = "" ] - do - if [ $count -gt 0 ] - then - log "[I] You can not have a empty password for user: (${muser})." - fi - if [ ${count} -gt 2 ] - then - log "[E] Unable to continue as user, ${muser} does not have a non-empty password." 
- fi - printf "Please enter password for the Ranger Audit Table owner (${muser}): " - trap 'stty echo; exit 1' 2 3 15 - stty -echo - read audit_db_password - stty echo - printf "\n" - trap '' 2 3 15 - count=`expr ${count} + 1` - done -} - -upgrade_db() { - log "[I] - starting upgradedb ... " - if [ "${DB_FLAVOR}" == "MYSQL" ] - then - DBVERSION_CATALOG_CREATION=db/mysql/create_dbversion_catalog.sql - if [ -f ${DBVERSION_CATALOG_CREATION} ] - then - log "[I] Verifying database version catalog table .... " - ${mysqlexec} < ${DBVERSION_CATALOG_CREATION} - `${SQL_COMMAND_INVOKER} -u "${db_root_user}" --password="${db_root_password}" -h ${DB_HOST} -D ${db_name} < ${DBVERSION_CATALOG_CREATION}` - check_ret_status $? "Verifying database version catalog table Failed." - fi - - dt=`date '+%s'` - tempFile=/tmp/sql_${dt}_$$.sql - sqlfiles=`ls -1 db/mysql/patches/*.sql 2> /dev/null | awk -F/ '{ print $NF }' | awk -F- '{ print $1, $0 }' | sort -k1 -n | awk '{ printf("db/mysql/patches/%s\n",$2) ; }'` - for sql in ${sqlfiles} - do - if [ -f ${sql} ] - then - bn=`basename ${sql}` - version=`echo ${bn} | awk -F'-' '{ print $1 }'` - if [ "${version}" != "" ] - then - c=`${SQL_COMMAND_INVOKER} -u "${db_root_user}" --password="${db_root_password}" -h ${DB_HOST} -D ${db_name} -B --skip-column-names -e "select count(id) from x_db_version_h where version = '${version}' and active = 'Y'"` - check_ret_status $? "DBVerionCheck - ${version} Failed." - if [ ${c} -eq 0 ] - then - cat ${sql} > ${tempFile} - echo >> ${tempFile} - echo "insert into x_db_version_h (version, inst_at, inst_by, updated_at, updated_by) values ( '${version}', now(), user(), now(), user()) ;" >> ${tempFile} - log "[I] - patch [${version}] is being applied." - `${SQL_COMMAND_INVOKER} -u "${db_root_user}" --password="${db_root_password}" -h ${DB_HOST} -D ${db_name} < ${tempFile}` - check_ret_status $? "Update patch - ${version} Failed. 
See sql file : [${tempFile}]" - rm -f ${tempFile} - else - log "[I] - patch [${version}] is already applied. Skipping ..." - fi - fi - fi - done - fi - #### - if [ "${DB_FLAVOR}" == "ORACLE" ] - then - strError="ERROR" - DBVERSION_CATALOG_CREATION=db/oracle/create_dbversion_catalog.sql - VERSION_TABLE=x_db_version_h - log "[I] Verifying table $VERSION_TABLE in database $db_name"; - if [ -f ${DBVERSION_CATALOG_CREATION} ] - then - result1=`${SQL_COMMAND_INVOKER} -L -S "${db_user}"/"\"${db_password}\""@"${DB_HOST}" <<< "select UPPER(table_name) from all_tables where UPPER(tablespace_name)=UPPER('${db_name}') and UPPER(table_name)=UPPER('${VERSION_TABLE}');"` - tablename=`echo $VERSION_TABLE | tr '[:lower:]' '[:upper:]'` - if test "${result1#*$tablename}" == "$result1" #does not contains tablename so create table - then - log "[I] Importing Version Catalog file: $DBVERSION_CATALOG_CREATION..." - result2=`echo "exit"|${SQL_COMMAND_INVOKER} -L -S "${db_user}"/"\"${db_password}\""@"${DB_HOST}" @$DBVERSION_CATALOG_CREATION` - if test "${result2#*$strError}" == "$result2" - then - log "[I] Importing Version Catalog file : $DBVERSION_CATALOG_CREATION DONE"; - else - log "[E] Importing Version Catalog file : $DBVERSION_CATALOG_CREATION Failed"; - log "[E] $result2" - fi - else - log "[I] Table $VERSION_TABLE already exists in database ${db_name}" - fi - fi - - dt=`date '+%s'` - tempFile=/tmp/sql_${dt}_$$.sql - sqlfiles=`ls -1 db/oracle/patches/*.sql 2> /dev/null | awk -F/ '{ print $NF }' | awk -F- '{ print $1, $0 }' | sort -k1 -n | awk '{ printf("db/oracle/patches/%s\n",$2) ; }'` - for sql in ${sqlfiles} - do - if [ -f ${sql} ] - then - bn=`basename ${sql}` - version=`echo ${bn} | awk -F'-' '{ print $1 }'` - if [ "${version}" != "" ] - then - result2=`${SQL_COMMAND_INVOKER} -L -S "${db_user}"/"\"${db_password}\""@"${DB_HOST}" <<< "select version from x_db_version_h where version = '${version}' and active = 'Y';"` - #does not contains record so insert - if test 
"${result2#*$version}" == "$result2" - then - cat ${sql} > ${tempFile} - echo >> ${tempFile} - echo "insert into x_db_version_h (id,version, inst_at, inst_by, updated_at, updated_by) values ( X_DB_VERSION_H_SEQ.nextval,'${version}', sysdate, '${db_user}', sysdate, '${db_user}') ;" >> ${tempFile} - log "[I] - patch [${version}] is being applied. $tempFile" - result3=`echo "exit"|${SQL_COMMAND_INVOKER} -L -S "${db_user}"/"\"${db_password}\""@"${DB_HOST}" @$tempFile` - log "[+]$result3" - if test "${result3#*$strError}" == "$result3" - then - log "[I] Update patch - ${version} applied. See sql file : [${tempFile}]" - else - log "[E] Update patch - ${version} Failed. See sql file : [${tempFile}]" - fi - rm -f ${tempFile} - elif test "${result2#*$strError}" != "$result2" - then - log "[E] - patch [${version}] could not applied. Skipping ..." - exit 1 - else - log "[I] - patch [${version}] is already applied. Skipping ..." - fi - fi - fi - done - fi - log "[I] - upgradedb completed." -} - -import_db(){ - if [ "${DB_FLAVOR}" == "MYSQL" ] - then - log "[I] Verifying Database: ${db_name}"; - existdb=`${SQL_COMMAND_INVOKER} -u "${db_root_user}" --password="${db_root_password}" -h $DB_HOST -B --skip-column-names -e "show databases like '${db_name}' ;"` - if [ "${existdb}" = "${db_name}" ] - then - log "[I] - database ${db_name} already exists. Ignoring import_db ..." - else - log "[I] Creating Database: $db_name"; - $SQL_COMMAND_INVOKER -u "$db_root_user" --password="$db_root_password" -h $DB_HOST -e "create database $db_name" - check_ret_status $? "Creating database Failed.." - log "[I] Importing Core Database file: $mysql_core_file " - $SQL_COMMAND_INVOKER -u "$db_root_user" --password="$db_root_password" -h $DB_HOST $db_name < $mysql_core_file - check_ret_status $? "Importing Database Failed.." - if [ -f "${mysql_asset_file}" ] - then - $SQL_COMMAND_INVOKER -u "$db_root_user" --password="$db_root_password" -h $DB_HOST ${db_name} < ${mysql_asset_file} - check_ret_status $? 
"Reset of DB repositories failed" - fi - log "[I] Importing Database file : $mysql_core_file DONE"; - fi - for thost in '%' localhost - do - mysqlquery="GRANT ALL ON $db_name.* TO '$db_user'@'$thost' ; - GRANT ALL PRIVILEGES ON $db_name.* to '$db_user'@'$thost' WITH GRANT OPTION; - FLUSH PRIVILEGES;" - echo "${mysqlquery}" | $SQL_COMMAND_INVOKER -u "$db_root_user" --password="$db_root_password" -h $DB_HOST - check_ret_status $? "'$db_user' grant privileges on '$db_name' failed" - log "[I] Granting MYSQL user '$db_user' for host $thost DONE" - done - fi - if [ "${DB_FLAVOR}" == "ORACLE" ] - then - log "[I] Importing TABLESPACE: ${db_name}"; - strError="ERROR" - existdb="false" - - #Verifying Users - log "[I] Verifying DB User: ${db_user}"; - result3=`${SQL_COMMAND_INVOKER} -L -S "${db_root_user}"/"\"${db_root_password}\""@"${DB_HOST}" AS SYSDBA <<< "select UPPER(username) from all_users where UPPER(username)=UPPER('${db_user}');"` - username=`echo ${db_user} | tr '[:lower:]' '[:upper:]'` - if test "${result3#*$username}" == "$result3" #does not contains username so create user - then - #create user - result4=`${SQL_COMMAND_INVOKER} -L -S "${db_root_user}"/"\"${db_root_password}\""@"${DB_HOST}" AS SYSDBA <<< "create user ${db_user} identified by \"${db_password}\";"` - result3=`${SQL_COMMAND_INVOKER} -L -S "${db_root_user}"/"\"${db_root_password}\""@"${DB_HOST}" AS SYSDBA <<< "select UPPER(username) from all_users where UPPER(username)=UPPER('${db_user}');"` - username=`echo ${db_user} | tr '[:lower:]' '[:upper:]'` - if test "${result3#*$username}" == "$result3" #does not contains username so create user - then - log "[E] Creating User: ${db_user} Failed"; - log "[E] ${result4}"; - exit 1 - else - log "[I] Creating User: ${db_user} Success"; - fi - else - log "[I] User: ${db_user} exist"; - fi - - #creating db/tablespace - result1=`${SQL_COMMAND_INVOKER} -L -S "${db_root_user}"/"\"${db_root_password}\""@"${DB_HOST}" AS SYSDBA <<< "SELECT DISTINCT 
UPPER(TABLESPACE_NAME) FROM USER_TABLESPACES where UPPER(TABLESPACE_NAME)=UPPER('${db_name}');"` - tablespace=`echo ${db_name} | tr '[:lower:]' '[:upper:]'` - if test "${result1#*$tablespace}" == "$result1" #does not contains tablespace so create tablespace - then - log "[I] Creating TABLESPACE: ${db_name}"; - result2=`${SQL_COMMAND_INVOKER} -L -S "${db_root_user}"/"\"${db_root_password}\""@"${DB_HOST}" AS SYSDBA <<< "create tablespace ${db_name} datafile '${db_name}.dat' size 10M autoextend on;"` - if test "${result2#*$strError}" == "$result2" - then - log "[I] TABLESPACE ${db_name} created."; - existdb="true" - else - log "[E] Creating TABLESPACE: ${db_name} Failed"; - log "[E] $result2"; - exit 1 - fi - else - log "[I] TABLESPACE ${db_name} already exists."; - fi - - #verify table space - result1a=`${SQL_COMMAND_INVOKER} -L -S "${db_root_user}"/"\"${db_root_password}\""@"${DB_HOST}" AS SYSDBA <<< "SELECT DISTINCT UPPER(TABLESPACE_NAME) FROM USER_TABLESPACES where UPPER(TABLESPACE_NAME)=UPPER('${db_name}');"` - tablespace1a=`echo ${db_name} | tr '[:lower:]' '[:upper:]'` - if test "${result1a#*$tablespace1a}" == "$result1a" #does not contains tablespace so exit - then - log "[E] TABLESPACE: ${db_name} Does not exist!!"; - exit 1 - fi - - #verify user - result3=`${SQL_COMMAND_INVOKER} -L -S "${db_root_user}"/"\"${db_root_password}\""@"${DB_HOST}" AS SYSDBA <<< "select UPPER(username) from all_users where UPPER(username)=UPPER('${db_user}');"` - username=`echo ${db_user} | tr '[:lower:]' '[:upper:]'` - if test "${result3#*$username}" == "$result3" #does not contains username so exit - then - log "[E] User: ${db_user} Does not exist!!"; - exit 1 - fi - - # ASSIGN DEFAULT TABLESPACE ${db_name} - result8=`${SQL_COMMAND_INVOKER} -L -S "${db_root_user}"/"\"${db_root_password}\""@"${DB_HOST}" AS SYSDBA <<< "alter user ${db_user} identified by \"${db_password}\" DEFAULT TABLESPACE ${db_name};"` - - #grant user - result5=`${SQL_COMMAND_INVOKER} -L -S 
"${db_root_user}"/"\"${db_root_password}\""@"${DB_HOST}" AS SYSDBA <<< "GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE TRIGGER,UNLIMITED TABLESPACE TO ${db_user} WITH ADMIN OPTION;"`
- if test "${result5#*$strError}" == "$result5"
- then
- log "[I] Granting User: ${db_user} Success";
- else
- log "[E] Granting User: ${db_user} Failed";
- log "[E] $result5";
- exit 1
- fi
-
- #if does not contains tables create tables
- if [ "${existdb}" == "true" ]
- then
- log "[I] Importing XA Database file: ${oracle_core_file}..."
- result7=`echo "exit"|${SQL_COMMAND_INVOKER} -L -S "${db_user}"/"\"${db_password}\""@"${DB_HOST}" @${oracle_core_file}`
- if test "${result7#*$strError}" == "$result7"
- then
- log "[I] Importing XA Database file : ${oracle_core_file} DONE";
- else
- log "[E] Importing XA Database file : ${oracle_core_file} Failed";
- log "[E] $result7";
- exit 1
- fi
- else
- log "[I] - database ${db_name} already exists. Ignoring import_db ..." ;
- fi
- fi
-}
-
 copy_db_connector(){
 log "[I] Copying ${DB_FLAVOR} Connector to $app_home/WEB-INF/lib ";
 cp -f $SQL_CONNECTOR_JAR $app_home/WEB-INF/lib
@@ -874,11 +368,18 @@ update_properties() {
 if [ "${DB_FLAVOR}" == "ORACLE" ]
 then
 propertyName=ranger.jpa.jdbc.url
- newPropertyValue="jdbc:oracle:thin:@${DB_HOST}"
+ count=$(grep -o ":" <<< "$DB_HOST" | wc -l)
+ #if [[ ${count} -eq 2 ]] ; then
+ if [ ${count} -eq 2 ] || [ ${count} -eq 0 ]; then
+ #jdbc:oracle:thin:@[HOST][:PORT]:SID or #jdbc:oracle:thin:@GL
+ newPropertyValue="jdbc:oracle:thin:@${DB_HOST}"
+ else
+ #jdbc:oracle:thin:@//[HOST][:PORT]/SERVICE
+ newPropertyValue="jdbc:oracle:thin:@//${DB_HOST}"
+ fi
 updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
 propertyName=ranger.jpa.audit.jdbc.url
- newPropertyValue="jdbc:oracle:thin:@${DB_HOST}"
 updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
 propertyName=ranger.jpa.jdbc.dialect
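Review bot: The Oracle branch in update_properties picks the URL form by counting colons in `DB_HOST`, so a plain `host:port` value (one colon, no SID and no service name) falls into the `else` branch and yields `jdbc:oracle:thin:@//host:port`, which is unlikely to be a usable thin URL; deciding on the `/` separator that distinguishes the two formats documented in install.properties is more direct, `if [[ "${DB_HOST}" == */* ]]; then newPropertyValue="jdbc:oracle:thin:@//${DB_HOST}"; else newPropertyValue="jdbc:oracle:thin:@${DB_HOST}"; fi`. The commented-out `#if [[ ${count} -eq 2 ]] ; then` line is leftover and should be deleted. The audit URL a few lines down now silently reuses `newPropertyValue` from the admin URL; a one-line comment such as `# audit DB shares the admin DB host/SID, reuse the URL built above` would make that dependency explicit. update_properties continues outside both ends of the hunk.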
@@ -994,7 +495,6 @@ update_properties() { newPropertyValue=${audit_store} updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger - propertyName=ranger.externalurl newPropertyValue="${policymgr_external_url}" updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger @@ -1022,7 +522,6 @@ update_properties() { then mkdir -p `dirname "${keystore}"` $PYTHON_COMMAND_INVOKER ranger_credential_helper.py -l "cred/lib/*" -f "$keystore" -k "$db_password_alias" -v "$db_password" -c 1 - #$JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "$db_password_alias" -value "$db_password" -provider jceks://file$keystore propertyName=ranger.credential.provider.path newPropertyValue="${keystore}" @@ -1065,18 +564,10 @@ update_properties() { if [ "${keystore}" != "" ] then $PYTHON_COMMAND_INVOKER ranger_credential_helper.py -l "cred/lib/*" -f "$keystore" -k "$audit_db_password_alias" -v "$audit_db_password" -c 1 - #$JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "$audit_db_password_alias" -value "$audit_db_password" -provider jceks://file$keystore propertyName=ranger.jpa.audit.jdbc.credential.alias newPropertyValue="${audit_db_password_alias}" updatePropertyToFilePy $propertyName $newPropertyValue $to_file_default - - #Use the same provider file for both audit/admin db - # propertyName=audit.jdbc.credential.provider.path - #propertyName=ranger.credential.provider.path - #newPropertyValue="${keystore}" - #updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger - propertyName=ranger.jpa.audit.jdbc.password newPropertyValue="_" updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger 
@@ -1117,7 +608,6 @@ update_properties() { audit_solr_password_alias=ranger.solr.password $PYTHON_COMMAND_INVOKER ranger_credential_helper.py -l "cred/lib/*" -f "$keystore" -k "$audit_solr_password_alias" -v "$audit_solr_password" -c 1 -# $JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "$audit_solr_password_alias" -value "$audit_solr_password" -provider jceks://file$keystore propertyName=ranger.solr.audit.credential.alias newPropertyValue="${audit_solr_password_alias}" 
@@ -1143,183 +633,6 @@ update_properties() { fi } -create_audit_db_user(){ - check_audit_user_password - AUDIT_DB="${audit_db_name}" - AUDIT_USER="${audit_db_user}" - AUDIT_PASSWORD="${audit_db_password}" - strError="ERROR" - #Verifying Database - if [ "${DB_FLAVOR}" == "MYSQL" ] - then - log "[I] Verifying Database: $AUDIT_DB"; - existdb=`${SQL_COMMAND_INVOKER} -u "$db_root_user" --password="$db_root_password" -h $DB_HOST -B --skip-column-names -e "show databases like '$AUDIT_DB' ;"` - if [ "${existdb}" = "$AUDIT_DB" ] - then - log "[I] Database $AUDIT_DB already exists." - else - log "[I] Creating Database: $audit_db_name"; - $SQL_COMMAND_INVOKER -u "$db_root_user" --password="$db_root_password" -h $DB_HOST -e "create database $AUDIT_DB" - check_ret_status $? "Creating database $AUDIT_DB Failed.." - fi - fi - if [ "${DB_FLAVOR}" == "ORACLE" ] - then - log "[I] Verifying TABLESPACE: $AUDIT_DB"; - result1=`${SQL_COMMAND_INVOKER} -L -S "${db_root_user}"/"\"${db_root_password}\""@"${DB_HOST}" AS SYSDBA <<< "SELECT distinct UPPER(TABLESPACE_NAME) FROM USER_TABLESPACES where UPPER(TABLESPACE_NAME)=UPPER('${AUDIT_DB}');"` - tablespace=`echo $AUDIT_DB | tr '[:lower:]' '[:upper:]'` - if test "${result1#*$tablespace}" == "$result1" #does not contains tablespace so create tablespace - then - log "[I] Creating TABLESPACE: $AUDIT_DB"; - result2=`${SQL_COMMAND_INVOKER} -L -S "${db_root_user}"/"\"${db_root_password}\""@"${DB_HOST}" AS SYSDBA <<< "create tablespace $AUDIT_DB datafile '$AUDIT_DB.dat' size 10M autoextend on;"` - if test "${result2#*$strError}" == "$result2" - then - log "[I] TABLESPACE $AUDIT_DB created." - else - log "[E] Creating TABLESPACE: $AUDIT_DB Failed"; - log "[E] $result2" - exit 1 - fi - else - log "[I] TABLESPACE $AUDIT_DB already exists." 
- fi - fi - - #Verifying Users - log "[I] Verifying Audit User: $AUDIT_USER"; - if [ "${DB_FLAVOR}" == "MYSQL" ] - then - for thost in '%' localhost - do - usercount=`$SQL_COMMAND_INVOKER -B -u "$db_root_user" --password="$db_root_password" -h $DB_HOST --skip-column-names -e "select count(*) from mysql.user where user = '$AUDIT_USER' and host = '$thost';"` - if [ ${usercount} -eq 0 ] - then - log "[I] Creating ${DB_FLAVOR} user '$AUDIT_USER'@'$thost'" - $SQL_COMMAND_INVOKER -B -u "$db_root_user" --password="$db_root_password" -h $DB_HOST -e "create user '$AUDIT_USER'@'$thost' identified by '$AUDIT_PASSWORD';" - check_ret_status $? "${DB_FLAVOR} create user failed" - fi - if [ "${AUDIT_USER}" != "${db_user}" ] - then - mysqlquery="REVOKE ALL PRIVILEGES,GRANT OPTION FROM '$AUDIT_USER'@'$thost' ; - FLUSH PRIVILEGES;" - echo "${mysqlquery}" | $SQL_COMMAND_INVOKER -u "$db_root_user" --password="$db_root_password" -h $DB_HOST - check_ret_status $? "'$DB_FLAVOR' revoke privileges from user '$AUDIT_USER'@'$thost' failed" - log "[I] '$DB_FLAVOR' revoke all privileges from user '$AUDIT_USER'@'$thost' DONE" - fi - done - fi - if [ "${DB_FLAVOR}" == "ORACLE" ] - then - result3=`${SQL_COMMAND_INVOKER} -L -S "${db_root_user}"/"\"${db_root_password}\""@"${DB_HOST}" AS SYSDBA <<< "select UPPER(username) from all_users where UPPER(username)=UPPER('${AUDIT_USER}');"` - username=`echo $AUDIT_USER | tr '[:lower:]' '[:upper:]'` - if test "${result3#*$username}" == "$result3" #does not contains username so create user - then - #create user - result4=`${SQL_COMMAND_INVOKER} -L -S "${db_root_user}"/"\"${db_root_password}\""@"${DB_HOST}" AS SYSDBA <<< "create user ${AUDIT_USER} identified by \"${AUDIT_PASSWORD}\" DEFAULT TABLESPACE ${AUDIT_DB};"` - if test "${result4#*$strError}" == "$result4" - then - log "[I] Creating User: ${AUDIT_USER} Success"; - else - log "[E] Creating User: ${AUDIT_USER} Failed"; - log "[E] $result4" - exit 1 - fi - else - log "[I] User: ${AUDIT_USER} exist"; - fi 
- result5=`${SQL_COMMAND_INVOKER} -L -S "${db_root_user}"/"\"${db_root_password}\""@"${DB_HOST}" AS SYSDBA <<< "GRANT CREATE SESSION TO ${AUDIT_USER};"` - if test "${result5#*$strError}" == "$result5" - then - log "[I] Granting User: $AUDIT_USER Success"; - else - log "[E] Granting User: $AUDIT_USER Failed"; - log "[E] $result5" - exit 1 - fi - fi - - #Verifying audit table - AUDIT_TABLE=xa_access_audit - if [ "${DB_FLAVOR}" == "MYSQL" ] - then - log "[I] Verifying table $AUDIT_TABLE in audit database $AUDIT_DB"; - existtbl=`${SQL_COMMAND_INVOKER} -u "$db_root_user" --password="$db_root_password" -D $AUDIT_DB -h $DB_HOST -B --skip-column-names -e "show tables like '$AUDIT_TABLE' ;"` - if [ "${existtbl}" != "$AUDIT_TABLE" ] - then - log "[I] Importing Audit Database file: $mysql_audit_file..." - $SQL_COMMAND_INVOKER -u "$db_root_user" --password="$db_root_password" -h $DB_HOST $AUDIT_DB < $mysql_audit_file - check_ret_status $? "Importing Audit Database Failed.." - log "[I] Importing Audit Database file : $mysql_audit_file DONE"; - else - log "[I] Table $AUDIT_TABLE already exists in audit database $AUDIT_DB" - fi - fi - if [ "${DB_FLAVOR}" == "ORACLE" ] - then - log "[I] Verifying table $AUDIT_TABLE in TABLESPACE $db_name"; - # ASSIGN DEFAULT TABLESPACE ${db_name} - result8=`${SQL_COMMAND_INVOKER} -L -S "${db_root_user}"/"\"${db_root_password}\""@"${DB_HOST}" AS SYSDBA <<< "alter user ${AUDIT_USER} identified by \"${AUDIT_PASSWORD}\" DEFAULT TABLESPACE ${AUDIT_DB};"` - result6=`${SQL_COMMAND_INVOKER} -L -S "${db_root_user}"/"\"${db_root_password}\""@"${DB_HOST}" AS SYSDBA <<< "select UPPER(table_name) from all_tables where UPPER(tablespace_name)=UPPER('$db_name') and UPPER(table_name)=UPPER('${AUDIT_TABLE}');"` - tablename=`echo $AUDIT_TABLE | tr '[:lower:]' '[:upper:]'` - if test "${result6#*$tablename}" == "$result6" #does not contains tablename so create table - then - log "[I] Importing Audit Database file: $oracle_audit_file..." 
- result7=`echo "exit"|${SQL_COMMAND_INVOKER} -L -S "${db_user}"/"\"${db_password}\""@"${DB_HOST}" @$oracle_audit_file` - if test "${result7#*$strError}" == "$result7" - then - log "[I] Importing Audit Database file : $oracle_audit_file DONE"; - else - log "[E] Importing Audit Database file : $oracle_audit_file failed"; - log "[E] $result7" - fi - else - log "[I] Table $AUDIT_TABLE already exists in TABLESPACE $db_name" - fi - fi - - #Granting Users - log "[I] Granting Privileges to User: $AUDIT_USER"; - if [ "${DB_FLAVOR}" == "MYSQL" ] - then - for thost in '%' localhost - do - mysqlquery="GRANT ALL ON $AUDIT_DB.* TO '$db_user'@'$thost' ; - GRANT ALL PRIVILEGES ON $AUDIT_DB.* to '$db_user'@'$thost' WITH GRANT OPTION; - FLUSH PRIVILEGES;" - echo "${mysqlquery}" | $SQL_COMMAND_INVOKER -u "$db_root_user" --password="$db_root_password" -h $DB_HOST - check_ret_status $? "'$db_user' grant privileges on '$AUDIT_DB' failed" - log "[I] Creating MYSQL user '$AUDIT_USER' for host $thost DONE" - - mysqlquery="GRANT INSERT ON $AUDIT_DB.$AUDIT_TABLE TO '$AUDIT_USER'@'$thost' ; - FLUSH PRIVILEGES;" - echo "${mysqlquery}" | $SQL_COMMAND_INVOKER -u "$db_root_user" --password="$db_root_password" -h $DB_HOST - check_ret_status $? 
"'$DB_FLAVOR' grant INSERT privileges to user '$AUDIT_USER'@'$thost' on $AUDIT_TABLE failed" - log "[I] '$DB_FLAVOR' grant INSERT privileges to user '$AUDIT_USER'@'$thost' on $AUDIT_TABLE DONE" - done - fi - if [ "${DB_FLAVOR}" == "ORACLE" ] - then - if [ "${AUDIT_USER}" != "${db_user}" ] - then - result11=`${SQL_COMMAND_INVOKER} -L -S "${db_root_user}"/"\"${db_root_password}\""@"${DB_HOST}" AS SYSDBA <<< "GRANT SELECT ON ${db_user}.XA_ACCESS_AUDIT_SEQ TO ${AUDIT_USER};"` - result12=`${SQL_COMMAND_INVOKER} -L -S "${db_root_user}"/"\"${db_root_password}\""@"${DB_HOST}" AS SYSDBA <<< "GRANT INSERT ON ${db_user}.${AUDIT_TABLE} TO ${AUDIT_USER};"` - if test "${result11#*$strError}" != "$result11" - then - log "[E] Granting User: $AUDIT_USER Failed"; - log "[E] $result11"; - exit1 - elif test "${result12#*$strError}" != "$result12" - then - log "[E] Granting User: $AUDIT_USER Failed"; - log "[E] $result12"; - exit 1 - else - log "[I] Granting User: $AUDIT_USER Success"; - fi - fi - fi -} - do_unixauth_setup() { ldap_file=$app_home/WEB-INF/classes/conf/ranger-admin-site.xml 
@@ -1356,40 +669,33 @@ do_authentication_setup(){ ldap_file=$app_home/WEB-INF/classes/conf/ranger-admin-site.xml if test -f $ldap_file; then log "[I] $ldap_file file found" -# propertyName=xa_ldap_url propertyName=ranger.ldap.url newPropertyValue="${xa_ldap_url}" - updatePropertyToFilePy $propertyName $newPropertyValue $ldap_file -# propertyName=xa_ldap_userDNpattern propertyName=ranger.ldap.user.dnpattern newPropertyValue="${xa_ldap_userDNpattern}" updatePropertyToFilePy $propertyName $newPropertyValue $ldap_file -# propertyName=xa_ldap_groupSearchBase propertyName=ranger.ldap.group.searchbase newPropertyValue="${xa_ldap_groupSearchBase}" updatePropertyToFilePy $propertyName $newPropertyValue $ldap_file -# propertyName=xa_ldap_groupSearchFilter propertyName=ranger.ldap.group.searchfilter newPropertyValue="${xa_ldap_groupSearchFilter}" updatePropertyToFilePy $propertyName $newPropertyValue $ldap_file -# propertyName=xa_ldap_groupRoleAttribute propertyName=ranger.ldap.group.roleattribute newPropertyValue="${xa_ldap_groupRoleAttribute}" updatePropertyToFilePy $propertyName $newPropertyValue $ldap_file -# propertyName=authentication_method propertyName=ranger.authentication.method newPropertyValue="${authentication_method}" updatePropertyToFilePy $propertyName $newPropertyValue $ldap_file if [ "${xa_ldap_base_dn}" != "" ] && [ "${xa_ldap_bind_dn}" != "" ] && [ "${xa_ldap_bind_password}" != "" ] then - $PYTHON_COMMAND_INVOKER dba_script.py ${xa_ldap_bind_password} 'LDAP' + $PYTHON_COMMAND_INVOKER dba_script.py ${xa_ldap_bind_password} 'LDAP' 'password_validation' if [ "$?" != "0" ] then exit 1 
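Review bot: The `updatePropertyToFilePy $propertyName $newPropertyValue $ldap_file` call that followed `newPropertyValue="${xa_ldap_url}"` is deleted while the two assignments stay, so `propertyName` is overwritten by `ranger.ldap.user.dnpattern` on the next line and `ranger.ldap.url` is never written to ranger-admin-site.xml by this path (unless that now happens elsewhere, which is not visible here); restoring the call right after the url assignment looks needed. Separately, the bind password is passed as an unquoted argv value, `dba_script.py ${xa_ldap_bind_password} 'LDAP' 'password_validation'`, which word-splits on spaces and is readable in the process list by any local user while the check runs; quote it as `"${xa_ldap_bind_password}"` and consider handing it over via the environment instead. do_authentication_setup starts before this hunk.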
@@ -1419,7 +725,6 @@ do_authentication_setup(){ ldap_password_alias=ranger.ldap.binddn.password $PYTHON_COMMAND_INVOKER ranger_credential_helper.py -l "cred/lib/*" -f "$keystore" -k "$ldap_password_alias" -v "$xa_ldap_bind_password" -c 1 -# $JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "$ldap_password_alias" -value "$xa_ldap_bind_password" -provider jceks://file$keystore to_file_default=$app_home/WEB-INF/classes/conf/ranger-admin-default-site.xml @@ -1464,24 +769,21 @@ do_authentication_setup(){ ldap_file=$app_home/WEB-INF/classes/conf/ranger-admin-site.xml if test -f $ldap_file; then log "[I] $ldap_file file found" -# propertyName=xa_ldap_ad_url propertyName=ranger.ldap.ad.url newPropertyValue="${xa_ldap_ad_url}" updatePropertyToFilePy $propertyName $newPropertyValue $ldap_file -# propertyName=xa_ldap_ad_domain propertyName=ranger.ldap.ad.domain newPropertyValue="${xa_ldap_ad_domain}" updatePropertyToFilePy $propertyName $newPropertyValue $ldap_file -# propertyName=authentication_method propertyName=ranger.authentication.method newPropertyValue="${authentication_method}" updatePropertyToFilePy $propertyName $newPropertyValue $ldap_file if [ "${xa_ldap_ad_base_dn}" != "" ] && [ "${xa_ldap_ad_bind_dn}" != "" ] && [ "${xa_ldap_ad_bind_password}" != "" ] then - $PYTHON_COMMAND_INVOKER dba_script.py ${xa_ldap_ad_bind_password} 'AD' + $PYTHON_COMMAND_INVOKER dba_script.py ${xa_ldap_ad_bind_password} 'AD' 'password_validation' if [ "$?" != "0" ] then exit 1 
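Review bot: The AD password check runs only after `ranger.ldap.ad.url`, `ranger.ldap.ad.domain` and `ranger.authentication.method` have already been written to ranger-admin-site.xml, so a rejected password leaves a partially configured file behind when `exit 1` fires. Move the `$PYTHON_COMMAND_INVOKER dba_script.py "${xa_ldap_ad_bind_password}" 'AD' 'password_validation'` call ahead of the first updatePropertyToFilePy call in this branch, and quote the password as shown, since it is currently unquoted and also visible on the command line to other local users. The function continues outside the hunk.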
@@ -1510,7 +812,6 @@ do_authentication_setup(){ ad_password_alias=ranger.ad.binddn.password $PYTHON_COMMAND_INVOKER ranger_credential_helper.py -l "cred/lib/*" -f "$keystore" -k "$ad_password_alias" -v "$xa_ldap_ad_bind_password" -c 1 -# $JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "$ad_password_alias" -value "$xa_ldap_ad_bind_password" -provider jceks://file$keystore to_file_default=$app_home/WEB-INF/classes/conf/ranger-admin-default-site.xml @@ -1564,18 +865,12 @@ do_authentication_setup(){ log "[I] Finished setup based on user authentication method=$authentication_method"; } - #===================================================================== - setup_unix_user_group(){ - log "[I] Setting up UNIX user : ${unix_user} and group: ${unix_group}"; - groupadd ${unix_group} check_ret_status_for_groupadd $? "Creating group ${unix_group} failed" - id -u ${unix_user} > /dev/null 2>&1 - if [ $? -ne 0 ] then log "[I] Creating new user and adding to group"; @@ -1585,14 +880,11 @@ setup_unix_user_group(){ log "[I] User already exists, adding it to group"; usermod -g ${unix_group} ${unix_user} fi - log "[I] Setting up UNIX user : ${unix_user} and group: ${unix_group} DONE"; } setup_install_files(){ - log "[I] Setting up installation files and directory"; - if [ ! -d ${WEBAPP_ROOT}/WEB-INF/classes/conf ]; then log "[I] Copying ${WEBAPP_ROOT}/WEB-INF/classes/conf.dist ${WEBAPP_ROOT}/WEB-INF/classes/conf" mkdir -p ${WEBAPP_ROOT}/WEB-INF/classes/conf 
@@ -1684,88 +976,6 @@ setup_install_files(){ fi } -execute_java_patches(){ - if [ "${DB_FLAVOR}" == "MYSQL" ] - then - dt=`date '+%s'` - tempFile=/tmp/sql_${dt}_$$.sql - #mysqlexec="${SQL_COMMAND_INVOKER} -u ${db_root_user} --password="${db_root_password}" -h ${DB_HOST} ${db_name}" - javaFiles=`ls -1 $app_home/WEB-INF/classes/org/apache/ranger/patch/Patch*.class 2> /dev/null | awk -F/ '{ print $NF }' | awk -F_J '{ print $2, $0 }' | sort -k1 -n | awk '{ printf("%s\n",$2) ; }'` - for javaPatch in ${javaFiles} - do - if test -f "$app_home/WEB-INF/classes/org/apache/ranger/patch/$javaPatch"; then - className=$(basename "$javaPatch" .class) - version=`echo ${className} | awk -F'_' '{ print $2 }'` - if [ "${version}" != "" ] - then - #c=`${mysqlexec} -B --skip-column-names -e "select count(id) from x_db_version_h where version = '${version}' and active = 'Y'"` - c=`$JAVA_HOME/bin/java -cp $SQL_CONNECTOR_JAR:jisql/lib/* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://$DB_HOST/$db_name -u ${db_user} -p "${db_password}" -noheader -trim -delimiter '' -c \; -query "select version from x_db_version_h where version = '${version}' and active = 'Y';"` - check_ret_status $? "DBVerionCheck - ${version} Failed." - #if [ ${c} -eq 0 ] - if [ "${c}" != "${version}" ] - then - log "[I] patch ${javaPatch} is being applied.."; - msg=`$JAVA_HOME/bin/java -cp "$app_home/WEB-INF/classes/conf:$app_home/WEB-INF/classes/lib/*:$app_home/WEB-INF/:$app_home/META-INF/:$app_home/WEB-INF/lib/*:$app_home/WEB-INF/classes/:$app_home/WEB-INF/classes/META-INF:$SQL_CONNECTOR_JAR" org.apache.ranger.patch.${className}` - check_ret_status $? "Unable to apply patch:$javaPatch. 
$msg" - touch ${tempFile} - echo >> ${tempFile} - echo "insert into x_db_version_h (version, inst_at, inst_by, updated_at, updated_by) values ( '${version}', now(), user(), now(), user()) ;" >> ${tempFile} - #${mysqlexec} < ${tempFile} - c=`$JAVA_HOME/bin/java -cp $SQL_CONNECTOR_JAR:jisql/lib/* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://$DB_HOST/$db_name -u ${db_user} -p "${db_password}" -noheader -trim -delimiter '' -c \; -input ${tempFile}` - check_ret_status $? "Update patch - ${javaPatch} has failed." - rm -f ${tempFile} - log "[I] patch ${javaPatch} has been applied!!"; - else - log "[I] - patch [${javaPatch}] is already applied. Skipping ..." - fi - fi - fi - done - fi - if [ "${DB_FLAVOR}" == "ORACLE" ] - then - dt=`date '+%s'` - tempFile=/tmp/sql_${dt}_$$.sql - javaFiles=`ls -1 $app_home/WEB-INF/classes/org/apache/ranger/patch/Patch*.class 2> /dev/null | awk -F/ '{ print $NF }' | awk -F_J '{ print $2, $0 }' | sort -k1 -n | awk '{ printf("%s\n",$2) ; }'` - for javaPatch in ${javaFiles} - do - if test -f "$app_home/WEB-INF/classes/org/apache/ranger/patch/$javaPatch"; then - className=$(basename "$javaPatch" .class) - version=`echo ${className} | awk -F'_' '{ print $2 }'` - if [ "${version}" != "" ] - then - #result2=`${SQL_COMMAND_INVOKER} -L -S "${db_user}"/"\"${db_password}\""@"${DB_HOST}" <<< "select version from x_db_version_h where version = '${version}' and active = 'Y';"` - result2=`$JAVA_HOME/bin/java -cp $SQL_CONNECTOR_JAR:jisql/lib/* org.apache.util.sql.Jisql -driver oraclethin -cstring jdbc:oracle:thin:@$DB_HOST -u ${db_user} -p "${db_password}" -noheader -trim -delimiter '' -c \; -query "select version from x_db_version_h where version = '${version}' and active = 'Y';"` - #does not contains record so insert - if test "${result2#*$version}" == "$result2" - then - log "[I] patch ${javaPatch} is being applied.."; - msg=`$JAVA_HOME/bin/java -cp 
"$app_home/WEB-INF/classes/conf:$app_home/WEB-INF/classes/lib/*:$app_home/WEB-INF/:$app_home/META-INF/:$app_home/WEB-INF/lib/*:$app_home/WEB-INF/classes/:$app_home/WEB-INF/classes/META-INF/" org.apache.ranger.patch.${className}` - check_ret_status $? "Unable to apply patch:$javaPatch. $msg" - touch ${tempFile} - echo >> ${tempFile} - echo "insert into x_db_version_h (id,version, inst_at, inst_by, updated_at, updated_by) values ( X_DB_VERSION_H_SEQ.nextval,'${version}', sysdate, '${db_user}', sysdate, '${db_user}') ;" >> ${tempFile} - #result3=`echo "exit"|${SQL_COMMAND_INVOKER} -L -S "${db_user}"/"\"${db_password}\""@"${DB_HOST}" @$tempFile` - result3=`$JAVA_HOME/bin/java -cp $SQL_CONNECTOR_JAR:jisql/lib/* org.apache.util.sql.Jisql -driver oraclethin -cstring jdbc:oracle:thin:@$DB_HOST -u ${db_user} -p "${db_password}" -noheader -trim -delimiter '' -c \; -input ${tempFile}` - if test "${result3#*$strError}" == "$result3" - then - log "[I] patch ${javaPatch} has been applied!!"; - else - log "[E] patch ${javaPatch} has failed." - fi - rm -f ${tempFile} - elif test "${result2#*$strError}" != "$result2" - then - log "[E] - patch [${javaPatch}] could not applied. Skipping ..." - exit 1 - else - log "[I] - patch [${javaPatch}] is already applied. Skipping ..." - fi - fi - fi - done - fi -} init_logfiles log " --------- Running Ranger PolicyManager Web Application Install Script --------- " log "[I] uname=`uname`" @@ -1773,17 +983,11 @@ log "[I] hostname=`hostname`" init_variables get_distro check_java_version -#check_db_version check_db_connector setup_unix_user_group setup_install_files sanity_check_files -#check_db_admin_password -#create_db_user copy_db_connector -#import_db -#upgrade_db -#create_audit_db_user check_python_command run_dba_steps if [ "$?" == "0" ] @@ -1800,7 +1004,6 @@ else log "[E] DB schema setup failed! Please contact Administrator." exit 1 fi -#execute_java_patches $PYTHON_COMMAND_INVOKER db_setup.py -javapatch if [ "$?" == "0" ] then 
diff --git a/security-admin/src/bin/ranger_install.py b/security-admin/src/bin/ranger_install.py index 294f0da13e0..0cbe43dbcdf 100644 --- a/security-admin/src/bin/ranger_install.py +++ b/security-admin/src/bin/ranger_install.py @@ -43,6 +43,8 @@ def log(msg,type): if type == 'info': logging.info(" %s",msg) + if type == 'error': + logging.error(" %s",msg) if type == 'debug': logging.debug(" %s",msg) if type == 'warning': @@ -50,21 +52,16 @@ def log(msg,type): if type == 'exception': logging.exception(" %s",msg) -#def check_mysql_connector(): -# global MYSQL_CONNECTOR_JAR -# ### From properties file -# MYSQL_CONNECTOR_JAR = os.getenv("MYSQL_CONNECTOR_JAR") -# debugMsg = "Checking MYSQL CONNECTOR FILE : " + MYSQL_CONNECTOR_JAR -# log(debugMsg, 'debug') -# log( "Checking MYSQL CONNECTOR FILE : " + MYSQL_CONNECTOR_JAR, "debug") -# ### From properties file -# if os.path.isfile(MYSQL_CONNECTOR_JAR): -# log(" MYSQL CONNECTOR FILE :" + MYSQL_CONNECTOR_JAR + "file found",'info') -# else: -# log(" MYSQL CONNECTOR FILE : "+MYSQL_CONNECTOR_JAR+" file does not exist",'info') -#pass - - +def password_validation(password, userType): + if password: + if re.search("[\\\`'\"]",password): + log("[E] "+userType+" user password contains one of the unsupported special characters like \" ' \ `","error") + sys.exit(1) + else: + log("[I] "+userType+" user password validated","info") + else: + log("[E] Blank password is not allowed,please enter valid password.","error") + sys.exit(1) def resolve_sym_link(path): path = os.path.realpath(path) 
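Review bot: The character class in `re.search("[\\\`'\"]",password)` only works because Python keeps the unrecognised backslash-backtick escape as two literal characters, which newer Python 3 flags with a DeprecationWarning and which is hard to read; a raw string with the backtick written as a hex escape states the intent directly, `if re.search(r"[\\\x60'\"]", password):`. The function rejects these four characters presumably because the password is later interpolated into shell or SQL commands elsewhere in the installer; a comment saying so, e.g. `# reject characters that would break the shell/SQL quoting used later in the installer`, would tell the next maintainer why this blacklist exists and that it is not a strength check. Assumes `re` and `sys` are imported at the top of the file, which is outside this hunk.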
@@ -738,70 +735,78 @@ def update_properties(): log("SQL_HOST is : " + MYSQL_HOST,"debug") if RANGER_DB_FLAVOR == "MYSQL": - propertyName="ranger.jpa.jdbc.url" - newPropertyValue="jdbc:log4jdbc:mysql://%s:%s/%s" %(MYSQL_HOST ,RANGER_ADMIN_DB_PORT, db_name) - updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger) + propertyName="ranger.jpa.jdbc.url" + newPropertyValue="jdbc:log4jdbc:mysql://%s:%s/%s" %(MYSQL_HOST ,RANGER_ADMIN_DB_PORT, db_name) + updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger) + + propertyName="ranger.jpa.jdbc.user" + newPropertyValue=db_user + updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger) - propertyName="ranger.jpa.jdbc.user" - newPropertyValue=db_user - updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger) + propertyName="ranger.jpa.audit.jdbc.user" + newPropertyValue=audit_db_user + updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger) + + propertyName="ranger.jpa.audit.jdbc.url" + newPropertyValue="jdbc:log4jdbc:mysql://%s:%s/%s" %(MYSQL_HOST, RANGER_AUDIT_DB_PORT, audit_db_name) + updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger) + + propertyName="ranger.jpa.jdbc.dialect" + newPropertyValue="org.eclipse.persistence.platform.database.MySQLPlatform" + updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_default) + + propertyName="ranger.jpa.audit.jdbc.dialect" + newPropertyValue="org.eclipse.persistence.platform.database.MySQLPlatform" + updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_default) + + propertyName="ranger.jpa.jdbc.driver" + newPropertyValue="net.sf.log4jdbc.DriverSpy" + updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger) + + propertyName="ranger.jpa.audit.jdbc.driver" + newPropertyValue="net.sf.log4jdbc.DriverSpy" + updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger) - propertyName="ranger.jpa.audit.jdbc.user" - newPropertyValue=audit_db_user - 
updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger) - - propertyName="ranger.jpa.audit.jdbc.url" - newPropertyValue="jdbc:log4jdbc:mysql://%s:%s/%s" %(MYSQL_HOST, RANGER_AUDIT_DB_PORT, audit_db_name) - updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger) - - propertyName="ranger.jpa.jdbc.dialect" - newPropertyValue="org.eclipse.persistence.platform.database.MySQLPlatform" - updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_default) - - propertyName="ranger.jpa.audit.jdbc.dialect" - newPropertyValue="org.eclipse.persistence.platform.database.MySQLPlatform" - updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_default) - - propertyName="ranger.jpa.jdbc.driver" - newPropertyValue="net.sf.log4jdbc.DriverSpy" - updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger) - - propertyName="ranger.jpa.audit.jdbc.driver" - newPropertyValue="net.sf.log4jdbc.DriverSpy" - updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger) - elif RANGER_DB_FLAVOR == "ORACLE": - propertyName="ranger.jpa.jdbc.url" - newPropertyValue="jdbc:oracle:thin:@%s" %(MYSQL_HOST) - updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger) - - propertyName="ranger.jpa.jdbc.user" - newPropertyValue=db_user - updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger) - - propertyName="ranger.jpa.audit.jdbc.user" - newPropertyValue=audit_db_user - updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger) - - propertyName="ranger.jpa.audit.jdbc.url" - newPropertyValue="jdbc:oracle:thin:@%s" %(MYSQL_HOST) - updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger) - - propertyName="ranger.jpa.jdbc.dialect" - newPropertyValue="org.eclipse.persistence.platform.database.OraclePlatform" - updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_default) - - propertyName="ranger.jpa.audit.jdbc.dialect" - 
newPropertyValue="org.eclipse.persistence.platform.database.OraclePlatform" - updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_default) - - propertyName="ranger.jpa.jdbc.driver" - newPropertyValue="oracle.jdbc.OracleDriver" - updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger) - - propertyName="ranger.jpa.audit.jdbc.driver" - newPropertyValue="oracle.jdbc.OracleDriver" - updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger) + propertyName="ranger.jpa.jdbc.url" + #if MYSQL_HOST.count(":") == 2: + if MYSQL_HOST.count(":") == 2 or MYSQL_HOST.count(":") == 0: + #jdbc:oracle:thin:@[HOST][:PORT]:SID or #jdbc:oracle:thin:@GL + cstring="jdbc:oracle:thin:@%s" %(MYSQL_HOST) + else: + #jdbc:oracle:thin:@//[HOST][:PORT]/SERVICE + cstring="jdbc:oracle:thin:@//%s" %(MYSQL_HOST) + + newPropertyValue=cstring + updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger) + + propertyName="ranger.jpa.jdbc.user" + newPropertyValue=db_user + updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger) + + propertyName="ranger.jpa.audit.jdbc.user" + newPropertyValue=audit_db_user + updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger) + + propertyName="ranger.jpa.audit.jdbc.url" + newPropertyValue=cstring + updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger) + + propertyName="ranger.jpa.jdbc.dialect" + newPropertyValue="org.eclipse.persistence.platform.database.OraclePlatform" + updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_default) + + propertyName="ranger.jpa.audit.jdbc.dialect" + newPropertyValue="org.eclipse.persistence.platform.database.OraclePlatform" + updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_default) + + propertyName="ranger.jpa.jdbc.driver" + newPropertyValue="oracle.jdbc.OracleDriver" + updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger) + + propertyName="ranger.jpa.audit.jdbc.driver" + 
newPropertyValue="oracle.jdbc.OracleDriver" + updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger) elif RANGER_DB_FLAVOR == "POSTGRES": propertyName="ranger.jpa.jdbc.url" @@ -905,6 +910,9 @@ def update_properties(): updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger) if os.getenv("RANGER_AUTHENTICATION_METHOD") == "LDAP": + + password_validation(os.getenv("RANGER_LDAP_BIND_PASSWORD"), "LDAP_BIND") + propertyName="ranger.authentication.method" newPropertyValue=os.getenv("RANGER_AUTHENTICATION_METHOD") updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger) @@ -950,6 +958,9 @@ def update_properties(): updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger) elif os.getenv("RANGER_AUTHENTICATION_METHOD") == "ACTIVE_DIRECTORY": + + password_validation(os.getenv("RANGER_LDAP_AD_BIND_PASSWORD"), "AD_BIND") + propertyName="ranger.authentication.method" newPropertyValue=os.getenv("RANGER_AUTHENTICATION_METHOD") updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger) diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java index 572323f495e..2d4337922c0 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java @@ -175,7 +175,12 @@ public void deleteXUser(Long id, boolean force) { } public VXUser getXUserByUserName(String userName) { - return xUserService.getXUserByUserName(userName); + VXUser vXUser=null; + vXUser=xUserService.getXUserByUserName(userName); + if(vXUser!=null && !hasAccessToModule(RangerConstants.MODULE_USER_GROUPS)){ + vXUser=getMaskedVXUser(vXUser); + } + return vXUser; } public VXUser createXUser(VXUser vXUser) { 
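Review bot: The stale `#if MYSQL_HOST.count(":") == 2:` line should be deleted now that the condition below it replaces it. The colon-count rule also deserves a comment, because a value with exactly one colon and no slash (for example `host:port`) is routed to the `//` form and produces `jdbc:oracle:thin:@//host:port` with no service name, and the variable is named `MYSQL_HOST` while an Oracle URL is being built; something like `# 0 or 2 colons: TNS alias or host:port:SID -> @value; otherwise host[:port]/service -> @//value` would make the accepted inputs explicit. The enclosing update_properties function starts and ends outside this hunk.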
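Review bot: `password_validation(os.getenv("RANGER_LDAP_BIND_PASSWORD"), "LDAP_BIND")` exits the installer whenever the variable is unset or empty, whereas the shell installer changed in this same patch only validates the bind password when base DN, bind DN and password are all non-empty; an LDAP setup that relies on an anonymous bind therefore now fails in this installer but not in the other. Either guard the call the same way, `if os.getenv("RANGER_LDAP_BIND_PASSWORD"): password_validation(os.getenv("RANGER_LDAP_BIND_PASSWORD"), "LDAP_BIND")`, or make the shell side unconditional too, so both installers enforce one policy. The same applies to the ACTIVE_DIRECTORY branch below. update_properties starts and ends outside this hunk.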
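Review bot: `hasAccessToModule` is now evaluated on every getXUserByUserName call and, from its body later in this patch, appears to perform a user lookup plus a module-permission query each time, so every lookup pays two extra round-trips even for callers that already hold the permission; resolving the caller's module permissions once per session (or caching them on the session object) would avoid that. Style: `VXUser vXUser=null; vXUser=xUserService.getXUserByUserName(userName);` initialises only to overwrite on the next line and can be `VXUser vXUser = xUserService.getXUserByUserName(userName);`. A one-line comment such as `// callers without the User/Groups module see a masked view` would explain why a read path consults permissions.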
@@ -533,8 +538,12 @@ public VXGroupUser createXGroupUser(VXGroupUser vXGroupUser) { } public VXUser getXUser(Long id) { - return xUserService.readResourceWithOutLogin(id); - + VXUser vXUser=null; + vXUser=xUserService.readResourceWithOutLogin(id); + if(vXUser!=null && !hasAccessToModule(RangerConstants.MODULE_USER_GROUPS)){ + vXUser=getMaskedVXUser(vXUser); + } + return vXUser; } public VXGroupUser getXGroupUser(Long id) { @@ -543,8 +552,12 @@ public VXGroupUser getXGroupUser(Long id) { } public VXGroup getXGroup(Long id) { - return xGroupService.readResourceWithOutLogin(id); - + VXGroup vXGroup=null; + vXGroup=xGroupService.readResourceWithOutLogin(id); + if(vXGroup!=null && !hasAccessToModule(RangerConstants.MODULE_USER_GROUPS)){ + vXGroup=getMaskedVXGroup(vXGroup); + } + return vXGroup; } /** 
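Review bot: `VXUser vXUser=null; vXUser=xUserService.readResourceWithOutLogin(id);` assigns null only to overwrite it on the next line; write `VXUser vXUser = xUserService.readResourceWithOutLogin(id);` (and the same for `vXGroup` in getXGroup). The `if(x!=null && !hasAccessToModule(RangerConstants.MODULE_USER_GROUPS))` guard is now repeated verbatim in getXUserByUserName, getXUser and getXGroup; a private helper that takes the object and masks it when the caller lacks the module would keep the three in step when the masking rules change. A null result is still returned as null, so existing null checks in callers are unaffected.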
@@ -1305,4 +1318,94 @@ public VXStringList getStringListFromUserRoleList( return vXStringList; } + public boolean hasAccess(String loginID) { + UserSessionBase session = ContextUtil.getCurrentUserSession(); + if (session != null) { + if(session.isUserAdmin() || session.getLoginId().equalsIgnoreCase(loginID)){ + return true; + } + } + return false; + } + + public VXUser getMaskedVXUser(VXUser vXUser) { + if(vXUser!=null){ + if(vXUser.getGroupIdList()!=null && vXUser.getGroupIdList().size()>0){ + vXUser.setGroupIdList(new ArrayList()); + } + if(vXUser.getGroupNameList()!=null && vXUser.getGroupNameList().size()>0){ + vXUser.setGroupNameList(getMaskedCollection(vXUser.getGroupNameList())); + } + if(vXUser.getUserRoleList()!=null && vXUser.getUserRoleList().size()>0){ + vXUser.setUserRoleList(getMaskedCollection(vXUser.getUserRoleList())); + } + vXUser.setUpdatedBy(AppConstants.Masked_String); + } + return vXUser; + } + + public VXGroup getMaskedVXGroup(VXGroup vXGroup) { + if(vXGroup!=null){ + vXGroup.setUpdatedBy(AppConstants.Masked_String); + } + return vXGroup; + } + + @Override + public VXUserList searchXUsers(SearchCriteria searchCriteria) { + VXUserList vXUserList = new VXUserList(); + vXUserList=xUserService.searchXUsers(searchCriteria); + if(vXUserList!=null && !hasAccessToModule(RangerConstants.MODULE_USER_GROUPS)){ + List vXUsers = new ArrayList(); + if(vXUserList!=null && vXUserList.getListSize()>0){ + for(VXUser vXUser:vXUserList.getList()){ + vXUser=getMaskedVXUser(vXUser); + vXUsers.add(vXUser); + } + vXUserList.setVXUsers(vXUsers); + } + } + return vXUserList; + } + + @Override + public VXGroupList searchXGroups(SearchCriteria searchCriteria) { + VXGroupList vXGroupList=null; + vXGroupList=xGroupService.searchXGroups(searchCriteria); + if(vXGroupList!=null && !hasAccessToModule(RangerConstants.MODULE_USER_GROUPS)){ + if(vXGroupList!=null && vXGroupList.getListSize()>0){ + List listMasked=new ArrayList(); + for(VXGroup vXGroup:vXGroupList.getList()){ + 
vXGroup=getMaskedVXGroup(vXGroup); + listMasked.add(vXGroup); + } + vXGroupList.setVXGroups(listMasked); + } + } + return vXGroupList; + } + + public Collection getMaskedCollection(Collection listunMasked){ + List listMasked=new ArrayList(); + if(listunMasked!=null && listunMasked.size()>0){ + for(String content:listunMasked){ + listMasked.add(AppConstants.Masked_String); + } + } + return listMasked; + } + + public boolean hasAccessToModule(String moduleName){ + UserSessionBase userSession = ContextUtil.getCurrentUserSession(); + if (userSession != null && userSession.getLoginId()!=null){ + VXUser vxUser = xUserService.getXUserByUserName(userSession.getLoginId()); + if(vxUser!=null){ + List permissionList = daoManager.getXXModuleDef().findAccessibleModulesByUserId(userSession.getUserId(), vxUser.getId()); + if(permissionList!=null && permissionList.contains(moduleName)){ + return true; + } + } + } + return false; + } } diff --git a/security-admin/src/main/java/org/apache/ranger/common/AppConstants.java b/security-admin/src/main/java/org/apache/ranger/common/AppConstants.java index 5de18f6fb33..0f81e6b4572 100644 --- a/security-admin/src/main/java/org/apache/ranger/common/AppConstants.java +++ b/security-admin/src/main/java/org/apache/ranger/common/AppConstants.java @@ -563,6 +563,7 @@ public class AppConstants extends RangerCommonEnums { public static final int HIST_OBJ_STATUS_DELETED = 3; public static final int MAX_HIST_OBJ_STATUS = 3; + public static final String Masked_String = "*****"; static public String getLabelFor_AssetType( int elementValue ) { diff --git a/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java b/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java index abf4db47834..40b08c414ca 100644 --- a/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java 
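Review bot: `getMaskedCollection` emits one `*****` per element, so a caller without the User/Groups module still learns how many groups and roles a user has, while `setGroupIdList(new ArrayList())` on the same object hides the count entirely; make the two consistent by emitting a single marker, e.g. replace the per-element loop with `if (!listunMasked.isEmpty()) { listMasked.add(AppConstants.Masked_String); }` (or return an empty list). `hasAccessToModule` appears to run a user lookup and a module-permission query on every call; searchXUsers and searchXGroups call it once per search, which is acceptable, but the single-object getters elsewhere in this patch pay the same cost per lookup. `hasAccess(String loginID)` is added without a visible caller; if nothing in this patch uses it, drop it or add a comment naming the intended use.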
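Review bot: `Masked_String` mixes cases in a `public static final` constant; the neighbouring constants (`HIST_OBJ_STATUS_DELETED`, `MAX_HIST_OBJ_STATUS`) use upper snake case, so `public static final String MASKED_STRING = "*****";` would match, with the references in XUserMgr renamed alongside. A short comment on what the value is for, `// placeholder returned in place of user/group details the caller is not permitted to see`, would help, since the name alone does not say where it is used.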
+++ b/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java @@ -505,6 +505,10 @@ private Authentication getJDBCAuthentication(Authentication authentication,Strin final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(principal, userPassword, grantedAuths); authentication= authenticator.authenticate(finalAuthentication); return authentication; + }else{ + if(authentication!=null&&!authentication.isAuthenticated()){ + throw new BadCredentialsException("Bad credentials"); + } } } catch (BadCredentialsException e) { throw e; diff --git a/security-admin/src/main/webapp/scripts/prelogin/XAPrelogin.js b/security-admin/src/main/webapp/scripts/prelogin/XAPrelogin.js index 3d33d8678b3..c226d6340c7 100644 --- a/security-admin/src/main/webapp/scripts/prelogin/XAPrelogin.js +++ b/security-admin/src/main/webapp/scripts/prelogin/XAPrelogin.js @@ -33,18 +33,19 @@ if (!Array.indexOf) { function doLogin() { - if ($("#username").val() === '' || $('#password').val() === '') { + var userName = $('#username').val().trim(); + var passwd = $('#password').val().trim(); + + if (userName === '' || passwd === '') { $('#errorBox').show(); $('#signInLoading').hide(); $('#signIn').removeAttr('disabled'); $('#errorBox .errorMsg').text("The username or password you entered is incorrect.."); return false; } - var userName = $('#username').val().trim(); - var passwd = $('#password').val().trim(); var regexEmail = /^([a-zA-Z0-9_\.\-\+])+\@(([a-zA-Z0-9\-])+\.)+([a-zA-Z0-9]{2,4})+$/; - var regexPlain = /^([a-zA-Z0-9_\.\-\+])+$/; + var regexPlain = /^([a-zA-Z0-9_\.\-\+ ])+$/; if(!regexPlain.test(userName)){ if(!regexEmail.test(userName)){ $('#errorBox').show(); @@ -63,8 +64,8 @@ function doLogin() { $.ajax({ data : { - j_username : userName, - j_password : passwd + j_username : $('#username').val(), + j_password : $('#password').val() }, url : url, type : 'POST', 
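Review bot: The new else branch throws only when `authentication` is non-null and unauthenticated; when it is null the code falls out of the try block into whatever follows the hunk, so a null token is still not reported as a failure here, which may or may not be intended. Formatting aside, `}else{` and `authentication!=null&&!authentication.isAuthenticated()` should read `} else {` and `authentication != null && !authentication.isAuthenticated()`, as the context lines put spaces around operators. A comment on why an unauthenticated token can reach this point, e.g. `// authenticator returned an unauthenticated token: treat it as a failed login instead of letting it fall through`, would make the intent clear. getJDBCAuthentication starts and ends outside this hunk.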
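Review bot: The request now carries `$('#username').val()` untrimmed while the earlier hunk validates the trimmed `userName` against `regexPlain`, so the client check no longer inspects what is sent: a username with leading or trailing spaces passes validation and is submitted with them. If the intent is only to stop trimming passwords (reasonable, since a password may legitimately contain spaces), send `j_username : userName` and keep just `j_password : $('#password').val()`. Either way this is client-side only; the server must apply its own validation, and the widened `regexPlain` (it now admits a space) changes nothing about what the backend accepts.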
diff --git a/storm-agent/scripts/install.sh b/storm-agent/scripts/install.sh index ab57bb996ee..955ceb5c670 100644 --- a/storm-agent/scripts/install.sh +++ b/storm-agent/scripts/install.sh @@ -228,7 +228,15 @@ if [ "${DB_FLAVOR}" == "ORACLE" ] then audit_db_hostname=`grep '^XAAUDIT.DB.HOSTNAME' ${install_dir}/install.properties | awk -F= '{ print $2 }'` propertyName=XAAUDIT.DB.JDBC_URL - newPropertyValue="jdbc:oracle:thin:\@//${audit_db_hostname}" + count=$(grep -o ":" <<< "$audit_db_hostname" | wc -l) + #if [[ ${count} -eq 2 ]] ; then + if [ ${count} -eq 2 ] || [ ${count} -eq 0 ]; then + #jdbc:oracle:thin:@[HOST][:PORT]:SID or #jdbc:oracle:thin:@GL + newPropertyValue="jdbc:oracle:thin:@${audit_db_hostname}" + else + #jdbc:oracle:thin:@//[HOST][:PORT]/SERVICE + newPropertyValue="jdbc:oracle:thin:@//${audit_db_hostname}" + fi updatePropertyToFile $propertyName $newPropertyValue $to_file propertyName=XAAUDIT.DB.JDBC_DRIVER From 4ce695353550d74b5ad8fd0fc7cf17b31fec11ef Mon Sep 17 00:00:00 2001 
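Review bot: The commented-out `#if [[ ${count} -eq 2 ]] ; then` line should be removed rather than left beside its replacement. The test also uses the count unquoted, `[ ${count} -eq 2 ] || [ ${count} -eq 0 ]`; `count` comes from `wc -l`, which on some platforms pads the number with leading spaces, so `[ "${count}" -eq 2 ] || [ "${count}" -eq 0 ]` is safer. The same colon-count heuristic is implemented in ranger_install.py in this patch, so a comment naming the three accepted forms (`host:port:SID`, `host[:port]/service`, TNS alias) in both places would keep them in step.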
From: Alok Lal Date: Mon, 9 Nov 2015 12:39:01 -0800 Subject: [PATCH 097/202] RANGER-725 Add the correct .gitignore file to projects, refactor existing .gitignore files --- .gitignore | 1 - ranger-examples/.gitignore | 2 ++ ranger-hbase-plugin-shim/.gitignore | 2 ++ ranger-hdfs-plugin-shim/.gitignore | 2 ++ ranger-hive-plugin-shim/.gitignore | 2 ++ ranger-knox-plugin-shim/.gitignore | 2 ++ ranger-plugin-classloader/.gitignore | 2 ++ ranger-storm-plugin-shim/.gitignore | 2 ++ ranger-yarn-plugin-shim/.gitignore | 2 ++ tagsync/.gitignore | 2 ++ ugsync/ldapconfigchecktool/ldapconfigcheck/.gitignore | 3 +++ 11 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 ranger-examples/.gitignore create mode 100644 ranger-hbase-plugin-shim/.gitignore create mode 100644 ranger-hdfs-plugin-shim/.gitignore create mode 100644 ranger-hive-plugin-shim/.gitignore create mode 100644 ranger-knox-plugin-shim/.gitignore create mode 100644 ranger-plugin-classloader/.gitignore create mode 100644 ranger-storm-plugin-shim/.gitignore create mode 100644 ranger-yarn-plugin-shim/.gitignore create mode 100644 tagsync/.gitignore create mode 100644 ugsync/ldapconfigchecktool/ldapconfigcheck/.gitignore diff --git a/.gitignore b/.gitignore index bced5a76351..c2def9d8a1d 100644 --- a/.gitignore +++ b/.gitignore @@ -8,5 +8,4 @@ /target/ winpkg/target .DS_Store -.gitignore .idea diff --git a/ranger-examples/.gitignore b/ranger-examples/.gitignore new file mode 100644 index 00000000000..b9c5b0ba7a3 --- /dev/null +++ b/ranger-examples/.gitignore @@ -0,0 +1,2 @@ +/target/ +.settings/ diff --git a/ranger-hbase-plugin-shim/.gitignore b/ranger-hbase-plugin-shim/.gitignore new file mode 100644 index 00000000000..b9c5b0ba7a3 --- /dev/null +++ b/ranger-hbase-plugin-shim/.gitignore @@ -0,0 +1,2 @@ +/target/ +.settings/ diff --git a/ranger-hdfs-plugin-shim/.gitignore b/ranger-hdfs-plugin-shim/.gitignore new file mode 100644 index 00000000000..b9c5b0ba7a3 --- /dev/null 
+++ b/ranger-hdfs-plugin-shim/.gitignore @@ -0,0 +1,2 @@ +/target/ +.settings/ diff --git a/ranger-hive-plugin-shim/.gitignore b/ranger-hive-plugin-shim/.gitignore new file mode 100644 index 00000000000..b9c5b0ba7a3 --- /dev/null +++ b/ranger-hive-plugin-shim/.gitignore @@ -0,0 +1,2 @@ +/target/ +.settings/ diff --git a/ranger-knox-plugin-shim/.gitignore b/ranger-knox-plugin-shim/.gitignore new file mode 100644 index 00000000000..b9c5b0ba7a3 --- /dev/null +++ b/ranger-knox-plugin-shim/.gitignore @@ -0,0 +1,2 @@ +/target/ +.settings/ diff --git a/ranger-plugin-classloader/.gitignore b/ranger-plugin-classloader/.gitignore new file mode 100644 index 00000000000..b9c5b0ba7a3 --- /dev/null +++ b/ranger-plugin-classloader/.gitignore @@ -0,0 +1,2 @@ +/target/ +.settings/ diff --git a/ranger-storm-plugin-shim/.gitignore b/ranger-storm-plugin-shim/.gitignore new file mode 100644 index 00000000000..b9c5b0ba7a3 --- /dev/null +++ b/ranger-storm-plugin-shim/.gitignore @@ -0,0 +1,2 @@ +/target/ +.settings/ diff --git a/ranger-yarn-plugin-shim/.gitignore b/ranger-yarn-plugin-shim/.gitignore new file mode 100644 index 00000000000..b9c5b0ba7a3 --- /dev/null +++ b/ranger-yarn-plugin-shim/.gitignore @@ -0,0 +1,2 @@ +/target/ +.settings/ diff --git a/tagsync/.gitignore b/tagsync/.gitignore new file mode 100644 index 00000000000..b9c5b0ba7a3 --- /dev/null +++ b/tagsync/.gitignore @@ -0,0 +1,2 @@ +/target/ +.settings/ diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/.gitignore b/ugsync/ldapconfigchecktool/ldapconfigcheck/.gitignore new file mode 100644 index 00000000000..034279e6958 --- /dev/null +++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/.gitignore @@ -0,0 +1,3 @@ +/target/ +.settings/ +dependency-reduced-pom.xml From e7d18115c903cac57bc599bf77587ede1f7e90bf Mon Sep 17 00:00:00 2001 
From: Madhan Neethiraj Date: Wed, 11 Nov 2015 10:27:24 -0800 Subject: [PATCH 098/202] RANGER-702: optimize policy download performance --- .../ranger/plugin/util/RangerPerfTracer.java | 80 ++ .../ranger/biz/RangerPolicyRetriever.java | 658 ++++++++++++++ .../org/apache/ranger/biz/ServiceDBStore.java | 20 +- .../ranger/db/XXPolicyItemAccessDao.java | 26 + .../ranger/db/XXPolicyItemConditionDao.java | 26 + .../org/apache/ranger/db/XXPolicyItemDao.java | 16 + .../ranger/db/XXPolicyItemGroupPermDao.java | 25 + .../ranger/db/XXPolicyItemUserPermDao.java | 25 + .../apache/ranger/db/XXPolicyResourceDao.java | 13 + .../ranger/db/XXPolicyResourceMapDao.java | 25 + .../org/apache/ranger/rest/ServiceREST.java | 247 +++++- .../service/RangerBaseModelService.java | 133 ++- .../ranger/service/RangerPolicyService.java | 11 +- .../service/RangerPolicyServiceBase.java | 104 --- .../RangerPolicyWithAssignedIdService.java | 13 +- .../resources/META-INF/jpa_named_queries.xml | 104 ++- .../src/main/webapp/WEB-INF/log4j.xml | 16 + .../service/TestRangerPolicyService.java | 813 ------------------ 18 files changed, 1352 insertions(+), 1003 deletions(-) create mode 100644 agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPerfTracer.java create mode 100644 security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPerfTracer.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPerfTracer.java new file mode 100644 index 00000000000..fc84bcd34e7 --- /dev/null +++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPerfTracer.java 
@@ -0,0 +1,80 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.util;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.commons.lang.StringUtils;
+
+public class RangerPerfTracer {
+ private final Log logger;
+ private final String tag;
+ private final long startTimeMs;
+
+ public static Log getPerfLogger(String name) {
+ return LogFactory.getLog("ranger.perf." + name);
+ }
+
+ public static Log getPerfLogger(Class cls) {
+ return RangerPerfTracer.getPerfLogger(cls.getName());
+ }
+
+ public static boolean isPerfTraceEnabled(Log logger) {
+ return logger.isInfoEnabled();
+ }
+
+ public static RangerPerfTracer getPerfTracer(Log logger, String tag) {
+ return logger.isInfoEnabled() ? new RangerPerfTracer(logger, tag) : null;
+ }
+
+ public static RangerPerfTracer getPerfTracer(Log logger, Object... tagParts) {
+ return logger.isInfoEnabled() ? new RangerPerfTracer(logger, StringUtils.join(tagParts)) : null;
+ }
+
+ public static void log(RangerPerfTracer tracer) {
+ if(tracer != null) {
+ tracer.log();
+ }
+ }
+
+ public RangerPerfTracer(Log logger, String tag) {
+ this.logger = logger;
+ this.tag = tag;
+ startTimeMs = System.currentTimeMillis();
+ }
+
+ public final String getTag() {
+ return tag;
+ }
+
+ public final long getStartTime() {
+ return startTimeMs;
+ }
+
+ public final long getElapsedTime() {
+ return System.currentTimeMillis() - startTimeMs;
+ }
+
+ public void log() {
+ if(logger.isInfoEnabled()) {
+ logger.info("[PERF] " + tag + ": " + getElapsedTime());
+ }
+ }
+}
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java
new file mode 100644
index 00000000000..2415df7ae65
--- /dev/null
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java
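Review bot: getElapsedTime() derives a duration from System.currentTimeMillis(), which is a wall clock that jumps or moves backwards when the host's time is adjusted, so a perf sample spanning such an adjustment is wrong or negative; durations should come from the monotonic System.nanoTime(). Keep startTimeMs for getStartTime(), add `private final long startNanos;` assigned in the constructor with `startNanos = System.nanoTime();`, and compute `return (System.nanoTime() - startNanos) / 1000000L;`. The message written by log() carries no unit, so appending a literal ` ms` to the concatenation would make the perf log self-describing. If the `Class cls` parameter of getPerfLogger is really raw in the source rather than a `Class<?>` lost in rendering, it should be declared `Class<?> cls`.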
@@ -0,0 +1,658 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.biz;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.ListIterator;
+import java.util.Map;
+
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.authorization.utils.StringUtil;
+import org.apache.ranger.db.RangerDaoManager;
+import org.apache.ranger.entity.XXAccessTypeDef;
+import org.apache.ranger.entity.XXGroup;
+import org.apache.ranger.entity.XXPolicy;
+import org.apache.ranger.entity.XXPolicyConditionDef;
+import org.apache.ranger.entity.XXPolicyItem;
+import org.apache.ranger.entity.XXPolicyItemAccess;
+import org.apache.ranger.entity.XXPolicyItemCondition;
+import org.apache.ranger.entity.XXPolicyItemGroupPerm;
+import org.apache.ranger.entity.XXPolicyItemUserPerm;
+import org.apache.ranger.entity.XXPolicyResource;
+import org.apache.ranger.entity.XXPolicyResourceMap;
+import org.apache.ranger.entity.XXPortalUser;
+import org.apache.ranger.entity.XXResourceDef;
+import org.apache.ranger.entity.XXService;
+import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
+import org.apache.ranger.plugin.policyevaluator.RangerPolicyItemEvaluator;
+import org.apache.ranger.plugin.util.RangerPerfTracer;
+
+
+public class RangerPolicyRetriever {
+ static final Log LOG = LogFactory.getLog(RangerPolicyRetriever.class);
+ static final Log PERF_LOG = RangerPerfTracer.getPerfLogger("db.RangerPolicyRetriever");
+
+ final RangerDaoManager daoMgr;
+ final LookupCache lookupCache;
+
+ public RangerPolicyRetriever(RangerDaoManager daoMgr) {
+ this.daoMgr = daoMgr;
+ this.lookupCache = new LookupCache();
+ }
+
+ public List getServicePolicies(Long serviceId) {
+ List ret = null;
+
+ if(serviceId != null) {
+ XXService xService = getXXService(serviceId);
+
+ if(xService != null) {
+ ret = getServicePolicies(xService);
+ } else {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("RangerPolicyRetriever.getServicePolicies(serviceId=" + serviceId + "): service not found");
+ }
+ }
+ }
+
+ return ret;
+ }
+
+ public List getServicePolicies(String serviceName) {
+ List ret = null;
+
+ if(serviceName != null) {
+ XXService xService = getXXService(serviceName);
+
+ if(xService != null) {
+ ret = getServicePolicies(xService);
+ } else {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("RangerPolicyRetriever.getServicePolicies(serviceName=" + serviceName + "): service not found");
+ }
+ }
+ }
+
+ return ret;
+ }
+
+ public List getServicePolicies(XXService xService) {
+ String serviceName = xService == null ? null : xService.getName();
+ Long serviceId = xService == null ? null : xService.getId();
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerPolicyRetriever.getServicePolicies(serviceName=" + serviceName + ", serviceId=" + serviceId + ")");
+ }
+
+ List ret = null;
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "RangerPolicyRetriever.getServicePolicies(serviceName=" + serviceName + ", serviceId=" + serviceId + ")");
+ }
+
+ if(xService != null) {
+ RetrieverContext ctx = new RetrieverContext(xService);
+
+ ret = ctx.getAllPolicies();
+ } else {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("RangerPolicyRetriever.getServicePolicies(xService=" + xService + "): invalid parameter");
+ }
+ }
+
+ RangerPerfTracer.log(perf);
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerPolicyRetriever.getServicePolicies(serviceName=" + serviceName + ", serviceId=" + serviceId + "): policyCount=" + (ret == null ? 0 : ret.size()));
+ }
+
+ return ret;
+ }
+
+ public RangerPolicy getPolicy(Long policyId) {
+ RangerPolicy ret = null;
+
+ if(policyId != null) {
+ XXPolicy xPolicy = getXXPolicy(policyId);
+
+ if(xPolicy != null) {
+ ret = getPolicy(xPolicy);
+ } else {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("RangerPolicyRetriever.getPolicy(policyId=" + policyId + "): policy not found");
+ }
+ }
+
+ }
+
+ return ret;
+ }
+
+ public RangerPolicy getPolicy(XXPolicy xPolicy) {
+ RangerPolicy ret = null;
+
+ if(xPolicy != null) {
+ XXService xService = getXXService(xPolicy.getService());
+
+ if(xService != null) {
+ ret = getPolicy(xPolicy, xService);
+ } else {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("RangerPolicyRetriever.getPolicy(policyId=" + xPolicy.getId() + "): service not found (serviceId=" + xPolicy.getService() + ")");
+ }
+ }
+ }
+
+ return ret;
+ }
+
+ public RangerPolicy getPolicy(XXPolicy xPolicy, XXService xService) {
+ Long policyId = xPolicy == null ? null : xPolicy.getId();
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerPolicyRetriever.getPolicy(" + policyId + ")");
+ }
+
+ RangerPolicy ret = null;
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "RangerPolicyRetriever.getPolicy(policyId=" + policyId + ")");
+ }
+
+ if(xPolicy != null && xService != null) {
+ RetrieverContext ctx = new RetrieverContext(xPolicy, xService);
+
+ ret = ctx.getNextPolicy();
+ } else {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("RangerPolicyRetriever.getPolicy(xPolicy=" + xPolicy + ", xService=" + xService + "): invalid parameter(s)");
+ }
+ }
+
+ RangerPerfTracer.log(perf);
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerPolicyRetriever.getPolicy(" + policyId + "): " + ret);
+ }
+
+ return ret;
+ }
+
+ private XXService getXXService(Long serviceId) {
+ XXService ret = null;
+
+ if(serviceId != null) {
+ ret = daoMgr.getXXService().getById(serviceId);
+ }
+
+ return ret;
+ }
+
+ private XXService getXXService(String serviceName) {
+ XXService ret = null;
+
+ if(serviceName != null) {
+ ret = daoMgr.getXXService().findByName(serviceName);
+ }
+
+ return ret;
+ }
+
+ private XXPolicy getXXPolicy(Long policyId) {
+ XXPolicy ret = null;
+
+ if(policyId != null) {
+ ret = daoMgr.getXXPolicy().getById(policyId);
+ }
+
+ return ret;
+ }
+
+ class LookupCache {
+ final Map userNames = new HashMap();
+ final Map userScreenNames = new HashMap();
+ final Map groupNames = new HashMap();
+ final Map accessTypes = new HashMap();
+ final Map conditions = new HashMap();
+ final Map resourceDefs = new HashMap();
+
+ String getUserName(Long userId) {
+ String ret = null;
+
+ if(userId != null) {
+ ret = userNames.get(userId);
+
+ if(ret == null) {
+ XXPortalUser user = daoMgr.getXXPortalUser().getById(userId);
+
+ if(user != null) {
+ ret = user.getLoginId();
+
+ userNames.put(userId, ret);
+ }
+ }
+ }
+
+ return ret;
+ }
+
+ String getUserScreenName(Long userId) {
+ String ret = null;
+
+ if(userId != null) {
+ ret = userScreenNames.get(userId);
+
+ if(ret == null) {
+ XXPortalUser user = daoMgr.getXXPortalUser().getById(userId);
+
+ if(user != null) {
+ ret = user.getPublicScreenName();
+
+ if (StringUtil.isEmpty(ret)) {
+ ret = user.getFirstName();
+
+ if(StringUtil.isEmpty(ret)) {
+ ret = user.getLoginId();
+ } else {
+ if(!StringUtil.isEmpty(user.getLastName())) {
+ ret += (" " + user.getLastName());
+ }
+ }
+ }
+
+ if(ret != null) {
+ userScreenNames.put(userId, ret);
+ }
+ }
+ }
+ }
+
+ return ret;
+ }
+
+ String getGroupName(Long groupId) {
+ String ret = null;
+
+ if(groupId != null) {
+ ret = groupNames.get(groupId);
+
+ if(ret == null) {
+ XXGroup group = daoMgr.getXXGroup().getById(groupId);
+
+ if(group != null) {
+ ret = group.getName();
+
+ groupNames.put(groupId, ret);
+ }
+ }
+ }
+
+ return ret;
+ }
+
+ String getAccessType(Long accessTypeId) {
+ String ret = null;
+
+ if(accessTypeId != null) {
+ ret = accessTypes.get(accessTypeId);
+
+ if(ret == null) {
+ XXAccessTypeDef xAccessType = daoMgr.getXXAccessTypeDef().getById(accessTypeId);
+
+ if(xAccessType != null) {
+ ret = xAccessType.getName();
+
+ accessTypes.put(accessTypeId, ret);
+ }
+ }
+ }
+
+ return ret;
+ }
+
+ String getConditionType(Long conditionDefId) {
+ String ret = null;
+
+ if(conditionDefId != null) {
+ ret = conditions.get(conditionDefId);
+
+ if(ret == null) {
+ XXPolicyConditionDef xPolicyConditionDef = daoMgr.getXXPolicyConditionDef().getById(conditionDefId);
+
+ if(xPolicyConditionDef != null) {
+ ret = xPolicyConditionDef.getName();
+
+ conditions.put(conditionDefId, ret);
+ }
+ }
+ }
+
+ return ret;
+ }
+
+ String getResourceName(Long resourceDefId) {
+ String ret = null;
+
+ if(resourceDefId != null) {
+ ret = resourceDefs.get(resourceDefId);
+
+ if(ret == null) {
+ XXResourceDef xResourceDef = daoMgr.getXXResourceDef().getById(resourceDefId);
+
+ if(xResourceDef != null) {
+ ret = xResourceDef.getName();
+
+ resourceDefs.put(resourceDefId, ret);
+ }
+ }
+ }
+
+ return ret;
+ }
+ }
+
+ static List asList(XXPolicy policy) {
+ List ret = new ArrayList();
+
+ if(policy != null) {
+ ret.add(policy);
+ }
+
+ return ret;
+ }
+
+ class RetrieverContext {
+ final XXService service;
+ final ListIterator iterPolicy;
+ final ListIterator iterResources;
+ final ListIterator iterResourceMaps;
+ final ListIterator iterPolicyItems;
+ final ListIterator iterUserPerms;
+ final ListIterator iterGroupPerms;
+ final ListIterator iterAccesses;
+ final ListIterator iterConditions;
+
+ RetrieverContext(XXService xService) {
+ Long serviceId = xService == null ? null : xService.getId();
+
+ List xPolicies = daoMgr.getXXPolicy().findByServiceId(serviceId);
+ List xResources = daoMgr.getXXPolicyResource().findByServiceId(serviceId);
+ List xResourceMaps = daoMgr.getXXPolicyResourceMap().findByServiceId(serviceId);
+ List xPolicyItems = daoMgr.getXXPolicyItem().findByServiceId(serviceId);
+ List xUserPerms = daoMgr.getXXPolicyItemUserPerm().findByServiceId(serviceId);
+ List xGroupPerms = daoMgr.getXXPolicyItemGroupPerm().findByServiceId(serviceId);
+ List xAccesses = daoMgr.getXXPolicyItemAccess().findByServiceId(serviceId);
+ List xConditions = daoMgr.getXXPolicyItemCondition().findByServiceId(serviceId);
+
+ this.service = xService;
+ this.iterPolicy = xPolicies.listIterator();
+ this.iterResources = xResources.listIterator();
+ this.iterResourceMaps = xResourceMaps.listIterator();
+ this.iterPolicyItems = xPolicyItems.listIterator();
+ this.iterUserPerms = xUserPerms.listIterator();
+ this.iterGroupPerms = xGroupPerms.listIterator();
+ this.iterAccesses = xAccesses.listIterator();
+ this.iterConditions = xConditions.listIterator();
+ }
+
+ RetrieverContext(XXPolicy xPolicy) {
+ this(xPolicy, getXXService(xPolicy.getService()));
+ }
+
+ RetrieverContext(XXPolicy xPolicy, XXService xService) {
+ Long policyId = xPolicy == null ? null : xPolicy.getId();
+
+ List xPolicies = asList(xPolicy);
+ List xResources = daoMgr.getXXPolicyResource().findByPolicyId(policyId);
+ List xResourceMaps = daoMgr.getXXPolicyResourceMap().findByPolicyId(policyId);
+ List xPolicyItems = daoMgr.getXXPolicyItem().findByPolicyId(policyId);
+ List xUserPerms = daoMgr.getXXPolicyItemUserPerm().findByPolicyId(policyId);
+ List xGroupPerms = daoMgr.getXXPolicyItemGroupPerm().findByPolicyId(policyId);
+ List xAccesses = daoMgr.getXXPolicyItemAccess().findByPolicyId(policyId);
+ List xConditions = daoMgr.getXXPolicyItemCondition().findByPolicyId(policyId);
+
+ this.service = xService;
+ this.iterPolicy = xPolicies.listIterator();
+ this.iterResources = xResources.listIterator();
+ this.iterResourceMaps = xResourceMaps.listIterator();
+ this.iterPolicyItems = xPolicyItems.listIterator();
+ this.iterUserPerms = xUserPerms.listIterator();
+ this.iterGroupPerms = xGroupPerms.listIterator();
+ this.iterAccesses = xAccesses.listIterator();
+ this.iterConditions = xConditions.listIterator();
+ }
+
+ RangerPolicy getNextPolicy() {
+ RangerPolicy ret = null;
+
+ if(iterPolicy.hasNext()) {
+ XXPolicy xPolicy = iterPolicy.next();
+
+ if(xPolicy != null) {
+ ret = new RangerPolicy();
+
+ ret.setId(xPolicy.getId());
+ ret.setGuid(xPolicy.getGuid());
+ ret.setIsEnabled(xPolicy.getIsEnabled());
+ ret.setCreatedBy(lookupCache.getUserScreenName(xPolicy.getAddedByUserId()));
+ ret.setUpdatedBy(lookupCache.getUserScreenName(xPolicy.getUpdatedByUserId()));
+ ret.setCreateTime(xPolicy.getCreateTime());
+ ret.setUpdateTime(xPolicy.getUpdateTime());
+ ret.setVersion(xPolicy.getVersion());
+ ret.setService(service == null ? null : service.getName());
+ ret.setName(xPolicy.getName());
+ ret.setPolicyType(xPolicy.getPolicyType());
+ ret.setDescription(xPolicy.getDescription());
+ ret.setResourceSignature(xPolicy.getResourceSignature());
+ ret.setIsAuditEnabled(xPolicy.getIsAuditEnabled());
+
+ getResource(ret);
+ getPolicyItems(ret);
+ }
+ }
+
+ return ret;
+ }
+
+ List getAllPolicies() {
+ List ret = new ArrayList();
+
+ while(iterPolicy.hasNext()) {
+ RangerPolicy policy = getNextPolicy();
+
+ if(policy != null) {
+ ret.add(policy);
+ }
+ }
+
+ if(! hasProcessedAll()) {
+ LOG.warn("getAllPolicies(): perhaps one or more policies got updated during retrieval. Falling back to secondary method");
+
+ ret = getAllPoliciesBySecondary();
+ }
+
+ return ret;
+ }
+
+ List getAllPoliciesBySecondary() {
+ List ret = null;
+
+ if(service != null) {
+ List xPolicies = daoMgr.getXXPolicy().findByServiceId(service.getId());
+
+ if(CollectionUtils.isNotEmpty(xPolicies)) {
+ ret = new ArrayList(xPolicies.size());
+
+ for(XXPolicy xPolicy : xPolicies) {
+ RetrieverContext ctx = new RetrieverContext(xPolicy, service);
+
+ RangerPolicy policy = ctx.getNextPolicy();
+
+ if(policy != null) {
+ ret.add(policy);
+ }
+ }
+ }
+ }
+
+ return ret;
+ }
+
+ private boolean hasProcessedAll() {
+ boolean moreToProcess = iterPolicy.hasNext()
+ || iterResources.hasNext()
+ || iterResourceMaps.hasNext()
+ || iterPolicyItems.hasNext()
+ || iterUserPerms.hasNext()
+ || iterGroupPerms.hasNext()
+ || iterAccesses.hasNext()
+ || iterConditions.hasNext();
+
+ return !moreToProcess;
+ }
+
+ private void getResource(RangerPolicy policy) {
+ while(iterResources.hasNext()) {
+ XXPolicyResource xResource = iterResources.next();
+
+ if(xResource.getPolicyid().equals(policy.getId())) {
+ RangerPolicyResource resource = new RangerPolicyResource();
+
+ resource.setIsExcludes(xResource.getIsexcludes());
+ resource.setIsRecursive(xResource.getIsrecursive());
+
+ while(iterResourceMaps.hasNext()) {
+ XXPolicyResourceMap xResourceMap = iterResourceMaps.next();
+
+ if(xResourceMap.getResourceid().equals(xResource.getId())) {
+ resource.getValues().add(xResourceMap.getValue());
+ } else {
+ if(iterResourceMaps.hasPrevious()) {
+ iterResourceMaps.previous();
+ }
+ break;
+ }
+ }
+
+ policy.getResources().put(lookupCache.getResourceName(xResource.getResdefid()), resource);
+ } else if(xResource.getPolicyid().compareTo(policy.getId()) > 0) {
+ if(iterResources.hasPrevious()) {
+ iterResources.previous();
+ }
+ break;
+ }
+ }
+ }
+
+ private void getPolicyItems(RangerPolicy policy) {
+ while(iterPolicyItems.hasNext()) {
+ XXPolicyItem xPolicyItem = iterPolicyItems.next();
+
+ if(xPolicyItem.getPolicyid().equals(policy.getId())) {
+ RangerPolicyItem policyItem = new RangerPolicyItem();
+
+ policyItem.setDelegateAdmin(xPolicyItem.getDelegateAdmin());
+
+ while(iterUserPerms.hasNext()) {
+ XXPolicyItemUserPerm xUserPerm = iterUserPerms.next();
+
+ if(xUserPerm.getPolicyitemid().equals(xPolicyItem.getId())) {
+ policyItem.getUsers().add(lookupCache.getUserName(xUserPerm.getUserid()));
+ } else {
+ if(iterUserPerms.hasPrevious()) {
+ iterUserPerms.previous();
+ }
+ break;
+ }
+ }
+
+ while(iterGroupPerms.hasNext()) {
+ XXPolicyItemGroupPerm xGroupPerm = iterGroupPerms.next();
+
+ if(xGroupPerm.getPolicyitemid().equals(xPolicyItem.getId())) {
+ policyItem.getGroups().add(lookupCache.getGroupName(xGroupPerm.getGroupid()));
+ } else {
+ if(iterGroupPerms.hasPrevious()) {
+ iterGroupPerms.previous();
+ }
+ break;
+ }
+ }
+
+ while(iterAccesses.hasNext()) {
+ XXPolicyItemAccess xAccess = iterAccesses.next();
+
+ if(xAccess.getPolicyitemid().equals(xPolicyItem.getId())) {
+ policyItem.getAccesses().add(new RangerPolicyItemAccess(lookupCache.getAccessType(xAccess.getType()), xAccess.getIsallowed()));
+ } else {
+ if(iterAccesses.hasPrevious()) {
+ iterAccesses.previous();
+ }
+ break;
+ }
+ }
+
+ RangerPolicyItemCondition condition = null;
+ Long prevConditionType = null;
+ while(iterConditions.hasNext()) {
+ XXPolicyItemCondition xCondition = iterConditions.next();
+
+ if(xCondition.getPolicyitemid().equals(xPolicyItem.getId())) {
+ if(! xCondition.getType().equals(prevConditionType)) {
+ condition = new RangerPolicyItemCondition();
+ condition.setType(lookupCache.getConditionType(xCondition.getType()));
+ condition.getValues().add(xCondition.getValue());
+
+ policyItem.getConditions().add(condition);
+
+ prevConditionType = xCondition.getType();
+ } else {
+ condition.getValues().add(xCondition.getValue());
+ }
+ } else {
+ if(iterConditions.hasPrevious()) {
+ iterConditions.previous();
+ }
+ break;
+ }
+ }
+
+ policy.getPolicyItems().add(policyItem);
+ } else if(xPolicyItem.getPolicyid().compareTo(policy.getId()) > 0) {
+ if(iterPolicyItems.hasPrevious()) {
+ iterPolicyItems.previous();
+ }
+ break;
+ }
+ }
+ }
+ }
+}
+
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index dad652d6050..97b68462aee 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -181,6 +181,7 @@ public class ServiceDBStore implements ServiceStore {
 @Autowired
 RangerFactory factory;
+ private static volatile boolean legacyServiceDefsInitDone = false;
 private Boolean populateExistingBaseFields = false;
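Review bot: RetrieverContext's merge walk in getResource() and getPolicyItems() (the `equals`/`compareTo(...) > 0` tests with `previous()` rewinds, and hasProcessedAll() as the drift check) is only correct if every findByServiceId/findByPolicyId query returns its rows sorted by policy id and then by policy-item or resource id, consistently across all eight lists; that requirement lives in the named queries in jpa_named_queries.xml, outside this hunk, and is not stated anywhere in this class. A comment on RetrieverContext such as `// Relies on every findByServiceId/findByPolicyId named query ordering rows by policy id, then by item/resource id; a mismatch is detected by hasProcessedAll() and the service is re-read policy by policy` would make the coupling visible to whoever next edits those queries. Two smaller points: getAllPolicies() returns an empty list when there is nothing to read, but after falling back to getAllPoliciesBySecondary() it returns null in the same situation, so callers see two different "no policies" values; and getResource() stores a resource whose resdefid is unknown to lookupCache.getResourceName() under a null key in policy.getResources(), which should probably be skipped with a warning instead. The unused RangerPolicyItemEvaluator import and the single-argument RetrieverContext(XXPolicy) constructor, which dereferences xPolicy without a null check, look like leftovers.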
@@ -1558,6 +1559,23 @@ public List getServicePolicies(Long serviceId, SearchFilter filter
 return ret;
 }
+ private List getServicePolicies(XXService service) throws Exception {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> ServiceDBStore.getServicePolicies(" + service.getName() + ")");
+ }
+
+ RangerPolicyRetriever policyRetriever = new RangerPolicyRetriever(daoMgr);
+
+ List ret = policyRetriever.getServicePolicies(service);
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== ServiceDBStore.getServicePolicies(" + service.getName() + "): count=" + ((ret == null) ? 0 : ret.size()));
+ }
+
+ return ret;
+ }
+
+
 public RangerPolicyList getPaginatedServicePolicies(Long serviceId, SearchFilter filter) throws Exception {
 if (LOG.isDebugEnabled()) {
 LOG.debug("==> ServiceDBStore.getPaginatedServicePolicies(" + serviceId + ")");
@@ -1640,7 +1658,7 @@ public ServicePolicies getServicePoliciesIfUpdated(String serviceName, Long last
 throw new Exception("service-def does not exist. id=" + serviceDbObj.getType());
 }
- List policies = getServicePolicies(serviceName, null);
+ List policies = getServicePolicies(serviceDbObj);
 ret = new ServicePolicies();
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXPolicyItemAccessDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXPolicyItemAccessDao.java
index d9952e01ea0..de37e10cde5 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXPolicyItemAccessDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXPolicyItemAccessDao.java
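Review bot: The new private getServicePolicies(XXService) declares `throws Exception` although nothing in its body throws a checked exception — RangerPolicyRetriever.getServicePolicies(XXService) in this same patch declares none — so callers are forced to handle an error that cannot occur; drop the clause, or narrow it if the retriever is expected to grow one. It also dereferences `service` in the debug line before any null check, while the retriever itself tolerates a null xService; `Objects.requireNonNull(service, "service")` at the top would make the contract explicit rather than failing only when debug logging is on. In the `@@ -1640` hunk on the same physical line, getServicePoliciesIfUpdated switches the plugin download path from getServicePolicies(serviceName, null) to the retriever: if the old SearchFilter path applied any post-processing to the policies that the retriever does not reproduce, that is now bypassed for every plugin refresh — I cannot tell from this hunk, so it is worth confirming. The enclosing getServicePoliciesIfUpdated continues outside the hunk.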
@@ -44,6 +44,32 @@ public List findByPolicyItemId(Long polItemId) {
 }
 }
+ public List findByPolicyId(Long policyId) {
+ if(policyId == null) {
+ return new ArrayList();
+ }
+ try {
+ return getEntityManager()
+ .createNamedQuery("XXPolicyItemAccess.findByPolicyId", tClass)
+ .setParameter("policyId", policyId).getResultList();
+ } catch (NoResultException e) {
+ return new ArrayList();
+ }
+ }
+
+ public List findByServiceId(Long serviceId) {
+ if(serviceId == null) {
+ return new ArrayList();
+ }
+ try {
+ return getEntityManager()
+ .createNamedQuery("XXPolicyItemAccess.findByServiceId", tClass)
+ .setParameter("serviceId", serviceId).getResultList();
+ } catch (NoResultException e) {
+ return new ArrayList();
+ }
+ }
+
 public List findByType(Long type) {
 if (type == null) {
 return new ArrayList();
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXPolicyItemConditionDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXPolicyItemConditionDao.java
index 4ed59f13921..11596ef4d1c 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXPolicyItemConditionDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXPolicyItemConditionDao.java
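Review bot: The `catch (NoResultException e)` around getResultList() in the new findByPolicyId and findByServiceId is dead code: in JPA NoResultException is thrown only by getSingleResult(), and getResultList() returns an empty list instead of throwing, so the catch never runs and suggests an error path that does not exist. The same shape is repeated in XXPolicyItemConditionDao, XXPolicyItemDao, XXPolicyItemGroupPermDao, XXPolicyItemUserPermDao, XXPolicyResourceDao and XXPolicyResourceMapDao on the following lines; it mirrors the pre-existing findByPolicyItemId above, so consistency may be the intent, but each new method could simply `return getEntityManager().createNamedQuery("XXPolicyItemAccess.findByServiceId", tClass).setParameter("serviceId", serviceId).getResultList();` after the null guard. XXPolicyItemDao.findByServiceId additionally guards `returnList == null`, which none of its six siblings do; pick one convention. RangerPolicyRetriever in this patch depends on these queries returning rows ordered by policy id and then by item/resource id, and since the queries live in jpa_named_queries.xml (outside this view) a one-line Javadoc on each method stating that ordering guarantee would make the contract visible from the DAO.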
@@ -44,6 +44,32 @@ public List findByPolicyItemId(Long polItemId) {
 }
 }
+ public List findByPolicyId(Long policyId) {
+ if(policyId == null) {
+ return new ArrayList();
+ }
+ try {
+ return getEntityManager()
+ .createNamedQuery("XXPolicyItemCondition.findByPolicyId", tClass)
+ .setParameter("policyId", policyId).getResultList();
+ } catch (NoResultException e) {
+ return new ArrayList();
+ }
+ }
+
+ public List findByServiceId(Long serviceId) {
+ if(serviceId == null) {
+ return new ArrayList();
+ }
+ try {
+ return getEntityManager()
+ .createNamedQuery("XXPolicyItemCondition.findByServiceId", tClass)
+ .setParameter("serviceId", serviceId).getResultList();
+ } catch (NoResultException e) {
+ return new ArrayList();
+ }
+ }
+
 public List findByPolicyItemAndDefId(Long polItemId, Long polCondDefId) {
 if(polItemId == null || polCondDefId == null) {
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXPolicyItemDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXPolicyItemDao.java
index 9c3fe2e1264..56771733378 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXPolicyItemDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXPolicyItemDao.java
@@ -53,4 +53,20 @@ public List findByPolicyId(Long policyId) {
 }
 }
+
+ public List findByServiceId(Long serviceId) {
+ if (serviceId == null) {
+ return new ArrayList();
+ }
+ try {
+ List returnList = getEntityManager() .createNamedQuery("XXPolicyItem.findByServiceId", tClass) .setParameter("serviceId", serviceId).getResultList();
+ if (returnList == null) {
+ return new ArrayList();
+ }
+ return returnList;
+ } catch (NoResultException e) {
+ return new ArrayList();
+ }
+ }
 }
\ No newline at end of file
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXPolicyItemGroupPermDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXPolicyItemGroupPermDao.java
index fe0c8060930..8c05699b25e 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXPolicyItemGroupPermDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXPolicyItemGroupPermDao.java
@@ -44,4 +44,29 @@ public List findByPolicyItemId(Long polItemId) {
 }
 }
+ public List findByPolicyId(Long policyId) {
+ if(policyId == null) {
+ return new ArrayList();
+ }
+ try {
+ return getEntityManager()
+ .createNamedQuery("XXPolicyItemGroupPerm.findByPolicyId", tClass)
+ .setParameter("policyId", policyId).getResultList();
+ } catch (NoResultException e) {
+ return new ArrayList();
+ }
+ }
+
+ public List findByServiceId(Long serviceId) {
+ if(serviceId == null) {
+ return new ArrayList();
+ }
+ try {
+ return getEntityManager()
+ .createNamedQuery("XXPolicyItemGroupPerm.findByServiceId", tClass)
+ .setParameter("serviceId", serviceId).getResultList();
+ } catch (NoResultException e) {
+ return new ArrayList();
+ }
+ }
 }
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXPolicyItemUserPermDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXPolicyItemUserPermDao.java
index d8235bc8a23..40a0da13b2e 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXPolicyItemUserPermDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXPolicyItemUserPermDao.java
@@ -44,4 +44,29 @@ public List findByPolicyItemId(Long polItemId) {
 }
 }
+ public List findByPolicyId(Long policyId) {
+ if(policyId == null) {
+ return new ArrayList();
+ }
+ try {
+ return getEntityManager()
+ .createNamedQuery("XXPolicyItemUserPerm.findByPolicyId", tClass)
+ .setParameter("policyId", policyId).getResultList();
+ } catch (NoResultException e) {
+ return new ArrayList();
+ }
+ }
+
+ public List findByServiceId(Long serviceId) {
+ if(serviceId == null) {
+ return new ArrayList();
+ }
+ try {
+ return getEntityManager()
+ .createNamedQuery("XXPolicyItemUserPerm.findByServiceId", tClass)
+ .setParameter("serviceId", serviceId).getResultList();
+ } catch (NoResultException e) {
+ return new ArrayList();
+ }
+ }
 }
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXPolicyResourceDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXPolicyResourceDao.java
index 0cdb75ef7ab..4b04b9664db 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXPolicyResourceDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXPolicyResourceDao.java
@@ -58,6 +58,19 @@ public List findByPolicyId(Long policyId) {
 }
 }
+ public List findByServiceId(Long serviceId) {
+ if(serviceId == null) {
+ return new ArrayList();
+ }
+ try {
+ return getEntityManager()
+ .createNamedQuery("XXPolicyResource.findByServiceId", tClass)
+ .setParameter("serviceId", serviceId).getResultList();
+ } catch (NoResultException e) {
+ return new ArrayList();
+ }
+ }
+
 public List findByResDefId(Long resDefId) {
 if (resDefId == null) {
 return new ArrayList();
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXPolicyResourceMapDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXPolicyResourceMapDao.java
index ecf4da06a5c..70657370afc 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXPolicyResourceMapDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXPolicyResourceMapDao.java
@@ -44,4 +44,29 @@ public List findByPolicyResId(Long polResId) {
 }
 }
+ public List findByPolicyId(Long policyId) {
+ if(policyId == null) {
+ return new ArrayList();
+ }
+ try {
+ return getEntityManager()
+ .createNamedQuery("XXPolicyResourceMap.findByPolicyId", tClass)
+ .setParameter("policyId", policyId).getResultList();
+ } catch (NoResultException e) {
+ return new ArrayList();
+ }
+ }
+
+ public List findByServiceId(Long serviceId) {
+ if(serviceId == null) {
+ return new ArrayList();
+ }
+ try {
+ return getEntityManager()
+ .createNamedQuery("XXPolicyResourceMap.findByServiceId", tClass)
+ .setParameter("serviceId", serviceId).getResultList();
+ } catch (NoResultException e) {
+ return new ArrayList();
+ }
+ }
 }
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index 537189706de..7718078b548 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -79,6 +79,7 @@
 import org.apache.ranger.plugin.service.ResourceLookupContext;
 import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
 import org.apache.ranger.plugin.util.GrantRevokeRequest;
+import org.apache.ranger.plugin.util.RangerPerfTracer;
 import org.apache.ranger.plugin.util.SearchFilter;
 import org.apache.ranger.plugin.util.ServicePolicies;
 import org.apache.ranger.security.context.RangerAPIList;
@@ -104,6 +105,7 @@
 @Transactional(propagation = Propagation.REQUIRES_NEW)
 public class ServiceREST {
 private static final Log LOG = LogFactory.getLog(ServiceREST.class);
+ private static final Log PERF_LOG = RangerPerfTracer.getPerfLogger("rest.ServiceREST");
 @Autowired
 RESTErrorUtil restErrorUtil;
@@ -162,7 +164,12 @@ public RangerServiceDef createServiceDef(RangerServiceDef serviceDef) {
 LOG.debug("==> ServiceREST.createServiceDef(" + serviceDef + ")");
 }
- RangerServiceDef ret = null;
+ RangerServiceDef ret = null;
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.createServiceDef(serviceDefName=" + serviceDef.getName() + ")");
+ }
 try {
 RangerServiceDefValidator validator = validatorFactory.getServiceDefValidator(svcStore);
@@ -178,6 +185,8 @@ public RangerServiceDef createServiceDef(RangerServiceDef serviceDef) {
 LOG.error("createServiceDef(" + serviceDef + ") failed", excp);
 throw restErrorUtil.createRESTException(excp.getMessage());
+ } finally {
+ RangerPerfTracer.log(perf);
 }
 if(LOG.isDebugEnabled()) {
@@ -196,7 +205,12 @@ public RangerServiceDef updateServiceDef(RangerServiceDef serviceDef) {
 LOG.debug("==> ServiceREST.updateServiceDef(" + serviceDef + ")");
 }
- RangerServiceDef ret = null;
+ RangerServiceDef ret = null;
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.updateServiceDef(serviceDefName=" + serviceDef.getName() + ")");
+ }
 try {
 RangerServiceDefValidator validator = validatorFactory.getServiceDefValidator(svcStore);
@@ -212,6 +226,8 @@ public RangerServiceDef updateServiceDef(RangerServiceDef serviceDef) {
 LOG.error("updateServiceDef(" + serviceDef + ") failed", excp);
 throw restErrorUtil.createRESTException(excp.getMessage());
+ } finally {
+ RangerPerfTracer.log(perf);
 }
 if(LOG.isDebugEnabled()) {
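Review bot: In createServiceDef and updateServiceDef the perf tag is built from `serviceDef.getName()` before the try block and before the validator runs, so a request with a missing body now fails with a NullPointerException outside the catch that turns errors into a REST response, whereas the pre-existing debug line tolerated null through string concatenation; the same pattern appears with `service.getName()` in createService on a later line. Building the tag inside the try, or writing `(serviceDef == null ? null : serviceDef.getName())`, keeps the error path as it was. Separately, these tags put a caller-supplied name into an info-level logger (perf tracing is gated on isInfoEnabled, unlike the surrounding debug output), so request input now reaches production logs through a new path; if the project sanitizes or bounds logged request values elsewhere, the same treatment belongs here. In the getServiceDefs and createService hunks the matching `finally { RangerPerfTracer.log(perf); }` is not in view, so whether those samples are ever emitted cannot be confirmed from here; the enclosing methods continue outside the hunks.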
@@ -230,6 +246,12 @@ public void deleteServiceDef(@PathParam("id") Long id, @Context HttpServletReque
 LOG.debug("==> ServiceREST.deleteServiceDef(" + id + ")");
 }
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.deleteServiceDef(serviceDefId=" + id + ")");
+ }
+
 try {
 RangerServiceDefValidator validator = validatorFactory.getServiceDefValidator(svcStore);
 validator.validate(id, Action.DELETE);
@@ -251,6 +273,8 @@ public void deleteServiceDef(@PathParam("id") Long id, @Context HttpServletReque
 LOG.error("deleteServiceDef(" + id + ") failed", excp);
 throw restErrorUtil.createRESTException(excp.getMessage());
+ } finally {
+ RangerPerfTracer.log(perf);
 }
 if(LOG.isDebugEnabled()) {
@@ -267,7 +291,12 @@ public RangerServiceDef getServiceDef(@PathParam("id") Long id) {
 LOG.debug("==> ServiceREST.getServiceDef(" + id + ")");
 }
- RangerServiceDef ret = null;
+ RangerServiceDef ret = null;
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServiceDef(serviceDefId=" + id + ")");
+ }
 try {
 XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(id);
@@ -284,6 +313,8 @@ public RangerServiceDef getServiceDef(@PathParam("id") Long id) {
 LOG.error("getServiceDef(" + id + ") failed", excp);
 throw restErrorUtil.createRESTException(excp.getMessage());
+ } finally {
+ RangerPerfTracer.log(perf);
 }
 if(ret == null) {
@@ -306,7 +337,12 @@ public RangerServiceDef getServiceDefByName(@PathParam("name") String name) {
 LOG.debug("==> ServiceREST.getServiceDefByName(" + name + ")");
 }
- RangerServiceDef ret = null;
+ RangerServiceDef ret = null;
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServiceDefByName(serviceDefName=" + name + ")");
+ }
 try {
 XXServiceDef xServiceDef = daoManager.getXXServiceDef().findByName(name);
@@ -325,6 +361,8 @@ public RangerServiceDef getServiceDefByName(@PathParam("name") String name) {
 LOG.error("getServiceDefByName(" + name + ") failed", excp);
 throw restErrorUtil.createRESTException(excp.getMessage());
+ } finally {
+ RangerPerfTracer.log(perf);
 }
 if(ret == null) {
@@ -347,7 +385,12 @@ public RangerServiceDefList getServiceDefs(@Context HttpServletRequest request)
 LOG.debug("==> ServiceREST.getServiceDefs()");
 }
- RangerServiceDefList ret = null;
+ RangerServiceDefList ret = null;
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServiceDefs()");
+ }
 SearchFilter filter = searchUtil.getSearchFilter(request, serviceDefService.sortFields);
@@ -376,7 +419,12 @@ public RangerService createService(RangerService service) {
 LOG.debug("==> ServiceREST.createService(" + service + ")");
 }
- RangerService ret = null;
+ RangerService ret = null;
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.createService(serviceName=" + service.getName() + ")");
+ }
 try {
 RangerServiceValidator validator = validatorFactory.getServiceValidator(svcStore);
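Review bot: getServiceDefs() creates a perf tracer that is never logged: the hunk at old line 347 adds `perf`, but the next hunk in this file starts at old line 376 inside createService, and the line offsets (+38 before, +43 after, exactly the 5 lines this hunk adds) show nothing was inserted in between, so no `finally { RangerPerfTracer.log(perf); }` was added to getServiceDefs' try/catch, unlike every other method touched here. The method will be silently missing from the perf log. Add `} finally { RangerPerfTracer.log(perf); }` to the try/catch that follows the `SearchFilter filter = ...` line; that try/catch lies outside this hunk.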
@@ -397,6 +445,8 @@ public RangerService createService(RangerService service) {
 LOG.error("createService(" + service + ") failed", excp);
 throw restErrorUtil.createRESTException(excp.getMessage());
+ } finally {
+ RangerPerfTracer.log(perf);
 }
 if(LOG.isDebugEnabled()) {
@@ -415,7 +465,12 @@ public RangerService updateService(RangerService service) {
 LOG.debug("==> ServiceREST.updateService(): " + service);
 }
- RangerService ret = null;
+ RangerService ret = null;
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.updateService(serviceName=" + service.getName() + ")");
+ }
 try {
 RangerServiceValidator validator = validatorFactory.getServiceValidator(svcStore);
@@ -436,6 +491,8 @@ public RangerService updateService(RangerService service) {
 LOG.error("updateService(" + service + ") failed", excp);
 throw restErrorUtil.createRESTException(excp.getMessage());
+ } finally {
+ RangerPerfTracer.log(perf);
 }
 if(LOG.isDebugEnabled()) {
@@ -454,6 +511,12 @@ public void deleteService(@PathParam("id") Long id) {
 LOG.debug("==> ServiceREST.deleteService(" + id + ")");
 }
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.deleteService(serviceId=" + id + ")");
+ }
+
 try {
 RangerServiceValidator validator = validatorFactory.getServiceValidator(svcStore);
 validator.validate(id, Action.DELETE);
@@ -474,6 +537,8 @@ public void deleteService(@PathParam("id") Long id) {
 LOG.error("deleteService(" + id + ") failed", excp);
 throw restErrorUtil.createRESTException(excp.getMessage());
+ } finally {
+ RangerPerfTracer.log(perf);
 }
 if(LOG.isDebugEnabled()) {
@@ -490,7 +555,12 @@ public RangerService getService(@PathParam("id") Long id) {
 LOG.debug("==> ServiceREST.getService(" + id + ")");
 }
- RangerService ret = null;
+ RangerService ret = null;
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getService(serviceId=" + id + ")");
+ }
 try {
 ret = svcStore.getService(id);
@@ -500,6 +570,8 @@ public RangerService getService(@PathParam("id") Long id) {
 LOG.error("getService(" + id + ") failed", excp);
 throw restErrorUtil.createRESTException(excp.getMessage());
+ } finally {
+ RangerPerfTracer.log(perf);
 }
 if(ret == null) {
@@ -522,7 +594,12 @@ public RangerService getServiceByName(@PathParam("name") String name) {
 LOG.debug("==> ServiceREST.getServiceByName(" + name + ")");
 }
- RangerService ret = null;
+ RangerService ret = null;
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getService(serviceName=" + name + ")");
+ }
 try {
 ret = svcStore.getServiceByName(name);
@@ -532,6 +609,8 @@ public RangerService getServiceByName(@PathParam("name") String name) {
 LOG.error("getServiceByName(" + name + ") failed", excp);
 throw restErrorUtil.createRESTException(excp.getMessage());
+ } finally {
+ RangerPerfTracer.log(perf);
 }
 if(ret == null) {
@@ -554,7 +633,12 @@ public RangerServiceList getServices(@Context HttpServletRequest request) {
 LOG.debug("==> ServiceREST.getServices()");
 }
- RangerServiceList ret = null;
+ RangerServiceList ret = null;
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServices()");
+ }
 SearchFilter filter = searchUtil.getSearchFilter(request, svcService.sortFields);
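Review bot: The tracer label in getServiceByName is a copy-paste of the one in getService, `"ServiceREST.getService(serviceName=" + name + ")"`, so the perf log will attribute by-name lookups to the by-id endpoint; it should read `"ServiceREST.getServiceByName(serviceName=" + name + ")"`. The same mislabeling recurs further down: countServices logs `"ServiceREST.countService()"`, the `getServices(SearchFilter)` and `getPolicies(SearchFilter)` overloads reuse the exact label of the REST-facing overload that calls them, so their timings cannot be told apart, and getServicePoliciesByName logs as getServicePolicies. Since the label is the only key a reader of the perf log has, each method needs a distinct one.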
@@ -566,6 +650,8 @@ public RangerServiceList getServices(@Context HttpServletRequest request) {
 LOG.error("getServices() failed", excp);
 throw restErrorUtil.createRESTException(excp.getMessage());
+ } finally {
+ RangerPerfTracer.log(perf);
 }
 if (LOG.isDebugEnabled()) {
@@ -579,7 +665,12 @@ public List getServices(SearchFilter filter) {
 LOG.debug("==> ServiceREST.getServices():");
 }
- List ret = null;
+ List ret = null;
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServices()");
+ }
 try {
 ret = svcStore.getServices(filter);
@@ -589,6 +680,8 @@ public List getServices(SearchFilter filter) {
 LOG.error("getServices() failed", excp);
 throw restErrorUtil.createRESTException(excp.getMessage());
+ } finally {
+ RangerPerfTracer.log(perf);
 }
 if(LOG.isDebugEnabled()) {
@@ -608,7 +701,12 @@ public Long countServices(@Context HttpServletRequest request) {
 LOG.debug("==> ServiceREST.countServices():");
 }
- Long ret = null;
+ Long ret = null;
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.countService()");
+ }
 try {
 List services = getServices(request).getServices();
@@ -620,6 +718,8 @@ public Long countServices(@Context HttpServletRequest request) {
 LOG.error("countServices() failed", excp);
 throw restErrorUtil.createRESTException(excp.getMessage());
+ } finally {
+ RangerPerfTracer.log(perf);
 }
 if(LOG.isDebugEnabled()) {
@@ -638,7 +738,12 @@ public VXResponse validateConfig(RangerService service) {
 LOG.debug("==> ServiceREST.validateConfig(" + service + ")");
 }
- VXResponse ret = new VXResponse();
+ VXResponse ret = new VXResponse();
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.validateConfig(serviceName=" + service.getName() + ")");
+ }
 try {
 ret = serviceMgr.validateConfig(service, svcStore);
@@ -648,6 +753,8 @@ public VXResponse validateConfig(RangerService service) {
 LOG.error("validateConfig(" + service + ") failed", excp);
 throw restErrorUtil.createRESTException(excp.getMessage());
+ } finally {
+ RangerPerfTracer.log(perf);
 }
 if(LOG.isDebugEnabled()) {
@@ -666,7 +773,12 @@ public List lookupResource(@PathParam("serviceName") String serviceName,
 LOG.debug("==> ServiceREST.lookupResource(" + serviceName + ")");
 }
- List ret = new ArrayList();
+ List ret = new ArrayList();
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.lookupResource(serviceName=" + serviceName + ")");
+ }
 try {
 ret = serviceMgr.lookupResource(serviceName,context, svcStore);
@@ -676,6 +788,8 @@ public List lookupResource(@PathParam("serviceName") String serviceName,
 LOG.error("lookupResource(" + serviceName + ", " + context + ") failed", excp);
 throw restErrorUtil.createRESTException(excp.getMessage());
+ } finally {
+ RangerPerfTracer.log(perf);
 }
 if(LOG.isDebugEnabled()) {
@@ -693,7 +807,12 @@ public RESTResponse grantAccess(@PathParam("serviceName") String serviceName, Gr
 LOG.debug("==> ServiceREST.grantAccess(" + serviceName + ", " + grantRequest + ")");
 }
- RESTResponse ret = new RESTResponse();
+ RESTResponse ret = new RESTResponse();
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.grantAccess(serviceName=" + serviceName + ")");
+ }
 if (serviceUtil.isValidateHttpsAuthentication(serviceName, request)) {
@@ -825,6 +944,8 @@ public RESTResponse grantAccess(@PathParam("serviceName") String serviceName, Gr
 LOG.error("grantAccess(" + serviceName + ", " + grantRequest + ") failed", excp);
 throw restErrorUtil.createRESTException(excp.getMessage());
+ } finally {
+ RangerPerfTracer.log(perf);
 }
 ret.setStatusCode(RESTResponse.STATUS_SUCCESS);
@@ -845,7 +966,12 @@ public RESTResponse revokeAccess(@PathParam("serviceName") String serviceName, G
 LOG.debug("==> ServiceREST.revokeAccess(" + serviceName + ", " + revokeRequest + ")");
 }
- RESTResponse ret = new RESTResponse();
+ RESTResponse ret = new RESTResponse();
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.revokeAccess(serviceName=" + serviceName + ")");
+ }
 if (serviceUtil.isValidateHttpsAuthentication(serviceName,request)) {
@@ -922,6 +1048,8 @@ public RESTResponse revokeAccess(@PathParam("serviceName") String serviceName, G
 LOG.error("revokeAccess(" + serviceName + ", " + revokeRequest + ") failed", excp);
 throw restErrorUtil.createRESTException(excp.getMessage());
+ } finally {
+ RangerPerfTracer.log(perf);
 }
 ret.setStatusCode(RESTResponse.STATUS_SUCCESS);
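Review bot: In grantAccess the tracer is created before the `if (serviceUtil.isValidateHttpsAuthentication(serviceName, request))` gate, while the only `RangerPerfTracer.log(perf)` is in the `finally` of the try/catch some 130 lines later; if that try/catch sits inside the gated branch (the enclosing body is outside the hunk, so this is inferred from the layout), a request rejected by the HTTPS check returns without the tracer ever being logged, and the one code path an operator would most want timed for an access-control endpoint is invisible. Either create the tracer inside the gated branch next to the `try`, or wrap the whole method body so the `finally` covers the early return. The same shape appears in revokeAccess in this hunk and in getServicePoliciesIfUpdated further down.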
@@ -942,7 +1070,12 @@ public RangerPolicy createPolicy(RangerPolicy policy) {
 LOG.debug("==> ServiceREST.createPolicy(" + policy + ")");
 }
- RangerPolicy ret = null;
+ RangerPolicy ret = null;
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.createPolicy(policyName=" + policy.getName() + ")");
+ }
 try {
 // this needs to happen before validator is called
@@ -974,6 +1107,8 @@ public RangerPolicy createPolicy(RangerPolicy policy) {
 LOG.error("createPolicy(" + policy + ") failed", excp);
 throw restErrorUtil.createRESTException(excp.getMessage());
+ } finally {
+ RangerPerfTracer.log(perf);
 }
 if(LOG.isDebugEnabled()) {
@@ -991,7 +1126,12 @@ public RangerPolicy updatePolicy(RangerPolicy policy) {
 LOG.debug("==> ServiceREST.updatePolicy(" + policy + ")");
 }
- RangerPolicy ret = null;
+ RangerPolicy ret = null;
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.updatePolicy(policyId=" + policy.getId() + ")");
+ }
 try {
 RangerPolicyValidator validator = validatorFactory.getPolicyValidator(svcStore);
@@ -1006,6 +1146,8 @@ public RangerPolicy updatePolicy(RangerPolicy policy) {
 LOG.error("updatePolicy(" + policy + ") failed", excp);
 throw restErrorUtil.createRESTException(excp.getMessage());
+ } finally {
+ RangerPerfTracer.log(perf);
 }
 if(LOG.isDebugEnabled()) {
@@ -1023,6 +1165,12 @@ public void deletePolicy(@PathParam("id") Long id) {
 LOG.debug("==> ServiceREST.deletePolicy(" + id + ")");
 }
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.deletePolicy(policyId=" + id + ")");
+ }
+
 try {
 RangerPolicyValidator validator = validatorFactory.getPolicyValidator(svcStore);
 validator.validate(id, Action.DELETE);
@@ -1038,6 +1186,8 @@ public void deletePolicy(@PathParam("id") Long id) {
 LOG.error("deletePolicy(" + id + ") failed", excp);
 throw restErrorUtil.createRESTException(excp.getMessage());
+ } finally {
+ RangerPerfTracer.log(perf);
 }
 if(LOG.isDebugEnabled()) {
@@ -1053,7 +1203,12 @@ public RangerPolicy getPolicy(@PathParam("id") Long id) {
 LOG.debug("==> ServiceREST.getPolicy(" + id + ")");
 }
- RangerPolicy ret = null;
+ RangerPolicy ret = null;
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getPolicy(policyId=" + id + ")");
+ }
 try {
 ret = svcStore.getPolicy(id);
@@ -1067,6 +1222,8 @@ public RangerPolicy getPolicy(@PathParam("id") Long id) {
 LOG.error("getPolicy(" + id + ") failed", excp);
 throw restErrorUtil.createRESTException(excp.getMessage());
+ } finally {
+ RangerPerfTracer.log(perf);
 }
 if(ret == null) {
@@ -1088,7 +1245,12 @@ public RangerPolicyList getPolicies(@Context HttpServletRequest request) {
 LOG.debug("==> ServiceREST.getPolicies()");
 }
- RangerPolicyList ret = null;
+ RangerPolicyList ret = null;
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getPolicies()");
+ }
 SearchFilter filter = searchUtil.getSearchFilter(request, policyService.sortFields);
@@ -1102,6 +1264,8 @@ public RangerPolicyList getPolicies(@Context HttpServletRequest request) {
 LOG.error("getPolicies() failed", excp);
 throw restErrorUtil.createRESTException(excp.getMessage());
+ } finally {
+ RangerPerfTracer.log(perf);
 }
 if (LOG.isDebugEnabled()) {
@@ -1115,7 +1279,12 @@ public List getPolicies(SearchFilter filter) {
 LOG.debug("==> ServiceREST.getPolicies(filter)");
 }
- List ret = null;
+ List ret = null;
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getPolicies()");
+ }
 try {
 ret = svcStore.getPolicies(filter);
@@ -1127,6 +1296,8 @@ public List getPolicies(SearchFilter filter) {
 LOG.error("getPolicies() failed", excp);
 throw restErrorUtil.createRESTException(excp.getMessage());
+ } finally {
+ RangerPerfTracer.log(perf);
 }
 if(LOG.isDebugEnabled()) {
@@ -1144,7 +1315,12 @@ public Long countPolicies( @Context HttpServletRequest request) {
 LOG.debug("==> ServiceREST.countPolicies():");
 }
- Long ret = null;
+ Long ret = null;
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.countPolicies()");
+ }
 try {
 List policies = getPolicies(request).getPolicies();
@@ -1158,6 +1334,8 @@ public Long countPolicies( @Context HttpServletRequest request) {
 LOG.error("countPolicies() failed", excp);
 throw restErrorUtil.createRESTException(excp.getMessage());
+ } finally {
+ RangerPerfTracer.log(perf);
 }
 if(LOG.isDebugEnabled()) {
@@ -1176,7 +1354,12 @@ public RangerPolicyList getServicePolicies(@PathParam("id") Long serviceId,
 LOG.debug("==> ServiceREST.getServicePolicies(" + serviceId + ")");
 }
- RangerPolicyList ret = null;
+ RangerPolicyList ret = null;
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServicePolicies(serviceId=" + serviceId + ")");
+ }
 SearchFilter filter = searchUtil.getSearchFilter(request, policyService.sortFields);
@@ -1190,6 +1373,8 @@ public RangerPolicyList getServicePolicies(@PathParam("id") Long serviceId,
 LOG.error("getServicePolicies(" + serviceId + ") failed", excp);
 throw restErrorUtil.createRESTException(excp.getMessage());
+ } finally {
+ RangerPerfTracer.log(perf);
 }
 if (ret == null) {
@@ -1212,7 +1397,12 @@ public RangerPolicyList getServicePoliciesByName(@PathParam("name") String servi
 LOG.debug("==> ServiceREST.getServicePolicies(" + serviceName + ")");
 }
- RangerPolicyList ret = null;
+ RangerPolicyList ret = null;
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServicePolicies(serviceName=" + serviceName + ")");
+ }
 SearchFilter filter = searchUtil.getSearchFilter(request, policyService.sortFields);
@@ -1226,6 +1416,8 @@ public RangerPolicyList getServicePoliciesByName(@PathParam("name") String servi
 LOG.error("getServicePolicies(" + serviceName + ") failed", excp);
 throw restErrorUtil.createRESTException(excp.getMessage());
+ } finally {
+ RangerPerfTracer.log(perf);
 }
 if (ret == null) {
@@ -1251,6 +1443,11 @@ public ServicePolicies getServicePoliciesIfUpdated(@PathParam("serviceName") Str
 ServicePolicies ret = null;
 int httpCode = HttpServletResponse.SC_OK;
 String logMsg = null;
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServicePoliciesIfUpdated(serviceName=" + serviceName + ")");
+ }
 if (serviceUtil.isValidateHttpsAuthentication(serviceName, request)) {
 if(lastKnownVersion == null) {
@@ -1274,6 +1471,8 @@ public ServicePolicies getServicePoliciesIfUpdated(@PathParam("serviceName") Str
 logMsg = excp.getMessage();
 } finally {
 createPolicyDownloadAudit(serviceName, lastKnownVersion, pluginId, ret, httpCode, request);
+
+ RangerPerfTracer.log(perf);
 }
 if(httpCode != HttpServletResponse.SC_OK) {
diff --git a/security-admin/src/main/java/org/apache/ranger/service/RangerBaseModelService.java b/security-admin/src/main/java/org/apache/ranger/service/RangerBaseModelService.java
index ee1b5895732..1c65436f2e6 100644
--- a/security-admin/src/main/java/org/apache/ranger/service/RangerBaseModelService.java
+++ b/security-admin/src/main/java/org/apache/ranger/service/RangerBaseModelService.java
@@ -41,8 +41,12 @@
 import org.apache.ranger.common.db.BaseDao;
 import org.apache.ranger.common.view.VList;
 import org.apache.ranger.db.RangerDaoManager;
+import org.apache.ranger.entity.XXAccessTypeDef;
 import org.apache.ranger.entity.XXDBBase;
+import org.apache.ranger.entity.XXGroup;
+import org.apache.ranger.entity.XXPolicyConditionDef;
 import org.apache.ranger.entity.XXPortalUser;
+import org.apache.ranger.entity.XXResourceDef;
 import org.apache.ranger.plugin.model.RangerBaseModelObject;
 import org.apache.ranger.plugin.util.SearchFilter;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -144,53 +148,14 @@ protected BaseDao getDao() {
 }
 return entityDao;
 }
-
+
 protected V populateViewBean(T entityObj) {
 V vObj = createViewObject();
 vObj.setId(entityObj.getId());
 vObj.setCreateTime(entityObj.getCreateTime());
 vObj.setUpdateTime(entityObj.getUpdateTime());
-
- if (entityObj.getAddedByUserId() != null) {
- XXPortalUser tUser = daoMgr.getXXPortalUser().getById(
- entityObj.getUpdatedByUserId());
- if(tUser == null) {
- // nothing to do
- } else if (!stringUtil.isEmpty(tUser.getPublicScreenName())) {
- vObj.setCreatedBy(tUser.getPublicScreenName());
- } else {
- if (!stringUtil.isEmpty(tUser.getFirstName())) {
- if (!stringUtil.isEmpty(tUser.getLastName())) {
- vObj.setCreatedBy(tUser.getFirstName() + " "
- + tUser.getLastName());
- } else {
- vObj.setCreatedBy(tUser.getFirstName());
- }
- } else {
- vObj.setCreatedBy(tUser.getLoginId());
- }
- }
- }
- if (entityObj.getUpdatedByUserId() != null) {
- XXPortalUser tUser = daoMgr.getXXPortalUser().getById(
- entityObj.getUpdatedByUserId());
- if(tUser == null) {
- // nothing to do
- } else if (!stringUtil.isEmpty(tUser.getPublicScreenName())) {
- vObj.setUpdatedBy(tUser.getPublicScreenName());
- } else {
- if (!stringUtil.isEmpty(tUser.getFirstName())) {
- if (!stringUtil.isEmpty(tUser.getLastName())) {
- vObj.setUpdatedBy(tUser.getFirstName() + " "
- + tUser.getLastName());
- } else {
- vObj.setUpdatedBy(tUser.getFirstName());
- }
- } else {
- vObj.setUpdatedBy(tUser.getLoginId());
- }
- }
- }
+ vObj.setCreatedBy(getUserScreenName(entityObj.getAddedByUserId()));
+ vObj.setUpdatedBy(getUserScreenName(entityObj.getUpdatedByUserId()));
 return mapEntityToViewBean(vObj, entityObj);
 }
@@ -426,4 +391,88 @@ protected int getClassType() {
 return bizUtil.getClassType(tEntityClass);
 }
+
+ protected String getUserScreenName(Long userId) {
+ String ret = null;
+
+ XXPortalUser xPortalUser = userId == null ? null : daoMgr.getXXPortalUser().getById(userId);
+
+ if(xPortalUser != null) {
+ ret = xPortalUser.getPublicScreenName();
+
+ if (stringUtil.isEmpty(ret)) {
+ ret = xPortalUser.getFirstName();
+
+ if(stringUtil.isEmpty(ret)) {
+ ret = xPortalUser.getLoginId();
+ } else {
+ if(!stringUtil.isEmpty(xPortalUser.getLastName())) {
+ ret += (" " + xPortalUser.getLastName());
+ }
+ }
+ }
+ }
+
+ return ret;
+ }
+
+ protected String getUserName(Long userId) {
+ String ret = null;
+
+ XXPortalUser xPortalUser = userId == null ? null : daoMgr.getXXPortalUser().getById(userId);
+
+ if(xPortalUser != null) {
+ ret = xPortalUser.getLoginId();
+ }
+
+ return ret;
+ }
+
+ protected String getGroupName(Long groupId) {
+ String ret = null;
+
+ XXGroup xGroup = groupId == null ? null : daoMgr.getXXGroup().getById(groupId);
+
+ if(xGroup != null) {
+ ret = xGroup.getName();
+ }
+
+ return ret;
+ }
+
+ protected String getAccessTypeName(Long accessTypeDefId) {
+ String ret = null;
+
+ XXAccessTypeDef accessTypeDef = accessTypeDefId == null ? null : daoMgr.getXXAccessTypeDef().getById(accessTypeDefId);
+
+ if(accessTypeDef != null) {
+ ret = accessTypeDef.getName();
+ }
+
+ return ret;
+ }
+
+ protected String getConditionName(Long conditionDefId) {
+ String ret = null;
+
+ XXPolicyConditionDef conditionDef = conditionDefId == null ? null : daoMgr.getXXPolicyConditionDef().getById(conditionDefId);
+
+ if(conditionDef != null) {
+ ret = conditionDef.getName();
+ }
+
+ return ret;
+ }
+
+ protected String getResourceName(Long resourceDefId) {
+ String ret = null;
+
+ XXResourceDef resourceDef = resourceDefId == null ? null : daoMgr.getXXResourceDef().getById(resourceDefId);
+
+ if(resourceDef != null) {
+ ret = resourceDef.getName();
+ }
+
+ return ret;
+ }
 }
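Review bot: The six new `protected` lookup helpers have no Javadoc, and their null contract is the part subclasses will get wrong: each returns null both when the id is null and when the row is not found, and getUserScreenName additionally chooses between three different fields. A one-line Javadoc on each would settle it, e.g. for getUserScreenName: `/** Display name for a portal user id: public screen name, else first name (plus last name when present), else login id; null when the id is null or no such user exists. */`, and for the others `/** Name of the {@code XXGroup} with the given id, or null when the id is null or no such row exists. */` adjusted per entity. Note that the public screen name is user-supplied data that callers of populateViewBean render into the view object, which is worth stating in the Javadoc so consumers treat it as untrusted text.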
diff --git a/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyService.java b/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyService.java
index 224f0cd2f75..d853972483b 100644
--- a/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyService.java
+++ b/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyService.java
@@ -24,6 +24,7 @@
 import java.util.List;
 import java.util.Map;
+import org.apache.ranger.biz.RangerPolicyRetriever;
 import org.apache.ranger.common.AppConstants;
 import org.apache.ranger.common.JSONUtil;
 import org.apache.ranger.common.MessageEnums;
@@ -97,13 +98,9 @@ protected void validateForUpdate(RangerPolicy vObj, XXPolicy entityObj) {
 @Override
 protected RangerPolicy populateViewBean(XXPolicy xPolicy) {
- RangerPolicy vPolicy = super.populateViewBean(xPolicy);
-
- Map resources = getResourcesForXXPolicy(xPolicy);
- vPolicy.setResources(resources);
-
- List policyItems = getPolicyItemListForXXPolicy(xPolicy);
- vPolicy.setPolicyItems(policyItems);
+ RangerPolicyRetriever retriever = new RangerPolicyRetriever(daoMgr);
+
+ RangerPolicy vPolicy = retriever.getPolicy(xPolicy);
 return vPolicy;
 }
diff --git a/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java b/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java
index 9584c3d7f89..96d512be0b2 100644
--- a/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java
+++ b/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java
@@ -18,9 +18,7 @@
 package org.apache.ranger.service;
 import java.util.ArrayList;
-import java.util.HashMap;
 import java.util.List;
-import java.util.Map;
 import org.apache.commons.lang.StringUtils;
 import org.apache.ranger.common.GUIDUtil;
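Review bot: populateViewBean no longer calls `super.populateViewBean(xPolicy)`, and the base implementation shown earlier on this page is what sets id, create/update times and the createdBy/updatedBy names on the view object; unless `RangerPolicyRetriever.getPolicy` (not on this page) fills those same fields, every RangerPolicy returned through this service now loses its audit attribution, which is exactly the metadata a reviewer of policy changes relies on. Please confirm the retriever covers them, or keep the super call and let the retriever populate only resources and policy items. The sibling override in RangerPolicyWithAssignedIdService later on this page has the same gap, and the two overrides also disagree on the retriever API, `retriever.getPolicy(xPolicy)` here versus `retriever.getPolicy(xPolicy.getId())` there, which looks like an extra round-trip by id in the second; picking one overload would keep them consistent.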
@@ -30,24 +28,10 @@
 import org.apache.ranger.common.SearchField.DATA_TYPE;
 import org.apache.ranger.common.SearchField.SEARCH_TYPE;
 import org.apache.ranger.common.SortField.SORT_ORDER;
-import org.apache.ranger.db.XXAccessTypeDefDao;
-import org.apache.ranger.db.XXPolicyResourceDao;
-import org.apache.ranger.entity.XXAccessTypeDef;
 import org.apache.ranger.entity.XXPolicy;
 import org.apache.ranger.entity.XXPolicyBase;
-import org.apache.ranger.entity.XXPolicyConditionDef;
-import org.apache.ranger.entity.XXPolicyItem;
-import org.apache.ranger.entity.XXPolicyItemAccess;
-import org.apache.ranger.entity.XXPolicyItemCondition;
-import org.apache.ranger.entity.XXPolicyResource;
-import org.apache.ranger.entity.XXPolicyResourceMap;
-import org.apache.ranger.entity.XXResourceDef;
 import org.apache.ranger.entity.XXService;
 import org.apache.ranger.plugin.model.RangerPolicy;
-import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
-import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
-import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition;
-import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
 import org.apache.ranger.plugin.util.SearchFilter;
 import org.apache.ranger.view.RangerPolicyList;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -143,92 +127,4 @@ public RangerPolicyList searchRangerPolicies(SearchFilter searchFilter) {
 return retList;
 }
-
- public List getPolicyItemListForXXPolicy(XXPolicyBase xPolicy) {
-
- List policyItems = new ArrayList();
- List xPolicyItemList = daoMgr.getXXPolicyItem().findByPolicyId(xPolicy.getId());
-
- for (XXPolicyItem xPolItem : xPolicyItemList) {
- RangerPolicyItem policyItem = populateXXToRangerPolicyItem(xPolItem);
- policyItems.add(policyItem);
- }
- return policyItems;
- }
-
- public RangerPolicyItem populateXXToRangerPolicyItem(XXPolicyItem xPolItem) {
-
- RangerPolicyItem rangerPolItem = new RangerPolicyItem();
-
- List xPolItemAccList = daoMgr.getXXPolicyItemAccess().findByPolicyItemId(xPolItem.getId());
- List accesses = new ArrayList();
-
- XXAccessTypeDefDao xAccDefDao = daoMgr.getXXAccessTypeDef();
- for (XXPolicyItemAccess xPolAccess : xPolItemAccList) {
- RangerPolicyItemAccess access = new RangerPolicyItemAccess();
- access.setIsAllowed(xPolAccess.getIsallowed());
- XXAccessTypeDef xAccessType = xAccDefDao.getById(xPolAccess.getType());
- access.setType(xAccessType.getName());
-
- accesses.add(access);
- }
- rangerPolItem.setAccesses(accesses);
-
- List conditions = new ArrayList();
- List xConditionDefList = daoMgr.getXXPolicyConditionDef().findByPolicyItemId(
- xPolItem.getId());
- for (XXPolicyConditionDef xCondDef : xConditionDefList) {
-
- List xPolCondItemList = daoMgr.getXXPolicyItemCondition().findByPolicyItemAndDefId(
- xPolItem.getId(), xCondDef.getId());
- List values = new ArrayList();
-
- for (XXPolicyItemCondition polCond : xPolCondItemList) {
- values.add(polCond.getValue());
- }
-
- RangerPolicyItemCondition condition = new RangerPolicyItemCondition();
- condition.setType(xCondDef.getName());
- condition.setValues(values);
-
- conditions.add(condition);
- }
- rangerPolItem.setConditions(conditions);
-
- List userList = daoMgr.getXXUser().findByPolicyItemId(xPolItem.getId());
- List grpList = 
daoMgr.getXXGroup().findByPolicyItemId(xPolItem.getId());
- rangerPolItem.setUsers(userList);
- rangerPolItem.setGroups(grpList);
-
- rangerPolItem.setDelegateAdmin(xPolItem.getDelegateAdmin());
- return rangerPolItem;
- }
-
- public Map getResourcesForXXPolicy(XXPolicyBase xPolicy) {
- List resDefList = daoMgr.getXXResourceDef().findByPolicyId(xPolicy.getId());
- Map resources = new HashMap();
-
- XXPolicyResourceDao xPolResDao = daoMgr.getXXPolicyResource();
- for (XXResourceDef xResDef : resDefList) {
- XXPolicyResource xPolRes = xPolResDao.findByResDefIdAndPolicyId(xResDef.getId(), xPolicy.getId());
- if (xPolRes == null) {
- continue;
- }
- List values = new ArrayList<>();
- List xPolResMapList = daoMgr.getXXPolicyResourceMap().findByPolicyResId(
- xPolRes.getId());
- for (XXPolicyResourceMap xPolResMap : xPolResMapList) {
- values.add(xPolResMap.getValue());
- }
- RangerPolicyResource resource = new RangerPolicyResource();
- resource.setValues(values);
- resource.setIsExcludes(xPolRes.getIsexcludes());
- resource.setIsRecursive(xPolRes.getIsrecursive());
-
- resources.put(xResDef.getName(), resource);
- }
- return resources;
- }
- }
diff --git a/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyWithAssignedIdService.java b/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyWithAssignedIdService.java
index 35e9f98afa4..cf59c91eb34 100644
--- a/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyWithAssignedIdService.java
+++ b/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyWithAssignedIdService.java
@@ -17,15 +17,12 @@ package org.apache.ranger.service; -import java.util.List; -import java.util.Map; +import org.apache.ranger.biz.RangerPolicyRetriever; import org.apache.ranger.common.JSONUtil; import org.apache.ranger.entity.XXPolicyBase; import org.apache.ranger.entity.XXPolicyWithAssignedId; import org.apache.ranger.plugin.model.RangerPolicy; -import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem; -import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; @@ -60,13 +57,9 @@ protected void validateForUpdate(RangerPolicy vObj, XXPolicyWithAssignedId entit @Override protected RangerPolicy populateViewBean(XXPolicyWithAssignedId xPolicy) { - RangerPolicy vPolicy = super.populateViewBean(xPolicy); + RangerPolicyRetriever retriever = new RangerPolicyRetriever(daoMgr); - Map resources = getResourcesForXXPolicy(xPolicy); - vPolicy.setResources(resources); - - List policyItems = getPolicyItemListForXXPolicy(xPolicy); - vPolicy.setPolicyItems(policyItems); + RangerPolicy vPolicy = retriever.getPolicy(xPolicy.getId()); return vPolicy; } diff --git a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml index 12c4c6ddba4..65dd17f7d73 100644 --- a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml +++ b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml @@ -205,7 +205,17 @@ - select obj from XXPolicyItem obj where obj.policyId = :policyId order by obj.order + select obj from XXPolicyItem obj + where obj.policyId = :policyId + order by obj.id + + + + + select obj from XXPolicyItem obj + where obj.policyId in (select policy.id from XXPolicy policy where policy.service = :serviceId) + order by obj.policyId, obj.id + 
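Review bot: The XXPolicyItem query in the jpa_named_queries.xml hunk changes its sort from `order by obj.order` to `order by obj.id`, which silently replaces the stored item order with insertion order; if the order of policy items matters to evaluation or to how the admin UI displays them, the retriever consuming this query now sees a different sequence than the code it replaces did. The new XXPolicyResourceMap queries on the next lines keep `obj.order`, so the two conventions are now mixed within one change. If the goal is only a deterministic sort for batched loading, `order by obj.policyId, obj.order, obj.id` preserves the explicit ordering while still being stable; the element names around these queries are not visible on this page, so the affected query is identified by its body only.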
@@ -378,7 +388,17 @@ - select obj from XXPolicyResource obj where obj.policyId = :policyId + select obj from XXPolicyResource obj + where obj.policyId = :policyId + order by obj.id + + + + + select obj from XXPolicyResource obj + where obj.policyId in (select policy.id from XXPolicy policy where policy.service = :serviceId) + order by obj.policyId, obj.id + @@ -390,6 +410,22 @@ select obj from XXPolicyResourceMap obj where obj.resourceId = :polResId order by obj.order + + select obj from XXPolicyResourceMap obj, XXPolicyResource res + where obj.resourceId = res.id + and res.policyId = :policyId + order by obj.resourceId, obj.order + + + + + select obj from XXPolicyResourceMap obj, XXPolicyResource res + where obj.resourceId = res.id + and res.policyId in (select policy.id from XXPolicy policy where policy.service = :serviceId) + order by res.policyId, obj.resourceId, obj.order + + + select obj from XXPolicyItemAccess obj where obj.policyItemId = :polItemId order by obj.order @@ -398,6 +434,22 @@ select obj from XXPolicyItemAccess obj where obj.type = :type + + + select obj from XXPolicyItemAccess obj, XXPolicyItem item + where obj.policyItemId = item.id + and item.policyId = :policyId + order by obj.policyItemId, obj.order + + + + + select obj from XXPolicyItemAccess obj, XXPolicyItem item + where obj.policyItemId = item.id + and item.policyId in (select policy.id from XXPolicy policy where policy.service = :serviceId) + order by item.policyId, obj.policyItemId, obj.order + + 
@@ -412,17 +464,65 @@ select obj from XXPolicyItemCondition obj where obj.type = :polCondDefId + + + select obj from XXPolicyItemCondition obj, XXPolicyItem item + where obj.policyItemId = item.id + and item.policyId = :policyId + order by obj.policyItemId, obj.type, obj.order + + + + + select obj from XXPolicyItemCondition obj, XXPolicyItem item + where obj.policyItemId = item.id + and item.policyId in (select policy.id from XXPolicy policy where policy.service = :serviceId) + order by item.policyId, obj.policyItemId, obj.type, obj.order + + select obj from XXPolicyItemGroupPerm obj where obj.policyItemId = :polItemId order by obj.order + + select obj from XXPolicyItemGroupPerm obj, XXPolicyItem item + where obj.policyItemId = item.id + and item.policyId = :policyId + order by obj.policyItemId, obj.order + + + + + select obj from XXPolicyItemGroupPerm obj, XXPolicyItem item + where obj.policyItemId = item.id + and item.policyId in (select policy.id from XXPolicy policy where policy.service = :serviceId) + order by item.policyId, obj.policyItemId, obj.order + + + select obj from XXPolicyItemUserPerm obj where obj.policyItemId = :polItemId order by obj.order + + select obj from XXPolicyItemUserPerm obj, XXPolicyItem item + where obj.policyItemId = item.id + and item.policyId = :policyId + order by obj.policyItemId, obj.order + + + + + select obj from XXPolicyItemUserPerm obj, XXPolicyItem item + where obj.policyItemId = item.id + and item.policyId in (select policy.id from XXPolicy policy where policy.service = :serviceId) + order by item.policyId, obj.policyItemId, obj.order + + + select obj from XXDataHist obj where obj.objectId = :objectId diff --git a/security-admin/src/main/webapp/WEB-INF/log4j.xml b/security-admin/src/main/webapp/WEB-INF/log4j.xml index 22ec74e2301..3510d028f63 100644 --- a/security-admin/src/main/webapp/WEB-INF/log4j.xml +++ b/security-admin/src/main/webapp/WEB-INF/log4j.xml @@ -28,6 +28,15 @@ + + + + + + + + + @@ -74,6 +83,13 @@ + + 
diff --git a/security-admin/src/test/java/org/apache/ranger/service/TestRangerPolicyService.java b/security-admin/src/test/java/org/apache/ranger/service/TestRangerPolicyService.java
index 513746baac4..b10d2fda3df 100644
--- a/security-admin/src/test/java/org/apache/ranger/service/TestRangerPolicyService.java
+++ b/security-admin/src/test/java/org/apache/ranger/service/TestRangerPolicyService.java
@@ -27,33 +27,9 @@
 import org.apache.ranger.common.StringUtil;
 import org.apache.ranger.common.UserSessionBase;
 import org.apache.ranger.db.RangerDaoManager;
-import org.apache.ranger.db.XXAccessTypeDefDao;
-import org.apache.ranger.db.XXGroupDao;
-import org.apache.ranger.db.XXPolicyConditionDefDao;
-import org.apache.ranger.db.XXPolicyItemAccessDao;
-import org.apache.ranger.db.XXPolicyItemConditionDao;
-import org.apache.ranger.db.XXPolicyItemDao;
-import org.apache.ranger.db.XXPolicyResourceDao;
-import org.apache.ranger.db.XXPolicyResourceMapDao;
-import org.apache.ranger.db.XXPortalUserDao;
-import org.apache.ranger.db.XXResourceDefDao;
-import org.apache.ranger.db.XXServiceConfigMapDao;
 import org.apache.ranger.db.XXServiceDao;
-import org.apache.ranger.db.XXServiceDefDao;
-import org.apache.ranger.db.XXUserDao;
-import org.apache.ranger.entity.XXAccessTypeDef;
 import org.apache.ranger.entity.XXPolicy;
-import org.apache.ranger.entity.XXPolicyConditionDef;
-import org.apache.ranger.entity.XXPolicyItem;
-import org.apache.ranger.entity.XXPolicyItemAccess;
-import org.apache.ranger.entity.XXPolicyItemCondition;
-import org.apache.ranger.entity.XXPolicyResource;
-import org.apache.ranger.entity.XXPolicyResourceMap;
-import org.apache.ranger.entity.XXPortalUser;
-import org.apache.ranger.entity.XXResourceDef;
 import org.apache.ranger.entity.XXService;
-import org.apache.ranger.entity.XXServiceConfigMap;
-import org.apache.ranger.entity.XXServiceDef;
 import org.apache.ranger.entity.XXTrxLog;
 import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
@@ -200,794 +176,6 @@ public void test2ValidateForUpdate() { Assert.assertNotNull(rangerPolicy); } - @Test - public void test3PopulateViewBean() { - XXServiceConfigMapDao xServiceConfigMapDao = Mockito - .mock(XXServiceConfigMapDao.class); - XXPortalUserDao xPortalUserDao = Mockito.mock(XXPortalUserDao.class); - XXServiceDefDao xServiceDefDao = Mockito.mock(XXServiceDefDao.class); - XXServiceDao xServiceDao = Mockito.mock(XXServiceDao.class); - XXResourceDefDao xResourceDefDao = Mockito.mock(XXResourceDefDao.class); - XXPolicyResourceDao xPolicyResourceDao = Mockito - .mock(XXPolicyResourceDao.class); - XXPolicyResourceMapDao xPolicyResourceMapDao = Mockito - .mock(XXPolicyResourceMapDao.class); - XXPolicyItemDao xPolicyItemDao = Mockito.mock(XXPolicyItemDao.class); - XXPolicyItemAccessDao xPolicyItemAccessDao = Mockito - .mock(XXPolicyItemAccessDao.class); - XXAccessTypeDefDao xAccessTypeDefDao = Mockito - .mock(XXAccessTypeDefDao.class); - XXAccessTypeDef xAccessTypeDef = Mockito.mock(XXAccessTypeDef.class); - XXPolicyConditionDefDao xPolicyConditionDefDao = Mockito - .mock(XXPolicyConditionDefDao.class); - XXPolicyItemConditionDao xPolicyItemConditionDao = Mockito - .mock(XXPolicyItemConditionDao.class); - - XXUserDao xUserDao = Mockito.mock(XXUserDao.class); - XXGroupDao xGroupDao = Mockito.mock(XXGroupDao.class); - - XXPolicy policy = policy(); - - XXService xService = xService(); - String name = "fdfdfds"; - - List svcConfigMapList = new ArrayList(); - XXServiceConfigMap xConfMap = new XXServiceConfigMap(); - xConfMap.setAddedByUserId(null); - xConfMap.setConfigkey(name); - xConfMap.setConfigvalue(name); - xConfMap.setCreateTime(new Date()); - xConfMap.setServiceId(null); - - xConfMap.setUpdatedByUserId(null); - xConfMap.setUpdateTime(new Date()); - svcConfigMapList.add(xConfMap); - - XXPortalUser tUser = new XXPortalUser(); - tUser.setAddedByUserId(Id); - tUser.setCreateTime(new Date()); - tUser.setEmailAddress("test@gmail.com"); - tUser.setFirstName(name); 
- tUser.setId(Id); - tUser.setLastName(name); - - XXServiceDef xServiceDef = new XXServiceDef(); - xServiceDef.setAddedByUserId(Id); - xServiceDef.setCreateTime(new Date()); - xServiceDef.setDescription("test"); - xServiceDef.setGuid("1427365526516_835_0"); - xServiceDef.setId(Id); - - List resDefList = new ArrayList(); - XXResourceDef resourceDef = new XXResourceDef(); - resourceDef.setAddedByUserId(Id); - resourceDef.setCreateTime(new Date()); - resourceDef.setDefid(Id); - resourceDef.setDescription("test"); - resourceDef.setId(Id); - resDefList.add(resourceDef); - - XXPolicyResource policyResource = new XXPolicyResource(); - policyResource.setId(Id); - policyResource.setCreateTime(new Date()); - policyResource.setAddedByUserId(Id); - policyResource.setIsExcludes(false); - policyResource.setIsRecursive(false); - policyResource.setPolicyId(Id); - policyResource.setResDefId(Id); - policyResource.setUpdatedByUserId(Id); - policyResource.setUpdateTime(new Date()); - - List policyResourceMapList = new ArrayList(); - XXPolicyResourceMap policyResourceMap = new XXPolicyResourceMap(); - policyResourceMap.setAddedByUserId(Id); - policyResourceMap.setCreateTime(new Date()); - policyResourceMap.setId(Id); - policyResourceMap.setOrder(1); - policyResourceMap.setResourceId(Id); - policyResourceMap.setUpdatedByUserId(Id); - policyResourceMap.setUpdateTime(new Date()); - policyResourceMap.setValue("1L"); - policyResourceMapList.add(policyResourceMap); - - List xPolicyItemList = new ArrayList(); - XXPolicyItem xPolicyItem = new XXPolicyItem(); - xPolicyItem.setDelegateAdmin(false); - xPolicyItem.setAddedByUserId(null); - xPolicyItem.setCreateTime(new Date()); - xPolicyItem.setGUID(null); - xPolicyItem.setId(Id); - xPolicyItem.setOrder(null); - xPolicyItem.setPolicyId(Id); - xPolicyItem.setUpdatedByUserId(null); - xPolicyItem.setUpdateTime(new Date()); - xPolicyItemList.add(xPolicyItem); - - List policyItemAccessList = new ArrayList(); - XXPolicyItemAccess policyItemAccess = new 
XXPolicyItemAccess(); - policyItemAccess.setAddedByUserId(Id); - policyItemAccess.setCreateTime(new Date()); - policyItemAccess.setPolicyitemid(Id); - policyItemAccess.setId(Id); - policyItemAccess.setOrder(1); - policyItemAccess.setUpdatedByUserId(Id); - policyItemAccess.setUpdateTime(new Date()); - policyItemAccessList.add(policyItemAccess); - - List xConditionDefList = new ArrayList(); - XXPolicyConditionDef policyConditionDefObj = new XXPolicyConditionDef(); - policyConditionDefObj.setAddedByUserId(Id); - policyConditionDefObj.setCreateTime(new Date()); - policyConditionDefObj.setDefid(Id); - policyConditionDefObj.setDescription("policy conditio"); - policyConditionDefObj.setId(Id); - policyConditionDefObj.setName(name); - policyConditionDefObj.setOrder(1); - policyConditionDefObj.setLabel("label"); - xConditionDefList.add(policyConditionDefObj); - - List policyItemConditionList = new ArrayList(); - XXPolicyItemCondition policyItemCondition = new XXPolicyItemCondition(); - policyItemCondition.setAddedByUserId(Id); - policyItemCondition.setCreateTime(new Date()); - policyItemCondition.setType(1L); - policyItemCondition.setId(Id); - policyItemCondition.setOrder(1); - policyItemCondition.setPolicyItemId(Id); - policyItemCondition.setUpdatedByUserId(Id); - policyItemCondition.setUpdateTime(new Date()); - policyItemConditionList.add(policyItemCondition); - - List usersList = new ArrayList(); - List groupsList = new ArrayList(); - Mockito.when(daoManager.getXXPortalUser()).thenReturn(xPortalUserDao); - Mockito.when(xPortalUserDao.getById(Id)).thenReturn(tUser); - - Mockito.when(daoManager.getXXServiceDef()).thenReturn(xServiceDefDao); - Mockito.when(xServiceDefDao.getById(xService.getType())).thenReturn( - xServiceDef); - - Mockito.when(daoManager.getXXServiceConfigMap()).thenReturn( - xServiceConfigMapDao); - Mockito.when(xServiceConfigMapDao.findByServiceId(xService.getId())) - .thenReturn(svcConfigMapList); - - 
Mockito.when(daoManager.getXXService()).thenReturn(xServiceDao); - Mockito.when(xServiceDao.getById(policy.getService())).thenReturn( - xService); - - Mockito.when(daoManager.getXXResourceDef()).thenReturn(xResourceDefDao); - Mockito.when(xResourceDefDao.findByPolicyId(policy.getId())) - .thenReturn(resDefList); - - Mockito.when(daoManager.getXXPolicyResource()).thenReturn( - xPolicyResourceDao); - Mockito.when( - xPolicyResourceDao.findByResDefIdAndPolicyId( - resourceDef.getId(), policy.getId())).thenReturn( - policyResource); - - Mockito.when(daoManager.getXXPolicyResourceMap()).thenReturn( - xPolicyResourceMapDao); - Mockito.when( - xPolicyResourceMapDao.findByPolicyResId(policyResource.getId())) - .thenReturn(policyResourceMapList); - - Mockito.when(daoManager.getXXPolicyItem()).thenReturn(xPolicyItemDao); - Mockito.when(xPolicyItemDao.findByPolicyId(policy.getId())).thenReturn( - xPolicyItemList); - - Mockito.when(daoManager.getXXPolicyItemAccess()).thenReturn( - xPolicyItemAccessDao); - Mockito.when( - xPolicyItemAccessDao.findByPolicyItemId(policyItemAccess - .getId())).thenReturn(policyItemAccessList); - - Mockito.when(daoManager.getXXAccessTypeDef()).thenReturn( - xAccessTypeDefDao); - Mockito.when(xAccessTypeDefDao.getById(policyItemAccess.getType())) - .thenReturn(xAccessTypeDef); - - Mockito.when(daoManager.getXXPolicyConditionDef()).thenReturn( - xPolicyConditionDefDao); - Mockito.when( - xPolicyConditionDefDao.findByPolicyItemId(xPolicyItem.getId())) - .thenReturn(xConditionDefList); - - Mockito.when(daoManager.getXXPolicyItemCondition()).thenReturn( - xPolicyItemConditionDao); - Mockito.when( - xPolicyItemConditionDao.findByPolicyItemAndDefId( - xPolicyItem.getId(), policyConditionDefObj.getId())) - .thenReturn(policyItemConditionList); - - Mockito.when(daoManager.getXXUser()).thenReturn(xUserDao); - Mockito.when(xUserDao.findByPolicyItemId(xPolicyItem.getId())) - .thenReturn(usersList); - - 
Mockito.when(daoManager.getXXGroup()).thenReturn(xGroupDao); - Mockito.when(xGroupDao.findByPolicyItemId(xPolicyItem.getId())) - .thenReturn(groupsList); - - RangerPolicy dbRangerPolicy = policyService.populateViewBean(policy); - Assert.assertNotNull(dbRangerPolicy); - Assert.assertEquals(dbRangerPolicy.getId(), policy.getId()); - Assert.assertEquals(dbRangerPolicy.getName(), policy.getName()); - - Assert.assertEquals(dbRangerPolicy.getDescription(), - policy.getDescription()); - Assert.assertEquals(dbRangerPolicy.getGuid(), policy.getGuid()); - - Assert.assertEquals(dbRangerPolicy.getVersion(), policy.getVersion()); - Assert.assertEquals(dbRangerPolicy.getIsAuditEnabled(), - policy.getIsAuditEnabled()); - - Mockito.verify(daoManager).getXXService(); - Mockito.verify(daoManager).getXXResourceDef(); - Mockito.verify(daoManager).getXXPolicyResource(); - Mockito.verify(daoManager).getXXPolicyResourceMap(); - Mockito.verify(daoManager).getXXPolicyItem(); - Mockito.verify(daoManager).getXXPolicyItemAccess(); - Mockito.verify(daoManager).getXXAccessTypeDef(); - Mockito.verify(daoManager).getXXPolicyConditionDef(); - Mockito.verify(daoManager).getXXPolicyItemCondition(); - Mockito.verify(daoManager).getXXUser(); - Mockito.verify(daoManager).getXXGroup(); - } - - @Test - public void test4GetPolicyItemListForXXPolicy() { - - XXPolicyItemDao xPolicyItemDao = Mockito.mock(XXPolicyItemDao.class); - XXPolicyItemAccessDao xPolicyItemAccessDao = Mockito - .mock(XXPolicyItemAccessDao.class); - XXUserDao xUserDao = Mockito.mock(XXUserDao.class); - XXGroupDao xGroupDao = Mockito.mock(XXGroupDao.class); - XXAccessTypeDefDao xAccessTypeDefDao = Mockito - .mock(XXAccessTypeDefDao.class); - XXAccessTypeDef xAccessTypeDef = Mockito.mock(XXAccessTypeDef.class); - XXPolicyConditionDefDao xPolicyConditionDefDao = Mockito - .mock(XXPolicyConditionDefDao.class); - XXPolicyItemConditionDao xPolicyItemConditionDao = Mockito - .mock(XXPolicyItemConditionDao.class); - - XXPolicy policy = 
policy(); - String name = "fdfdfds"; - - List xPolicyItemList = new ArrayList(); - XXPolicyItem xPolicyItem = new XXPolicyItem(); - xPolicyItem.setDelegateAdmin(false); - xPolicyItem.setAddedByUserId(null); - xPolicyItem.setCreateTime(new Date()); - xPolicyItem.setGUID(null); - xPolicyItem.setId(Id); - xPolicyItem.setOrder(null); - xPolicyItem.setPolicyId(Id); - xPolicyItem.setUpdatedByUserId(null); - xPolicyItem.setUpdateTime(new Date()); - xPolicyItemList.add(xPolicyItem); - - List policyItemAccessList = new ArrayList(); - XXPolicyItemAccess policyItemAccess = new XXPolicyItemAccess(); - policyItemAccess.setAddedByUserId(Id); - policyItemAccess.setCreateTime(new Date()); - policyItemAccess.setPolicyitemid(Id); - policyItemAccess.setId(Id); - policyItemAccess.setOrder(1); - policyItemAccess.setUpdatedByUserId(Id); - policyItemAccess.setUpdateTime(new Date()); - policyItemAccessList.add(policyItemAccess); - - List resDefList = new ArrayList(); - XXResourceDef resourceDef = new XXResourceDef(); - resourceDef.setAddedByUserId(Id); - resourceDef.setCreateTime(new Date()); - resourceDef.setDefid(Id); - resourceDef.setDescription("test"); - resourceDef.setId(Id); - resDefList.add(resourceDef); - - XXPolicyResource policyResource = new XXPolicyResource(); - policyResource.setId(Id); - policyResource.setCreateTime(new Date()); - policyResource.setAddedByUserId(Id); - policyResource.setIsExcludes(false); - policyResource.setIsRecursive(false); - policyResource.setPolicyId(Id); - policyResource.setResDefId(Id); - policyResource.setUpdatedByUserId(Id); - policyResource.setUpdateTime(new Date()); - - List policyResourceMapList = new ArrayList(); - XXPolicyResourceMap policyResourceMap = new XXPolicyResourceMap(); - policyResourceMap.setAddedByUserId(Id); - policyResourceMap.setCreateTime(new Date()); - policyResourceMap.setId(Id); - policyResourceMap.setOrder(1); - policyResourceMap.setResourceId(Id); - policyResourceMap.setUpdatedByUserId(Id); - 
policyResourceMap.setUpdateTime(new Date()); - policyResourceMap.setValue("1L"); - policyResourceMapList.add(policyResourceMap); - - List xConditionDefList = new ArrayList(); - XXPolicyConditionDef policyConditionDefObj = new XXPolicyConditionDef(); - policyConditionDefObj.setAddedByUserId(Id); - policyConditionDefObj.setCreateTime(new Date()); - policyConditionDefObj.setDefid(Id); - policyConditionDefObj.setDescription("policy conditio"); - policyConditionDefObj.setId(Id); - policyConditionDefObj.setName(name); - policyConditionDefObj.setOrder(1); - policyConditionDefObj.setLabel("label"); - xConditionDefList.add(policyConditionDefObj); - - List policyItemConditionList = new ArrayList(); - XXPolicyItemCondition policyItemCondition = new XXPolicyItemCondition(); - policyItemCondition.setAddedByUserId(Id); - policyItemCondition.setCreateTime(new Date()); - policyItemCondition.setType(1L); - policyItemCondition.setId(Id); - policyItemCondition.setOrder(1); - policyItemCondition.setPolicyItemId(Id); - policyItemCondition.setUpdatedByUserId(Id); - policyItemCondition.setUpdateTime(new Date()); - policyItemConditionList.add(policyItemCondition); - - List usersList = new ArrayList(); - List groupsList = new ArrayList(); - - Mockito.when(daoManager.getXXPolicyItem()).thenReturn(xPolicyItemDao); - Mockito.when(xPolicyItemDao.findByPolicyId(policy.getId())).thenReturn( - xPolicyItemList); - - Mockito.when(daoManager.getXXPolicyItemAccess()).thenReturn( - xPolicyItemAccessDao); - Mockito.when(xPolicyItemAccessDao.findByPolicyItemId(policy.getId())) - .thenReturn(policyItemAccessList); - - Mockito.when(daoManager.getXXAccessTypeDef()).thenReturn( - xAccessTypeDefDao); - Mockito.when(xAccessTypeDefDao.getById(policyItemAccess.getType())) - .thenReturn(xAccessTypeDef); - - Mockito.when(daoManager.getXXPolicyConditionDef()).thenReturn( - xPolicyConditionDefDao); - Mockito.when( - xPolicyConditionDefDao.findByPolicyItemId(xPolicyItem.getId())) - .thenReturn(xConditionDefList); - 
- Mockito.when(daoManager.getXXPolicyItemCondition()).thenReturn( - xPolicyItemConditionDao); - Mockito.when( - xPolicyItemConditionDao.findByPolicyItemAndDefId( - xPolicyItem.getId(), policyConditionDefObj.getId())) - .thenReturn(policyItemConditionList); - - Mockito.when(daoManager.getXXUser()).thenReturn(xUserDao); - Mockito.when(xUserDao.findByPolicyItemId(xPolicyItem.getId())) - .thenReturn(usersList); - - Mockito.when(daoManager.getXXGroup()).thenReturn(xGroupDao); - Mockito.when(xGroupDao.findByPolicyItemId(xPolicyItem.getId())) - .thenReturn(groupsList); - - List dbRangerPolicyItem = policyService - .getPolicyItemListForXXPolicy(policy); - Assert.assertNotNull(dbRangerPolicyItem); - - Mockito.verify(daoManager).getXXPolicyItemAccess(); - Mockito.verify(daoManager).getXXAccessTypeDef(); - Mockito.verify(daoManager).getXXPolicyConditionDef(); - Mockito.verify(daoManager).getXXPolicyItemCondition(); - Mockito.verify(daoManager).getXXUser(); - Mockito.verify(daoManager).getXXGroup(); - } - - @Test - public void test5PopulateXXToRangerPolicyItem() { - String name = "fdfdfds"; - - XXPolicyItemAccessDao xPolicyItemAccessDao = Mockito - .mock(XXPolicyItemAccessDao.class); - XXUserDao xUserDao = Mockito.mock(XXUserDao.class); - XXGroupDao xGroupDao = Mockito.mock(XXGroupDao.class); - XXAccessTypeDefDao xAccessTypeDefDao = Mockito - .mock(XXAccessTypeDefDao.class); - XXAccessTypeDef xAccessTypeDef = Mockito.mock(XXAccessTypeDef.class); - XXPolicyConditionDefDao xPolicyConditionDefDao = Mockito - .mock(XXPolicyConditionDefDao.class); - XXPolicyItemConditionDao xPolicyItemConditionDao = Mockito - .mock(XXPolicyItemConditionDao.class); - - List xPolicyItemList = new ArrayList(); - XXPolicyItem xPolicyItem = new XXPolicyItem(); - xPolicyItem.setDelegateAdmin(false); - xPolicyItem.setAddedByUserId(null); - xPolicyItem.setCreateTime(new Date()); - xPolicyItem.setGUID(null); - xPolicyItem.setId(Id); - xPolicyItem.setOrder(null); - xPolicyItem.setPolicyId(Id); - 
xPolicyItem.setUpdatedByUserId(null); - xPolicyItem.setUpdateTime(new Date()); - xPolicyItemList.add(xPolicyItem); - - List policyItemAccessList = new ArrayList(); - XXPolicyItemAccess policyItemAccess = new XXPolicyItemAccess(); - policyItemAccess.setAddedByUserId(Id); - policyItemAccess.setCreateTime(new Date()); - policyItemAccess.setPolicyitemid(Id); - policyItemAccess.setId(Id); - policyItemAccess.setOrder(1); - policyItemAccess.setUpdatedByUserId(Id); - policyItemAccess.setUpdateTime(new Date()); - policyItemAccessList.add(policyItemAccess); - - List xConditionDefList = new ArrayList(); - XXPolicyConditionDef policyConditionDefObj = new XXPolicyConditionDef(); - policyConditionDefObj.setAddedByUserId(Id); - policyConditionDefObj.setCreateTime(new Date()); - policyConditionDefObj.setDefid(Id); - policyConditionDefObj.setDescription("policy conditio"); - policyConditionDefObj.setId(Id); - policyConditionDefObj.setName(name); - policyConditionDefObj.setOrder(1); - policyConditionDefObj.setLabel("label"); - xConditionDefList.add(policyConditionDefObj); - - List policyItemConditionList = new ArrayList(); - XXPolicyItemCondition policyItemCondition = new XXPolicyItemCondition(); - policyItemCondition.setAddedByUserId(Id); - policyItemCondition.setCreateTime(new Date()); - policyItemCondition.setType(1L); - policyItemCondition.setId(Id); - policyItemCondition.setOrder(1); - policyItemCondition.setPolicyItemId(Id); - policyItemCondition.setUpdatedByUserId(Id); - policyItemCondition.setUpdateTime(new Date()); - policyItemConditionList.add(policyItemCondition); - - List usersList = new ArrayList(); - List groupsList = new ArrayList(); - - Mockito.when(daoManager.getXXPolicyItemAccess()).thenReturn( - xPolicyItemAccessDao); - Mockito.when(xPolicyItemAccessDao.findByPolicyItemId(Id)).thenReturn( - policyItemAccessList); - - Mockito.when(daoManager.getXXAccessTypeDef()).thenReturn( - xAccessTypeDefDao); - Mockito.when(xAccessTypeDefDao.getById(policyItemAccess.getType())) 
- .thenReturn(xAccessTypeDef); - - Mockito.when(daoManager.getXXPolicyConditionDef()).thenReturn( - xPolicyConditionDefDao); - Mockito.when( - xPolicyConditionDefDao.findByPolicyItemId(xPolicyItem.getId())) - .thenReturn(xConditionDefList); - - Mockito.when(daoManager.getXXPolicyItemCondition()).thenReturn( - xPolicyItemConditionDao); - Mockito.when( - xPolicyItemConditionDao.findByPolicyItemAndDefId( - xPolicyItem.getId(), policyConditionDefObj.getId())) - .thenReturn(policyItemConditionList); - - Mockito.when(daoManager.getXXUser()).thenReturn(xUserDao); - Mockito.when(xUserDao.findByPolicyItemId(xPolicyItem.getId())) - .thenReturn(usersList); - - Mockito.when(daoManager.getXXGroup()).thenReturn(xGroupDao); - Mockito.when(xGroupDao.findByPolicyItemId(xPolicyItem.getId())) - .thenReturn(groupsList); - - RangerPolicyItem dbRangerPolicyItem = policyService - .populateXXToRangerPolicyItem(xPolicyItem); - Assert.assertNotNull(dbRangerPolicyItem); - - Mockito.verify(daoManager).getXXPolicyItemAccess(); - Mockito.verify(daoManager).getXXAccessTypeDef(); - Mockito.verify(daoManager).getXXPolicyConditionDef(); - Mockito.verify(daoManager).getXXPolicyItemCondition(); - Mockito.verify(daoManager).getXXUser(); - Mockito.verify(daoManager).getXXGroup(); - } - - @Test - public void test6GetResourcesForXXPolicy() { - - XXResourceDefDao xResourceDefDao = Mockito.mock(XXResourceDefDao.class); - XXPolicyResourceDao xPolicyResourceDao = Mockito - .mock(XXPolicyResourceDao.class); - XXPolicyResourceMapDao xPolicyResourceMapDao = Mockito - .mock(XXPolicyResourceMapDao.class); - - XXPolicy policy = policy(); - - List resDefList = new ArrayList(); - XXResourceDef resourceDef = new XXResourceDef(); - resourceDef.setAddedByUserId(Id); - resourceDef.setCreateTime(new Date()); - resourceDef.setDefid(Id); - resourceDef.setDescription("test"); - resourceDef.setId(Id); - resDefList.add(resourceDef); - - XXPolicyResource policyResource = new XXPolicyResource(); - policyResource.setId(Id); - 
policyResource.setCreateTime(new Date()); - policyResource.setAddedByUserId(Id); - policyResource.setIsExcludes(false); - policyResource.setIsRecursive(false); - policyResource.setPolicyId(Id); - policyResource.setResDefId(Id); - policyResource.setUpdatedByUserId(Id); - policyResource.setUpdateTime(new Date()); - - List policyResourceMapList = new ArrayList(); - XXPolicyResourceMap policyResourceMap = new XXPolicyResourceMap(); - policyResourceMap.setAddedByUserId(Id); - policyResourceMap.setCreateTime(new Date()); - policyResourceMap.setId(Id); - policyResourceMap.setOrder(1); - policyResourceMap.setResourceId(Id); - policyResourceMap.setUpdatedByUserId(Id); - policyResourceMap.setUpdateTime(new Date()); - policyResourceMap.setValue("1L"); - policyResourceMapList.add(policyResourceMap); - - Mockito.when(daoManager.getXXResourceDef()).thenReturn(xResourceDefDao); - Mockito.when(xResourceDefDao.findByPolicyId(policy.getId())) - .thenReturn(resDefList); - - Mockito.when(daoManager.getXXPolicyResource()).thenReturn( - xPolicyResourceDao); - Mockito.when( - xPolicyResourceDao.findByResDefIdAndPolicyId( - resourceDef.getId(), policy.getId())).thenReturn( - policyResource); - - Mockito.when(daoManager.getXXPolicyResourceMap()).thenReturn( - xPolicyResourceMapDao); - Mockito.when( - xPolicyResourceMapDao.findByPolicyResId(policyResource.getId())) - .thenReturn(policyResourceMapList); - - Map dbListMap = policyService - .getResourcesForXXPolicy(policy); - Assert.assertNotNull(dbListMap); - - Mockito.verify(daoManager).getXXResourceDef(); - Mockito.verify(daoManager).getXXPolicyResource(); - Mockito.verify(daoManager).getXXPolicyResourceMap(); - } - - @Test - public void test7GetPopulatedViewObject() { - XXPortalUserDao xPortalUserDao = Mockito.mock(XXPortalUserDao.class); - XXServiceDefDao xServiceDefDao = Mockito.mock(XXServiceDefDao.class); - XXServiceConfigMapDao xServiceConfigMapDao = Mockito - .mock(XXServiceConfigMapDao.class); - XXServiceDao xServiceDao = 
Mockito.mock(XXServiceDao.class); - XXResourceDefDao xResourceDefDao = Mockito.mock(XXResourceDefDao.class); - XXPolicyResourceDao xPolicyResourceDao = Mockito - .mock(XXPolicyResourceDao.class); - XXPolicyResourceMapDao xPolicyResourceMapDao = Mockito - .mock(XXPolicyResourceMapDao.class); - XXPolicyItemDao xPolicyItemDao = Mockito.mock(XXPolicyItemDao.class); - XXPolicyItemAccessDao xPolicyItemAccessDao = Mockito - .mock(XXPolicyItemAccessDao.class); - XXAccessTypeDefDao xAccessTypeDefDao = Mockito - .mock(XXAccessTypeDefDao.class); - XXAccessTypeDef xAccessTypeDef = Mockito.mock(XXAccessTypeDef.class); - XXPolicyConditionDefDao xPolicyConditionDefDao = Mockito - .mock(XXPolicyConditionDefDao.class); - XXPolicyItemConditionDao xPolicyItemConditionDao = Mockito - .mock(XXPolicyItemConditionDao.class); - XXUserDao xUserDao = Mockito.mock(XXUserDao.class); - XXGroupDao xGroupDao = Mockito.mock(XXGroupDao.class); - - XXPolicy policy = policy(); - XXService xService = xService(); - String name = "fdfdfds"; - - XXPortalUser tUser = new XXPortalUser(); - tUser.setAddedByUserId(Id); - tUser.setCreateTime(new Date()); - tUser.setEmailAddress("test@gmail.com"); - tUser.setFirstName(name); - tUser.setId(Id); - tUser.setLastName(name); - - XXServiceDef xServiceDef = new XXServiceDef(); - xServiceDef.setAddedByUserId(Id); - xServiceDef.setCreateTime(new Date()); - xServiceDef.setDescription("test"); - xServiceDef.setGuid("1427365526516_835_0"); - xServiceDef.setId(Id); - - List srcConfigMapList = new ArrayList(); - XXServiceConfigMap xConfMap = new XXServiceConfigMap(); - xConfMap.setAddedByUserId(null); - xConfMap.setConfigkey(name); - xConfMap.setConfigvalue(name); - xConfMap.setCreateTime(new Date()); - xConfMap.setServiceId(null); - xConfMap.setUpdatedByUserId(null); - xConfMap.setUpdateTime(new Date()); - srcConfigMapList.add(xConfMap); - - List resDefList = new ArrayList(); - XXResourceDef resourceDef = new XXResourceDef(); - resourceDef.setAddedByUserId(Id); - 
resourceDef.setCreateTime(new Date()); - resourceDef.setDefid(Id); - resourceDef.setDescription("test"); - resourceDef.setId(Id); - resDefList.add(resourceDef); - - XXPolicyResource policyResource = new XXPolicyResource(); - policyResource.setId(Id); - policyResource.setCreateTime(new Date()); - policyResource.setAddedByUserId(Id); - policyResource.setIsExcludes(false); - policyResource.setIsRecursive(false); - policyResource.setPolicyId(Id); - policyResource.setResDefId(Id); - policyResource.setUpdatedByUserId(Id); - policyResource.setUpdateTime(new Date()); - - List policyResourceMapList = new ArrayList(); - XXPolicyResourceMap policyResourceMap = new XXPolicyResourceMap(); - policyResourceMap.setAddedByUserId(Id); - policyResourceMap.setCreateTime(new Date()); - policyResourceMap.setId(Id); - policyResourceMap.setOrder(1); - policyResourceMap.setResourceId(Id); - policyResourceMap.setUpdatedByUserId(Id); - policyResourceMap.setUpdateTime(new Date()); - policyResourceMap.setValue("1L"); - policyResourceMapList.add(policyResourceMap); - - List xPolicyItemList = new ArrayList(); - XXPolicyItem xPolicyItem = new XXPolicyItem(); - xPolicyItem.setDelegateAdmin(false); - xPolicyItem.setAddedByUserId(null); - xPolicyItem.setCreateTime(new Date()); - xPolicyItem.setGUID(null); - xPolicyItem.setId(Id); - xPolicyItem.setOrder(null); - xPolicyItem.setPolicyId(Id); - xPolicyItem.setUpdatedByUserId(null); - xPolicyItem.setUpdateTime(new Date()); - xPolicyItemList.add(xPolicyItem); - - List policyItemAccessList = new ArrayList(); - XXPolicyItemAccess policyItemAccess = new XXPolicyItemAccess(); - policyItemAccess.setAddedByUserId(Id); - policyItemAccess.setCreateTime(new Date()); - policyItemAccess.setPolicyitemid(Id); - policyItemAccess.setId(Id); - policyItemAccess.setOrder(1); - policyItemAccess.setUpdatedByUserId(Id); - policyItemAccess.setUpdateTime(new Date()); - policyItemAccessList.add(policyItemAccess); - - List xConditionDefList = new ArrayList(); - 
XXPolicyConditionDef policyConditionDefObj = new XXPolicyConditionDef(); - policyConditionDefObj.setAddedByUserId(Id); - policyConditionDefObj.setCreateTime(new Date()); - policyConditionDefObj.setDefid(Id); - policyConditionDefObj.setDescription("policy conditio"); - policyConditionDefObj.setId(Id); - policyConditionDefObj.setName(name); - policyConditionDefObj.setOrder(1); - policyConditionDefObj.setLabel("label"); - xConditionDefList.add(policyConditionDefObj); - - List policyItemConditionList = new ArrayList(); - XXPolicyItemCondition policyItemCondition = new XXPolicyItemCondition(); - policyItemCondition.setAddedByUserId(Id); - policyItemCondition.setCreateTime(new Date()); - policyItemCondition.setType(1L); - policyItemCondition.setId(Id); - policyItemCondition.setOrder(1); - policyItemCondition.setPolicyItemId(Id); - policyItemCondition.setUpdatedByUserId(Id); - policyItemCondition.setUpdateTime(new Date()); - policyItemConditionList.add(policyItemCondition); - - List usersList = new ArrayList(); - List groupsList = new ArrayList(); - - Mockito.when(daoManager.getXXPortalUser()).thenReturn(xPortalUserDao); - Mockito.when(xPortalUserDao.getById(Id)).thenReturn(tUser); - - Mockito.when(daoManager.getXXServiceDef()).thenReturn(xServiceDefDao); - Mockito.when(xServiceDefDao.getById(xService.getType())).thenReturn( - xServiceDef); - - Mockito.when(daoManager.getXXServiceConfigMap()).thenReturn( - xServiceConfigMapDao); - Mockito.when(xServiceConfigMapDao.findByServiceId(xService.getId())) - .thenReturn(srcConfigMapList); - - Mockito.when(daoManager.getXXService()).thenReturn(xServiceDao); - Mockito.when(xServiceDao.getById(policy.getService())).thenReturn( - xService); - - Mockito.when(daoManager.getXXResourceDef()).thenReturn(xResourceDefDao); - Mockito.when(xResourceDefDao.findByPolicyId(policy.getId())) - .thenReturn(resDefList); - - Mockito.when(daoManager.getXXPolicyResource()).thenReturn( - xPolicyResourceDao); - Mockito.when( - 
xPolicyResourceDao.findByResDefIdAndPolicyId( - resourceDef.getId(), policy.getId())).thenReturn( - policyResource); - - Mockito.when(daoManager.getXXPolicyResourceMap()).thenReturn( - xPolicyResourceMapDao); - Mockito.when( - xPolicyResourceMapDao.findByPolicyResId(policyResource.getId())) - .thenReturn(policyResourceMapList); - - Mockito.when(daoManager.getXXPolicyItem()).thenReturn(xPolicyItemDao); - Mockito.when(xPolicyItemDao.findByPolicyId(policy.getId())).thenReturn( - xPolicyItemList); - - Mockito.when(daoManager.getXXPolicyItemAccess()).thenReturn( - xPolicyItemAccessDao); - Mockito.when(xPolicyItemAccessDao.findByPolicyItemId(policy.getId())) - .thenReturn(policyItemAccessList); - - Mockito.when(daoManager.getXXAccessTypeDef()).thenReturn( - xAccessTypeDefDao); - Mockito.when(xAccessTypeDefDao.getById(policyItemAccess.getType())) - .thenReturn(xAccessTypeDef); - - Mockito.when(daoManager.getXXPolicyConditionDef()).thenReturn( - xPolicyConditionDefDao); - Mockito.when( - xPolicyConditionDefDao.findByPolicyItemId(xPolicyItem.getId())) - .thenReturn(xConditionDefList); - - Mockito.when(daoManager.getXXPolicyItemCondition()).thenReturn( - xPolicyItemConditionDao); - Mockito.when( - xPolicyItemConditionDao.findByPolicyItemAndDefId( - xPolicyItem.getId(), policyConditionDefObj.getId())) - .thenReturn(policyItemConditionList); - - Mockito.when(daoManager.getXXUser()).thenReturn(xUserDao); - Mockito.when(xUserDao.findByPolicyItemId(xPolicyItem.getId())) - .thenReturn(usersList); - - Mockito.when(daoManager.getXXGroup()).thenReturn(xGroupDao); - Mockito.when(xGroupDao.findByPolicyItemId(xPolicyItem.getId())) - .thenReturn(groupsList); - - RangerPolicy dbRangerPolicy = policyService - .getPopulatedViewObject(policy); - Assert.assertNotNull(dbRangerPolicy); - Assert.assertEquals(dbRangerPolicy.getId(), policy.getId()); - Assert.assertEquals(dbRangerPolicy.getName(), policy.getName()); - Assert.assertEquals(dbRangerPolicy.getDescription(), - policy.getDescription()); 
- Assert.assertEquals(dbRangerPolicy.getGuid(), policy.getGuid()); - Assert.assertEquals(dbRangerPolicy.getVersion(), policy.getVersion()); - Assert.assertEquals(dbRangerPolicy.getIsAuditEnabled(), - policy.getIsAuditEnabled()); - Mockito.verify(daoManager).getXXPolicyItemAccess(); - Mockito.verify(daoManager).getXXAccessTypeDef(); - Mockito.verify(daoManager).getXXPolicyConditionDef(); - Mockito.verify(daoManager).getXXPolicyItemCondition(); - Mockito.verify(daoManager).getXXUser(); - Mockito.verify(daoManager).getXXGroup(); - } - @Test public void test8getTransactionLog() { XXServiceDao xServiceDao = Mockito.mock(XXServiceDao.class); @@ -1002,5 +190,4 @@ public void test8getTransactionLog() { rangerPolicy, 1); Assert.assertNotNull(dbXXTrxLogList); } - } From 3c20302ccd9d387ce5f637ec517050cdb013cfb5 Mon Sep 17 00:00:00 2001 From: rmani Date: Thu, 12 Nov 2015 23:22:13 -0800 Subject: [PATCH 099/202] RANGER-727:Knox Plugin failed to AuditToSpool file when Audit Destination is down --- src/main/assembly/knox-agent.xml | 1 + 1 file changed, 1 insertion(+) diff --git a/src/main/assembly/knox-agent.xml b/src/main/assembly/knox-agent.xml index dc73f69aaf2..8975c1deb85 100644 --- a/src/main/assembly/knox-agent.xml +++ b/src/main/assembly/knox-agent.xml @@ -55,6 +55,7 @@ org.noggit:noggit:jar:${noggit.version} com.google.protobuf:protobuf-java:jar:${protobuf-java.version} org.apache.hadoop:hadoop-hdfs:jar:${hadoop.version} + org.apache.hadoop:hadoop-common:jar:${hadoop-common.version} org.apache.htrace:htrace-core:jar:${htrace-core.version} false From 80dcf52dc671e52b97d181bb7635f1abe81252a0 Mon Sep 17 00:00:00 2001 From: Gautam Borad Date: Tue, 6 Oct 2015 13:06:46 +0530 Subject: [PATCH 100/202] RANGER-680 : Default policies for KMS repo Signed-off-by: Velmurugan Periasamy --- .../main/java/org/apache/ranger/biz/ServiceDBStore.java | 8 -------- 1 file changed, 8 deletions(-) 
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java index 97b68462aee..278ebc004c9 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java @@ -1709,14 +1709,6 @@ private void createDefaultPolicy(XXService createdService, VXUser vXUser, List groups = new ArrayList(); - groups.add(RangerConstants.GROUP_PUBLIC); - policyItem.setGroups(groups); - } - List accessTypeDefs = daoMgr.getXXAccessTypeDef().findByServiceDefId(createdService.getType()); List accesses = new ArrayList(); for(XXAccessTypeDef accessTypeDef : accessTypeDefs) { From b11673164d7ff4dd32aa3fc46b4d20def04dc0aa Mon Sep 17 00:00:00 2001 From: rmani Date: Mon, 16 Nov 2015 13:30:55 -0800 Subject: [PATCH 101/202] RANGER-731: Ranger plugin for YARN doesn't seem to be able to write audit to Kerberized HDFS --- src/main/assembly/plugin-yarn.xml | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/main/assembly/plugin-yarn.xml b/src/main/assembly/plugin-yarn.xml index 6f8e33bb642..35508818ba4 100644 --- a/src/main/assembly/plugin-yarn.xml +++ b/src/main/assembly/plugin-yarn.xml @@ -49,8 +49,6 @@ /lib/ranger-yarn-plugin-impl false - org.apache.hadoop:hadoop-common:jar:${hadoop-common.version} - org.apache.hadoop:hadoop-common-plus:jar:${hadoop-common.version} org.eclipse.persistence:eclipselink org.eclipse.persistence:javax.persistence org.apache.httpcomponents:httpmime:jar:${httpcomponent.httpmime.version} From 836aa92bdbc19e17408662eb64f424281e582c26 Mon Sep 17 00:00:00 2001 
From: Don Bosco Durai Date: Thu, 10 Sep 2015 15:23:07 -0700 Subject: [PATCH 102/202] RANGER-602: Solr client in SolrCloud mode should work with zookeeper settings also (cherry picked from commit 68a406e052550e52bf01aad75cfcf192ce276432) --- .../destination/SolrAuditDestination.java | 44 ++++++++++++++----- 1 file changed, 33 insertions(+), 11 deletions(-) diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/destination/SolrAuditDestination.java b/agents-audit/src/main/java/org/apache/ranger/audit/destination/SolrAuditDestination.java index 213e4b24da0..f875842e979 100644 --- a/agents-audit/src/main/java/org/apache/ranger/audit/destination/SolrAuditDestination.java +++ b/agents-audit/src/main/java/org/apache/ranger/audit/destination/SolrAuditDestination.java @@ -43,7 +43,9 @@ public class SolrAuditDestination extends AuditDestination { public static final String PROP_SOLR_URLS = "urls"; public static final String PROP_SOLR_ZK = "zookeepers"; + public static final String PROP_SOLR_COLLECTION = "collection"; + public static final String DEFAULT_COLLECTION_NAME = "ranger_audits"; SolrClient solrClient = null; public SolrAuditDestination() { @@ -55,7 +57,7 @@ public void init(Properties props, String propPrefix) { super.init(props, propPrefix); connect(); } - + @Override public void stop() { super.stop(); @@ -67,13 +69,12 @@ synchronized void connect() { if (solrClient == null) { String urls = MiscUtil.getStringProperty(props, propPrefix + "." + PROP_SOLR_URLS); - if( urls != null) { + if (urls != null) { urls = urls.trim(); } if (urls != null && urls.equalsIgnoreCase("NONE")) { urls = null; } - List solrURLs = new ArrayList(); String zkHosts = null; 
@@ -84,11 +85,32 @@ synchronized void connect() { zkHosts = null; } - try { - if (zkHosts != null && !zkHosts.isEmpty()) { + String collectionName = MiscUtil.getStringProperty(props, + propPrefix + "." + PROP_SOLR_COLLECTION); + if (collectionName == null + || collectionName.equalsIgnoreCase("none")) { + collectionName = DEFAULT_COLLECTION_NAME; + } + + LOG.info("Solr zkHosts=" + zkHosts + ", solrURLs=" + urls + + ", collectionName=" + collectionName); + + if (zkHosts != null && !zkHosts.isEmpty()) { + LOG.info("Connecting to solr cloud using zkHosts=" + + zkHosts); + try { // Instantiate - solrClient = new CloudSolrClient(zkHosts); - } else if (solrURLs != null && !solrURLs.isEmpty()) { + CloudSolrClient solrCloudClient = new CloudSolrClient( + zkHosts); + solrCloudClient.setDefaultCollection(collectionName); + solrClient = solrCloudClient; + } catch (Throwable t) { + LOG.fatal("Can't connect to Solr server. ZooKeepers=" + + zkHosts, t); + } + } else if (solrURLs != null && !solrURLs.isEmpty()) { + try { + LOG.info("Connecting to Solr using URLs=" + solrURLs); LBHttpSolrClient lbSolrClient = new LBHttpSolrClient( solrURLs.get(0)); lbSolrClient.setConnectionTimeout(1000); @@ -97,10 +119,10 @@ synchronized void connect() { lbSolrClient.addSolrServer(solrURLs.get(i)); } solrClient = lbSolrClient; + } catch (Throwable t) { + LOG.fatal("Can't connect to Solr server. URL=" + + solrURLs, t); } - } catch (Throwable t) { - LOG.fatal("Can't connect to Solr server. URL=" + solrURLs, - t); } } } @@ -111,7 +133,7 @@ public boolean log(Collection events) { try { logStatusIfRequired(); addTotalCount(events.size()); - + if (solrClient == null) { connect(); if (solrClient == null) { From d557e97d6ddf424997649a17131e0e2e829b388e Mon Sep 17 00:00:00 2001 
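Review bot: Both new catch blocks in connect() catch `Throwable`, so JVM errors such as a `LinkageError` or `OutOfMemoryError` from the Solr client constructor are logged at fatal and then swallowed, leaving `solrClient` null as if it were a configuration problem. Because log() (hunk @@ -111) calls connect() again whenever `solrClient` is null, a persistent failure is retried and re-logged at fatal level on every batch. Narrowing both to `} catch (Exception e) {` keeps the best-effort behaviour for configuration and connectivity failures while letting real errors surface. The `LOG.info("Solr zkHosts=" …)` line is fine as it records no credentials. connect() continues outside this hunk.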
From: Don Bosco Durai Date: Sun, 11 Oct 2015 20:51:37 -0700 Subject: [PATCH 103/202] RANGER-657: Solr plugin doesn't support for user principals with /$HOST in it (cherry picked from commit f1135ea2ea6cd48209b73a25be77613c9d355abf) --- .../ranger/audit/provider/MiscUtil.java | 79 +++++- .../ranger/audit/queue/AuditFileSpool.java | 2 +- .../solr/authorizer/RangerSolrAuthorizer.java | 257 +++++++++++------- 3 files changed, 236 insertions(+), 102 deletions(-) diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java b/agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java index a3a3a844ecf..9586f732947 100644 --- a/agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java +++ b/agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java @@ -37,6 +37,8 @@ import javax.security.auth.login.AppConfigurationEntry; import javax.security.auth.login.Configuration; import javax.security.auth.login.LoginContext; + +import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.hadoop.security.UserGroupInformation; 
@@ -481,6 +483,33 @@ public static Subject getSubjectLoginUser() { return subjectLoginUser; } + public static String getKerberosNamesRules() { + return KerberosName.getRules(); + } + /** + * + * @param principal + * This could be in the format abc/host@domain.com + * @return + */ + static public String getShortNameFromPrincipalName(String principal) { + if (principal == null) { + return null; + } + try { + // Assuming it is kerberos name for now + KerberosName kerbrosName = new KerberosName(principal); + String userName = kerbrosName.getShortName(); + userName = StringUtils.substringBefore(userName, "/"); + userName = StringUtils.substringBefore(userName, "@"); + return userName; + } catch (Throwable t) { + logger.error("Error converting kerberos name. principal=" + + principal + ", KerberosName.rules=" + KerberosName.getRules()); + } + return principal; + } + /** * @param userName * @return @@ -492,7 +521,6 @@ static public Set getGroupsForRequestUser(String userName) { try { UserGroupInformation ugi = UserGroupInformation .createRemoteUser(userName); - // UserGroupInformation ugi = UserGroupInformation.getCurrentUser(); String groups[] = ugi.getGroupNames(); if (groups != null && groups.length > 0) { java.util.Set groupsSet = new java.util.HashSet(); 
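Review bot: The catch in getShortNameFromPrincipalName() logs the failure without the throwable, so the reason the Kerberos name rules could not be applied is lost; use `logger.error("Error converting kerberos name. principal=" + principal + ", KerberosName.rules=" + KerberosName.getRules(), t);`. On that path the method returns the raw `principal` unchanged, which means callers may evaluate policy against a name that still carries the host and realm parts, and the Javadoc `@return` is empty; document it as `@return the short user name, or the unchanged principal if the Kerberos name rules could not be applied`. The local `kerbrosName` is also misspelled (`kerberosName`).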
@@ -545,6 +573,55 @@ static public boolean logErrorMessageByInterval(Log useLogger, } + public static void authWithConfig(String appName, Configuration config) { + try { + if (config != null) { + logger.info("Getting AppConfigrationEntry[] for appName=" + + appName + ", config=" + config.toString()); + AppConfigurationEntry[] entries = config + .getAppConfigurationEntry(appName); + if (entries != null) { + logger.info("Got " + entries.length + + " AppConfigrationEntry elements for appName=" + + appName); + for (AppConfigurationEntry appEntry : entries) { + logger.info("APP_ENTRY:getLoginModuleName()=" + + appEntry.getLoginModuleName()); + logger.info("APP_ENTRY:getControlFlag()=" + + appEntry.getControlFlag()); + logger.info("APP_ENTRY.getOptions()=" + + appEntry.getOptions()); + } + } + + LoginContext loginContext = new LoginContext(appName, + new Subject(), null, config); + logger.info("Login in for appName=" + appName); + loginContext.login(); + logger.info("Principals after login=" + + loginContext.getSubject().getPrincipals()); + logger.info("UserGroupInformation.loginUserFromSubject(): appName=" + + appName + + ", principals=" + + loginContext.getSubject().getPrincipals()); + + UserGroupInformation ugi = MiscUtil + .createUGIFromSubject(loginContext.getSubject()); + if (ugi != null) { + MiscUtil.setUGILoginUser(ugi, loginContext.getSubject()); + } + + // UserGroupInformation.loginUserFromSubject(loginContext + // .getSubject()); + logger.info("POST UserGroupInformation.loginUserFromSubject UGI=" + + UserGroupInformation.getLoginUser()); + } + } catch (Throwable t) { + logger.fatal("Error logging as appName=" + appName + ", config=" + + config.toString()); + } + } + public static void authWithKerberos(String keytab, String principal, String nameRules) { diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditFileSpool.java b/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditFileSpool.java index bab496ce51d..17ddab9e7b8 100644 
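Review bot: authWithConfig() writes every JAAS login-module option to the log at INFO via `logger.info("APP_ENTRY.getOptions()=" + appEntry.getOptions());`; login-module options can contain credential material (for example a password or keytab location), so logging only the option names is safer: `logger.info("APP_ENTRY.getOptions()=" + appEntry.getOptions().keySet());`. The catch block also drops the throwable, so a failed login leaves no stack trace: `logger.fatal("Error logging as appName=" + appName + ", config=" + config, t);` (string concatenation makes the explicit `toString()` unnecessary). The commented-out `UserGroupInformation.loginUserFromSubject` lines should be removed rather than kept as dead code.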
--- a/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditFileSpool.java +++ b/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditFileSpool.java @@ -107,7 +107,7 @@ public enum SPOOL_FILE_STATUS { boolean isWriting = true; boolean isDrain = false; - boolean isDestDown = true; + boolean isDestDown = false; private Gson gson = null; diff --git a/plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.java b/plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.java index 8e0ada8ae65..a8ecf15bf13 100644 --- a/plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.java +++ b/plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.java @@ -28,9 +28,12 @@ import java.util.Map; import java.util.Set; +import javax.security.auth.login.Configuration; import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; +import org.apache.hadoop.security.UserGroupInformation; +import org.apache.ranger.audit.provider.MiscUtil; import org.apache.ranger.authorization.hadoop.config.RangerConfiguration; import org.apache.ranger.authorization.utils.StringUtil; import org.apache.ranger.plugin.audit.RangerMultiResourceAuditHandler; 
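Review bot: Flipping the `isDestDown` default from true to false changes the spool's initial assumption about the audit destination, and nothing in the commit message (which is about Solr principal names) explains it; a one-line comment on the field would help the next reader, e.g. `boolean isDestDown = false; // optimistic default: treat the destination as reachable until a send fails`. The enclosing class and the code that sets the flag are outside this hunk, so the exact trigger for setting it back to true should be confirmed before wording the comment.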
@@ -50,26 +53,25 @@ public class RangerSolrAuthorizer implements AuthorizationPlugin { public static final String PROP_USE_PROXY_IP = "xasecure.solr.use_proxy_ip"; public static final String PROP_PROXY_IP_HEADER = "xasecure.solr.proxy_ip_header"; + public static final String PROP_SOLR_APP_NAME = "xasecure.solr.app.name"; public static final String KEY_COLLECTION = "collection"; public static final String ACCESS_TYPE_CREATE = "create"; public static final String ACCESS_TYPE_UPDATE = "update"; public static final String ACCESS_TYPE_QUERY = "query"; - public static final String ACCESS_TYPE_OTHER = "other"; + public static final String ACCESS_TYPE_OTHERS = "others"; public static final String ACCESS_TYPE_ADMIN = "solr_admin"; private static volatile RangerBasePlugin solrPlugin = null; boolean useProxyIP = false; String proxyIPHeader = "HTTP_X_FORWARDED_FOR"; + String solrAppName = "Client"; public RangerSolrAuthorizer() { logger.info("RangerSolrAuthorizer()"); - if (solrPlugin == null) { - logger.info("RangerSolrAuthorizer(): init called"); - solrPlugin = new RangerBasePlugin("solr", "solr"); - } + } /* 
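Review bot: Renaming `ACCESS_TYPE_OTHER = "other"` to `ACCESS_TYPE_OTHERS = "others"` changes the access-type string submitted for policy evaluation, which has to match the access type declared in the Solr service definition; the commit description does not mention this, so a comment such as `// must match the "others" access type in the solr service-def` on the constant would make the coupling visible. The mutable fields `useProxyIP`, `proxyIPHeader` and the new `solrAppName` are package-private; since init() is the only visible writer, `private` would be the safer default.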
@@ -82,16 +84,51 @@ public void init(Map initInfo) { logger.info("init()"); try { - solrPlugin.init(); - useProxyIP = RangerConfiguration.getInstance().getBoolean( PROP_USE_PROXY_IP, useProxyIP); proxyIPHeader = RangerConfiguration.getInstance().get( PROP_PROXY_IP_HEADER, proxyIPHeader); + // First get from the -D property + solrAppName = System.getProperty("solr.kerberos.jaas.appname", + solrAppName); + // Override if required from Ranger properties + solrAppName = RangerConfiguration.getInstance().get( + PROP_SOLR_APP_NAME, solrAppName); + + logger.info("init(): useProxyIP=" + useProxyIP); + logger.info("init(): proxyIPHeader=" + proxyIPHeader); + logger.info("init(): solrAppName=" + solrAppName); + logger.info("init(): KerberosName.rules=" + + MiscUtil.getKerberosNamesRules()); + authToJAASFile(); } catch (Throwable t) { logger.fatal("Error init", t); } + + try { + if (solrPlugin == null) { + logger.info("RangerSolrAuthorizer(): init called"); + solrPlugin = new RangerBasePlugin("solr", "solr"); + solrPlugin.init(); + } + } catch (Throwable t) { + logger.fatal("Error creating and initializing RangerBasePlugin()"); + } + } + + private void authToJAASFile() { + try { + // logger.info("DEFAULT UGI=" + + // UserGroupInformation.getLoginUser()); + + Configuration config = javax.security.auth.login.Configuration + .getConfiguration(); + MiscUtil.authWithConfig(solrAppName, config); + logger.info("POST AUTH UGI=" + UserGroupInformation.getLoginUser()); + } catch (Throwable t) { + logger.error("Error authenticating for appName=" + solrAppName, t); + } } /* 
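Review bot: In the second try block of init(), the static `solrPlugin` field is assigned before `solrPlugin.init()` runs, so a concurrent authorize() could observe a constructed-but-uninitialized plugin, and if `init()` throws the field keeps that half-initialized instance. Building into a local first avoids both: `RangerBasePlugin plugin = new RangerBasePlugin("solr", "solr");` `plugin.init();` `solrPlugin = plugin;`. The catch also drops the throwable; use `logger.fatal("Error creating and initializing RangerBasePlugin()", t);` so the cause of a failed plugin start is recorded.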
@@ -118,69 +155,75 @@ public void close() throws IOException { */ @Override public AuthorizationResponse authorize(AuthorizationContext context) { - // TODO: Change this to Debug only - if (logger.isInfoEnabled()) { - logAuthorizationConext(context); - } + boolean isDenied = false; - RangerMultiResourceAuditHandler auditHandler = new RangerMultiResourceAuditHandler(); + try { + if (logger.isDebugEnabled()) { + logAuthorizationConext(context); + } - String userName = null; - Set userGroups = null; - String ip = null; - Date eventTime = StringUtil.getUTCDate(); + RangerMultiResourceAuditHandler auditHandler = new RangerMultiResourceAuditHandler(); - // Set the User and Groups - Principal principal = context.getUserPrincipal(); - if (principal != null) { - userName = StringUtils.substringBefore(principal.getName(), "@"); - userGroups = getGroupsForUser(userName); - } + String userName = getUserName(context); + Set userGroups = getGroupsForUser(userName); + String ip = null; + Date eventTime = StringUtil.getUTCDate(); - // // Set the IP - if (useProxyIP) { - ip = context.getHttpHeader(proxyIPHeader); - } - if (ip == null) { - ip = context.getHttpHeader("REMOTE_ADDR"); - } - - String requestData = context.getResource() + ":" + context.getParams(); + // // Set the IP + if (useProxyIP) { + ip = context.getHttpHeader(proxyIPHeader); + } + if (ip == null) { + ip = context.getHttpHeader("REMOTE_ADDR"); + } - // Create the list of requests for access check. Each field is broken - // into a request - List rangerRequests = new ArrayList(); - for (CollectionRequest collectionRequest : context - .getCollectionRequests()) { + String requestData = context.getResource() + ":" + + context.getParams(); - List requestsForCollection = createRequests( - userName, userGroups, ip, eventTime, context, - collectionRequest, requestData); - rangerRequests.addAll(requestsForCollection); - } + // Create the list of requests for access check. 
Each field is + // broken + // into a request + List rangerRequests = new ArrayList(); + for (CollectionRequest collectionRequest : context + .getCollectionRequests()) { - boolean isDenied = false; - try { - // Let's check the access for each request/resource - for (RangerAccessRequestImpl rangerRequest : rangerRequests) { - RangerAccessResult result = solrPlugin.isAccessAllowed( - rangerRequest, auditHandler); - if (result == null || !result.getIsAllowed()) { - isDenied = true; - // rejecting on first failure - break; + List requestsForCollection = createRequests( + userName, userGroups, ip, eventTime, context, + collectionRequest, requestData); + rangerRequests.addAll(requestsForCollection); + } + if (logger.isDebugEnabled()) { + logger.debug("rangerRequests.size()=" + rangerRequests.size()); + } + try { + // Let's check the access for each request/resource + for (RangerAccessRequestImpl rangerRequest : rangerRequests) { + RangerAccessResult result = solrPlugin.isAccessAllowed( + rangerRequest, auditHandler); + if (logger.isDebugEnabled()) { + logger.debug("rangerRequest=" + result); + } + if (result == null || !result.getIsAllowed()) { + isDenied = true; + // rejecting on first failure + break; + } } + } finally { + auditHandler.flushAudit(); } - } finally { - auditHandler.flushAudit(); + } catch (Throwable t) { + MiscUtil.logErrorMessageByInterval(logger, t.getMessage(), t); } - AuthorizationResponse response = null; if (isDenied) { response = new AuthorizationResponse(403); } else { response = new AuthorizationResponse(200); } + if (logger.isDebugEnabled()) { + logger.debug("context=" + context + ": returning: " + isDenied); + } return response; } 
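Review bot: authorize() now fails open: `isDenied` starts false, the outer `catch (Throwable t)` only logs, and the method then returns `new AuthorizationResponse(200)`, so any exception during evaluation — including the NullPointerException that follows when `solrPlugin` could not be initialized in init() — grants the request. The catch should deny: `isDenied = true;` after the `MiscUtil.logErrorMessageByInterval(...)` call. Separately, when `useProxyIP` is set the audited `ip` is taken from a client-supplied header, which is only trustworthy behind a proxy that overwrites that header; a comment on the `if (useProxyIP)` branch stating that assumption would help operators.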
@@ -188,53 +231,59 @@ public AuthorizationResponse authorize(AuthorizationContext context) { * @param context */ private void logAuthorizationConext(AuthorizationContext context) { - String collections = ""; - int i = -1; - for (CollectionRequest collectionRequest : context - .getCollectionRequests()) { - i++; - if (i > 0) { - collections += ","; + try { + // Note: This method should be called with isDebugEnabled() or + // isInfoEnabled() scope + + String collections = ""; + int i = -1; + for (CollectionRequest collectionRequest : context + .getCollectionRequests()) { + i++; + if (i > 0) { + collections += ","; + } + collections += collectionRequest.collectionName; } - collections += collectionRequest.collectionName; - } - String headers = ""; - i = -1; - @SuppressWarnings("unchecked") - Enumeration eList = context.getHeaderNames(); - while (eList.hasMoreElements()) { - i++; - if (i > 0) { - headers += ","; + String headers = ""; + i = -1; + @SuppressWarnings("unchecked") + Enumeration eList = context.getHeaderNames(); + while (eList.hasMoreElements()) { + i++; + if (i > 0) { + headers += ","; + } + String header = eList.nextElement(); + String value = context.getHttpHeader(header); + headers += header + "=" + value; } - String header = eList.nextElement(); - String value = context.getHttpHeader(header); - headers += header + "=" + value; - } - String ipAddress = context.getHttpHeader("HTTP_X_FORWARDED_FOR"); + String ipAddress = context.getHttpHeader("HTTP_X_FORWARDED_FOR"); - if (ipAddress == null) { - ipAddress = context.getHttpHeader("REMOTE_ADDR"); - } + if (ipAddress == null) { + ipAddress = context.getHttpHeader("REMOTE_HOST"); + } + if (ipAddress == null) { + ipAddress = context.getHttpHeader("REMOTE_ADDR"); + } - Principal principal = context.getUserPrincipal(); - String userName = null; - if (principal != null) { - userName = principal.getName(); - userName = StringUtils.substringBefore(userName, "/"); - userName = StringUtils.substringBefore(userName, 
"@"); + String userName = getUserName(context); + Set groups = getGroupsForUser(userName); + + logger.info("AuthorizationContext: context.getResource()=" + + context.getResource() + ", solarParams=" + + context.getParams() + ", requestType=" + + context.getRequestType() + ", ranger.requestType=" + + mapToRangerAccessType(context) + ", userPrincipal=" + + context.getUserPrincipal() + ", userName=" + userName + + ", groups=" + groups + ", ipAddress=" + ipAddress + + ", collections=" + collections + ", headers=" + headers); + } catch (Throwable t) { + logger.error("Error getting request context!!!", t); } - logger.info("AuthorizationContext: context.getResource()=" - + context.getResource() + ", solarParams=" - + context.getParams() + ", requestType=" - + context.getRequestType() + ", userPrincipal=" - + context.getUserPrincipal() + ", userName=" + userName - + ", ipAddress=" + ipAddress + ", collections=" + collections - + ", headers=" + headers); - } /** @@ -292,18 +341,24 @@ private RangerAccessRequestImpl createBaseRequest(String userName, return rangerRequest; } + private String getUserName(AuthorizationContext context) { + Principal principal = context.getUserPrincipal(); + if (principal != null) { + return MiscUtil.getShortNameFromPrincipalName(principal.getName()); + } + return null; + } + /** * @param name * @return */ private Set getGroupsForUser(String name) { - // TODO: Need to implement this method - - return null; + return MiscUtil.getGroupsForRequestUser(name); } String mapToRangerAccessType(AuthorizationContext context) { - String accessType = ACCESS_TYPE_OTHER; + String accessType = ACCESS_TYPE_OTHERS; RequestType requestType = context.getRequestType(); if (requestType.equals(RequestType.ADMIN)) { 
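Review bot: logAuthorizationConext() concatenates every request header as `header + "=" + value`, which would write `Authorization` or `Cookie` values into the log when the debug guard in authorize() is on; skip or redact credential-bearing headers before appending, e.g. `String value = "authorization".equalsIgnoreCase(header) ? "<redacted>" : context.getHttpHeader(header);`. The method's own comment says it is only called under `isDebugEnabled()`, yet the final statement is `logger.info(...)`; `logger.debug(...)` would match the guard. The new `context.getHttpHeader("REMOTE_HOST")` fallback is also only for logging, while authorize() still uses `REMOTE_ADDR`, which is worth a comment so the two are not assumed equivalent.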
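Review bot: getUserName() returns null when the request carries no principal, and getGroupsForUser() now passes that null straight into `MiscUtil.getGroupsForRequestUser(name)`; presumably its internal try/catch (partly visible in the MiscUtil hunk above) absorbs the failure, but that should be confirmed rather than relied on. A guard `if (name == null) { return null; }` in getGroupsForUser() keeps the previous null-groups behaviour for anonymous requests explicitly, and both helpers deserve a `@return` line stating that null means "no authenticated principal".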
@@ -313,11 +368,13 @@ String mapToRangerAccessType(AuthorizationContext context) { } else if (requestType.equals(RequestType.WRITE)) { accessType = ACCESS_TYPE_UPDATE; } else if (requestType.equals(RequestType.UNKNOWN)) { - logger.info("UNKNOWN request type. Mapping it to " + accessType); - accessType = ACCESS_TYPE_OTHER; + logger.info("UNKNOWN request type. Mapping it to " + accessType + + ". Resource=" + context.getResource()); + accessType = ACCESS_TYPE_OTHERS; } else { logger.info("Request type is not supported. requestType=" - + requestType + ". Mapping it to " + accessType); + + requestType + ". Mapping it to " + accessType + + ". Resource=" + context.getResource()); } return accessType; } From 04f3fa4af2fde5507c81f765f7d744d4f16eccbd Mon Sep 17 00:00:00 2001 From: Madhan Neethiraj Date: Thu, 19 Nov 2015 11:16:35 -0800 Subject: [PATCH 104/202] RANGER-737: updated Ranger Kakfa plugin for recent changes in Kafka authorizer (cherry picked from commit e47756ced5b9307e4e0c29543847d9ba0f6fad2b) --- .../authorizer/RangerKafkaAuthorizer.java | 68 ++++++++++++------- .../services/kafka/RangerServiceKafka.java | 37 ++++++---- .../kafka/client/ServiceKafkaClient.java | 42 ++++++++---- pom.xml | 5 +- ranger-kafka-plugin-shim/.gitignore | 1 + .../authorizer/RangerKafkaAuthorizer.java | 65 ++++++++++++------ 6 files changed, 146 insertions(+), 72 deletions(-) create mode 100644 ranger-kafka-plugin-shim/.gitignore diff --git a/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java b/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java index c5e955d30b0..08ff92824de 100644 --- a/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java +++ b/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java 
@@ -20,14 +20,14 @@ package org.apache.ranger.authorization.kafka.authorizer; import java.util.Date; +import java.util.Map; + import javax.security.auth.Subject; import kafka.security.auth.Acl; import kafka.security.auth.Authorizer; -import kafka.security.auth.KafkaPrincipal; -import kafka.security.auth.Operation; -import kafka.security.auth.Resource; -import kafka.security.auth.ResourceType; +import org.apache.kafka.common.security.auth.KafkaPrincipal; +import kafka.security.auth.*; import kafka.server.KafkaConfig; import kafka.common.security.LoginManager; import kafka.network.RequestChannel.Session; @@ -73,11 +73,10 @@ public RangerKafkaAuthorizer() { /* * (non-Javadoc) * - * @see kafka.security.auth.Authorizer#initialize(kafka.server.KafkaConfig) + * @see kafka.security.auth.Authorizer#configure(Map) */ @Override - public void initialize(KafkaConfig kafkaConfig) { - + public void configure(Map configs) { if (rangerPlugin == null) { try { Subject subject = LoginManager.subject(); @@ -110,7 +109,7 @@ public boolean authorize(Session session, Operation operation, Resource resource } // TODO: If resource type if consumer group, then allow it by default - if (resource.resourceType().equals(ResourceType.CONSUMER_GROUP)) { + if (resource.resourceType().equals(Group$.MODULE$)) { return true; } @@ -124,6 +123,11 @@ public boolean authorize(Session session, Operation operation, Resource resource .getGroupsForRequestUser(userName); String ip = session.host(); + // skip leading slash + if(StringUtils.isNotEmpty(ip) && ip.charAt(0) == '/') { + ip = ip.substring(1); + } + Date eventTime = StringUtil.getUTCDate(); String accessType = mapToRangerAccessType(operation); boolean validationFailed = false; 
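Review bot: The import hunk replaces four explicit `kafka.security.auth` imports with the wildcard `import kafka.security.auth.*;` right next to the explicit `org.apache.kafka.common.security.auth.KafkaPrincipal`; listing the used types (`Authorizer`, `Acl`, `Operation`, `Resource` and the `$.MODULE$` singletons) explicitly avoids the two `KafkaPrincipal` classes shadowing each other in a future Kafka version. With `initialize(KafkaConfig)` replaced by `configure(Map configs)`, the `kafka.server.KafkaConfig` import looks unused in the visible hunks — confirm against the rest of the file. `configure()` also ignores its `configs` argument; a comment such as `// Kafka-supplied configs are unused: the plugin reads its own Ranger configuration` would make that deliberate.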
@@ -152,12 +156,12 @@ public boolean authorize(Session session, Operation operation, Resource resource rangerRequest.setAction(action); rangerRequest.setRequestData(resource.name()); - if (resource.resourceType().equals(ResourceType.TOPIC)) { + if (resource.resourceType().equals(Topic$.MODULE$)) { rangerResource.setValue(KEY_TOPIC, resource.name()); - } else if (resource.resourceType().equals(ResourceType.CLUSTER)) { + } else if (resource.resourceType().equals(Cluster$.MODULE$)) { // CLUSTER should go as null // rangerResource.setValue(KEY_CLUSTER, resource.name()); - } else if (resource.resourceType().equals(ResourceType.CONSUMER_GROUP)) { + } else if (resource.resourceType().equals(Group$.MODULE$)) { rangerResource.setValue(KEY_CONSUMER_GROUP, resource.name()); } else { logger.fatal("Unsupported resourceType=" + resource.resourceType()); @@ -201,7 +205,7 @@ public boolean authorize(Session session, Operation operation, Resource resource */ @Override public void addAcls(Set acls, Resource resource) { - logger.error("addAcls() is not supported by Ranger for Kafka"); + logger.error("addAcls(Set, Resource) is not supported by Ranger for Kafka"); } /* @@ -213,7 +217,7 @@ public void addAcls(Set acls, Resource resource) { */ @Override public boolean removeAcls(Set acls, Resource resource) { - logger.error("removeAcls() is not supported by Ranger for Kafka"); + logger.error("removeAcls(Set, Resource) is not supported by Ranger for Kafka"); return false; } @@ -225,7 +229,7 @@ public boolean removeAcls(Set acls, Resource resource) { */ @Override public boolean removeAcls(Resource resource) { - logger.error("removeAcls() is not supported by Ranger for Kafka"); + logger.error("removeAcls(Resource) is not supported by Ranger for Kafka"); return false; } 
@@ -237,7 +241,7 @@ public boolean removeAcls(Resource resource) { @Override public Set getAcls(Resource resource) { Set aclList = new HashSet(); - logger.error("getAcls() is not supported by Ranger for Kafka"); + logger.error("getAcls(Resource) is not supported by Ranger for Kafka"); return aclList; } @@ -246,12 +250,24 @@ public Set getAcls(Resource resource) { * (non-Javadoc) * * @see - * kafka.security.auth.Authorizer#getAcls(kafka.security.auth.KafkaPrincipal - * ) + * kafka.security.auth.Authorizer#getAcls(kafka.security.auth.KafkaPrincipal) */ @Override - public Set getAcls(KafkaPrincipal principal) { - Set aclList = new HashSet(); + public scala.collection.immutable.Map> getAcls(KafkaPrincipal principal) { + scala.collection.immutable.Map> aclList = new scala.collection.immutable.HashMap>(); + logger.error("getAcls(KafkaPrincipal) is not supported by Ranger for Kafka"); + return aclList; + } + + /* + * (non-Javadoc) + * + * @see + * kafka.security.auth.Authorizer#getAcls() + */ + @Override + public scala.collection.immutable.Map> getAcls() { + scala.collection.immutable.Map> aclList = new scala.collection.immutable.HashMap>(); logger.error("getAcls() is not supported by Ranger for Kafka"); return aclList; } 
@@ -261,16 +277,20 @@ public Set getAcls(KafkaPrincipal principal) { * @return */ private String mapToRangerAccessType(Operation operation) { - if (operation.equals(Operation.READ)) { + if (operation.equals(Read$.MODULE$)) { return ACCESS_TYPE_READ; - } else if (operation.equals(Operation.WRITE)) { + } else if (operation.equals(Write$.MODULE$)) { return ACCESS_TYPE_WRITE; - } else if (operation.equals(Operation.ALTER)) { + } else if (operation.equals(Alter$.MODULE$)) { return ACCESS_TYPE_CONFIGURE; - } else if (operation.equals(Operation.DESCRIBE)) { + } else if (operation.equals(Describe$.MODULE$)) { return ACCESS_TYPE_DESCRIBE; - } else if (operation.equals(Operation.CLUSTER_ACTION)) { + } else if (operation.equals(ClusterAction$.MODULE$)) { return ACCESS_TYPE_KAFKA_ADMIN; + } else if (operation.equals(Create$.MODULE$)) { + return ACCESS_TYPE_CREATE; + } else if (operation.equals(Delete$.MODULE$)) { + return ACCESS_TYPE_DELETE; } return null; } diff --git a/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/RangerServiceKafka.java b/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/RangerServiceKafka.java index ea6d31697fa..8a82b2f7624 100644 --- a/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/RangerServiceKafka.java +++ b/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/RangerServiceKafka.java @@ -31,7 +31,6 @@ import org.apache.commons.logging.LogFactory; public class RangerServiceKafka extends RangerBaseService { - private static final Log LOG = LogFactory.getLog(RangerServiceKafka.class); public RangerServiceKafka() { 
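Review bot: mapToRangerAccessType() still falls through to `return null;` for any operation not in the if-chain, and nothing records which Kafka operation was unmapped; adding `logger.warn("Unsupported Kafka operation=" + operation + ", no Ranger access type mapped");` before the return makes such gaps visible in the log. What the caller does with a null access type is outside this hunk and should be checked, since a silently unmapped operation is easy to miss when Kafka adds new operations.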
@@ -46,33 +45,45 @@ public void init(RangerServiceDef serviceDef, RangerService service) { @Override public HashMap validateConfig() throws Exception { HashMap ret = new HashMap(); - String serviceName = getServiceName(); + if (LOG.isDebugEnabled()) { - LOG.debug("==> RangerServiceKafka.validateConfig Service: (" - + serviceName + " )"); + LOG.debug("==> RangerServiceKafka.validateConfig(" + serviceName + ")"); } + if (configs != null) { try { - ret = ServiceKafkaConnectionMgr.testConnection(serviceName, - configs); + ret = ServiceKafkaConnectionMgr.testConnection(serviceName, configs); } catch (Exception e) { LOG.error("<== RangerServiceKafka.validateConfig Error:" + e); throw e; } } + if (LOG.isDebugEnabled()) { - LOG.debug("<== RangerServiceKafka.validateConfig Response : (" + ret - + " )"); + LOG.debug("<== RangerServiceKafka.validateConfig(" + serviceName + "): ret=" + ret); } + return ret; } @Override - public List lookupResource(ResourceLookupContext context) - throws Exception { + public List lookupResource(ResourceLookupContext context) throws Exception { + List ret = null; + + if (LOG.isDebugEnabled()) { + LOG.debug("==> RangerServiceKafka.lookupResource(" + serviceName + ")"); + } - ServiceKafkaClient serviceKafkaClient = ServiceKafkaConnectionMgr - .getKafkaClient(serviceName, configs); - return serviceKafkaClient.getResources(context); + if(configs != null) { + ServiceKafkaClient serviceKafkaClient = ServiceKafkaConnectionMgr.getKafkaClient(serviceName, configs); + + ret = serviceKafkaClient.getResources(context); + } + + if (LOG.isDebugEnabled()) { + LOG.debug("<== RangerServiceKafka.lookupResource(" + serviceName + "): ret=" + ret); + } + + return ret; } } diff --git a/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/client/ServiceKafkaClient.java b/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/client/ServiceKafkaClient.java index 0698bf62b75..f5c04fe9f37 100644 
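Review bot: lookupResource in the second hunk returns `null` when `configs` is null, so a caller that iterates the lookup result gets a NullPointerException instead of an empty suggestion list; initialise `ret` to an empty list (`java.util.Collections.emptyList()`) rather than null, which also keeps the `<==` debug line meaningful. In validateConfig, `LOG.error("<== RangerServiceKafka.validateConfig Error:" + e); throw e;` logs the exception and then rethrows it, so it is reported twice and the concatenation drops the stack trace; `LOG.error("<== RangerServiceKafka.validateConfig Error", e);` keeps the trace if the log-and-rethrow is wanted at all. The `LOG` field used here is removed from this class in the previous hunk, so it presumably now comes from `RangerBaseService`; a comment would save the next reader the lookup.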
--- a/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/client/ServiceKafkaClient.java +++ b/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/client/ServiceKafkaClient.java @@ -28,8 +28,9 @@ import java.util.concurrent.TimeUnit; import kafka.utils.ZkUtils; - -import org.I0Itec.zkclient.ZkClient; +import kafka.utils.ZkUtils$; +import org.apache.kafka.common.security.JaasUtils; +import org.I0Itec.zkclient.*; import org.apache.log4j.Logger; import org.apache.ranger.plugin.client.BaseClient; import org.apache.ranger.plugin.service.ResourceLookupContext; 
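Review bot: `import org.I0Itec.zkclient.*;` replaces the explicit `ZkClient` import with a wildcard, which pulls every type of that package into scope and hides which ones the class depends on; the body (next hunk) uses `ZkClient` and `ZkConnection`, so `import org.I0Itec.zkclient.ZkClient;` and `import org.I0Itec.zkclient.ZkConnection;` is the explicit form. The `ZkUtils$` import next to `ZkUtils` deserves a one-line comment for Java readers, e.g. `// ZkUtils$ is the Scala companion object; ZkUtils$.MODULE$.createZkClient(...) is its factory method`.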
@@ -79,31 +80,48 @@ public HashMap testConnection() throws Exception { return responseData; } - public List getTopicList(List ignoreTopicList) - throws Exception { + private List getTopicList(List ignoreTopicList) throws Exception { + List ret = new ArrayList(); - List list = new ArrayList(); + int sessionTimeout = 5000; + int connectionTimeout = 10000; + ZkClient zkClient = null; + ZkConnection zkConnection = null; - ZkClient zkClient = new ZkClient(zookeeperConnect); try { - Seq topicList = ZkUtils.getChildrenParentMayNotExist( - zkClient, ZkUtils.BrokerTopicsPath()); + zkClient = ZkUtils$.MODULE$.createZkClient(zookeeperConnect, sessionTimeout, connectionTimeout); + zkConnection = new ZkConnection(zookeeperConnect, sessionTimeout); + + boolean zkSecurityEnabled = JaasUtils.isZkSecurityEnabled(); + ZkUtils zkUtils = new ZkUtils(zkClient, zkConnection, true); + Seq topicList = zkUtils.getChildrenParentMayNotExist(ZkUtils.BrokerTopicsPath()); Iterator iter = topicList.iterator(); while (iter.hasNext()) { String topic = iter.next(); if (ignoreTopicList == null || !ignoreTopicList.contains(topic)) { - list.add(topic); + ret.add(topic); } } } finally { try { - zkClient.close(); + if(zkClient != null) { + zkClient.close(); + } } catch (Exception ex) { - LOG.error("Error closing zookeeper", ex); + LOG.error("Error closing zkClient", ex); + } + + try { + if(zkConnection != null) { + zkConnection.close(); + } + + } catch(Exception ex) { + LOG.error("Error closing zkConnection", ex); } } - return list; + return ret; } /** diff --git a/pom.xml b/pom.xml index 91e81c71498..95b3b0f7d3c 100644 --- a/pom.xml +++ b/pom.xml @@ -158,7 +158,7 @@ 2.6 4.11 0.8.2.0 - + 1.8.4 1.3 0.6.0 @@ -231,7 +231,8 @@ kafka-security - plugin-kafka + plugin-kafka + ranger-kafka-plugin-shim diff --git a/ranger-kafka-plugin-shim/.gitignore b/ranger-kafka-plugin-shim/.gitignore new file mode 100644 index 00000000000..b83d22266ac --- /dev/null +++ b/ranger-kafka-plugin-shim/.gitignore 
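Review bot: `zkSecurityEnabled` is computed from `JaasUtils.isZkSecurityEnabled()` and never used; the `ZkUtils` constructor on the next line receives the literal `true`, so the flag handed to the ZooKeeper helper is hard-coded regardless of whether a JAAS configuration is present. If that third argument is the secure-ZK flag, which the neighbouring computation strongly suggests, the line should read `ZkUtils zkUtils = new ZkUtils(zkClient, zkConnection, zkSecurityEnabled);`; otherwise the unused local should go. Separately, the `ZkConnection` built with `new ZkConnection(zookeeperConnect, sessionTimeout)` is never handed to the `ZkClient` returned by `createZkClient`, so it is not evident that `zkUtils` and the client share one session; `ZkUtils$.MODULE$.apply(zookeeperConnect, sessionTimeout, connectionTimeout, zkSecurityEnabled)` builds both pieces together and `zkUtils.close()` in the finally block would then replace the two separate close calls, assuming the Kafka version in use provides them. The 5000/10000 timeouts are magic numbers inside the method; named constants such as `ZK_SESSION_TIMEOUT_MS` and `ZK_CONNECTION_TIMEOUT_MS` document the unit.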
@@ -0,0 +1 @@ +/target/ diff --git a/ranger-kafka-plugin-shim/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java b/ranger-kafka-plugin-shim/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java index d39cac2841c..093783597d5 100644 --- a/ranger-kafka-plugin-shim/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java +++ b/ranger-kafka-plugin-shim/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java @@ -19,6 +19,8 @@ package org.apache.ranger.authorization.kafka.authorizer; +import java.util.Map; + import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.ranger.plugin.classloader.RangerPluginClassLoader; @@ -27,10 +29,9 @@ import kafka.network.RequestChannel.Session; import kafka.security.auth.Acl; import kafka.security.auth.Authorizer; -import kafka.security.auth.KafkaPrincipal; +import org.apache.kafka.common.security.auth.KafkaPrincipal; import kafka.security.auth.Operation; import kafka.security.auth.Resource; -import kafka.server.KafkaConfig; //public class RangerKafkaAuthorizer extends Authorizer { 
@@ -82,31 +83,30 @@ private void init(){ LOG.debug("<== RangerKafkaAuthorizer.init()"); } } - - + @Override - public void initialize(KafkaConfig kafkaConfig) { + public void configure(Map configs) { if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerKafkaAuthorizer.initialize()"); + LOG.debug("==> RangerKafkaAuthorizer.configure(Map)"); } try { activatePluginClassLoader(); - rangerKakfaAuthorizerImpl.initialize(kafkaConfig); + rangerKakfaAuthorizerImpl.configure(configs); } finally { deactivatePluginClassLoader(); } if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerKafkaAuthorizer.initialize()"); + LOG.debug("<== RangerKafkaAuthorizer.configure(Map)"); } } @Override public boolean authorize(Session session, Operation operation,Resource resource) { if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerKafkaAuthorizer.authorize()"); + LOG.debug("==> RangerKafkaAuthorizer.authorize(Session, Operation, Resource)"); } boolean ret = false; @@ -120,7 +120,7 @@ public boolean authorize(Session session, Operation operation,Resource resource) } if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerKafkaAuthorizer.authorize()"); + LOG.debug("<== RangerKafkaAuthorizer.authorize(Session, Operation, Resource)"); } return ret; @@ -129,7 +129,7 @@ public boolean authorize(Session session, Operation operation,Resource resource) @Override public void addAcls(Set acls, Resource resource) { if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerKafkaAuthorizer.addAcls()"); + LOG.debug("==> RangerKafkaAuthorizer.addAcls(Set, Resource)"); } try { 
@@ -141,14 +141,14 @@ public void addAcls(Set acls, Resource resource) { } if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerKafkaAuthorizer.addAcls()"); + LOG.debug("<== RangerKafkaAuthorizer.addAcls(Set, Resource)"); } } @Override public boolean removeAcls(Set acls, Resource resource) { if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerKafkaAuthorizer.removeAcls()"); + LOG.debug("==> RangerKafkaAuthorizer.removeAcls(Set, Resource)"); } boolean ret = false; try { @@ -160,7 +160,7 @@ public boolean removeAcls(Set acls, Resource resource) { } if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerKafkaAuthorizer.removeAcls()"); + LOG.debug("<== RangerKafkaAuthorizer.removeAcls(Set, Resource)"); } return ret; @@ -169,7 +169,7 @@ public boolean removeAcls(Set acls, Resource resource) { @Override public boolean removeAcls(Resource resource) { if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerKafkaAuthorizer.removeAcls()"); + LOG.debug("==> RangerKafkaAuthorizer.removeAcls(Resource)"); } boolean ret = false; try { @@ -181,7 +181,7 @@ public boolean removeAcls(Resource resource) { } if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerKafkaAuthorizer.removeAcls()"); + LOG.debug("<== RangerKafkaAuthorizer.removeAcls(Resource)"); } return ret; @@ -190,7 +190,7 @@ public boolean removeAcls(Resource resource) { @Override public Set getAcls(Resource resource) { if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerKafkaAuthorizer.getAcls()"); + LOG.debug("==> RangerKafkaAuthorizer.getAcls(Resource)"); } Set ret = null; 
@@ -204,19 +204,19 @@ public Set getAcls(Resource resource) { } if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerKafkaAuthorizer.getAcls()"); + LOG.debug("<== RangerKafkaAuthorizer.getAcls(Resource)"); } return ret; } @Override - public Set getAcls(KafkaPrincipal principal) { + public scala.collection.immutable.Map> getAcls(KafkaPrincipal principal) { if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerKafkaAuthorizer.getAcls()"); + LOG.debug("==> RangerKafkaAuthorizer.getAcls(KafkaPrincipal)"); } - Set ret = null; + scala.collection.immutable.Map> ret = null; try { activatePluginClassLoader(); @@ -226,6 +226,29 @@ public Set getAcls(KafkaPrincipal principal) { deactivatePluginClassLoader(); } + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerKafkaAuthorizer.getAcls(KafkaPrincipal)"); + } + + return ret; + } + + @Override + public scala.collection.immutable.Map> getAcls() { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerKafkaAuthorizer.getAcls()"); + } + + scala.collection.immutable.Map> ret = null; + + try { + activatePluginClassLoader(); + + ret = rangerKakfaAuthorizerImpl.getAcls(); + } finally { + deactivatePluginClassLoader(); + } + if(LOG.isDebugEnabled()) { LOG.debug("<== RangerKafkaAuthorizer.getAcls()"); } From 41166a5372b3790f36f77c824defdb08d9e049dd Mon Sep 17 00:00:00 2001 
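Review bot: Both `getAcls` overloads in the second hunk return a `scala.collection.immutable.Map` that the impl constructs while the plugin class loader is active and hand it straight to the broker's class loader; the assignment to `ret` only works if `scala.*` resolves to the same classes on both sides, otherwise it fails at runtime with a ClassCastException or LinkageError rather than at compile time. That delegation rule lives in RangerPluginClassLoader and is not visible here, so it deserves a comment on the methods, e.g. `// the returned Scala Map must come from the broker's scala-library: RangerPluginClassLoader is expected to delegate scala.* to the parent loader — confirm`. The `ret = null` initialiser is never the returned value, since an exception in the try block propagates, so `final scala.collection.immutable.Map<...> ret;` would let the compiler enforce assignment.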
From: Gautam Borad Date: Wed, 18 Nov 2015 10:08:17 +0530 Subject: [PATCH 105/202] RANGER-733 : Implement best coding practices to resolve issues found during code scan --- .../ranger/plugin/client/BaseClient.java | 10 ++++++- .../services/knox/client/KnoxClient.java | 6 ++-- .../ranger/services/kms/client/KMSClient.java | 4 +-- .../org/apache/ranger/biz/RangerBizUtil.java | 29 +++++++++++++++---- .../java/org/apache/ranger/biz/UserMgr.java | 8 ++--- .../java/org/apache/ranger/biz/XUserMgr.java | 11 +++++-- .../ranger/json/JsonDateSerializer.java | 5 ++-- .../service/AbstractBaseResourceService.java | 4 +-- .../service/RangerBaseModelService.java | 2 +- .../ranger/service/XAccessAuditService.java | 11 ------- .../apache/ranger/service/XPolicyService.java | 2 +- .../apache/ranger/view/VXGroupPermission.java | 2 +- .../org/apache/ranger/view/VXModuleDef.java | 2 +- .../apache/ranger/view/VXUserPermission.java | 2 +- .../org/apache/ranger/biz/TestXUserMgr.java | 1 - .../TestRangerServiceDefServiceBase.java | 2 -- .../services/storm/client/StormClient.java | 6 ++-- .../unix/jaas/RemoteUnixLoginModule.java | 4 +-- .../scripts/ranger-usersync-services.sh | 2 +- 19 files changed, 65 insertions(+), 48 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/client/BaseClient.java b/agents-common/src/main/java/org/apache/ranger/plugin/client/BaseClient.java index 4ef3b48dc58..0242caa8c31 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/client/BaseClient.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/client/BaseClient.java @@ -159,5 +159,13 @@ public static String getMessage(Throwable excp) { } return StringUtils.join(errList, ""); } - + + public static Map getMaskedConfigMap(Map configMap){ + Map maskedMap=new HashMap(); + maskedMap.putAll(configMap); + if(maskedMap!=null && maskedMap.containsKey("password")){ + maskedMap.put("password", "*****"); + } + return maskedMap; + } } 
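Review bot: `getMaskedConfigMap` calls `maskedMap.putAll(configMap)` before any null check, so a null `configMap` throws a NullPointerException from a helper whose only purpose is safe logging, and the `maskedMap!=null` test on the following line can never be false because `maskedMap` was allocated just above. Guard the input instead: `if (configMap != null) { maskedMap.putAll(configMap); }` followed by `if (maskedMap.containsKey("password")) { maskedMap.put("password", "*****"); }`. Only the key spelled exactly `password` is masked; any other entry whose name carries a credential is still written to the log in clear, so a case-insensitive check on each key (`key.toLowerCase(Locale.ROOT).contains("password")`) would cover the variants without having to enumerate them.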
diff --git a/knox-agent/src/main/java/org/apache/ranger/services/knox/client/KnoxClient.java b/knox-agent/src/main/java/org/apache/ranger/services/knox/client/KnoxClient.java index f4d585864ab..68594923789 100644 --- a/knox-agent/src/main/java/org/apache/ranger/services/knox/client/KnoxClient.java +++ b/knox-agent/src/main/java/org/apache/ranger/services/knox/client/KnoxClient.java @@ -314,8 +314,10 @@ public static HashMap testConnection(String serviceName, public static KnoxClient getKnoxClient(String serviceName, Map configs) { KnoxClient knoxClient = null; - LOG.debug("Getting knoxClient for ServiceName: " + serviceName - + "configMap: " + configs); + if(LOG.isDebugEnabled()){ + LOG.debug("Getting knoxClient for ServiceName: " + serviceName); + LOG.debug("configMap: " + BaseClient.getMaskedConfigMap(configs)); + } String errMsg = " You can still save the repository and start creating " + "policies, but you would not be able to use autocomplete for " + "resource names. Check xa_portal.log for more info."; diff --git a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java index c67584e79ef..061f95cab6a 100755 --- a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java +++ b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java @@ -309,8 +309,8 @@ public static KMSClient getKmsClient(String serviceName, Map configs) { KMSClient kmsClient = null; if (LOG.isDebugEnabled()) { - LOG.debug("Getting KmsClient for datasource: " + serviceName - + "configMap: " + configs); + LOG.debug("Getting KmsClient for datasource: " + serviceName); + LOG.debug("configMap: " + BaseClient.getMaskedConfigMap(configs)); } String errMsg = errMessage; if (configs == null || configs.isEmpty()) { 
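Review bot: In `getKmsClient` the line `LOG.debug("configMap: " + BaseClient.getMaskedConfigMap(configs));` runs before the `if (configs == null || configs.isEmpty())` check, and `getMaskedConfigMap` (first hunk of this commit) dereferences its argument unconditionally, so with DEBUG enabled a null config map now ends in a NullPointerException instead of the handled "ConfigMap is empty" path; the old string concatenation tolerated null. Either move the debug logging below the null check or make the helper null-safe. The same ordering exists in `getKnoxClient` above and in `getStormClient` in the storm-agent hunk later in this commit.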
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java index 689e16596be..872f61e3e58 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java @@ -1334,13 +1334,30 @@ public void createTrxLog(List trxLogList) { Long trxId = guidUtil.genLong(); for (XXTrxLog xTrxLog : trxLogList) { - xTrxLog.setTransactionId(trxId.toString()); - if (authSessionId != null) { - xTrxLog.setSessionId("" + authSessionId); + if (xTrxLog != null) { + if ("Password".equalsIgnoreCase(xTrxLog.getAttributeName() + .trim())) { + if (xTrxLog.getPreviousValue() != null + && !xTrxLog.getPreviousValue().trim().isEmpty() + && !"null".equalsIgnoreCase(xTrxLog + .getPreviousValue().trim())) { + xTrxLog.setPreviousValue(AppConstants.Masked_String); + } + if (xTrxLog.getNewValue() != null + && !xTrxLog.getNewValue().trim().isEmpty() + && !"null".equalsIgnoreCase(xTrxLog.getNewValue() + .trim())) { + xTrxLog.setNewValue(AppConstants.Masked_String); + } + } + xTrxLog.setTransactionId(trxId.toString()); + if (authSessionId != null) { + xTrxLog.setSessionId("" + authSessionId); + } + xTrxLog.setSessionType("Spring Authenticated Session"); + xTrxLog.setRequestId(trxId.toString()); + daoManager.getXXTrxLog().create(xTrxLog); } - xTrxLog.setSessionType("Spring Authenticated Session"); - xTrxLog.setRequestId(trxId.toString()); - daoManager.getXXTrxLog().create(xTrxLog); } } diff --git a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java index 8fbad1f0903..ee9d14b0e61 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 
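Review bot: `xTrxLog.getAttributeName().trim()` throws a NullPointerException when a transaction-log entry has no attribute name, and because it runs before `daoManager.getXXTrxLog().create(xTrxLog)` one such entry aborts persisting the whole transaction log, including the entries after it. Read the name into a local and null-check it: `String attrName = xTrxLog.getAttributeName();` and `if (attrName != null && "Password".equalsIgnoreCase(attrName.trim())) {`. The masking keys on the attribute name being exactly `Password`, so any other attribute that carries a credential is persisted as entered; a short comment naming where that attribute name is produced would let the next reader verify the coverage.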
@@ -294,7 +294,7 @@ public XXPortalUser updateUser(VXPortalUser userProfile) { userProfile, gjUser, "update"); userProfile.setPassword(gjUser.getPassword()); - userProfile = xPortalUserService.updateResource(userProfile); + xPortalUserService.updateResource(userProfile); sessionMgr.resetUserSessionForProfiles(ContextUtil .getCurrentUserSession()); @@ -1231,10 +1231,8 @@ public XXPortalUser updatePasswordInSHA256(String userName,String userPassword) public void checkAdminAccess() { UserSessionBase sess = ContextUtil.getCurrentUserSession(); - if (sess != null) { - if (sess != null && sess.isUserAdmin()) { - return; - } + if (sess != null && sess.isUserAdmin()) { + return; } throw restErrorUtil.create403RESTException("Operation not allowed." + " loggedInUser=" + (sess != null ? sess.getXXPortalUser().getId() : "Not Logged In")); } diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java index 2d4337922c0..3f2c041b6b2 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java @@ -396,6 +396,7 @@ public VXUser updateXUser(VXUser vXUser) { roleList = userMgr.getRolesForUser(xXPortalUser); } if (roleList == null || roleList.size() == 0) { + roleList = new ArrayList(); roleList.add(RangerConstants.ROLE_USER); } @@ -501,7 +502,11 @@ public VXUserGroupInfo createXUserGroupFromMap( vXGroupUser = xGroupUserService .createXGroupUserWithOutLogin(vXGroupUser); } - + VXPortalUser vXPortalUser = userMgr.getUserProfileByLoginId(vXUser + .getName()); + if(vXPortalUser!=null){ + assignPermissionToUser(vXPortalUser, true); + } vxUGInfo.setXgroupInfo(vxg); return vxUGInfo; 
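Review bot: In the last hunk, `assignPermissionToUser(vXPortalUser, true)` is skipped silently when `getUserProfileByLoginId` returns null, so a user created through `createXUserGroupFromMap` without module permissions leaves no trace of why; a `LOG.warn("createXUserGroupFromMap: no portal user found for " + vXUser.getName() + ", permissions not assigned")` in an else branch would make it diagnosable. The bare `true` argument conveys nothing at the call site; if it selects the without-login path that the `createXGroupUserWithOutLogin` call above suggests, a named local or a trailing comment (`/* isCreateFromUserSync */`, or whatever the parameter is actually called) would document it. The method's remaining body is outside the hunk.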
@@ -838,7 +843,7 @@ public VXModuleDef updateXModuleDefPermission(VXModuleDef vXModuleDef) { for (VXGroupPermission oldVXGroupPerm : groupPermListOld) { if (newVXGroupPerm.getModuleId().equals(oldVXGroupPerm.getModuleId()) && newVXGroupPerm.getGroupId().equals(oldVXGroupPerm.getGroupId())) { - if (newVXGroupPerm.getIsAllowed() != oldVXGroupPerm.getIsAllowed()) { + if (!newVXGroupPerm.getIsAllowed().equals(oldVXGroupPerm.getIsAllowed())) { oldVXGroupPerm.setIsAllowed(newVXGroupPerm.getIsAllowed()); oldVXGroupPerm = this.updateXGroupPermission(oldVXGroupPerm); } @@ -857,7 +862,7 @@ public VXModuleDef updateXModuleDefPermission(VXModuleDef vXModuleDef) { boolean isExist = false; for (VXUserPermission oldVXUserPerm : userPermListOld) { if (newVXUserPerm.getModuleId().equals(oldVXUserPerm.getModuleId()) && newVXUserPerm.getUserId().equals(oldVXUserPerm.getUserId())) { - if (newVXUserPerm.getIsAllowed() != oldVXUserPerm.getIsAllowed()) { + if (!newVXUserPerm.getIsAllowed().equals(oldVXUserPerm.getIsAllowed())) { oldVXUserPerm.setIsAllowed(newVXUserPerm.getIsAllowed()); oldVXUserPerm = this.updateXUserPermission(oldVXUserPerm); } diff --git a/security-admin/src/main/java/org/apache/ranger/json/JsonDateSerializer.java b/security-admin/src/main/java/org/apache/ranger/json/JsonDateSerializer.java index 7493226d9e1..1d7cfcf32f7 100644 --- a/security-admin/src/main/java/org/apache/ranger/json/JsonDateSerializer.java +++ b/security-admin/src/main/java/org/apache/ranger/json/JsonDateSerializer.java 
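Review bot: `newVXGroupPerm.getIsAllowed().equals(oldVXGroupPerm.getIsAllowed())` correctly replaces a reference comparison on a boxed `Integer` with a value comparison, but it now throws a NullPointerException if `isAllowed` is absent on an incoming permission, and that aborts `updateXModuleDefPermission` for every other group and user in the same request. `!java.util.Objects.equals(newVXGroupPerm.getIsAllowed(), oldVXGroupPerm.getIsAllowed())` keeps the value semantics while tolerating null; the user-permission branch in the next hunk has the same shape.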
@@ -37,14 +37,13 @@ @Component public class JsonDateSerializer extends JsonSerializer { - private static final SimpleDateFormat dateFormat = new SimpleDateFormat - ("yyyy-MM-dd'T'HH:mm:ss'Z'"); + private static final String DATE_FORMAT = "yyyy-MM-dd'T'HH:mm:ss'Z'"; @Override public void serialize(Date date, JsonGenerator gen, SerializerProvider provider) throws IOException, JsonProcessingException { - String formattedDate = dateFormat.format(date); + String formattedDate = new SimpleDateFormat(DATE_FORMAT).format(date); gen.writeString(formattedDate); } diff --git a/security-admin/src/main/java/org/apache/ranger/service/AbstractBaseResourceService.java b/security-admin/src/main/java/org/apache/ranger/service/AbstractBaseResourceService.java index 49f5ddeffc8..fb515340134 100644 --- a/security-admin/src/main/java/org/apache/ranger/service/AbstractBaseResourceService.java +++ b/security-admin/src/main/java/org/apache/ranger/service/AbstractBaseResourceService.java @@ -234,12 +234,12 @@ public AbstractBaseResourceService() { } // Get total count of the rows which meet the search criteria - countQueryStr = "SELECT COUNT(obj) FROM " + tEntityClass.getName() + countQueryStr = "SELECT COUNT(obj) FROM " + className + " obj "; queryStr = "SELECT obj FROM " + className + " obj "; distinctCountQueryStr = "SELECT COUNT(distinct obj.id) FROM " - + tEntityClass.getName() + " obj "; + + className + " obj "; distinctQueryStr = "SELECT distinct obj FROM " + className + " obj "; sortFields.add(new SortField("id", "obj.id",true,SORT_ORDER.ASC)); registerService(this); diff --git a/security-admin/src/main/java/org/apache/ranger/service/RangerBaseModelService.java b/security-admin/src/main/java/org/apache/ranger/service/RangerBaseModelService.java index 1c65436f2e6..4a1f27cbe25 100644 --- a/security-admin/src/main/java/org/apache/ranger/service/RangerBaseModelService.java +++ b/security-admin/src/main/java/org/apache/ranger/service/RangerBaseModelService.java 
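Review bot: The pattern `yyyy-MM-dd'T'HH:mm:ss'Z'` writes a literal `Z`, the ISO-8601 marker for UTC, while the new per-call `SimpleDateFormat` formats in the JVM's default time zone, so on any server not running in UTC the serialized timestamp is labelled UTC but carries local wall-clock time. Set the zone explicitly: `SimpleDateFormat dateFormat = new SimpleDateFormat(DATE_FORMAT); dateFormat.setTimeZone(TimeZone.getTimeZone("UTC")); String formattedDate = dateFormat.format(date);` (needs `java.util.TimeZone`). Dropping the shared static instance removes the thread-safety problem of `SimpleDateFormat`, which is worth a one-line comment on `DATE_FORMAT` so nobody reintroduces the static formatter to save the allocation; `java.time.format.DateTimeFormatter.ISO_INSTANT` would give a thread-safe static alternative if the project builds on Java 8 or later.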
@@ -110,7 +110,7 @@ public RangerBaseModelService() { populateExistingBaseFields = false; - countQueryStr = "SELECT COUNT(obj) FROM " + tEntityClass.getName() + " obj "; + countQueryStr = "SELECT COUNT(obj) FROM " + tClassName + " obj "; queryStr = "SELECT obj FROM " + tClassName + " obj "; } diff --git a/security-admin/src/main/java/org/apache/ranger/service/XAccessAuditService.java b/security-admin/src/main/java/org/apache/ranger/service/XAccessAuditService.java index 98c987e06c6..3bf52dc99f5 100644 --- a/security-admin/src/main/java/org/apache/ranger/service/XAccessAuditService.java +++ b/security-admin/src/main/java/org/apache/ranger/service/XAccessAuditService.java @@ -28,7 +28,6 @@ import org.apache.ranger.common.SearchField; import org.apache.ranger.common.SearchField.DATA_TYPE; import org.apache.ranger.common.SearchField.SEARCH_TYPE; -import org.apache.ranger.common.SearchUtil; import org.apache.ranger.common.SortField; import org.apache.ranger.common.SortField.SORT_ORDER; import org.apache.ranger.db.RangerDaoManager; @@ -45,20 +44,10 @@ @Scope("singleton") public class XAccessAuditService extends XAccessAuditServiceBase{ public static final String NAME = "XAccessAudit"; - public List sortFields = new ArrayList(); - public List searchFields = new ArrayList(); - - @Autowired - protected SearchUtil searchUtil; - @Autowired RangerDaoManager appDaoMgr; - - protected String queryStr; protected final String distinctCountQueryStr; protected final String distinctQueryStr; - protected String countQueryStr; - public XAccessAuditService() { countQueryStr = "SELECT COUNT(obj) FROM XXAccessAudit obj "; diff --git a/security-admin/src/main/java/org/apache/ranger/service/XPolicyService.java b/security-admin/src/main/java/org/apache/ranger/service/XPolicyService.java index 42de40833ff..5e8ed567f9f 100644 --- a/security-admin/src/main/java/org/apache/ranger/service/XPolicyService.java +++ b/security-admin/src/main/java/org/apache/ranger/service/XPolicyService.java 
@@ -236,7 +236,7 @@ public VXResource mapPublicToXAObject(VXPolicy vXPolicy, int assetType = AppConstants.getEnumFor_AssetType(vXPolicy .getRepositoryType()); - if (assetType == 0 || assetType == AppConstants.ASSET_UNKNOWN) { + if (assetType == AppConstants.ASSET_UNKNOWN) { assetType = xAsset.getAssetType(); vXPolicy.setRepositoryType(AppConstants.getLabelFor_AssetType(assetType)); } diff --git a/security-admin/src/main/java/org/apache/ranger/view/VXGroupPermission.java b/security-admin/src/main/java/org/apache/ranger/view/VXGroupPermission.java index 445b5f081d3..2e02eb5b5bf 100644 --- a/security-admin/src/main/java/org/apache/ranger/view/VXGroupPermission.java +++ b/security-admin/src/main/java/org/apache/ranger/view/VXGroupPermission.java @@ -34,7 +34,7 @@ public class VXGroupPermission extends VXDataObject implements java.io.Serializa private static final long serialVersionUID = 1L; - protected Long id; + protected Long groupId; protected Long moduleId; protected Integer isAllowed; diff --git a/security-admin/src/main/java/org/apache/ranger/view/VXModuleDef.java b/security-admin/src/main/java/org/apache/ranger/view/VXModuleDef.java index 3923d074efc..0c9ee5eb0d2 100644 --- a/security-admin/src/main/java/org/apache/ranger/view/VXModuleDef.java +++ b/security-admin/src/main/java/org/apache/ranger/view/VXModuleDef.java @@ -37,7 +37,7 @@ public class VXModuleDef extends VXDataObject implements java.io.Serializable { private static final long serialVersionUID = 1L; - protected Long id; + protected Date createTime; protected Date updateTime; protected Long addedById; diff --git a/security-admin/src/main/java/org/apache/ranger/view/VXUserPermission.java b/security-admin/src/main/java/org/apache/ranger/view/VXUserPermission.java index cdbddc5d05c..82b5995a105 100644 --- a/security-admin/src/main/java/org/apache/ranger/view/VXUserPermission.java +++ b/security-admin/src/main/java/org/apache/ranger/view/VXUserPermission.java 
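Review bot: Dropping `assetType == 0` from the condition is only behaviour-preserving if `AppConstants.ASSET_UNKNOWN` is 0, which cannot be confirmed from this hunk; if `getEnumFor_AssetType` returns 0 for an unrecognised repository type and `ASSET_UNKNOWN` is a different value, the fallback to `xAsset.getAssetType()` no longer fires and the policy is saved with asset type 0. A comment such as `// assumes getEnumFor_AssetType yields ASSET_UNKNOWN for unrecognised labels — confirm` next to the check records the assumption. In the view-class hunks that follow, `protected Long id;` is renamed to `groupId`/`userId` or removed; if these objects are serialized to REST clients by field name, that is a wire-format change that deserves a sentence in the commit description.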
@@ -34,7 +34,7 @@ public class VXUserPermission extends VXDataObject implements private static final long serialVersionUID = 1L; - protected Long id; + protected Long userId; protected Long moduleId; protected Integer isAllowed; diff --git a/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java b/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java index e9921909e86..8ace44b4d1c 100644 --- a/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java +++ b/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java @@ -242,7 +242,6 @@ public void test11CreateXUser() { Mockito.when(xUserService.createResource(vxUser)).thenReturn(vxUser); XXModuleDefDao value = Mockito.mock(XXModuleDefDao.class); Mockito.when(daoManager.getXXModuleDef()).thenReturn(value); - List lsvalue = new ArrayList(); Mockito.when( userMgr.createDefaultAccountUser((VXPortalUser) Mockito diff --git a/security-admin/src/test/java/org/apache/ranger/service/TestRangerServiceDefServiceBase.java b/security-admin/src/test/java/org/apache/ranger/service/TestRangerServiceDefServiceBase.java index e01e23ca93e..67d1feb9ac5 100644 --- a/security-admin/src/test/java/org/apache/ranger/service/TestRangerServiceDefServiceBase.java +++ b/security-admin/src/test/java/org/apache/ranger/service/TestRangerServiceDefServiceBase.java @@ -292,8 +292,6 @@ public void test6populateXXToRangerResourceDef() { resourceDefObj.getDescription()); Assert.assertEquals(dbRangerResourceDef.getType(), resourceDefObj.getType()); - Assert.assertEquals(dbRangerResourceDef.getParent(), - resourceDefObj.getParent()); Assert.assertEquals(dbRangerResourceDef.getRbKeyDescription(), resourceDefObj.getRbkeydescription()); Mockito.verify(daoManager).getXXResourceDef(); diff --git a/storm-agent/src/main/java/org/apache/ranger/services/storm/client/StormClient.java b/storm-agent/src/main/java/org/apache/ranger/services/storm/client/StormClient.java index 2b62c4f499a..c7c746db2a6 100644 
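Review bot: In the last hunk the assertion on `getParent()` is deleted from `test6populateXXToRangerResourceDef` with no replacement, so the test no longer checks that the parent field survives the XX-to-Ranger conversion. If the removal is because `populateXXToRangerResourceDef` no longer maps that field, the expected outcome should be asserted instead (`Assert.assertNull(resourceDefObj.getParent());` or the new mapping); if it is because the comparison was failing, the production code is the thing to look at. The reason is not visible in this diff, so a sentence in the commit message would help.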
--- a/storm-agent/src/main/java/org/apache/ranger/services/storm/client/StormClient.java +++ b/storm-agent/src/main/java/org/apache/ranger/services/storm/client/StormClient.java @@ -329,8 +329,10 @@ public static HashMap testConnection(String serviceName, public static StormClient getStormClient(String serviceName, Map configs) { StormClient stormClient = null; - LOG.debug("Getting StormClient for datasource: " + serviceName - + "configMap: " + configs); + if(LOG.isDebugEnabled()){ + LOG.debug("Getting StormClient for datasource: " + serviceName); + LOG.debug("configMap: " + BaseClient.getMaskedConfigMap(configs)); + } String errMsg = errMessage; if (configs == null || configs.isEmpty()) { String msgDesc = "Could not connect as Connection ConfigMap is empty."; diff --git a/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/RemoteUnixLoginModule.java b/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/RemoteUnixLoginModule.java index 0dd549a5b37..51367c04853 100644 --- a/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/RemoteUnixLoginModule.java +++ b/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/RemoteUnixLoginModule.java @@ -277,7 +277,7 @@ public void initParams(Properties options) { if (trustStorePathPassword == null) { trustStorePathPassword = ""; } - log("trustStorePathPassword:" + trustStorePathPassword); + log("trustStorePathPassword:*****"); } keyStorePath = (String) options.get(SSL_KEYSTORE_PATH_PARAM); @@ -287,7 +287,7 @@ public void initParams(Properties options) { if (keyStorePathPassword == null) { keyStorePathPassword = ""; } - log("keyStorePathPassword:" + keyStorePathPassword); + log("keyStorePathPassword:*****"); } String certValidationFlag = (String) options.get(SERVER_CERT_VALIDATION_PARAM) ; diff --git a/unixauthservice/scripts/ranger-usersync-services.sh b/unixauthservice/scripts/ranger-usersync-services.sh index ea5c7e8455b..4b3d4d483bc 100644 
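Review bot: `log("trustStorePathPassword:*****")` and `log("keyStorePathPassword:*****")` now print a fixed string, so the line carries no information beyond the branch having run; logging whether a password was supplied, e.g. `log("trustStorePathPassword:" + (trustStorePathPassword.isEmpty() ? "<empty>" : "*****"));`, keeps the value out of the log while still exposing the most common misconfiguration, an empty password after the `= ""` default just above. `initParams` continues outside these hunks.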
--- a/unixauthservice/scripts/ranger-usersync-services.sh +++ b/unixauthservice/scripts/ranger-usersync-services.sh @@ -64,7 +64,7 @@ if [ "${action}" == "START" ]; then cd ${cdir} umask 0077 - nohup java -Dproc_rangerusersync ${JAVA_OPTS} -Dlogdir="${logdir}" -cp "${cp}" org.apache.ranger.authentication.UnixAuthenticationService -enableUnixAuth > ${logdir}/auth.log 2>&1 & + nohup java -Dproc_rangerusersync -Dlog4j.configuration=file:/etc/ranger/usersync/conf/log4j.xml ${JAVA_OPTS} -Dlogdir="${logdir}" -cp "${cp}" org.apache.ranger.authentication.UnixAuthenticationService -enableUnixAuth > ${logdir}/auth.log 2>&1 & echo $! > ${pidf} chown ranger ${pidf} sleep 5 From a2075c3b38c4cc7856b63dcbd6eb02feec30113c Mon Sep 17 00:00:00 2001 From: Sailaja Polavarapu Date: Fri, 20 Nov 2015 10:50:01 -0800 Subject: [PATCH 106/202] Ranger-652: excluded org.apache.hadoop dependecy with ranger-util as well as removed credential builder dependency as it is not used Signed-off-by: Velmurugan Periasamy --- .../ldapconfigchecktool/ldapconfigcheck/pom.xml | 15 ++++----------- 1 file changed, 4 insertions(+), 11 deletions(-) diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/pom.xml b/ugsync/ldapconfigchecktool/ldapconfigcheck/pom.xml index 8d7a15013bc..bc541a21b55 100644 --- a/ugsync/ldapconfigchecktool/ldapconfigcheck/pom.xml +++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/pom.xml @@ -89,22 +89,15 @@ spring-security-ldap ${springframework.security.version} - - org.apache.ranger - credentialbuilder - ${project.version} - - - com.microsoft.windowsazure - * - - - org.apache.ranger ranger-util ${project.version} + + org.apache.hadoop + * + com.microsoft.windowsazure * From bca2c40fc1b7fa594cbee517dc841eb3bfc4934e Mon Sep 17 00:00:00 2001 
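Review bot: `-Dlog4j.configuration=file:/etc/ranger/usersync/conf/log4j.xml` hard-codes an absolute path in a script that otherwise derives its locations from `${cdir}` and `${logdir}`, so an install rooted elsewhere starts with log4j's fallback configuration and no indication why. Derive the path from the same variables, or at least guard it before the `nohup` line: `[ -f /etc/ranger/usersync/conf/log4j.xml ] && JAVA_OPTS="${JAVA_OPTS} -Dlog4j.configuration=file:/etc/ranger/usersync/conf/log4j.xml"`. A comment stating that the file is expected to be installed by the packaging step would tell an operator where to look when logging is silent.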
From: rmani Date: Fri, 20 Nov 2015 14:39:56 -0800 Subject: [PATCH 107/202] RANGER 739 :Ranger HBase Plugin returning null for RegionObserver.preCompact calls causing hbase:acl issue --- .../hbase/RangerAuthorizationCoprocessor.java | 80 +++++++++---------- 1 file changed, 40 insertions(+), 40 deletions(-) diff --git a/ranger-hbase-plugin-shim/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java b/ranger-hbase-plugin-shim/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java index a9b3cad20bb..7c45fd061c0 100644 --- a/ranger-hbase-plugin-shim/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java +++ b/ranger-hbase-plugin-shim/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java @@ -168,7 +168,7 @@ public Service getService() { if(LOG.isDebugEnabled()) { LOG.debug("==> RangerAuthorizationCoprocessor.getService()"); } - Service ret = null; + final Service ret; try { activatePluginClassLoader(); ret = implCoprocessorService.getService(); @@ -204,7 +204,7 @@ public void postScannerClose(ObserverContext c, In @Override public RegionScanner postScannerOpen(ObserverContext c, Scan scan, RegionScanner s) throws IOException { - RegionScanner ret = null; + final RegionScanner ret; if(LOG.isDebugEnabled()) { LOG.debug("==> RangerAuthorizationCoprocessor.postScannerOpen()"); @@ -264,7 +264,7 @@ public void preAddColumn(ObserverContext c,TableNa @Override public Result preAppend(ObserverContext c, Append append) throws IOException { - Result ret = null; + final Result ret; if(LOG.isDebugEnabled()) { LOG.debug("==> RangerAuthorizationCoprocessor.preAppend()"); 
@@ -322,7 +322,7 @@ public void preBalance(ObserverContext c) throws I @Override public boolean preBalanceSwitch(ObserverContext c, boolean newValue) throws IOException { - boolean ret = false; + final boolean ret; if(LOG.isDebugEnabled()) { LOG.debug("==> RangerAuthorizationCoprocessor.preBalanceSwitch()"); @@ -363,7 +363,7 @@ public void preBulkLoadHFile(ObserverContext ctx, @Override public boolean preCheckAndDelete(ObserverContext c, byte[] row, byte[] family, byte[] qualifier, CompareOp compareOp, ByteArrayComparable comparator, Delete delete, boolean result) throws IOException { - boolean ret = false; + final boolean ret; if(LOG.isDebugEnabled()) { LOG.debug("==> RangerAuthorizationCoprocessor.preCheckAndDelete()"); @@ -385,7 +385,7 @@ public boolean preCheckAndDelete(ObserverContext c @Override public boolean preCheckAndPut(ObserverContext c, byte[] row, byte[] family, byte[] qualifier, CompareOp compareOp, ByteArrayComparable comparator, Put put, boolean result) throws IOException { - boolean ret = false; + final boolean ret; if(LOG.isDebugEnabled()) { LOG.debug("==> RangerAuthorizationCoprocessor.preCheckAndPut()"); @@ -444,7 +444,7 @@ public void preClose(ObserverContext e,boolean abo @Override public InternalScanner preCompact(ObserverContext e, Store store, InternalScanner scanner, ScanType scanType) throws IOException { - InternalScanner ret = null; + final InternalScanner ret; if(LOG.isDebugEnabled()) { LOG.debug("==> RangerAuthorizationCoprocessor.preCompact()"); @@ -452,7 +452,7 @@ public InternalScanner preCompact(ObserverContext try { activatePluginClassLoader(); - ret = implRegionObserver.preCompact(e, store, scanner, scanType); + ret = implRegionObserver.preCompact(e, store, scanner, scanType); } finally { deactivatePluginClassLoader(); } 
@@ -610,7 +610,7 @@ public void preEnableTable(ObserverContext c, Tabl @Override public boolean preExists(ObserverContext c, Get get, boolean exists) throws IOException { - boolean ret = false; + final boolean ret; if(LOG.isDebugEnabled()) { LOG.debug("==> RangerAuthorizationCoprocessor.preExists()"); @@ -668,7 +668,7 @@ public void preGetClosestRowBefore( ObserverContext c, Increment increment) throws IOException { - Result ret = null; + final Result ret; if(LOG.isDebugEnabled()) { LOG.debug("==> RangerAuthorizationCoprocessor.preIncrement()"); @@ -690,7 +690,7 @@ public Result preIncrement(ObserverContext c, Incr @Override public long preIncrementColumnValue(ObserverContext c, byte[] row,byte[] family, byte[] qualifier, long amount, boolean writeToWAL) throws IOException { - long ret; + final long ret; if(LOG.isDebugEnabled()) { LOG.debug("==> RangerAuthorizationCoprocessor.preIncrementColumnValue()"); @@ -820,7 +820,7 @@ public void preScannerClose(ObserverContext c, Int @Override public boolean preScannerNext(ObserverContext c, InternalScanner s, List result, int limit, boolean hasNext) throws IOException { - boolean ret = false; + final boolean ret; if(LOG.isDebugEnabled()) { LOG.debug("==> RangerAuthorizationCoprocessor.preScannerNext()"); @@ -842,7 +842,7 @@ public boolean preScannerNext(ObserverContext c, I @Override public RegionScanner preScannerOpen(ObserverContext c, Scan scan, RegionScanner s) throws IOException { - RegionScanner ret = null; + final RegionScanner ret; if(LOG.isDebugEnabled()) { LOG.debug("==> RangerAuthorizationCoprocessor.preScannerOpen()"); @@ -1479,7 +1479,7 @@ public void postRollWALWriterRequest(ObserverContext ctx, ReplicationEndpoint endpoint) { - ReplicationEndpoint ret = null; + final ReplicationEndpoint ret; if(LOG.isDebugEnabled()) { LOG.debug("==> RangerAuthorizationCoprocessor.postCreateReplicationEndPoint()"); 
@@ -1574,7 +1574,7 @@ public void postLogReplay(ObserverContext c) { @Override public InternalScanner preFlushScannerOpen( ObserverContext c, Store store, KeyValueScanner memstoreScanner, InternalScanner s) throws IOException { - InternalScanner ret = null; + final InternalScanner ret; if(LOG.isDebugEnabled()) { LOG.debug("==> RangerAuthorizationCoprocessor.preFlushScannerOpen()"); @@ -1597,7 +1597,7 @@ public InternalScanner preFlushScannerOpen( ObserverContext c, Store store, InternalScanner scanner) throws IOException { - InternalScanner ret = null; + final InternalScanner ret; if(LOG.isDebugEnabled()) { LOG.debug("==> RangerAuthorizationCoprocessor.preFlush()"); @@ -1710,7 +1710,7 @@ public void postCompactSelection( ObserverContext @Override public InternalScanner preCompact(ObserverContext c, Store store, InternalScanner scanner, ScanType scanType, CompactionRequest request) throws IOException { - InternalScanner ret = null; + final InternalScanner ret; if(LOG.isDebugEnabled()) { LOG.debug("==> RangerAuthorizationCoprocessor.preCompact()"); @@ -1718,7 +1718,7 @@ public InternalScanner preCompact(ObserverContext try { activatePluginClassLoader(); - implRegionObserver.preCompact(c, store, scanner, scanType, request); + ret = implRegionObserver.preCompact(c, store, scanner, scanType, request); } finally { deactivatePluginClassLoader(); } @@ -1733,7 +1733,7 @@ public InternalScanner preCompact(ObserverContext @Override public InternalScanner preCompactScannerOpen(ObserverContext c, Store store, List scanners, ScanType scanType, long earliestPutTs, InternalScanner s, CompactionRequest request) throws IOException { - InternalScanner ret = null; + final InternalScanner ret; if(LOG.isDebugEnabled()) { LOG.debug("==> RangerAuthorizationCoprocessor.preCompactScannerOpen()"); 
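Review bot: The `@@ -1718` hunk is the actual fix in this commit — the five-argument `preCompact` overload dropped the delegate's return value and handed HBase the never-assigned `null`; the four-argument overload at `@@ -452` already assigned `ret`, so only this one was affected. Declaring `final InternalScanner ret;` without an initializer (the pattern applied across the rest of the file) is what makes this class of bug a compile error via definite-assignment checking, so the other `final` hunks are a worthwhile guard rather than cosmetic. One caveat remains: a `null` returned by `implRegionObserver.preCompact` itself would still reach HBase unflagged, so consider a `if (ret == null) LOG.warn("preCompact delegate returned null scanner");` before the `return ret;` that follows outside this hunk.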
@@ -1741,7 +1741,7 @@ public InternalScanner preCompactScannerOpen(ObserverContext c, Store store, List scanners, ScanType scanType, long earliestPutTs, InternalScanner s) throws IOException { - InternalScanner ret = null; + final InternalScanner ret; if(LOG.isDebugEnabled()) { LOG.debug("==> RangerAuthorizationCoprocessor.preCompactScannerOpen()"); @@ -1764,7 +1764,7 @@ public InternalScanner preCompactScannerOpen(ObserverContext c, Get get, @Override public boolean postExists(ObserverContext c, Get get, boolean exists) throws IOException { - boolean ret = false; + final boolean ret; if(LOG.isDebugEnabled()) { LOG.debug("==> RangerAuthorizationCoprocessor.postExists()"); @@ -2162,7 +2162,7 @@ public void postBatchMutateIndispensably(ObserverContext c, byte[] row, byte[] family, byte[] qualifier, CompareOp compareOp, ByteArrayComparable comparator, Put put, boolean result) throws IOException { - boolean ret = false; + final boolean ret; if(LOG.isDebugEnabled()) { LOG.debug("==> RangerAuthorizationCoprocessor.preCheckAndPutAfterRowLock()"); @@ -2184,7 +2184,7 @@ public boolean preCheckAndPutAfterRowLock(ObserverContext c, byte[] row, byte[] family, byte[] qualifier, CompareOp compareOp, ByteArrayComparable comparator, Put put, boolean result) throws IOException { - boolean ret = false; + final boolean ret; if(LOG.isDebugEnabled()) { LOG.debug("==> RangerAuthorizationCoprocessor.postCheckAndPut()"); @@ -2206,7 +2206,7 @@ public boolean postCheckAndPut(ObserverContext c, @Override public boolean preCheckAndDeleteAfterRowLock(ObserverContext c, byte[] row, byte[] family, byte[] qualifier, CompareOp compareOp, ByteArrayComparable comparator, Delete delete, boolean result) throws IOException { - boolean ret = false; + final boolean ret; if(LOG.isDebugEnabled()) { LOG.debug("==> RangerAuthorizationCoprocessor.preCheckAndDeleteAfterRowLock()"); 
@@ -2228,7 +2228,7 @@ public boolean preCheckAndDeleteAfterRowLock(ObserverContext c, byte[] row,byte[] family, byte[] qualifier, CompareOp compareOp, ByteArrayComparable comparator, Delete delete, boolean result) throws IOException { - boolean ret = false; + final boolean ret; if(LOG.isDebugEnabled()) { LOG.debug("==> RangerAuthorizationCoprocessor.postCheckAndDelete()"); @@ -2249,7 +2249,7 @@ public boolean postCheckAndDelete(ObserverContext @Override public long postIncrementColumnValue(ObserverContext c, byte[] row, byte[] family, byte[] qualifier, long amount, boolean writeToWAL, long result) throws IOException { - long ret = 0; + final long ret; if(LOG.isDebugEnabled()) { LOG.debug("==> RangerAuthorizationCoprocessor.postIncrementColumnValue()"); @@ -2270,7 +2270,7 @@ public long postIncrementColumnValue(ObserverContext c, Append append) throws IOException { - Result ret = null; + final Result ret; if(LOG.isDebugEnabled()) { LOG.debug("==> RangerAuthorizationCoprocessor.preAppendAfterRowLock()"); @@ -2291,7 +2291,7 @@ public Result preAppendAfterRowLock(ObserverContext c, Append append, Result result) throws IOException { - Result ret = null; + final Result ret; if(LOG.isDebugEnabled()) { LOG.debug("==> RangerAuthorizationCoprocessor.postAppend()"); @@ -2313,7 +2313,7 @@ public Result postAppend(ObserverContext c, Append @Override public Result preIncrementAfterRowLock(ObserverContext c, Increment increment) throws IOException { - Result ret = null; + final Result ret; if(LOG.isDebugEnabled()) { LOG.debug("==> RangerAuthorizationCoprocessor.preIncrementAfterRowLock()"); @@ -2335,7 +2335,7 @@ public Result preIncrementAfterRowLock(ObserverContext c, Increment increment, Result result) throws IOException { - Result ret = null; + final Result ret; if(LOG.isDebugEnabled()) { LOG.debug("==> RangerAuthorizationCoprocessor.postIncrement()"); 
@@ -2357,7 +2357,7 @@ public Result postIncrement(ObserverContext c, Inc @Override public KeyValueScanner preStoreScannerOpen(ObserverContext c, Store store, Scan scan, NavigableSet targetCols, KeyValueScanner s) throws IOException { - KeyValueScanner ret = null; + final KeyValueScanner ret; if(LOG.isDebugEnabled()) { LOG.debug("==> RangerAuthorizationCoprocessor.preStoreScannerOpen()"); @@ -2379,7 +2379,7 @@ public KeyValueScanner preStoreScannerOpen(ObserverContext c, InternalScanner s, List result, int limit, boolean hasNext) throws IOException { - boolean ret = false; + final boolean ret; if(LOG.isDebugEnabled()) { LOG.debug("==> RangerAuthorizationCoprocessor.postScannerNext()"); @@ -2402,7 +2402,7 @@ public boolean postScannerNext( ObserverContext c, @Override public boolean postScannerFilterRow( ObserverContext c, InternalScanner s, byte[] currentRow, int offset, short length, boolean hasMore) throws IOException { - boolean ret = false; + final boolean ret; if(LOG.isDebugEnabled()) { LOG.debug("==> RangerAuthorizationCoprocessor.postScannerFilterRow()"); @@ -2461,7 +2461,7 @@ public void postWALRestore( ObserverContext ctx, List> familyPaths, boolean hasLoaded) throws IOException { - boolean ret = false; + final boolean ret; if(LOG.isDebugEnabled()) { LOG.debug("==> RangerAuthorizationCoprocessor.postBulkLoadHFile()"); @@ -2484,7 +2484,7 @@ public boolean postBulkLoadHFile(ObserverContext c @Override public Reader preStoreFileReaderOpen(ObserverContext ctx, FileSystem fs, Path p, FSDataInputStreamWrapper in, long size, CacheConfig cacheConf, Reference r, Reader reader) throws IOException { - Reader ret = null; + final Reader ret; if(LOG.isDebugEnabled()) { LOG.debug("==> RangerAuthorizationCoprocessor.preStoreFileReaderOpen()"); 
@@ -2507,7 +2507,7 @@ public Reader preStoreFileReaderOpen(ObserverContext ctx, FileSystem fs, Path p, FSDataInputStreamWrapper in, long size, CacheConfig cacheConf, Reference r, Reader reader) throws IOException { - Reader ret = null; + final Reader ret; if(LOG.isDebugEnabled()) { LOG.debug("==> RangerAuthorizationCoprocessor.postStoreFileReaderOpen()"); @@ -2529,7 +2529,7 @@ public Reader postStoreFileReaderOpen(ObserverContext ctx, MutationType opType, Mutation mutation, Cell oldCell, Cell newCell) throws IOException { - Cell ret = null; + final Cell ret; if(LOG.isDebugEnabled()) { LOG.debug("==> RangerAuthorizationCoprocessor.postMutationBeforeWAL()"); @@ -2551,7 +2551,7 @@ public Cell postMutationBeforeWAL(ObserverContext @Override public DeleteTracker postInstantiateDeleteTracker( ObserverContext ctx, DeleteTracker delTracker) throws IOException { - DeleteTracker ret = null; + final DeleteTracker ret; if(LOG.isDebugEnabled()) { LOG.debug("==> RangerAuthorizationCoprocessor.postInstantiateDeleteTracker()"); From 9cbff669b2b436b835e159f2ecac5acc753dc471 Mon Sep 17 00:00:00 2001 From: Sailaja Polavarapu Date: Mon, 16 Nov 2015 13:01:23 -0800 Subject: [PATCH 108/202] RANGER-720: Handling some error cases and fixing the issues that were reported in the Jira Signed-off-by: Velmurugan Periasamy --- .../ldapconfigcheck/LdapConfigCheckMain.java | 6 +----- .../apache/ranger/ldapconfigcheck/UserSync.java | 17 ++++++++++------- 2 files changed, 11 insertions(+), 12 deletions(-) diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/LdapConfigCheckMain.java b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/LdapConfigCheckMain.java index ad56b2e38a1..073df27ee55 100644 --- a/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/LdapConfigCheckMain.java 
+++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/LdapConfigCheckMain.java @@ -200,10 +200,6 @@ private static void retrieveUsers(LdapContext ldapContext, UserSync userSyncObj) msg = "ranger.usersync.ldap.user.objectclass "; throw new NullArgumentException(msg); } - if (userSyncObj.getUserGroupMemberName() == null || userSyncObj.getUserGroupMemberName().isEmpty()) { - msg = "ranger.usersync.ldap.user.groupnameattribute "; - throw new NullArgumentException(msg); - } if ((userSyncObj.getUserSearchBase() == null || userSyncObj.getUserSearchBase().isEmpty()) && (userSyncObj.getSearchBase() == null || userSyncObj.getSearchBase().isEmpty())) { msg = "ranger.usersync.ldap.user.searchbase and " + @@ -223,7 +219,7 @@ private static void retrieveGroups(LdapContext ldapContext, UserSync userSyncObj msg = "ranger.usersync.group.objectclass "; throw new NullArgumentException(msg); } - if (userSyncObj.getUserGroupMemberName() == null || userSyncObj.getUserGroupMemberName().isEmpty()) { + if (userSyncObj.getGroupMemberName() == null || userSyncObj.getGroupMemberName().isEmpty()) { msg = "ranger.usersync.group.memberattributename "; throw new NullArgumentException(msg); } diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/UserSync.java b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/UserSync.java index 53da9f2374c..f8b9aea6d56 100644 --- a/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/UserSync.java +++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/UserSync.java 
@@ -258,7 +258,7 @@ private void findBasicUserProperties(LdapContext ldapContext, boolean isOutputNe groupMemberAttr = attributes.get(userGroupMemAttrValues[i]); if (groupMemberAttr != null) { userGroupMemberName = userGroupMemAttrValues[i]; - groupName = groupMemberAttr.get(1).toString(); + groupName = groupMemberAttr.get(0).toString(); break; } } @@ -421,7 +421,7 @@ private void findAdvUserProperties(LdapContext ldapContext, boolean isOutputNeed public void getAllUsers(LdapContext ldapContext) throws Throwable { int noOfUsers = 0; Attribute userNameAttr = null; - String groupName = null; + //String groupName = null; Attribute groupMemberAttr; NamingEnumeration userSearchResultEnum = null; SearchControls userSearchControls = new SearchControls(); @@ -598,12 +598,15 @@ private void findBasicGroupProperties(LdapContext ldapContext) throws Throwable groupSearchControls.setSearchScope(config.getGroupSearchScope()); try { - int baseIndex = groupName.indexOf(","); - groupBase = groupName.substring(baseIndex + 1); - groupFilter = groupName.substring(0, baseIndex); - groupSearchResultEnum = ldapContext.search(groupBase, groupFilter, + if (groupName == null || groupName.isEmpty()) { + groupSearchResultEnum = ldapContext.search(searchBase, null); + } else { + int baseIndex = groupName.indexOf(","); + groupBase = groupName.substring(baseIndex + 1); + groupFilter = groupName.substring(0, baseIndex); + groupSearchResultEnum = ldapContext.search(groupBase, groupFilter, groupSearchControls); - + } noOfGroups = 0; while (groupSearchResultEnum.hasMore()) { if (noOfGroups >= 1) { From 4993b50a58396d9422421bda4c1e11d1706afa33 Mon Sep 17 00:00:00 2001 From: Don Bosco Durai Date: Tue, 24 Nov 2015 12:52:19 -0800 Subject: [PATCH 109/202] RANGER-740: Kafka Authorizer interface has added close() method. Ranger should also implement it --- .../authorizer/RangerKafkaAuthorizer.java | 33 +++++++++++++++---- 1 file changed, 27 insertions(+), 6 deletions(-) 
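Review bot: In the `@@ -598` hunk the new `groupName == null` branch calls `ldapContext.search(searchBase, null)`, which ignores the `groupSearchControls` whose scope was set on the first line of the hunk and enumerates every entry under `searchBase` with no filter; use `ldapContext.search(searchBase, "(objectclass=*)", groupSearchControls)` so the configured group search scope applies on both paths. The else branch still splits `groupName` — a DN taken verbatim from an LDAP attribute at `@@ -258` — on the first comma and uses the RDN as a raw search filter: a DN with an escaped comma or RDN characters such as `(`, `)`, `*` or `\` yields a wrong or invalid filter, and when there is no comma `indexOf` returns -1 and `groupName.substring(0, -1)` throws `StringIndexOutOfBoundsException`. Guard that with `if (baseIndex < 0) { ... }` and escape the RDN value for use in a filter, or search by `(distinguishedName=...)`-style attribute rather than by splitting the string. The enclosing `findBasicGroupProperties` continues past the end of this hunk.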
diff --git a/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java b/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java index 08ff92824de..29c2cebeb33 100644 --- a/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java +++ b/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java @@ -26,7 +26,9 @@ import kafka.security.auth.Acl; import kafka.security.auth.Authorizer; + import org.apache.kafka.common.security.auth.KafkaPrincipal; + import kafka.security.auth.*; import kafka.server.KafkaConfig; import kafka.common.security.LoginManager; @@ -99,8 +101,26 @@ public void configure(Map configs) { } } + /* + * (non-Javadoc) + * + * @see kafka.security.auth.Authorizer#configure(Map) + */ @Override - public boolean authorize(Session session, Operation operation, Resource resource) { + public void close() { + logger.info("close() called on authorizer."); + try { + if (rangerPlugin != null) { + rangerPlugin.cleanup(); + } + } catch (Throwable t) { + logger.error("Error closing RangerPlugin.", t); + } + } + + @Override + public boolean authorize(Session session, Operation operation, + Resource resource) { if (rangerPlugin == null) { MiscUtil.logErrorMessageByInterval(logger, @@ -124,7 +144,7 @@ public boolean authorize(Session session, Operation operation, Resource resource String ip = session.host(); // skip leading slash - if(StringUtils.isNotEmpty(ip) && ip.charAt(0) == '/') { + if (StringUtils.isNotEmpty(ip) && ip.charAt(0) == '/') { ip = ip.substring(1); } 
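Review bot: `close()` in the `@@ -99,8 +101,26` hunk calls `rangerPlugin.cleanup()` but leaves the field pointing at the cleaned-up instance, so a later `authorize()` passes the `if (rangerPlugin == null)` guard visible at the end of the hunk and calls into a plugin that has already been shut down. Clear it after cleanup, `rangerPlugin.cleanup(); rangerPlugin = null;`, so such calls take the existing error path; whether that path denies the request is decided outside this hunk and should be confirmed. Catching `Throwable` during shutdown and logging it is acceptable here, but the log line should say that authorization state is being torn down so a close-time error is not mistaken for a startup one.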
@@ -250,10 +270,12 @@ public Set getAcls(Resource resource) { * (non-Javadoc) * * @see - * kafka.security.auth.Authorizer#getAcls(kafka.security.auth.KafkaPrincipal) + * kafka.security.auth.Authorizer#getAcls(kafka.security.auth.KafkaPrincipal + * ) */ @Override - public scala.collection.immutable.Map> getAcls(KafkaPrincipal principal) { + public scala.collection.immutable.Map> getAcls( + KafkaPrincipal principal) { scala.collection.immutable.Map> aclList = new scala.collection.immutable.HashMap>(); logger.error("getAcls(KafkaPrincipal) is not supported by Ranger for Kafka"); return aclList; @@ -262,8 +284,7 @@ public scala.collection.immutable.Map> getAcls(KafkaPrincipal /* * (non-Javadoc) * - * @see - * kafka.security.auth.Authorizer#getAcls() + * @see kafka.security.auth.Authorizer#getAcls() */ @Override public scala.collection.immutable.Map> getAcls() { From e4a286e77fb9db20680e9ca151e76a8980782694 Mon Sep 17 00:00:00 2001 From: Don Bosco Durai Date: Tue, 24 Nov 2015 05:20:14 -0800 Subject: [PATCH 110/202] RANGER-602: Solr client in SolrCloud mode should work with zookeeper settings also --- .../java/org/apache/ranger/solr/SolrMgr.java | 100 +++++++++++++----- 1 file changed, 74 insertions(+), 26 deletions(-) diff --git a/security-admin/src/main/java/org/apache/ranger/solr/SolrMgr.java b/security-admin/src/main/java/org/apache/ranger/solr/SolrMgr.java index 2a57fa1607c..603e46ac656 100644 --- a/security-admin/src/main/java/org/apache/ranger/solr/SolrMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/solr/SolrMgr.java @@ -26,6 +26,7 @@ import org.apache.ranger.common.PropertiesUtil; import org.apache.solr.client.solrj.SolrClient; import org.apache.solr.client.solrj.impl.BinaryRequestWriter; +import org.apache.solr.client.solrj.impl.CloudSolrClient; import org.apache.solr.client.solrj.impl.HttpSolrClient; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; 
@@ -49,6 +50,9 @@ public class SolrMgr { volatile boolean initDone = false; final static String SOLR_URLS_PROP = "ranger.audit.solr.urls"; + final static String SOLR_ZK_HOSTS = "ranger.audit.solr.zookeepers"; + final static String SOLR_COLLECTION_NAME = "ranger.audit.solr.collection.name"; + public static final String DEFAULT_COLLECTION_NAME = "ranger_audits"; public SolrMgr() { @@ -59,6 +63,17 @@ void connect() { synchronized (lock) { if (!initDone) { if (rangerBizUtil.getAuditDBType().equalsIgnoreCase("solr")) { + String zkHosts = PropertiesUtil + .getProperty(SOLR_ZK_HOSTS); + if (zkHosts == null) { + zkHosts = PropertiesUtil + .getProperty("ranger.audit.solr.zookeeper"); + } + if (zkHosts == null) { + zkHosts = PropertiesUtil + .getProperty("ranger.solr.zookeeper"); + } + String solrURL = PropertiesUtil .getProperty(SOLR_URLS_PROP); 
@@ -72,38 +87,71 @@ void connect() { solrURL = PropertiesUtil .getProperty("ranger.solr.url"); } - if (solrURL == null || solrURL.isEmpty() - || solrURL.equalsIgnoreCase("none")) { - logger.fatal("Solr URL for Audit is empty. Please set property " - + SOLR_URLS_PROP); - } else { - try { - solrClient = new HttpSolrClient(solrURL); - if (solrClient == null) { - logger.fatal("Can't connect to Solr. URL=" - + solrURL); - } else { - if (solrClient instanceof HttpSolrClient) { - HttpSolrClient httpSolrClient = (HttpSolrClient) solrClient; - httpSolrClient - .setAllowCompression(true); - httpSolrClient - .setConnectionTimeout(1000); - // httpSolrClient.setSoTimeout(10000); - httpSolrClient.setMaxRetries(1); - httpSolrClient - .setRequestWriter(new BinaryRequestWriter()); - } - initDone = true; - } + if (zkHosts != null && !zkHosts.trim().equals("") + && !zkHosts.trim().equals("none")) { + zkHosts = zkHosts.trim(); + String collectionName = PropertiesUtil + .getProperty(SOLR_COLLECTION_NAME); + if (collectionName == null + || collectionName.equalsIgnoreCase("none")) { + collectionName = DEFAULT_COLLECTION_NAME; + } + + logger.info("Solr zkHosts=" + zkHosts + + ", collectionName=" + collectionName); + + try { + // Instantiate + CloudSolrClient solrCloudClient = new CloudSolrClient( + zkHosts); + solrCloudClient + .setDefaultCollection(collectionName); + solrClient = solrCloudClient; } catch (Throwable t) { logger.fatal( - "Can't connect to Solr server. URL=" - + solrURL, t); + "Can't connect to Solr server. ZooKeepers=" + + zkHosts + ", collection=" + + collectionName, t); + } + + } else { + if (solrURL == null || solrURL.isEmpty() + || solrURL.equalsIgnoreCase("none")) { + logger.fatal("Solr ZKHosts and URL for Audit are empty. Please set property " + + SOLR_ZK_HOSTS + + " or " + + SOLR_URLS_PROP); + } else { + try { + solrClient = new HttpSolrClient(solrURL); + if (solrClient == null) { + logger.fatal("Can't connect to Solr. 
URL=" + + solrURL); + } else { + if (solrClient instanceof HttpSolrClient) { + HttpSolrClient httpSolrClient = (HttpSolrClient) solrClient; + httpSolrClient + .setAllowCompression(true); + httpSolrClient + .setConnectionTimeout(1000); + // httpSolrClient.setSoTimeout(10000); + httpSolrClient.setMaxRetries(1); + httpSolrClient + .setRequestWriter(new BinaryRequestWriter()); + } + initDone = true; + } + + } catch (Throwable t) { + logger.fatal( + "Can't connect to Solr server. URL=" + + solrURL, t); + } } } } + } } } From dbe192ca18dfce6299020f68f8a0b3b19395b412 Mon Sep 17 00:00:00 2001 From: Don Bosco Durai Date: Tue, 24 Nov 2015 23:24:53 -0800 Subject: [PATCH 111/202] RANGER-744: Kafka Authorizer has updated how IP/Host is passed --- .../authorizer/RangerKafkaAuthorizer.java | 7 +----- .../authorizer/RangerKafkaAuthorizer.java | 22 ++++++++++++++++++- 2 files changed, 22 insertions(+), 7 deletions(-) diff --git a/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java b/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java index 29c2cebeb33..7ca12ce0966 100644 --- a/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java +++ b/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java @@ -101,11 +101,6 @@ public void configure(Map configs) { } } - /* - * (non-Javadoc) - * - * @see kafka.security.auth.Authorizer#configure(Map) - */ @Override public void close() { logger.info("close() called on authorizer."); @@ -141,7 +136,7 @@ public boolean authorize(Session session, Operation operation, } java.util.Set userGroups = MiscUtil .getGroupsForRequestUser(userName); - String ip = session.host(); + String ip = session.clientAddress().getHostAddress(); // skip leading slash if (StringUtils.isNotEmpty(ip) && ip.charAt(0) == '/') { 
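Review bot: In the `@@ -72,38 +87,71` hunk the new ZooKeeper branch assigns `solrClient = solrCloudClient;` but never sets `initDone = true;`, which only the `HttpSolrClient` branch does; with the `if (!initDone)` guard shown at `@@ -59`, every call to `connect()` in SolrCloud mode will construct and leak a fresh `CloudSolrClient` under the lock. Add `initDone = true;` directly after `solrClient = solrCloudClient;` inside the try. The `if (solrClient == null)` check after `new HttpSolrClient(solrURL)` in the else branch is dead — a constructor cannot return null — and can be dropped to keep the two branches parallel. The ZooKeeper connection string is logged as-is, which is fine, but note in a comment that this client is created with no authentication or TLS settings so audit traffic relies on the deployment to secure the Solr endpoint (presumably configured elsewhere).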
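Review bot: With `session.clientAddress().getHostAddress()` in the `@@ -141,7 +136,7` hunk the "skip leading slash" block that follows is now dead code, since `getHostAddress()` returns the bare textual address (the leading slash came from `InetAddress.toString()`); drop the comment and the `if` so a reader does not look for a slash that can no longer appear. If `clientAddress()` can be null for some session types (cannot tell from here), the new line throws an NPE where the old `session.host()` returned a string, so a guard such as `String ip = session.clientAddress() != null ? session.clientAddress().getHostAddress() : null;` keeps the existing `StringUtils.isNotEmpty(ip)` handling meaningful. The `authorize` method continues outside this hunk.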
diff --git a/ranger-kafka-plugin-shim/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java b/ranger-kafka-plugin-shim/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java index 093783597d5..90b1ab006c9 100644 --- a/ranger-kafka-plugin-shim/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java +++ b/ranger-kafka-plugin-shim/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java @@ -103,6 +103,26 @@ public void configure(Map configs) { } } + @Override + public void close() { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerKafkaAuthorizer.close()"); + } + + try { + activatePluginClassLoader(); + + rangerKakfaAuthorizerImpl.close(); + } finally { + deactivatePluginClassLoader(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerKafkaAuthorizer.close()"); + } + + } + @Override public boolean authorize(Session session, Operation operation,Resource resource) { if(LOG.isDebugEnabled()) { @@ -268,4 +288,4 @@ private void deactivatePluginClassLoader() { } } -} \ No newline at end of file +} From a5ea6e3c694a0218cad87d4e6b3f094e4b5d9cab Mon Sep 17 00:00:00 2001 From: Don Bosco Durai Date: Wed, 25 Nov 2015 18:11:02 -0800 Subject: [PATCH 112/202] RANGER-747:RangerAdmin is considering "none" as valid ZK Host Name for Solr --- .../src/main/java/org/apache/ranger/solr/SolrMgr.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security-admin/src/main/java/org/apache/ranger/solr/SolrMgr.java b/security-admin/src/main/java/org/apache/ranger/solr/SolrMgr.java index 603e46ac656..913b9f0319b 100644 --- a/security-admin/src/main/java/org/apache/ranger/solr/SolrMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/solr/SolrMgr.java 
@@ -89,7 +89,7 @@ void connect() { } if (zkHosts != null && !zkHosts.trim().equals("") - && !zkHosts.trim().equals("none")) { + && !zkHosts.trim().equalsIgnoreCase("none")) { zkHosts = zkHosts.trim(); String collectionName = PropertiesUtil .getProperty(SOLR_COLLECTION_NAME); From 5a626203b93db7bfeb76ad1d0c96aafab624868c Mon Sep 17 00:00:00 2001 From: Gautam Borad Date: Wed, 25 Nov 2015 09:29:04 +0530 Subject: [PATCH 113/202] RANGER-741 : Fix installation script to skip Audit DB password check if audit source is SOLR --- kms/scripts/dba_script.py | 8 ++--- security-admin/scripts/dba_script.py | 26 +++++++------- security-admin/scripts/setup.sh | 54 ++++++++++++++++++---------- 3 files changed, 53 insertions(+), 35 deletions(-) diff --git a/kms/scripts/dba_script.py b/kms/scripts/dba_script.py index 06a6a8c886e..1e039e5356c 100755 --- a/kms/scripts/dba_script.py +++ b/kms/scripts/dba_script.py @@ -492,11 +492,11 @@ def assign_tablespace(self, root_user, db_root_password, db_user, db_password, d # Assign default tablespace db_name get_cmd = self.get_jisql_cmd(root_user , db_root_password) if os_name == "LINUX": - query = get_cmd +" -c \; -query 'alter user %s identified by \"%s\" DEFAULT Tablespace %s;'" %(db_user, db_password, db_name) + query = get_cmd +" -c \; -query 'alter user %s DEFAULT Tablespace %s;'" %(db_user, db_name) jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": - query = get_cmd +" -query \"alter user %s identified by \"%s\" DEFAULT Tablespace %s;\" -c ;" %(db_user, db_password, db_name) + query = get_cmd +" -query \"alter user %s DEFAULT Tablespace %s;\" -c ;" %(db_user, db_name) jisql_log(query, db_root_password) ret = subprocess.call(query) if ret == 0: 
@@ -519,7 +519,7 @@ def assign_tablespace(self, root_user, db_root_password, db_user, db_password, d log("[E] Assigning default tablespace to user '" + db_user + "' failed..", "error") sys.exit(1) else: - logFile("alter user %s identified by \"%s\" DEFAULT Tablespace %s;" %(db_user, db_password, db_name)) + logFile("alter user %s DEFAULT Tablespace %s;" %(db_user, db_name)) logFile("GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;" % (db_user)) @@ -548,7 +548,7 @@ def writeDrymodeCmd(self, xa_db_root_user, xa_db_root_password, db_user, db_pass logFile('create user %s identified by "%s";'%(db_user, db_password)) logFile('GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE ANY SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;'%(db_user)) logFile("create tablespace %s datafile '%s.dat' size 10M autoextend on;" %(db_name, db_name)) - logFile('alter user %s identified by "%s" DEFAULT Tablespace %s;'%(db_user, db_password, db_name)) + logFile('alter user %s DEFAULT Tablespace %s;'%(db_user, db_name)) logFile('GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE ANY SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;'%(db_user)) class PostgresConf(BaseDB): diff --git a/security-admin/scripts/dba_script.py b/security-admin/scripts/dba_script.py index 5564737b12c..66b28482aea 100644 --- a/security-admin/scripts/dba_script.py +++ b/security-admin/scripts/dba_script.py 
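Review bot: Dropping `identified by "%s"` from the `alter user` statements keeps the DB password out of the jisql command line and the audit log for that step, but the `@@ -548` hunk's `writeDrymodeCmd` still writes `create user %s identified by "%s"` with the cleartext password into the dry-run file two lines above the changed line. If that file is a DBA hand-off the password is unavoidable, so `logFile` must create it with restrictive permissions (its implementation is outside this hunk and should be checked), and a comment at the top of `writeDrymodeCmd` such as `# NOTE: the generated file contains the DB user password in cleartext; protect it accordingly` would make that explicit.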
@@ -519,11 +519,11 @@ def assign_tablespace(self, root_user, db_root_password, db_user, db_password, d # Assign default tablespace db_name get_cmd = self.get_jisql_cmd(root_user , db_root_password) if os_name == "LINUX": - query = get_cmd +" -c \; -query 'alter user %s identified by \"%s\" DEFAULT Tablespace %s;'" %(db_user, db_password, db_name) + query = get_cmd +" -c \; -query 'alter user %s DEFAULT Tablespace %s;'" %(db_user, db_name) jisql_log(query, db_root_password) ret = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": - query = get_cmd +" -query \"alter user %s identified by \"%s\" DEFAULT Tablespace %s;\" -c ;" %(db_user, db_password, db_name) + query = get_cmd +" -query \"alter user %s DEFAULT Tablespace %s;\" -c ;" %(db_user, db_name) jisql_log(query, db_root_password) ret = subprocess.call(query) if ret == 0: @@ -546,7 +546,7 @@ def assign_tablespace(self, root_user, db_root_password, db_user, db_password, d log("[E] Assigning default tablespace to user '" + db_user + "' failed..", "error") sys.exit(1) else: - logFile("alter user %s identified by \"%s\" DEFAULT Tablespace %s;" %(db_user, db_password, db_name)) + logFile("alter user %s DEFAULT Tablespace %s;" %(db_user, db_name)) logFile("GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE ANY SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;" % (db_user)) 
@@ -609,11 +609,11 @@ def create_auditdb(self, audit_db_root_user, db_name ,audit_db_name, db_user, au # Assign default tablespace db_name get_cmd = self.get_jisql_cmd(audit_db_root_user , audit_db_root_password) if os_name == "LINUX": - query = get_cmd +" -c \; -query 'alter user %s identified by \"%s\" DEFAULT Tablespace %s;'" %(audit_db_user, audit_db_password, db_name) + query = get_cmd +" -c \; -query 'alter user %s DEFAULT Tablespace %s;'" %(audit_db_user, db_name) jisql_log(query, audit_db_root_password) ret1 = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": - query = get_cmd +" -query \"alter user %s identified by \"%s\" DEFAULT Tablespace %s;\" -c ;" %(audit_db_user, audit_db_password, db_name) + query = get_cmd +" -query \"alter user %s DEFAULT Tablespace %s;\" -c ;" %(audit_db_user, db_name) jisql_log(query, audit_db_root_password) ret1 = subprocess.call(query) @@ -621,11 +621,11 @@ def create_auditdb(self, audit_db_root_user, db_name ,audit_db_name, db_user, au # Assign default tablespace audit_db_name get_cmd = self.get_jisql_cmd(audit_db_root_user , audit_db_root_password) if os_name == "LINUX": - query = get_cmd +" -c \; -query 'alter user %s identified by \"%s\" DEFAULT Tablespace %s;'" %(audit_db_user, audit_db_password, audit_db_name) + query = get_cmd +" -c \; -query 'alter user %s DEFAULT Tablespace %s;'" %(audit_db_user, audit_db_name) jisql_log(query, audit_db_root_password) ret2 = subprocess.call(shlex.split(query)) elif os_name == "WINDOWS": - query = get_cmd +" -query \"alter user %s identified by \"%s\" DEFAULT Tablespace %s;\" -c ;" %(audit_db_user, audit_db_password, audit_db_name) + query = get_cmd +" -query \"alter user %s DEFAULT Tablespace %s;\" -c ;" %(audit_db_user, audit_db_name) jisql_log(query, audit_db_root_password) ret2 = subprocess.call(query) 
@@ -647,8 +647,8 @@ def create_auditdb(self, audit_db_root_user, db_name ,audit_db_name, db_user, au else: return False else: - logFile("alter user %s identified by \"%s\" DEFAULT Tablespace %s;" %(audit_db_user, audit_db_password, db_name)) - logFile("alter user %s identified by \"%s\" DEFAULT Tablespace %s;" %(audit_db_user, audit_db_password, audit_db_name)) + logFile("alter user %s DEFAULT Tablespace %s;" %(audit_db_user, db_name)) + logFile("alter user %s DEFAULT Tablespace %s;" %(audit_db_user, audit_db_name)) logFile("GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE ANY SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;" % (db_user)) def grant_xa_db_user(self, root_user, db_name, db_user, db_password, db_root_password, invoke,dryMode): 
@@ -762,12 +762,12 @@ def writeDrymodeCmd(self, xa_db_host, audit_db_host, xa_db_root_user, xa_db_root logFile('create user %s identified by "%s";'%(db_user, db_password)) logFile('GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE ANY SYNONYM,CREATE TRIGGER,UNLIMITED TABLESPACE TO %s WITH ADMIN OPTION;'%(db_user)) logFile("create tablespace %s datafile '%s.dat' size 10M autoextend on;" %(db_name, db_name)) - logFile('alter user %s identified by "%s" DEFAULT tablespace %s;'%(db_user, db_password, db_name)) + logFile('alter user %s DEFAULT tablespace %s;'%(db_user, db_name)) if not db_user == audit_db_user: logFile('create user %s identified by "%s";'%(audit_db_user, audit_db_password)) logFile('GRANT CREATE SESSION TO %s;' %(audit_db_user)) logFile("create tablespace %s datafile '%s.dat' size 10M autoextend on;" %(audit_db_name, audit_db_name)) - logFile('alter user %s identified by "%s" DEFAULT tablespace %s;' %(audit_db_user, audit_db_password, audit_db_name)) + logFile('alter user %s DEFAULT tablespace %s;' %(audit_db_user, audit_db_name)) logFile('GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE ANY SYNONYM,CREATE TRIGGER,UNLIMITED TABLESPACE TO %s WITH ADMIN OPTION;'%(db_user)) class PostgresConf(BaseDB): @@ -1781,8 +1781,6 @@ def main(argv): password_validation(xa_db_root_password,"DBA root"); log("[I] ---------- Verifing Ranger Admin db user password ---------- ","info") password_validation(db_password,"admin"); - log("[I] ---------- Verifing Ranger Audit db user password ---------- ","info") - password_validation(audit_db_password,"audit"); # Methods Begin if DBA_MODE == "TRUE" : if (dryMode==True): 
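Review bot: The dry-run output still writes the cleartext credentials, because `logFile('create user %s identified by "%s";' % (db_user, db_password))` and the matching audit-user line remain while only the ALTER USER lines lost the password. Anyone who can read the file `logFile` writes obtains both database passwords, so either that file should be created with owner-only permissions before these lines are emitted or the password should be replaced by a placeholder the DBA fills in. `logFile` is defined outside the hunk, so the permissions it uses are not visible here. Moving `password_validation(audit_db_password, "audit")` under the `audit_store == "db"` branch in the second hunk is consistent with the rest of the change.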
@@ -1800,6 +1798,8 @@ def main(argv): xa_sqlObj.grant_xa_db_user(xa_db_root_user, db_name, db_user, db_password, xa_db_root_password, is_revoke,dryMode) # Ranger Admin DB Host AND Ranger Audit DB Host are Different OR Same if audit_store == "db": + log("[I] ---------- Verifing Ranger Audit db user password ---------- ","info") + password_validation(audit_db_password,"audit"); log("[I] ---------- Verifying/Creating audit user --------- ","info") audit_sqlObj.create_auditdb_user(xa_db_host, audit_db_host, db_name, audit_db_name, xa_db_root_user, audit_db_root_user, db_user, audit_db_user, xa_db_root_password, audit_db_root_password, db_password, audit_db_password, DBA_MODE,dryMode) log("[I] ---------- Ranger Policy Manager DB and User Creation Process Completed.. ---------- ","info") diff --git a/security-admin/scripts/setup.sh b/security-admin/scripts/setup.sh index 36696a036cf..a213b3368d8 100755 --- a/security-admin/scripts/setup.sh +++ b/security-admin/scripts/setup.sh @@ -345,9 +345,12 @@ update_properties() { newPropertyValue="jdbc:log4jdbc:mysql://${DB_HOST}/${db_name}" updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger - propertyName=ranger.jpa.audit.jdbc.url - newPropertyValue="jdbc:log4jdbc:mysql://${DB_HOST}/${audit_db_name}" - updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger + if [ "${audit_store}" == "db" ] + then + propertyName=ranger.jpa.audit.jdbc.url + newPropertyValue="jdbc:log4jdbc:mysql://${DB_HOST}/${audit_db_name}" + updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger + fi propertyName=ranger.jpa.jdbc.dialect newPropertyValue="org.eclipse.persistence.platform.database.MySQLPlatform" 
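Review bot: When `${audit_store}` is not `db`, `ranger.jpa.audit.jdbc.url` is now left untouched rather than cleared, so a URL left over from an earlier db-backed install stays in the properties file and the audit JPA unit keeps pointing at an old database. If `updatePropertyToFilePy` accepts an empty value, add an `else` branch such as `updatePropertyToFilePy $propertyName "" $to_file_ranger`; otherwise document that the property must be removed by hand. The same pattern is repeated for every database type in this file. `==` inside `[ ]` is a bash extension, which is fine only if the script runs under bash (the shebang is not visible here).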
@@ -379,8 +382,11 @@ update_properties() { fi updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger - propertyName=ranger.jpa.audit.jdbc.url - updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger + if [ "${audit_store}" == "db" ] + then + propertyName=ranger.jpa.audit.jdbc.url + updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger + fi propertyName=ranger.jpa.jdbc.dialect newPropertyValue="org.eclipse.persistence.platform.database.OraclePlatform" @@ -409,9 +415,12 @@ update_properties() { newPropertyValue="jdbc:postgresql://${DB_HOST}/${db_name}" updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger - propertyName=ranger.jpa.audit.jdbc.url - newPropertyValue="jdbc:postgresql://${DB_HOST}/${audit_db_name}" - updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger + if [ "${audit_store}" == "db" ] + then + propertyName=ranger.jpa.audit.jdbc.url + newPropertyValue="jdbc:postgresql://${DB_HOST}/${audit_db_name}" + updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger + fi propertyName=ranger.jpa.jdbc.dialect newPropertyValue="org.eclipse.persistence.platform.database.PostgreSQLPlatform" @@ -436,9 +445,12 @@ update_properties() { newPropertyValue="jdbc:sqlserver://${DB_HOST};databaseName=${db_name}" updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger - propertyName=ranger.jpa.audit.jdbc.url - newPropertyValue="jdbc:sqlserver://${DB_HOST};databaseName=${audit_db_name}" - updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger + if [ "${audit_store}" == "db" ] + then + propertyName=ranger.jpa.audit.jdbc.url + newPropertyValue="jdbc:sqlserver://${DB_HOST};databaseName=${audit_db_name}" + updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger + fi propertyName=ranger.jpa.jdbc.dialect newPropertyValue="org.eclipse.persistence.platform.database.SQLServerPlatform" 
@@ -463,9 +475,12 @@ update_properties() { newPropertyValue="jdbc:sqlanywhere:database=${db_name};host=${DB_HOST}" updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger - propertyName=ranger.jpa.audit.jdbc.url - newPropertyValue="jdbc:sqlanywhere:database=${audit_db_name};host=${DB_HOST}" - updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger + if [ "${audit_store}" == "db" ] + then + propertyName=ranger.jpa.audit.jdbc.url + newPropertyValue="jdbc:sqlanywhere:database=${audit_db_name};host=${DB_HOST}" + updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger + fi propertyName=ranger.jpa.jdbc.dialect newPropertyValue="org.eclipse.persistence.platform.database.SQLAnywherePlatform" @@ -507,9 +522,12 @@ update_properties() { newPropertyValue="${db_user}" updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger - propertyName=ranger.jpa.audit.jdbc.user - newPropertyValue="${audit_db_user}" - updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger + if [ "${audit_store}" == "db" ] + then + propertyName=ranger.jpa.audit.jdbc.user + newPropertyValue="${audit_db_user}" + updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger + fi ########## keystore="${cred_keystore_filename}" @@ -555,7 +573,7 @@ update_properties() { fi ########### - if [ "${audit_store}" != "solr" ] + if [ "${audit_store}" == "db" ] then audit_db_password_alias=ranger.auditdb.password From 2073c0a9d52ad5b002afa9b713419591d5f9e889 Mon Sep 17 00:00:00 2001 From: Gautam Borad Date: Wed, 25 Nov 2015 17:35:17 +0530 Subject: [PATCH 114/202] RANGER-743 : External users with Admin Role should be allowed to create/update users --- .../java/org/apache/ranger/biz/UserMgr.java | 67 +++++++++++++++++-- .../java/org/apache/ranger/biz/XUserMgr.java | 51 +++++++++++--- .../handler/RangerAuthenticationProvider.java | 28 +++++++- 3 files changed, 130 insertions(+), 16 deletions(-) 
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java index ee9d14b0e61..571265cb9eb 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java @@ -254,6 +254,9 @@ public XXPortalUser updateUser(VXPortalUser userProfile) { // } // firstName + if("null".equalsIgnoreCase(userProfile.getFirstName())){ + userProfile.setFirstName(""); + } if (!stringUtil.isEmpty(userProfile.getFirstName()) && !userProfile.getFirstName().equals(gjUser.getFirstName())) { userProfile.setFirstName(stringUtil.toCamelCaseAllWords(userProfile @@ -261,8 +264,10 @@ public XXPortalUser updateUser(VXPortalUser userProfile) { updateUser = true; } - // lastName allowed to be empty - if (userProfile.getLastName() != null + if("null".equalsIgnoreCase(userProfile.getLastName())){ + userProfile.setLastName(""); + } + if (!stringUtil.isEmpty(userProfile.getLastName()) && !userProfile.getLastName().equals(gjUser.getLastName())) { userProfile.setLastName(stringUtil.toCamelCaseAllWords(userProfile .getLastName())); @@ -270,12 +275,16 @@ public XXPortalUser updateUser(VXPortalUser userProfile) { } // publicScreenName - if (!stringUtil.isEmpty(userProfile.getPublicScreenName()) - && !userProfile.getPublicScreenName().equals( - gjUser.getPublicScreenName())) { + if (userProfile.getFirstName() != null + && userProfile.getLastName() != null + && !userProfile.getFirstName().trim().isEmpty() + && !userProfile.getLastName().trim().isEmpty()) { userProfile.setPublicScreenName(userProfile.getFirstName() + " " + userProfile.getLastName()); updateUser = true; + } else { + userProfile.setPublicScreenName(gjUser.getLoginId()); + updateUser = true; } // notes 
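Review bot: In the publicScreenName block the `else` branch sets `updateUser = true` unconditionally and the `if` branch does so without comparing against `gjUser.getPublicScreenName()`, so every call now persists the record even when nothing changed, whereas the removed code compared first. Compute the name once and compare: `String screenName = ...; if (!screenName.equals(gjUser.getPublicScreenName())) { userProfile.setPublicScreenName(screenName); updateUser = true; }`. The lastName condition also moved from `!= null` to `!stringUtil.isEmpty(...)`, so a last name can no longer be cleared, which contradicts the comment the hunk removes ("lastName allowed to be empty"). updateUser continues beyond the hunk.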
@@ -554,12 +563,34 @@ public VXPortalUser getUserProfileByLoginId(String loginId) { public XXPortalUser mapVXPortalUserToXXPortalUser(VXPortalUser userProfile) { XXPortalUser gjUser = new XXPortalUser(); gjUser.setEmailAddress(userProfile.getEmailAddress()); + if("null".equalsIgnoreCase(userProfile.getFirstName())){ + userProfile.setFirstName(""); + } gjUser.setFirstName(userProfile.getFirstName()); + if("null".equalsIgnoreCase(userProfile.getLastName())){ + userProfile.setLastName(""); + } gjUser.setLastName(userProfile.getLastName()); + if (userProfile.getLoginId() == null + || userProfile.getLoginId().trim().isEmpty() + || "null".equalsIgnoreCase(userProfile.getLoginId())) { + throw restErrorUtil.createRESTException( + "LoginId should not be null or blank, It is", + MessageEnums.INVALID_INPUT_DATA); + } gjUser.setLoginId(userProfile.getLoginId()); gjUser.setPassword(userProfile.getPassword()); gjUser.setUserSource(userProfile.getUserSource()); gjUser.setPublicScreenName(userProfile.getPublicScreenName()); + if (userProfile.getFirstName() != null + && userProfile.getLastName() != null + && !userProfile.getFirstName().trim().isEmpty() + && !userProfile.getLastName().trim().isEmpty()) { + gjUser.setPublicScreenName(userProfile.getFirstName() + " " + + userProfile.getLastName()); + } else { + gjUser.setPublicScreenName(userProfile.getLoginId()); + } return gjUser; } 
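Review bot: `gjUser.setPublicScreenName(userProfile.getPublicScreenName());` is now a dead store, because the `if`/`else` added immediately after it always overwrites the value; drop that line so the derivation is the single source of truth. The new error message `"LoginId should not be null or blank, It is"` is also cut off mid-sentence — `"LoginId should not be null or blank"` reads correctly. Rejecting the literal string `"null"` here suggests the REST layer passes a JSON null through as a string, which would be better fixed once at deserialization than in each mapper.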
@@ -1237,4 +1268,30 @@ public void checkAdminAccess() { throw restErrorUtil.create403RESTException("Operation not allowed." + " loggedInUser=" + (sess != null ? sess.getXXPortalUser().getId() : "Not Logged In")); } + public Collection getRolesByLoginId(String loginId) { + if (loginId == null || loginId.trim().isEmpty()){ + return DEFAULT_ROLE_LIST; + } + XXPortalUser xXPortalUser=daoManager.getXXPortalUser().findByLoginId(loginId); + if(xXPortalUser==null){ + return DEFAULT_ROLE_LIST; + } + Collection xXPortalUserRoles = daoManager + .getXXPortalUserRole().findByUserId(xXPortalUser.getId()); + if(xXPortalUserRoles==null){ + return DEFAULT_ROLE_LIST; + } + Collection roleList = new ArrayList(); + for (XXPortalUserRole role : xXPortalUserRoles) { + if(role!=null && VALID_ROLE_LIST.contains(role.getUserRole())){ + if(!roleList.contains(role.getUserRole())){ + roleList.add(role.getUserRole()); + } + } + } + if(roleList==null || roleList.size()==0){ + return DEFAULT_ROLE_LIST; + } + return roleList; + } } diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java index 3f2c041b6b2..3784439ca6b 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java @@ -186,9 +186,11 @@ public VXUser getXUserByUserName(String userName) { public VXUser createXUser(VXUser vXUser) { checkAdminAccess(); String userName = vXUser.getName(); - if (userName == null || userName.isEmpty()) { - throw restErrorUtil.createRESTException("Please provide a valid " - + "username.", MessageEnums.INVALID_INPUT_DATA); + if (userName == null || "null".equalsIgnoreCase(userName) + || userName.trim().isEmpty()) { + throw restErrorUtil.createRESTException( + "Please provide a valid username.", + MessageEnums.INVALID_INPUT_DATA); } if (vXUser.getDescription() == null) { 
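Review bot: `getRolesByLoginId` returns whatever roles are stored for the loginId with no check on the portal user's status, and since RangerAuthenticationProvider in this commit uses it to build granted authorities after an external login, a deactivated portal account that still authenticates at LDAP/AD would get its stored roles back. If XXPortalUser carries an active/status flag (not visible here), filter on it before returning `roleList`, otherwise return `DEFAULT_ROLE_LIST`. The `roleList == null` test is dead since `roleList` was just constructed; `if (roleList.isEmpty()) { return DEFAULT_ROLE_LIST; }` suffices. The method is complete within the hunk.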
@@ -200,10 +202,23 @@ public VXUser createXUser(VXUser vXUser) { VXPortalUser vXPortalUser = new VXPortalUser(); vXPortalUser.setLoginId(userName); vXPortalUser.setFirstName(vXUser.getFirstName()); + if("null".equalsIgnoreCase(vXPortalUser.getFirstName())){ + vXPortalUser.setFirstName(""); + } vXPortalUser.setLastName(vXUser.getLastName()); + if("null".equalsIgnoreCase(vXPortalUser.getLastName())){ + vXPortalUser.setLastName(""); + } vXPortalUser.setEmailAddress(vXUser.getEmailAddress()); - vXPortalUser.setPublicScreenName(vXUser.getFirstName() + " " - + vXUser.getLastName()); + if (vXPortalUser.getFirstName() != null + && vXPortalUser.getLastName() != null + && !vXPortalUser.getFirstName().trim().isEmpty() + && !vXPortalUser.getLastName().trim().isEmpty()) { + vXPortalUser.setPublicScreenName(vXPortalUser.getFirstName() + " " + + vXPortalUser.getLastName()); + } else { + vXPortalUser.setPublicScreenName(vXUser.getName()); + } vXPortalUser.setPassword(actualPassword); vXPortalUser.setUserRoleList(vXUser.getUserRoleList()); vXPortalUser = userMgr.createDefaultAccountUser(vXPortalUser); @@ -324,8 +339,11 @@ private VXGroupUser createXGroupUser(Long userId, Long groupId) { } public VXUser updateXUser(VXUser vXUser) { - if (vXUser == null || vXUser.getName() == null || vXUser.getName().trim().isEmpty()) { - throw restErrorUtil.createRESTException("Please provide a valid " + "username.", MessageEnums.INVALID_INPUT_DATA); + if (vXUser == null || vXUser.getName() == null + || "null".equalsIgnoreCase(vXUser.getName()) + || vXUser.getName().trim().isEmpty()) { + throw restErrorUtil.createRESTException("Please provide a valid " + + "username.", MessageEnums.INVALID_INPUT_DATA); } checkAccess(vXUser.getName()); VXPortalUser oldUserProfile = userMgr.getUserProfileByLoginId(vXUser 
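Review bot: The `"null"`-string normalisation and the first-name/last-name → publicScreenName derivation added here are another copy of the same logic already present in UserMgr.updateUser, UserMgr.mapVXPortalUserToXXPortalUser and updateXUser below in this commit. A single helper in UserMgr, e.g. `public static String derivePublicScreenName(String firstName, String lastName, String loginId)` with the `"null"` handling inside it, would keep the four sites from drifting. createXUser continues outside the hunk.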
@@ -337,13 +355,26 @@ public VXUser updateXUser(VXUser vXUser) { // TODO : There is a possibility that old user may not exist. vXPortalUser.setFirstName(vXUser.getFirstName()); + if("null".equalsIgnoreCase(vXPortalUser.getFirstName())){ + vXPortalUser.setFirstName(""); + } vXPortalUser.setLastName(vXUser.getLastName()); + if("null".equalsIgnoreCase(vXPortalUser.getLastName())){ + vXPortalUser.setLastName(""); + } vXPortalUser.setEmailAddress(vXUser.getEmailAddress()); vXPortalUser.setLoginId(vXUser.getName()); vXPortalUser.setStatus(vXUser.getStatus()); vXPortalUser.setUserRoleList(vXUser.getUserRoleList()); - vXPortalUser.setPublicScreenName(vXUser.getFirstName() + " " - + vXUser.getLastName()); + if (vXPortalUser.getFirstName() != null + && vXPortalUser.getLastName() != null + && !vXPortalUser.getFirstName().trim().isEmpty() + && !vXPortalUser.getLastName().trim().isEmpty()) { + vXPortalUser.setPublicScreenName(vXPortalUser.getFirstName() + " " + + vXPortalUser.getLastName()); + } else { + vXPortalUser.setPublicScreenName(vXUser.getName()); + } vXPortalUser.setUserSource(vXUser.getUserSource()); String hiddenPasswordString = PropertiesUtil.getProperty("ranger.password.hidden", "*****"); String password = vXUser.getPassword(); @@ -1247,6 +1278,7 @@ public VXStringList getUserRolesByExternalID(Long userId) { if(vXUser==null){ throw restErrorUtil.createRESTException("Please provide a valid ID", MessageEnums.INVALID_INPUT_DATA); } + checkAccess(vXUser.getName()); List portalUserRoleList =null; VXPortalUser oldUserProfile = userMgr.getUserProfileByLoginId(vXUser.getName()); if(oldUserProfile!=null){ 
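Review bot: In getUserRolesByExternalID the new `checkAccess(vXUser.getName())` runs after the ID lookup, so a caller without rights receives INVALID_INPUT_DATA for an unknown ID and, presumably, 403 from checkAccess for an existing one, which turns the endpoint into an oracle for valid user IDs. If checkAccess needs the name, make the two failure responses indistinguishable, or require `checkAdminAccess()` up front when the caller is not looking up its own record. checkAccess is defined elsewhere, so its behaviour is inferred from its use in updateXUser. The updateXUser hunk above repeats the publicScreenName derivation seen in the other hunks of this commit.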
@@ -1260,6 +1292,7 @@ public VXStringList getUserRolesByExternalID(Long userId) { public VXStringList getUserRolesByName(String userName) { VXPortalUser vXPortalUser=null; if(userName!=null && !userName.trim().isEmpty()){ + checkAccess(userName); vXPortalUser = userMgr.getUserProfileByLoginId(userName); if(vXPortalUser!=null && vXPortalUser.getUserRoleList()!=null){ List portalUserRoleList = daoManager.getXXPortalUserRole().findByUserId(vXPortalUser.getId()); diff --git a/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java b/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java index 40b08c414ca..f7e5d40cf4f 100644 --- a/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java +++ b/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java @@ -20,6 +20,7 @@ package org.apache.ranger.security.handler; import java.util.ArrayList; +import java.util.Collection; import java.util.List; import java.util.Map; import java.util.HashMap; @@ -230,6 +231,7 @@ private Authentication getLdapAuthentication(Authentication authentication) { authentication = ldapAuthenticationProvider .authenticate(finalAuthentication); + authentication=getAuthenticationWithGrantedAuthority(authentication); return authentication; } else { return authentication; @@ -272,6 +274,7 @@ public Authentication getADAuthentication(Authentication authentication) { principal, userPassword, grantedAuths); authentication = adAuthenticationProvider .authenticate(finalAuthentication); + authentication=getAuthenticationWithGrantedAuthority(authentication); return authentication; } else { return authentication; 
@@ -323,6 +326,7 @@ public Authentication getUnixAuthentication(Authentication authentication) { principal, userPassword, grantedAuths); authentication = jaasAuthenticationProvider .authenticate(finalAuthentication); + authentication=getAuthenticationWithGrantedAuthority(authentication); return authentication; } else { return authentication; @@ -399,6 +403,7 @@ private Authentication getADBindAuthentication(Authentication authentication) { final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(principal, userPassword, grantedAuths); authentication = ldapAuthenticationProvider.authenticate(finalAuthentication); + authentication=getAuthenticationWithGrantedAuthority(authentication); return authentication; } else { return authentication; @@ -464,6 +469,7 @@ private Authentication getLdapBindAuthentication(Authentication authentication) final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(principal, userPassword, grantedAuths); authentication = ldapAuthenticationProvider.authenticate(finalAuthentication); + authentication=getAuthenticationWithGrantedAuthority(authentication); return authentication; } else { return authentication; @@ -499,8 +505,6 @@ private Authentication getJDBCAuthentication(Authentication authentication,Strin if (userName != null && userPassword != null && !userName.trim().isEmpty()&& !userPassword.trim().isEmpty()) { final List grantedAuths = new ArrayList<>(); grantedAuths.add(new SimpleGrantedAuthority(rangerLdapDefaultRole)); - grantedAuths.add(new SimpleGrantedAuthority("ROLE_SYS_ADMIN")); - grantedAuths.add(new SimpleGrantedAuthority("ROLE_KEY_ADMIN")); final UserDetails principal = new User(userName, userPassword,grantedAuths); final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(principal, userPassword, grantedAuths); authentication= authenticator.authenticate(finalAuthentication); 
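Review bot: getJDBCAuthentication is the one path that does not call `getAuthenticationWithGrantedAuthority` after `authenticator.authenticate(finalAuthentication)`, so once the hard-coded ROLE_SYS_ADMIN/ROLE_KEY_ADMIN grants are removed the returned token carries only `rangerLdapDefaultRole` unless `authenticator` itself loads the stored roles (not visible here). If it does not, add `authentication = getAuthenticationWithGrantedAuthority(authentication);` before returning, as the Unix, AD-bind and LDAP-bind branches in this hunk now do. The method's tail lies outside the hunk.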
@@ -521,4 +525,24 @@ private Authentication getJDBCAuthentication(Authentication authentication,Strin } return authentication; } + private List getAuthorities(String username) { + Collection roleList=userMgr.getRolesByLoginId(username); + final List grantedAuths = new ArrayList<>(); + for(String role:roleList){ + grantedAuths.add(new SimpleGrantedAuthority(role)); + } + return grantedAuths; + } + + public Authentication getAuthenticationWithGrantedAuthority(Authentication authentication){ + UsernamePasswordAuthenticationToken result=null; + if(authentication!=null && authentication.isAuthenticated()){ + final List grantedAuths=getAuthorities(authentication.getName().toString()); + final UserDetails userDetails = new User(authentication.getName().toString(), authentication.getCredentials().toString(),grantedAuths); + result = new UsernamePasswordAuthenticationToken(userDetails,authentication.getCredentials(),grantedAuths); + result.setDetails(authentication.getDetails()); + return result; + } + return authentication; + } } From cb8f30c4aee9eff0f81b80e329d920366c36c4fb Mon Sep 17 00:00:00 2001 From: Velmurugan Periasamy Date: Wed, 25 Nov 2015 15:51:29 -0500 Subject: [PATCH 115/202] RANGER-745: Upgrade Apache commons-collections Signed-off-by: Velmurugan Periasamy --- pom.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index 95b3b0f7d3c..356c9cd1c47 100644 --- a/pom.xml +++ b/pom.xml @@ -119,7 +119,7 @@ 1.8.3 1.2 1.9 - 3.2.1 + 3.2.2 1.8.1 1.10 1.4 @@ -532,4 +532,4 @@ - \ No newline at end of file + From 3c42cf249d99e8e42067abd00a09a03085f030a4 Mon Sep 17 00:00:00 2001 From: Velmurugan Periasamy Date: Tue, 1 Dec 2015 14:19:41 -0800 Subject: [PATCH 116/202] RANGER-755,756,757: ldaptool fixes (Sailaja Polavarapu via Velmurugan Periasamy) 
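Review bot: `authentication.getCredentials().toString()` in getAuthenticationWithGrantedAuthority throws NullPointerException if the delegate returns a token whose credentials were already erased (Spring Security's ProviderManager does this by default, so it depends on how the delegate providers are wired, which is not visible here); guard it with `Object creds = authentication.getCredentials(); String pw = (creds == null) ? "" : creds.toString();` and pass `pw` to the `User` constructor. Building a fresh `User` with the cleartext password also re-embeds it in the principal even though only the authorities need replacing. `authentication.getName()` already returns a String, so the `.toString()` calls on it are redundant.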
Signed-off-by: Velmurugan Periasamy --- .../ldapconfigcheck/scripts/run.sh | 8 ++++---- .../ranger/ldapconfigcheck/CommandLineOptions.java | 14 ++++++-------- 2 files changed, 10 insertions(+), 12 deletions(-) diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/scripts/run.sh b/ugsync/ldapconfigchecktool/ldapconfigcheck/scripts/run.sh index 787e2166fb7..e5c313a4702 100755 --- a/ugsync/ldapconfigchecktool/ldapconfigcheck/scripts/run.sh +++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/scripts/run.sh @@ -19,7 +19,7 @@ AUTH=1 usage() { echo "usage: run.sh - -noauth ignore authentication properties + -a ignore authentication properties -d {all|users|groups} -h show help. -i Input file name @@ -33,7 +33,7 @@ cp="${cdir}/lib/*:${cdir}/conf" OUTDIR="${cdir}/output/" JAVA_CMD="java -cp ${cdir}/lib/ldapconfigcheck.jar:${cp} org.apache.ranger.ldapconfigcheck.LdapConfigCheckMain" -while getopts "i:o:d:r:noauthh" opt; do +while getopts "i:o:d:r:ah" opt; do case $opt in i) INFILE=$OPTARG JAVA_CMD="$JAVA_CMD -i $OPTARG" @@ -46,8 +46,8 @@ while getopts "i:o:d:r:noauthh" opt; do r) RETRIEVE=$OPTARG JAVA_CMD="$JAVA_CMD -r $OPTARG" ;; - noauth) AUTH=0 - JAVA_CMD="$JAVA_CMD -noauth" + a) AUTH=0 + JAVA_CMD="$JAVA_CMD -a" ;; h) usage ;; diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/CommandLineOptions.java b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/CommandLineOptions.java index 790330f3842..c71e5cc7962 100644 --- a/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/CommandLineOptions.java +++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/CommandLineOptions.java 
@@ -28,7 +28,7 @@ public class CommandLineOptions { private Options options = new Options(); private String input = null; private String output = null; - private String discoverProperties; + private String discoverProperties = null; private String retrieveValues = null; private boolean isAuthEnabled = true; private String ldapUrl = ""; @@ -46,7 +46,7 @@ public CommandLineOptions(String[] args) { options.addOption("o", "outputdir", true, "Output directory"); options.addOption("d", "discoverProperties", true, "{all|users|groups}"); options.addOption("r", "retrieve", true, "{all|users|groups}"); - options.addOption("noauth", "noAuthentication", false, "Ignore authentication properties"); + options.addOption("a", "noAuthentication", false, "Ignore authentication properties"); } public void parse() { @@ -72,9 +72,7 @@ public void parse() { System.out.println("Unsupported value for option d"); help(); } - } - - if (cmd.hasOption("r")) { + } else if (cmd.hasOption("r")) { retrieveValues = cmd.getOptionValue("r"); if (retrieveValues == null || (!retrieveValues.equalsIgnoreCase("all") && !retrieveValues.equalsIgnoreCase("users") && !retrieveValues.equalsIgnoreCase("groups"))) { @@ -82,15 +80,15 @@ public void parse() { help(); } } else { - if (discoverProperties == null || discoverProperties.isEmpty()) { + //if (discoverProperties == null || discoverProperties.isEmpty()) { System.out.println("Default to discover all usersync properties"); //help(); // If "d" or "r" option is not specified, then default to discover all usersync properties discoverProperties = "all"; - } + //} } - if (cmd.hasOption("noauth")) { + if (cmd.hasOption("a") || discoverProperties == null || (discoverProperties != null && !discoverProperties.equalsIgnoreCase("all"))) { isAuthEnabled = false; } From 049723c9ee5a3c1f9be6768ca21ef664043a9c0d Mon Sep 17 00:00:00 2001 
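Review bot: The new condition `cmd.hasOption("a") || discoverProperties == null || (discoverProperties != null && !discoverProperties.equalsIgnoreCase("all"))` disables the authentication checks for every run that is not `-d all`, including `-r`, not only when `-a` is given; if that is intended it should be stated in the option help, since the `-a` description still presents it as the switch. The inner `discoverProperties != null &&` is redundant under short-circuit evaluation, so the test reduces to `if (cmd.hasOption("a") || !"all".equalsIgnoreCase(discoverProperties)) { isAuthEnabled = false; }`. The `//if (discoverProperties == null ...` and `//}` lines should be deleted rather than left commented out. parse() continues past the hunk.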
From: Sailaja Polavarapu Date: Mon, 30 Nov 2015 13:18:59 -0800 Subject: [PATCH 117/202] Ranger-742: Made code changes to complete user search before performing group search. Also, added check to retrieve groups from user's memberof attribute only when group search is not enabled. Signed-off-by: Velmurugan Periasamy --- .../process/LdapUserGroupBuilder.java | 388 ++++++++++-------- 1 file changed, 210 insertions(+), 178 deletions(-) diff --git a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java index bab9e84d992..bb5fad5a3c3 100644 --- a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java +++ b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java @@ -21,8 +21,11 @@ import java.util.ArrayList; +import java.util.HashMap; import java.util.HashSet; +import java.util.Iterator; import java.util.List; +import java.util.Map; import java.util.Properties; import java.util.Set; import java.util.StringTokenizer; @@ -95,6 +98,7 @@ public class LdapUserGroupBuilder implements UserGroupSource { Mapper userNameRegExInst = null; Mapper groupNameRegExInst = null; + private List userGroupMap; public static void main(String[] args) throws Throwable { LdapUserGroupBuilder ugBuilder = new LdapUserGroupBuilder(); 
@@ -293,61 +297,62 @@ public boolean isChanged() { @Override public void updateSink(UserGroupSink sink) throws Throwable { LOG.info("LDAPUserGroupBuilder updateSink started"); - NamingEnumeration userSearchResultEnum = null; - NamingEnumeration groupSearchResultEnum = null; + userGroupMap = new ArrayList(); + NamingEnumeration userSearchResultEnum = null; + NamingEnumeration groupSearchResultEnum = null; try { createLdapContext(); - int total; - // Activate paged results - byte[] cookie = null; - if (pagedResultsEnabled) { - ldapContext.setRequestControls(new Control[]{ - new PagedResultsControl(pagedResultsSize, Control.NONCRITICAL) }); - } + int total; + // Activate paged results + byte[] cookie = null; + if (pagedResultsEnabled) { + ldapContext.setRequestControls(new Control[]{ + new PagedResultsControl(pagedResultsSize, Control.NONCRITICAL) }); + } int counter = 0; do { userSearchResultEnum = ldapContext - .search(userSearchBase, extendedUserSearchFilter, - userSearchControls); + .search(userSearchBase, extendedUserSearchFilter, + userSearchControls); while (userSearchResultEnum.hasMore()) { // searchResults contains all the user entries final SearchResult userEntry = userSearchResultEnum.next(); - if (userEntry == null) { - if (LOG.isInfoEnabled()) { - LOG.info("userEntry null, skipping sync for the entry"); - } - continue; - } - - Attributes attributes = userEntry.getAttributes(); - if (attributes == null) { - if (LOG.isInfoEnabled()) { - LOG.info("attributes missing for entry " + userEntry.getNameInNamespace() + - ", skipping sync"); - } - continue; - } - - Attribute userNameAttr = attributes.get(userNameAttribute); - if (userNameAttr == null) { - if (LOG.isInfoEnabled()) { - LOG.info(userNameAttribute + " missing for entry " + userEntry.getNameInNamespace() + - ", skipping sync"); - } - continue; - } + if (userEntry == null) { + if (LOG.isInfoEnabled()) { + LOG.info("userEntry null, skipping sync for the entry"); + } + continue; + } + + Attributes 
attributes = userEntry.getAttributes(); + if (attributes == null) { + if (LOG.isInfoEnabled()) { + LOG.info("attributes missing for entry " + userEntry.getNameInNamespace() + + ", skipping sync"); + } + continue; + } + + Attribute userNameAttr = attributes.get(userNameAttribute); + if (userNameAttr == null) { + if (LOG.isInfoEnabled()) { + LOG.info(userNameAttribute + " missing for entry " + userEntry.getNameInNamespace() + + ", skipping sync"); + } + continue; + } String userName = (String) userNameAttr.get(); - if (userName == null || userName.trim().isEmpty()) { - if (LOG.isInfoEnabled()) { - LOG.info(userNameAttribute + " empty for entry " + userEntry.getNameInNamespace() + - ", skipping sync"); - } - continue; - } + if (userName == null || userName.trim().isEmpty()) { + if (LOG.isInfoEnabled()) { + LOG.info(userNameAttribute + " empty for entry " + userEntry.getNameInNamespace() + + ", skipping sync"); + } + continue; + } if (userNameCaseConversionFlag) { if (userNameLowerCaseFlag) { 
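Review bot: Almost every line in this hunk is a tab/space re-indent, which buries the single functional change — `userGroupMap = new ArrayList();` at the top of updateSink — and makes the diff hard to review; a separate whitespace-only commit would help. Because `userGroupMap` is an instance field, the full user list stays referenced after the sync finishes until the next call reassigns it; if nothing else reads it, make it a local handed to the group-search step, or clear it in the method's `finally`. The `NamingEnumeration` results are never closed either, though that predates this change. updateSink continues beyond the hunk.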
@@ -357,73 +362,53 @@ public void updateSink(UserGroupSink sink) throws Throwable { userName = userName.toUpperCase() ; } } - + if (userNameRegExInst != null) { - userName = userNameRegExInst.transform(userName); + userName = userNameRegExInst.transform(userName); } - Set groups = new HashSet(); - - for (String useGroupNameAttribute : userGroupNameAttributeSet) { - Attribute userGroupfAttribute = userEntry.getAttributes().get(useGroupNameAttribute); - if (userGroupfAttribute != null) { - NamingEnumeration groupEnum = userGroupfAttribute.getAll(); - while (groupEnum.hasMore()) { - String gName = getShortGroupName((String) groupEnum - .next()); - if (groupNameCaseConversionFlag) { - if (groupNameLowerCaseFlag) { - gName = gName.toLowerCase(); - } else { - gName = gName.toUpperCase(); - } - } - if (groupNameRegExInst != null) { - gName = groupNameRegExInst.transform(gName); - } - groups.add(gName); - } - } - } - - if (groupSearchEnabled && groupUserMapSyncEnabled) { - LOG.info("groupSearch and groupUserMapSync are enabled, would search for groups and compute memberships"); - groupSearchResultEnum = ldapContext - .search(groupSearchBase, extendedGroupSearchFilter, - new Object[]{userEntry.getNameInNamespace()}, - groupSearchControls); - Set computedGroups = new HashSet(); - while (groupSearchResultEnum.hasMore()) { - final SearchResult groupEntry = groupSearchResultEnum.next(); - if (groupEntry != null) { - String gName = (String) groupEntry.getAttributes() - .get(groupNameAttribute).get(); - if (groupNameCaseConversionFlag) { - if (groupNameLowerCaseFlag) { - gName = gName.toLowerCase(); - } else { - gName = gName.toUpperCase(); - } - } - if (groupNameRegExInst != null) { - gName = groupNameRegExInst.transform(gName); - } - computedGroups.add(gName); - } - } - if (LOG.isInfoEnabled()) { - LOG.info("computed groups for user: " + userName +", groups: " + computedGroups); - } - groups.addAll(computedGroups); - } - - List groupList = new ArrayList(groups); + UserInfo 
userInfo = new UserInfo(userName, userEntry.getNameInNamespace()); + Set groups = new HashSet(); + + // Get all the groups from the group name attribute of the user only when group search is not enabled. + if (!groupSearchEnabled) { + for (String useGroupNameAttribute : userGroupNameAttributeSet) { + Attribute userGroupfAttribute = userEntry.getAttributes().get(useGroupNameAttribute); + if (userGroupfAttribute != null) { + NamingEnumeration groupEnum = userGroupfAttribute.getAll(); + while (groupEnum.hasMore()) { + String gName = getShortGroupName((String) groupEnum + .next()); + if (groupNameCaseConversionFlag) { + if (groupNameLowerCaseFlag) { + gName = gName.toLowerCase(); + } else { + gName = gName.toUpperCase(); + } + } + if (groupNameRegExInst != null) { + gName = groupNameRegExInst.transform(gName); + } + groups.add(gName); + } + } + } + } + + userInfo.addGroups(groups); + //populate the userGroupMap with username, userInfo. + //userInfo contains details of user that will be later used for + //group search to compute group membership as well as to call sink.addOrUpdateUser() + userGroupMap.add(userInfo); + + //List groupList = new ArrayList(groups); + List groupList = userInfo.getGroups(); counter++; if (counter <= 2000) { if (LOG.isInfoEnabled()) { LOG.info("Updating user count: " + counter - + ", userName: " + userName + ", groupList: " - + groupList); + + ", userName: " + userName + ", groupList: " + + groupList); } if ( counter == 2000 ) { LOG.info("===> 2000 user records have been synchronized so far. From now on, only a summary progress log will be written for every 100 users. To continue to see detailed log for every user, please enable Trace level logging. <==="); 
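Review bot: With groupSearchEnabled set and groupUserMapSyncEnabled unset, neither the new `if (!groupSearchEnabled)` branch here nor the per-user search in getUserGroups (next hunk, guarded by `groupSearchEnabled && groupUserMapSyncEnabled`) populates groups, so every user is pushed to the sink with an empty group list; before this change the attribute-derived groups were always collected, so group-based policies would silently lose their members in that configuration. Unless dropping attribute groups there is intended, the guard should be `if (!groupSearchEnabled || !groupUserMapSyncEnabled) {`. The commented-out `//List groupList = new ArrayList(groups);` should be deleted rather than left beside its replacement. updateSink continues into the next hunk.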
@@ -439,90 +424,112 @@ public void updateSink(UserGroupSink sink) throws Throwable { } } } - try { - sink.addOrUpdateUser(userName, groupList); - } catch (Throwable t) { - LOG.error("sink.addOrUpdateUser failed with exception: " + t.getMessage() - + ", for user: " + userName - + ", groups: " + groupList); - } + } - + // Examine the paged results control response - Control[] controls = ldapContext.getResponseControls(); - if (controls != null) { - for (int i = 0; i < controls.length; i++) { - if (controls[i] instanceof PagedResultsResponseControl) { - PagedResultsResponseControl prrc = - (PagedResultsResponseControl)controls[i]; - total = prrc.getResultSize(); - if (total != 0) { - LOG.debug("END-OF-PAGE total : " + total); - } else { - LOG.debug("END-OF-PAGE total : unknown"); - } - cookie = prrc.getCookie(); - } - } - } else { - LOG.debug("No controls were sent from the server"); - } - // Re-activate paged results - if (pagedResultsEnabled) { - ldapContext.setRequestControls(new Control[]{ - new PagedResultsControl(PAGE_SIZE, cookie, Control.CRITICAL) }); - } + Control[] controls = ldapContext.getResponseControls(); + if (controls != null) { + for (int i = 0; i < controls.length; i++) { + if (controls[i] instanceof PagedResultsResponseControl) { + PagedResultsResponseControl prrc = + (PagedResultsResponseControl)controls[i]; + total = prrc.getResultSize(); + if (total != 0) { + LOG.debug("END-OF-PAGE total : " + total); + } else { + LOG.debug("END-OF-PAGE total : unknown"); + } + cookie = prrc.getCookie(); + } + } + } else { + LOG.debug("No controls were sent from the server"); + } + // Re-activate paged results + if (pagedResultsEnabled) { + ldapContext.setRequestControls(new Control[]{ + new PagedResultsControl(PAGE_SIZE, cookie, Control.CRITICAL) }); + } } while (cookie != null); LOG.info("LDAPUserGroupBuilder.updateSink() completed with user count: " + counter); - if (groupSearchEnabled && !groupUserMapSyncEnabled) { - if (LOG.isInfoEnabled()) { - 
LOG.info("groupSearch enabled and groupUserMapSync not enabled, " - + "would search for groups, would not compute memberships"); - } - Set groupNames = new HashSet(); - groupSearchResultEnum = ldapContext - .search(groupSearchBase, extendedAllGroupsSearchFilter, - groupSearchControls); - - while (groupSearchResultEnum.hasMore()) { - final SearchResult groupEntry = groupSearchResultEnum.next(); - if (groupEntry.getAttributes().get(groupNameAttribute) == null) { - continue; - } - String gName = (String) groupEntry.getAttributes() - .get(groupNameAttribute).get(); - if (groupNameCaseConversionFlag) { - if (groupNameLowerCaseFlag) { - gName = gName.toLowerCase(); - } else { - gName = gName.toUpperCase(); - } - } - if (groupNameRegExInst != null) { - gName = groupNameRegExInst.transform(gName); - } - groupNames.add(gName); - } - if (LOG.isInfoEnabled()) { - LOG.info("found groups from ldap source: " + groupNames); - } - - // TODO: push groupNames to ranger - // POST http://:6080/service/xusers/secure/groups create group - // PUT http://:6080/service/xusers/secure/groups/{id} update group - // sink.addOrUpdateUser(groupNames); - - } + } finally { - if (userSearchResultEnum != null) { - userSearchResultEnum.close(); - } - if (groupSearchResultEnum != null) { - groupSearchResultEnum.close(); - } + if (userSearchResultEnum != null) { + userSearchResultEnum.close(); + } + if (groupSearchResultEnum != null) { + groupSearchResultEnum.close(); + } + closeLdapContext(); + } + // Perform group search + getUserGroups(sink); + } + + private void getUserGroups(UserGroupSink sink) throws Throwable { + NamingEnumeration groupSearchResultEnum = null; + LOG.debug("Total No. 
of users saved = " + userGroupMap.size()); + if (groupSearchEnabled && groupUserMapSyncEnabled) { + LOG.info("groupSearch and groupUserMapSync are enabled, would search for groups and compute memberships"); + createLdapContext(); + } + + Iterator userInfoIterator = userGroupMap.iterator(); + while(userInfoIterator.hasNext()) { + UserInfo userInfo = userInfoIterator.next(); + String userName = userInfo.getUserName(); + if (groupSearchEnabled && groupUserMapSyncEnabled) { + //LOG.info("groupSearch and groupUserMapSync are enabled, would search for groups and compute memberships"); + try { + + groupSearchResultEnum = ldapContext + .search(groupSearchBase, extendedGroupSearchFilter, + new Object[]{userInfo.getUserFullName()}, + groupSearchControls); + Set computedGroups = new HashSet(); + while (groupSearchResultEnum.hasMore()) { + final SearchResult groupEntry = groupSearchResultEnum.next(); + if (groupEntry != null) { + String gName = (String) groupEntry.getAttributes() + .get(groupNameAttribute).get(); + if (groupNameCaseConversionFlag) { + if (groupNameLowerCaseFlag) { + gName = gName.toLowerCase(); + } else { + gName = gName.toUpperCase(); + } + } + if (groupNameRegExInst != null) { + gName = groupNameRegExInst.transform(gName); + } + computedGroups.add(gName); + } + } + if (LOG.isInfoEnabled()) { + LOG.info("computed groups for user: " + userName +", groups: " + computedGroups); + } + userInfo.addGroups(computedGroups); + + } finally { + if (groupSearchResultEnum != null) { + groupSearchResultEnum.close(); + } + } + } + List groupList = userInfo.getGroups(); + try { + sink.addOrUpdateUser(userName, groupList); + } catch (Throwable t) { + LOG.error("sink.addOrUpdateUser failed with exception: " + t.getMessage() + + ", for user: " + userName + + ", groups: " + groupList); + } + } + if (groupSearchEnabled && groupUserMapSyncEnabled) { closeLdapContext(); } } 
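Review bot: In getUserGroups, createLdapContext() is called when group search is enabled but closeLdapContext() runs only on normal completion at the bottom of the method, so a NamingException from ldapContext.search for any user leaves the context open, and the call `getUserGroups(sink);` in updateSink sits outside that method's try/finally as well. Wrap the iterator loop in try/finally and move the close there: `} finally { if (groupSearchEnabled && groupUserMapSyncEnabled) { closeLdapContext(); } }`. `groupEntry.getAttributes().get(groupNameAttribute).get()` throws NullPointerException for a group entry that lacks the name attribute and aborts the whole sync; the all-groups path this commit removes guarded that case, and this loop should keep the guard: `Attribute gAttr = groupEntry.getAttributes().get(groupNameAttribute); if (gAttr == null) { continue; }`. The commented-out LOG.info line inside the loop should be deleted.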
@@ -544,3 +551,28 @@ private static String getShortGroupName(String longGroupName) throws InvalidName } } + +class UserInfo { + private String userName; + private String userFullName; + private Set groupList; + + public UserInfo(String userName, String userFullName) { + this.userName = userName; + this.userFullName = userFullName; + this.groupList = new HashSet(); + } + + public String getUserName() { + return userName; + } + public String getUserFullName() { + return userFullName; + } + public void addGroups(Set groups) { + groupList.addAll(groups); + } + public List getGroups() { + return (new ArrayList(groupList)); + } +} From 5bebb549a823e19b3b9db87969e59f780593d283 Mon Sep 17 00:00:00 2001 From: Gautam Borad Date: Wed, 25 Nov 2015 13:48:14 +0530 Subject: [PATCH 118/202] RANGER-749 : Ranger KMS to support multiple KMS instances with keys across multiple clusters --- kms/scripts/exportKeysToJCEKS.sh | 19 +++ kms/scripts/importJCEKSKeys.sh | 2 +- .../hadoop/crypto/key/Ranger2JKSUtil.java | 134 ++++++++++++++++++ .../hadoop/crypto/key/RangerKeyStore.java | 40 +++++- src/main/assembly/kms.xml | 1 + 5 files changed, 188 insertions(+), 8 deletions(-) create mode 100644 kms/scripts/exportKeysToJCEKS.sh create mode 100644 kms/src/main/java/org/apache/hadoop/crypto/key/Ranger2JKSUtil.java diff --git a/kms/scripts/exportKeysToJCEKS.sh b/kms/scripts/exportKeysToJCEKS.sh new file mode 100644 index 00000000000..03dbe48c0ef --- /dev/null +++ b/kms/scripts/exportKeysToJCEKS.sh 
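Review bot: UserInfo is added as a second, package-private top-level class at the end of the file, with non-final fields and no documentation. It appears to be used only by the builder in this file (inferred from this patch), so a `private static final class UserInfo` nested in the builder with `private final String userName; private final String userFullName; private final Set groupList;` would keep it out of the package namespace and make the immutability of the two names explicit. A one-line class comment such as `// Holds a synced user's name, DN and the group names accumulated for it before the sink is called` would orient the next reader.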
@@ -0,0 +1,19 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# -------------------------------------------------------------------------------------
+RANGER_KMS_HOME=`dirname $0`
+cp="${RANGER_KMS_HOME}/cred/lib/*:${RANGER_KMS_HOME}/./ews/webapp/WEB-INF/classes/conf/:${RANGER_KMS_HOME}/ews/webapp/config:${RANGER_KMS_HOME}/ews/lib/*:${RANGER_KMS_HOME}/ews/webapp/lib/*:${RANGER_KMS_HOME}/ews/webapp/META-INF"
+java -cp "${cp}" org.apache.hadoop.crypto.key.Ranger2JKSUtil ${1} ${2}
diff --git a/kms/scripts/importJCEKSKeys.sh b/kms/scripts/importJCEKSKeys.sh
index 9c2f9fb1849..57a20538fd1 100755
--- a/kms/scripts/importJCEKSKeys.sh
+++ b/kms/scripts/importJCEKSKeys.sh
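Review bot: The positional arguments are passed unquoted, `... org.apache.hadoop.crypto.key.Ranger2JKSUtil ${1} ${2}`, so a keystore path containing a space or a glob character is split or expanded before it reaches the Java utility; `dirname $0` has the same problem when the install path contains spaces. Use `RANGER_KMS_HOME=$(dirname "$0")` and `java -cp "${cp}" org.apache.hadoop.crypto.key.Ranger2JKSUtil "${1}" "${2}"`; importJCEKSKeys.sh in the next hunk has the same unquoted invocation. A comment near the top stating that the script writes the keys held in the Ranger KMS database into the given JCEKS file, so the output path should be on a restricted location, would help operators.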
@@ -15,5 +15,5 @@
# limitations under the License.
# -------------------------------------------------------------------------------------
RANGER_KMS_HOME=`dirname $0`
-cp="${RANGER_KMS_HOME}/ews/webapp/config:${RANGER_KMS_HOME}/ews/lib/*:${RANGER_KMS_HOME}/ews/webapp/lib/*:${RANGER_KMS_HOME}/ews/webapp/META-INF:"
+cp="${RANGER_KMS_HOME}/cred/lib/*:${RANGER_KMS_HOME}/./ews/webapp/WEB-INF/classes/conf/:${RANGER_KMS_HOME}/ews/webapp/config:${RANGER_KMS_HOME}/ews/lib/*:${RANGER_KMS_HOME}/ews/webapp/lib/*:${RANGER_KMS_HOME}/ews/webapp/META-INF"
java -cp "${cp}" org.apache.hadoop.crypto.key.JKS2RangerUtil ${1} ${2}
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/Ranger2JKSUtil.java b/kms/src/main/java/org/apache/hadoop/crypto/key/Ranger2JKSUtil.java
new file mode 100644
index 00000000000..0def5e5bc93
--- /dev/null
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/Ranger2JKSUtil.java
@@ -0,0 +1,134 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.crypto.key; + +import java.io.Console; +import java.io.File; +import java.io.FileOutputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.OutputStream; +import java.nio.charset.Charset; +import java.security.KeyStore; +import java.security.KeyStoreException; + +import org.apache.hadoop.conf.Configuration; +import org.apache.ranger.kms.dao.DaoManager; + +public class Ranger2JKSUtil { + + private static final String DEFAULT_KEYSTORE_TYPE = "jceks" ; + private static final String ENCRYPTION_KEY = "ranger.db.encrypt.key.password" ; + + public static void showUsage() { + System.err.println("USAGE: java " + Ranger2JKSUtil.class.getName() + " [KeyStoreType]") ; + System.err.println(" If KeyStoreType is not provided, it will be considered as " + DEFAULT_KEYSTORE_TYPE) ; + System.err.println(" When execution of this utility, it will prompt for both keystore password and key password.") ; + } + + + public static void main(String[] args) throws IOException { + if (args.length == 0) { + System.err.println("Invalid number of parameters found.") ; + showUsage() ; + System.exit(1) ; + } + else { + String 
keyStoreFileName = args[0] ; + File f = new File(keyStoreFileName) ; + if (! f.exists()) { + f.createNewFile(); + } + String keyStoreType = (args.length == 2 ? args[1] : DEFAULT_KEYSTORE_TYPE) ; + try { + KeyStore.getInstance(keyStoreType) ; + } catch (KeyStoreException e) { + System.err.println("ERROR: Unable to get valid keystore for the type [" + keyStoreType + "]") ; + showUsage() ; + System.exit(1) ; + } + + new Ranger2JKSUtil().doExportKeysFromJKS(keyStoreFileName, keyStoreType); + + System.out.println("Keys from Ranger KMS Database has been successfully exported into " + keyStoreFileName); + + System.exit(0) ; + + } + } + + private void doExportKeysFromJKS(String keyStoreFileName, String keyStoreType) { + try { + char[] keyStorePassword = getPasswordFromConsole("Enter Password for the keystore FILE :") ; + char[] keyPassword = getPasswordFromConsole("Enter Password for the KEY(s) stored in the keystore:") ; + Configuration conf = RangerKeyStoreProvider.getDBKSConf(); + RangerKMSDB rangerkmsDb = new RangerKMSDB(conf); + DaoManager daoManager = rangerkmsDb.getDaoManager(); + RangerKeyStore dbStore = new RangerKeyStore(daoManager); + String password = conf.get(ENCRYPTION_KEY); + RangerMasterKey rangerMasterKey = new RangerMasterKey(daoManager); + char[] masterKey = rangerMasterKey.getMasterKey(password).toCharArray(); + OutputStream out = null; + try { + out = new FileOutputStream(new File(keyStoreFileName)); + dbStore.engineLoadToKeyStoreFile(out, keyStorePassword, keyPassword, masterKey, keyStoreType); + } + finally { + if (out != null) { + try { + out.close(); + } catch (Exception e) { + throw new RuntimeException("ERROR: Unable to close file stream for [" + keyStoreFileName + "]", e) ; + } + } + } + } + catch(Throwable t) { + throw new RuntimeException("Unable to export keys to [" + keyStoreFileName + "] due to exception.", t) ; + } + } + + private char[] getPasswordFromConsole(String prompt) throws IOException { + String ret = null ; + Console 
c=System.console(); + if (c == null) { + System.out.print(prompt + " "); + InputStream in=System.in; + int max=50; + byte[] b=new byte[max]; + int l= in.read(b); + l--; //last character is \n + if (l>0) { + byte[] e=new byte[l]; + System.arraycopy(b,0, e, 0, l); + ret = new String(e, Charset.defaultCharset()); + } + } else { + char[] pwd = c.readPassword(prompt + " ") ; + if (pwd == null) { + ret = null ; + } + else { + ret = new String(pwd); + } + } + if (ret == null) { + ret = "" ; + } + return ret.toCharArray() ; + } +} diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java index ff82f53eb3f..850104f9a38 100644 --- a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java +++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java @@ -42,6 +42,7 @@ import java.security.UnrecoverableKeyException; import java.security.cert.Certificate; import java.security.cert.CertificateException; +import java.util.ArrayList; import java.util.Date; import java.util.Enumeration; import java.util.Hashtable; @@ -223,10 +224,10 @@ public void engineStore(OutputStream stream, char[] password) throw new IllegalArgumentException("Ranger Master Key can't be null"); } - MessageDigest md = getKeyedMessageDigest(password); + MessageDigest md = getKeyedMessageDigest(password); byte digest[] = md.digest(); - for (Enumeration e = deltaEntries.keys(); e.hasMoreElements();) { + for (Enumeration e = deltaEntries.keys(); e.hasMoreElements();) { ByteArrayOutputStream baos = new ByteArrayOutputStream(); DataOutputStream dos = new DataOutputStream(new DigestOutputStream(baos, md)); 
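Review bot: showUsage omits the mandatory first argument; it should read `System.err.println("USAGE: java " + Ranger2JKSUtil.class.getName() + " <KeyStoreFileName> [KeyStoreType]") ;`. In main, `f.createNewFile()` creates the export file under the process umask before any key material is written, and doExportKeysFromJKS then stores every KMS key into it; on POSIX systems creating it owner-only is safer, e.g. `Files.createFile(f.toPath(), PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------")));` from java.nio.file (this throws on non-POSIX filesystems, so guard or fall back to the current call). getPasswordFromConsole copies the char[] from Console.readPassword into a String, and its no-console fallback reads at most 50 bytes from stdin and drops the last byte unconditionally, so a password of 50 or more characters is silently truncated and its tail is left on stdin for the next prompt; returning the char[] directly and reading a full line would avoid both. Neither the two passwords nor masterKey are cleared after use.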
@@ -282,7 +283,6 @@ private void dbOperationStore(XXRangerKeyStore rangerKeyStore) { xxRangerKeyStore = new XXRangerKeyStore(); keyStoreExists = false; } - xxRangerKeyStore = mapToEntityBean(rangerKeyStore, xxRangerKeyStore, 0); if (keyStoreExists) { xxRangerKeyStore = rangerKMSDao.update(xxRangerKeyStore); @@ -483,13 +483,13 @@ public void engineSetKeyEntry(String alias, Key key, char[] password, public void engineLoadKeyStoreFile(InputStream stream, char[] storePass, char[] keyPass, char[] masterKey, String fileFormat) throws IOException, NoSuchAlgorithmException, CertificateException { - synchronized(keyEntries) { + synchronized(deltaEntries) { KeyStore ks; try { ks = KeyStore.getInstance(fileFormat); ks.load(stream, storePass); - keyEntries.clear(); + deltaEntries.clear(); for (Enumeration name = ks.aliases(); name.hasMoreElements();){ SecretKeyEntry entry = new SecretKeyEntry(); String alias = (String) name.nextElement(); 
@@ -532,8 +532,34 @@ public void engineLoadKeyStoreFile(InputStream stream, char[] storePass, char[] entry.date = ks.getCreationDate(alias); entry.version = (alias.split("@").length == 2)?(Integer.parseInt(alias.split("@")[1])):0; entry.description = k.getFormat()+" - "+ks.getType(); - keyEntries.put(alias, entry); - } + deltaEntries.put(alias, entry); + } + } catch (Throwable t) { + logger.error("Unable to load keystore file ", t); + throw new IOException(t) ; + } + } + } + + public void engineLoadToKeyStoreFile(OutputStream stream, char[] storePass, char[] keyPass, char[] masterKey, String fileFormat) + throws IOException, NoSuchAlgorithmException, CertificateException + { + synchronized(keyEntries) { + KeyStore ks; + try { + ks = KeyStore.getInstance(fileFormat); + ks.load(null, storePass); + String alias = null; + engineLoad(null, masterKey); + Enumeration e = engineAliases(); + Key key; + while (e.hasMoreElements()) { + alias = e.nextElement(); + key = engineGetKey(alias, masterKey); + ks.setKeyEntry(alias, key, keyPass, null); + } + + ks.store(stream, storePass); } catch (Throwable t) { logger.error("Unable to load keystore file ", t); throw new IOException(t) ; diff --git a/src/main/assembly/kms.xml b/src/main/assembly/kms.xml index 52ab5a0d1eb..5c9e11be217 100755 --- a/src/main/assembly/kms.xml +++ b/src/main/assembly/kms.xml @@ -304,6 +304,7 @@ setup.sh install.properties importJCEKSKeys.sh + exportKeysToJCEKS.sh 544 From f9fc17f14806fc884c7d701bade39978d99aff6e Mon Sep 17 00:00:00 2001 From: Gautam Borad Date: Tue, 24 Nov 2015 18:09:34 +0530 Subject: [PATCH 119/202] RANGER-748 : Fix - Users in policy got changed after upgrade --- .../java/org/apache/ranger/biz/RangerPolicyRetriever.java | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java index 2415df7ae65..36d52af6409 100644 
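Review bot: The catch block in engineLoadToKeyStoreFile was copied from engineLoadKeyStoreFile and logs `Unable to load keystore file` although this method exports keys, which will mislead whoever reads the log; use `logger.error("Unable to export keys to keystore file ", t);`. The method writes every alias that engineAliases() returns into an external keystore but logs nothing on success; an info-level line with the count of aliases exported (never the key material) gives an audit trail for what is a high-value operation. `String alias = null;` and `Key key;` are declared ahead of the loop for no reason; declare them at the point of assignment. The method's closing braces lie beyond the hunk.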
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java @@ -44,6 +44,7 @@ import org.apache.ranger.entity.XXPortalUser; import org.apache.ranger.entity.XXResourceDef; import org.apache.ranger.entity.XXService; +import org.apache.ranger.entity.XXUser; import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess; @@ -250,10 +251,10 @@ String getUserName(Long userId) { ret = userNames.get(userId); if(ret == null) { - XXPortalUser user = daoMgr.getXXPortalUser().getById(userId); + XXUser user = daoMgr.getXXUser().getById(userId); if(user != null) { - ret = user.getLoginId(); + ret = user.getName(); // Name is `loginId` userNames.put(userId, ret); } From eb966b30a7154064c5a83ada48346a2074785210 Mon Sep 17 00:00:00 2001 From: rmani Date: Wed, 2 Dec 2015 15:31:37 -0800 Subject: [PATCH 120/202] RANGER-754:Ranger YARN Plugin lookup and test connection should support SPENGO enabled HTTP Authentication --- .../plugin/client/HadoopConfigHolder.java | 62 +++-- .../service-defs/ranger-servicedef-yarn.json | 35 ++- .../services/yarn/client/YarnClient.java | 228 ++++++++++-------- .../yarn/client/YarnConnectionMgr.java | 18 +- .../services/yarn/client/YarnResourceMgr.java | 14 +- 5 files changed, 217 insertions(+), 140 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java b/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java index f95e10e2db7..9d14ae67ab2 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java 
@@ -22,6 +22,7 @@ import java.io.IOException; import java.io.InputStream; import java.util.*; +import java.util.Map.Entry; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; @@ -96,6 +97,7 @@ public static HadoopConfigHolder getInstance(String aDatasourceName, Map -1) ; } - } } @@ -342,21 +345,26 @@ public Properties getProperties(String aResourceName) { } public String getHadoopSecurityAuthentication() { - Properties repoParam = null ; String ret = null; - - HashMap resourceName2PropertiesMap = dataSource2ResourceListMap.get(this.getDatasourceName()) ; - - if ( resourceName2PropertiesMap != null) { - repoParam=resourceName2PropertiesMap.get(DEFAULT_RESOURCE_NAME); + String sectionName = RANGER_SECTION_NAME; + + if ( defaultConfigFile != null) { + sectionName = defaultConfigFile; + } + + if ( LOG.isDebugEnabled() ) { + LOG.debug("==> HadoopConfigHolder.getHadoopSecurityAuthentication( " + " DataSource : " + sectionName + " Property : " + HADOOP_SECURITY_AUTHENTICATION + ")" ); } + + ret = getProperties(sectionName,HADOOP_SECURITY_AUTHENTICATION); - if ( repoParam != null ) { - ret = (String)repoParam.get(HADOOP_SECURITY_AUTHENTICATION); + if ( LOG.isDebugEnabled() ) { + LOG.debug("<== HadoopConfigHolder.getHadoopSecurityAuthentication(" + " DataSource : " + sectionName + " Property : " + HADOOP_SECURITY_AUTHENTICATION + " Value : " + ret + ")" ); } + return ret; - } - + } + public String getUserName() { return userName; } 
@@ -377,6 +385,32 @@ public Set getRangerInternalPropertyKeys() { return rangerInternalPropertyKeys; } + + private String getProperties(String sectionName, String property) { + + if ( LOG.isDebugEnabled() ) { + LOG.debug("==> HadoopConfigHolder.getProperties( " + " DataSource : " + sectionName + " Property : " + property + ")" ); + } + + Properties repoParam = null ; + String ret = null; + + HashMap resourceName2PropertiesMap = dataSource2ResourceListMap.get(this.getDatasourceName()) ; + + if ( resourceName2PropertiesMap != null) { + repoParam=resourceName2PropertiesMap.get(sectionName); + } + + if ( repoParam != null ) { + ret = (String)repoParam.get(property); + } + + if ( LOG.isDebugEnabled() ) { + LOG.debug("<== HadoopConfigHolder.getProperties( " + " DataSource : " + sectionName + " Property : " + property + " Value : " + ret); + } + + return ret; + } } diff --git a/agents-common/src/main/resources/service-defs/ranger-servicedef-yarn.json b/agents-common/src/main/resources/service-defs/ranger-servicedef-yarn.json index ff1f39fcc46..ff93dfe5700 100644 --- a/agents-common/src/main/resources/service-defs/ranger-servicedef-yarn.json +++ b/agents-common/src/main/resources/service-defs/ranger-servicedef-yarn.json @@ -82,6 +82,19 @@ { "itemId": 4, + "name": "hadoop.security.authentication", + "type": "enum", + "subType": "authnType", + "mandatory": true, + "validationRegEx":"", + "validationMessage": "", + "uiHint":"", + "label": "Authentication Type", + "defaultValue": "simple" + }, + + { + "itemId": 5, "name": "commonNameForCertificate", "type": "string", "mandatory": false, @@ -90,11 +103,31 @@ "uiHint":"", "label": "Common Name for Certificate" } + ], "enums": [ - + { + "itemId": 1, + "name": "authnType", + "elements": + [ + { + "itemId": 1, + "name": "simple", + "label": "Simple" + }, + + { + "itemId": 2, + "name": "kerberos", + "label": "Kerberos" + } + ], + + "defaultIndex": 0 + } ], "contextEnrichers": 
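Review bot: The new private helper `getProperties(String sectionName, String property)` returns a single value yet shares its name with the public `getProperties(String aResourceName)` that returns a Properties object (visible in the previous hunk's header), which invites confusion; `getProperty` would say what it does. Its exit-side debug line prints `Value : ret` for whatever key it is given; the only caller in the previous hunk asks for hadoop.security.authentication, but the repository section it reads presumably also holds credentials such as the `password` entry the YARN client fetches in a later hunk, so a generic accessor should not echo values, or should do so only for an allow-list of non-secret keys. The exit-side debug string also lacks the closing `)` that the entry-side one has.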
diff --git a/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnClient.java b/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnClient.java index fc07760dd50..0f3ed89d492 100644 --- a/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnClient.java +++ b/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnClient.java @@ -19,6 +19,9 @@ package org.apache.ranger.services.yarn.client; +import java.net.Authenticator; +import java.net.PasswordAuthentication; +import java.security.PrivilegedAction; import java.util.ArrayList; import java.util.HashMap; import java.util.List; @@ -26,6 +29,7 @@ import java.util.concurrent.Callable; import java.util.concurrent.TimeUnit; +import javax.security.auth.Subject; import org.apache.commons.io.FilenameUtils; import org.apache.log4j.Logger; @@ -40,7 +44,7 @@ import com.sun.jersey.api.client.ClientResponse; import com.sun.jersey.api.client.WebResource; -public class YarnClient { +public class YarnClient extends BaseClient { public static final Logger LOG = Logger.getLogger(YarnClient.class) ; 
@@ -57,16 +61,27 @@ public class YarnClient { String userName; String password; - public YarnClient(String yarnQueueUrl, String yarnUserName, String yarnPassWord) { - - this.yarnQUrl = yarnQueueUrl; - this.userName = yarnUserName ; - this.password = yarnPassWord; + public YarnClient(String serviceName, Map configs) { + + super(serviceName,configs,"yarn-client") ; + + this.yarnQUrl = configs.get("yarn.url"); + this.userName = configs.get("username"); + this.password = configs.get("password"); + if (this.yarnQUrl == null || this.yarnQUrl.isEmpty()) { + LOG.error("No value found for configuration 'yarn.url'. YARN resource lookup will fail"); + } + if (this.userName == null || this.userName.isEmpty()) { + LOG.error("No value found for configuration 'usename'. YARN resource lookup will fail"); + } + if (this.password == null || this.password.isEmpty()) { + LOG.error("No value found for configuration 'password'. YARN resource lookup will fail"); + } + if (LOG.isDebugEnabled()) { - LOG.debug("Yarn Client is build with url [" + yarnQueueUrl + "] user: [" + yarnPassWord + "], password: [" + "" + "]"); + LOG.debug("Yarn Client is build with url [" + this.yarnQUrl + "] user: [" + this.userName + "], password: [" + "*********" + "]"); } - } public List getQueueList(final String queueNameMatching, final List existingQueueList) { 
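Review bot: The error for a missing user name misspells the key: `LOG.error("No value found for configuration 'usename'. YARN resource lookup will fail");` should say `'username'`, matching the `configs.get("username")` above it, otherwise operators will look for a key that does not exist. The debug line says "is build with"; "is built with" reads better. Both are log text only, no behaviour change.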
@@ -74,107 +89,122 @@ public List getQueueList(final String queueNameMatching, final List ret = null; - - Callable> yarnQueueListGetter = new Callable>() { + + Callable> callableYarnQListGetter = new Callable>() { + @Override public List call() { - - List lret = new ArrayList(); - - String url = yarnQUrl + YARN_LIST_API_ENDPOINT ; - - Client client = null ; - ClientResponse response = null ; - - try { - client = Client.create() ; - - WebResource webResource = client.resource(url); - - response = webResource.accept(EXPECTED_MIME_TYPE) - .get(ClientResponse.class); - - if (LOG.isDebugEnabled()) { - LOG.debug("getQueueList():calling " + url); - } - - if (response != null) { - if (LOG.isDebugEnabled()) { - LOG.debug("getQueueList():response.getStatus()= " + response.getStatus()); - } - if (response.getStatus() == 200) { - String jsonString = response.getEntity(String.class); - Gson gson = new GsonBuilder().setPrettyPrinting().create(); - YarnSchedulerResponse yarnQResponse = gson.fromJson(jsonString, YarnSchedulerResponse.class); - if (yarnQResponse != null) { - List yarnQueueList = yarnQResponse.getQueueNames(); - if (yarnQueueList != null) { - for ( String yarnQueueName : yarnQueueList) { - if ( existingQueueList != null && existingQueueList.contains(yarnQueueName)) { - continue; - } - if (queueNameMatching == null || queueNameMatching.isEmpty() - || yarnQueueName.startsWith(queueNameMatching)) { - if (LOG.isDebugEnabled()) { - LOG.debug("getQueueList():Adding yarnQueue " + yarnQueueName); + List yarnQueueListGetter = null; + + Subject subj = getLoginSubject(); + + if (subj != null) { + yarnQueueListGetter = Subject.doAs(subj, new PrivilegedAction>() { + + @Override + public List run() { + + List lret = new ArrayList(); + + String url = yarnQUrl + YARN_LIST_API_ENDPOINT ; + + Client client = null ; + + ClientResponse response = null ; + + try { + client = Client.create() ; + + WebResource webResource = client.resource(url); + + response = 
webResource.accept(EXPECTED_MIME_TYPE) + .get(ClientResponse.class); + + if (LOG.isDebugEnabled()) { + LOG.debug("getQueueList():calling " + url); + } + + if (response != null) { + if (LOG.isDebugEnabled()) { + LOG.debug("getQueueList():response.getStatus()= " + response.getStatus()); + } + if (response.getStatus() == 200) { + String jsonString = response.getEntity(String.class); + Gson gson = new GsonBuilder().setPrettyPrinting().create(); + YarnSchedulerResponse yarnQResponse = gson.fromJson(jsonString, YarnSchedulerResponse.class); + if (yarnQResponse != null) { + List yarnQueueList = yarnQResponse.getQueueNames(); + if (yarnQueueList != null) { + for ( String yarnQueueName : yarnQueueList) { + if ( existingQueueList != null && existingQueueList.contains(yarnQueueName)) { + continue; + } + if (queueNameMatching == null || queueNameMatching.isEmpty() + || yarnQueueName.startsWith(queueNameMatching)) { + if (LOG.isDebugEnabled()) { + LOG.debug("getQueueList():Adding yarnQueue " + yarnQueueName); + } + lret.add(yarnQueueName) ; + } } - lret.add(yarnQueueName) ; } } - } + } else{ + LOG.info("getQueueList():response.getStatus()= " + response.getStatus() + " for URL " + url + ", so returning null list"); + String jsonString = response.getEntity(String.class); + LOG.info(jsonString); + lret = null; } - } else{ - LOG.info("getQueueList():response.getStatus()= " + response.getStatus() + " for URL " + url + ", so returning null list"); - String jsonString = response.getEntity(String.class); - LOG.info(jsonString); + } else { + lret = null; + String msgDesc = "Unable to get a valid response for " + + "expected mime type : [" + EXPECTED_MIME_TYPE + + "] URL : " + url + " - got null response."; + LOG.error(msgDesc); + HadoopException hdpException = new HadoopException(msgDesc); + hdpException.generateResponseDataMap(false, msgDesc, + msgDesc + errMsg, null, null); + throw hdpException; + } + } catch (HadoopException he) { lret = null; + throw he; + } catch (Throwable t) { + 
lret = null; + String msgDesc = "Exception while getting Yarn Queue List." + + " URL : " + url; + HadoopException hdpException = new HadoopException(msgDesc, + t); + + LOG.error(msgDesc, t); + + hdpException.generateResponseDataMap(false, + BaseClient.getMessage(t), msgDesc + errMsg, null, + null); + throw hdpException; + + } finally { + if (response != null) { + response.close(); + } + + if (client != null) { + client.destroy(); + } } - } else { - lret = null; - String msgDesc = "Unable to get a valid response for " - + "expected mime type : [" + EXPECTED_MIME_TYPE - + "] URL : " + url + " - got null response."; - LOG.error(msgDesc); - HadoopException hdpException = new HadoopException(msgDesc); - hdpException.generateResponseDataMap(false, msgDesc, - msgDesc + errMsg, null, null); - throw hdpException; - } - } catch (HadoopException he) { - lret = null; - throw he; - } catch (Throwable t) { - lret = null; - String msgDesc = "Exception while getting Yarn Queue List." - + " URL : " + url; - HadoopException hdpException = new HadoopException(msgDesc, - t); - - LOG.error(msgDesc, t); - - hdpException.generateResponseDataMap(false, - BaseClient.getMessage(t), msgDesc + errMsg, null, - null); - throw hdpException; - - } finally { - if (response != null) { - response.close(); - } - - if (client != null) { - client.destroy(); + return lret ; } + } ); } - return lret ; - } - } ; + return yarnQueueListGetter; + } + }; try { - ret = timedTask(yarnQueueListGetter, 5, TimeUnit.SECONDS); + ret = timedTask(callableYarnQListGetter, 5, TimeUnit.SECONDS); } catch ( Throwable t) { LOG.error("Unable to get Yarn Queue list from [" + yarnQUrl + "]", t) ; String msgDesc = "Unable to get a valid response for " 
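Review bot: When getLoginSubject() returns null, `yarnQueueListGetter` is never assigned and call() returns null without logging anything, so a failed or absent login surfaces to test-connection as an empty queue list rather than a cause; the other failure paths in this hunk throw a HadoopException with a generated response map, and this one should do the same, e.g. `throw new HadoopException("Unable to obtain a login Subject for YARN queue lookup");` (whether a null Subject is a valid state for simple authentication depends on BaseClient.getLoginSubject, which is outside the hunk). The HTTP call now sits in an anonymous PrivilegedAction inside an anonymous Callable, several levels deep; moving it into a private method such as `fetchQueueNames(queueNameMatching, existingQueueList)` and calling that from run() would keep the change readable. getQueueList continues past the hunk.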
@@ -243,12 +273,7 @@ public static YarnClient getYarnClient(String serviceName, + errMsg, null, null); throw hdpException; } else { - String yarnUrl = configs.get("yarn.url"); - String yarnUserName = configs.get("username"); - String yarnPassWord = configs.get("password"); - yarnClient = new YarnClient (yarnUrl, yarnUserName, - yarnPassWord); - + yarnClient = new YarnClient (serviceName, configs); } return yarnClient; } @@ -299,5 +324,4 @@ public static T timedTask(Callable callableObj, long timeout, TimeUnit timeUnit) throws Exception { return callableObj.call(); } - } diff --git a/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnConnectionMgr.java b/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnConnectionMgr.java index e2cc2ef2426..1d39998d5ff 100644 --- a/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnConnectionMgr.java +++ b/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnConnectionMgr.java @@ -19,25 +19,17 @@ package org.apache.ranger.services.yarn.client; +import java.util.Map; + import org.apache.log4j.Logger; public class YarnConnectionMgr { public static final Logger LOG = Logger.getLogger(YarnConnectionMgr.class); - - public static YarnClient getYarnClient(final String yarnURL, String userName, String password) { - YarnClient yarnClient = null; - if (yarnURL == null || yarnURL.isEmpty()) { - LOG.error("Can not create YarnClient: yarnURL is empty"); - } else if (userName == null || userName.isEmpty()) { - LOG.error("Can not create YarnClient: YarnuserName is empty"); - } else if (password == null || password.isEmpty()) { - LOG.error("Can not create YarnClient: YarnPassWord is empty"); - } else { - yarnClient = new YarnClient(yarnURL, userName, password); - } - return yarnClient; + + public static YarnClient getYarnClient(String serviceName, Map configs) { + return new YarnClient(serviceName, configs); } } 
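Review bot: The new `yarnClient = new YarnClient (serviceName, configs);` in YarnClient.getYarnClient, and the matching one-liner `return new YarnClient(serviceName, configs);` in the YarnConnectionMgr hunk below it, drop the checks that used to reject an empty `yarn.url`, `username` or `password` and return null instead, so that validation now has to live in the `YarnClient(String, Map)` constructor, which is not part of this diff. If that constructor does not reject missing values, the `if (yarnClient != null)` guard in the YarnResourceMgr hunk that follows can no longer fire and a misconfigured service only fails at the first HTTP call, presumably with a less specific error than the old `Can not create YarnClient: ...` messages. Either keep the three checks in YarnConnectionMgr.getYarnClient or state the contract on it, e.g. `/** Creates a client for serviceName; the YarnClient constructor is responsible for validating yarn.url, username and password. */`. The enclosing getYarnClient in YarnClient.java starts before the `@@ -243` hunk.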
diff --git a/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnResourceMgr.java b/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnResourceMgr.java index 95d29c0817c..97fdf190934 100644 --- a/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnResourceMgr.java +++ b/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnResourceMgr.java @@ -65,23 +65,17 @@ public static List getYarnResources(String serviceName, Map getYarnResource(String url, String username, String password,String yarnQueueName, List yarnQueueList) { - final YarnClient yarnClient = YarnConnectionMgr.getYarnClient(url, username, password); + public static List getYarnResource(String serviceName, Map configs, String yarnQueueName, List yarnQueueList) { + final YarnClient yarnClient = YarnConnectionMgr.getYarnClient(serviceName, configs); List topologyList = null; if (yarnClient != null) { synchronized(yarnClient) { From 371293af2c2868e54afeab5a87ed259f72448575 Mon Sep 17 00:00:00 2001 From: Gautam Borad Date: Mon, 17 Aug 2015 09:19:03 +0530 Subject: [PATCH 121/202] RANGER-607 : Allow to create multiple policy items for same user or group Signed-off-by: Madhan Neethiraj (cherry picked from commit 13cdf4fb66fbc490bceafce6b9b6fed966e4bb35) --- .../webapp/scripts/views/policies/PermissionList.js | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/security-admin/src/main/webapp/scripts/views/policies/PermissionList.js b/security-admin/src/main/webapp/scripts/views/policies/PermissionList.js index 0cba319728b..b3922482784 100644 --- a/security-admin/src/main/webapp/scripts/views/policies/PermissionList.js +++ b/security-admin/src/main/webapp/scripts/views/policies/PermissionList.js 
@@ -358,11 +358,11 @@ define(function(require) {
 getSelectdValues : function($select, typeGroup){
 var vals = [],selectedVals = [];
 var name = typeGroup ? 'group' : 'user';
- this.collection.each(function(m){
- if(!_.isUndefined(m.get(name+'Name')) && !_.isNull(m.get(name+'Name'))){
- vals.push.apply(vals, m.get(name+'Name').split(','));
- }
- });
+// this.collection.each(function(m){
+// if(!_.isUndefined(m.get(name+'Name')) && !_.isNull(m.get(name+'Name'))){
+// vals.push.apply(vals, m.get(name+'Name').split(','));
+// }
+// });
 if(!_.isEmpty($select.select2('data')))
 selectedVals = _.map($select.select2('data'),function(obj){ return obj.text});
 vals.push.apply(vals , selectedVals);
From ad5393599c6acee4a4b2c8c902f23cd264fa9f29 Mon Sep 17 00:00:00 2001 From: Gautam Borad Date: Thu, 3 Dec 2015 09:25:38 +0530 Subject: [PATCH 122/202] RANGER-758 : Handle special characters in passwords starting from -r Signed-off-by: Velmurugan Periasamy
--- .../src/main/java/org/apache/util/sql/Jisql.java | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/jisql/src/main/java/org/apache/util/sql/Jisql.java b/jisql/src/main/java/org/apache/util/sql/Jisql.java
index cf7563c7130..fe8dc425286 100644
--- a/jisql/src/main/java/org/apache/util/sql/Jisql.java
+++ b/jisql/src/main/java/org/apache/util/sql/Jisql.java
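Review bot: The `this.collection.each(...)` block is commented out rather than deleted, which leaves dead code in getSelectdValues and makes `var name = typeGroup ? 'group' : 'user';` an unused local, since `name` is referenced only inside the commented lines. Remove the five `//` lines together with the `name` declaration; the history already keeps the old membership check if it is ever wanted back. With that block gone `vals` only ever receives `selectedVals`, so the remaining `vals.push.apply(vals , selectedVals);` shuffle could be collapsed to using the mapped array directly. getSelectdValues continues past the end of the hunk.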
@@ -588,6 +588,16 @@ public void parseArgs(String argv[]) throws Throwable { // walk through the list once to find the formatter. then, use the // command line parser to do it "for real" // + String passwordValue=null; + for (int argumentIndex = 0; argumentIndex < argv.length; argumentIndex++) { + if ("-p".equalsIgnoreCase(argv[argumentIndex]) || "-password".equalsIgnoreCase(argv[argumentIndex]) ) { + if(argv.length>argumentIndex + 1){ + passwordValue=argv[argumentIndex + 1]; + argv[argumentIndex + 1]=""; + break; + } + } + } for (int argumentIndex = 0; argumentIndex < argv.length; argumentIndex++) { if (argv[argumentIndex].equals("-formatter")) { formatterClassName = argv[argumentIndex + 1]; @@ -677,10 +687,7 @@ else if (driverName.compareToIgnoreCase("sybasesajdbc4") == 0) else if (options.has("u")) userName = (String) options.valueOf("u"); - if (options.has("password")) - password = (String) options.valueOf("password"); - else if (options.has("p")) - password = (String) options.valueOf("p"); + password=passwordValue; if (options.has("driverinfo")) printDriverDetails = true; From 740fa9514fa59e2e9a07ad5110f8844551b37d5e Mon Sep 17 00:00:00 2001 From: Gautam Borad Date: Thu, 3 Dec 2015 10:20:59 +0530 Subject: [PATCH 123/202] RANGER-761 : Transaction logs not getting generated under audit menu admin tab if policy name is changed --- .../ranger/service/RangerPolicyService.java | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyService.java b/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyService.java index d853972483b..aaadea71163 100644 --- a/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyService.java +++ b/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyService.java @@ -53,6 +53,7 @@ public class RangerPolicyService extends RangerPolicyServiceBase trxLogAttrs = new HashMap(); String actionCreate; 
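Review bot: `password=passwordValue;` in the `@@ -677` hunk assigns unconditionally, whereas the lines it replaces set `password` only when `-password` or `-p` was present, so a run with neither option now overwrites the field with null; if `password` carries an initial value elsewhere in parseArgs that is a behaviour change, and `if (passwordValue != null) { password = passwordValue; }` keeps the old semantics. In the pre-scan of the `@@ -588` hunk the `break` means only the first `-p`/`-password` is captured and blanked, so a repeated option later in argv still reaches the option parser with its raw value, and `"-p".equalsIgnoreCase(...)` also claims `-P`, which matters only if that is a distinct option. A `-p` given as the last argument silently leaves `passwordValue` null instead of reporting the missing value. parseArgs begins before the first hunk and continues past the second.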
@@ -178,6 +179,8 @@ private XXTrxLog processFieldToCreateTrxLog(Field field, String objectName,
 value = processPolicyResourcesForTrxLog(field.get(vObj));
 } else if (fieldName.equalsIgnoreCase(POLICY_ITEM_CLASS_FIELD_NAME)) {
 value = processPolicyItemsForTrxLog(field.get(vObj));
+ } else if (fieldName.equalsIgnoreCase(POLICY_NAME_CLASS_FIELD_NAME)){
+ value = processPolicyNameForTrxLog(field.get(vObj));
 } else {
 value = "" + field.get(vObj);
 }
@@ -216,6 +219,10 @@ private XXTrxLog processFieldToCreateTrxLog(Field field, String objectName,
 if (oldPolicy != null) {
 oldValue = processPolicyItemsForTrxLog(oldPolicy.getPolicyItems());
 }
+ } else if (fieldName.equalsIgnoreCase(POLICY_NAME_CLASS_FIELD_NAME)){
+ if (oldPolicy != null) {
+ oldValue = processPolicyNameForTrxLog(oldPolicy.getName());
+ }
 }
 if (oldValue == null || value.equalsIgnoreCase(oldValue)) {
 return null;
@@ -229,6 +236,11 @@ private XXTrxLog processFieldToCreateTrxLog(Field field, String objectName,
 if(compareTwoPolicyItemList(value, oldValue)) {
 return null;
 }
+ } else if (fieldName.equalsIgnoreCase(POLICY_NAME_CLASS_FIELD_NAME)) {
+ //compare old and new policyName
+ if(compareTwoPolicyName(value, oldValue)) {
+ return null;
+ }
 }
 xTrxLog.setPreviousValue(oldValue);
 xTrxLog.setNewValue(value);
@@ -368,4 +380,27 @@ private String processPolicyResourcesForTrxLog(Object value) {
 return ret;
 }
+ private boolean compareTwoPolicyName(String value, String oldValue) {
+ if (value==null && oldValue==null) {
+ return org.apache.commons.lang.StringUtils.equals(value, oldValue);
+ }
+ if (value!=null && oldValue!=null && value.trim().isEmpty() && oldValue.trim().isEmpty()) {
+ return true;
+ }
+ if (stringUtil.isEmpty(value) || stringUtil.isEmpty(oldValue)) {
+ return false;
+ }
+ if(!value.equals(oldValue)) {
+ return false;
+ }
+ return true;
+ }
+
+ private String processPolicyNameForTrxLog(Object value) {
+ if (value == null) {
+ return "";
+ }
+ String name = (String) value;
+ return name;
+ }
 }
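Review bot: In compareTwoPolicyName (the `@@ -368` hunk) the branch `return org.apache.commons.lang.StringUtils.equals(value, oldValue);` is reached only when both arguments are null, so it always yields true and can simply be `return true;`, and processPolicyNameForTrxLog reduces to `return value == null ? "" : (String) value;`. The only call site, in the `@@ -229` hunk, appears to sit after the context check `if (oldValue == null || value.equalsIgnoreCase(oldValue)) { return null; }` from the `@@ -216` hunk, so by the time compareTwoPolicyName runs `value.equals(oldValue)` is already known to be false; the method can then return true only for two distinct whitespace-only names, and a rename that differs only in case is never logged — consistent with the other fields, but worth stating, e.g. `// reached only when value and oldValue already differ ignoring case; treats two blank names as unchanged`. processFieldToCreateTrxLog starts and ends outside these hunks.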
From 56c91929c400a12cd478407d52e2be880d395240 Mon Sep 17 00:00:00 2001 From: Alok Lal Date: Fri, 4 Dec 2015 00:08:32 -0800 Subject: [PATCH 124/202] RANGER-737 Kafka plugin: add create/delete operation types added as via RANGER-737 to service-def --- .../service-defs/ranger-servicedef-kafka.json | 15 +++++++++++++-- .../kafka/authorizer/RangerKafkaAuthorizer.java | 3 +++ .../kafka/authorizer/RangerKafkaAuthorizer.java | 4 ++-- 3 files changed, 18 insertions(+), 4 deletions(-) diff --git a/agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json b/agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json index bf7a4df5ad2..839d7806d01 100644 --- a/agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json +++ b/agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json @@ -60,6 +60,16 @@ "name":"describe", "label":"Describe" }, + { + "itemId":8, + "name":"create", + "label":"Create" + }, + { + "itemId":9, + "name":"delete", + "label":"Delete" + }, { "itemId":7, "name":"kafka_admin", @@ -68,11 +78,12 @@ "publish", "consume", "configure", - "describe" + "describe", + "create", + "delete" ] } - ], "configs":[ { diff --git a/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java b/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java index 7ca12ce0966..2adf5d5e109 100644 --- a/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java +++ b/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java 
@@ -125,6 +125,9 @@ public boolean authorize(Session session, Operation operation,
 // TODO: If resource type if consumer group, then allow it by default
 if (resource.resourceType().equals(Group$.MODULE$)) {
+ if (logger.isDebugEnabled()) {
+ logger.debug("If resource type if consumer group, then we allow it by default! Returning true");
+ }
 return true;
 }
diff --git a/ranger-kafka-plugin-shim/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java b/ranger-kafka-plugin-shim/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
index 90b1ab006c9..644a223f430 100644
--- a/ranger-kafka-plugin-shim/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
+++ b/ranger-kafka-plugin-shim/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
@@ -126,7 +126,7 @@ public void close() {
 @Override
 public boolean authorize(Session session, Operation operation,Resource resource) {
 if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerKafkaAuthorizer.authorize(Session, Operation, Resource)");
+ LOG.debug(String.format("==> RangerKafkaAuthorizer.authorize(Session=%s, Operation=%s, Resource=%s)", session, operation, resource));
 }
 boolean ret = false;
@@ -140,7 +140,7 @@ public boolean authorize(Session session, Operation operation,Resource resource)
 }
 if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerKafkaAuthorizer.authorize(Session, Operation, Resource)");
+ LOG.debug("<== RangerKafkaAuthorizer.authorize: " + ret);
 }
 return ret;
From e9dd40803f2adc740776a973449dbc9509194a4e Mon Sep 17 00:00:00 2001 From: rmani Date: Fri, 4 Dec 2015 11:09:51 -0800 Subject: [PATCH 125/202] RANGER-766:Yarn Plugin Config hadoop.security.authentication should be non-mandatory with default value
--- .../src/main/resources/service-defs/ranger-servicedef-yarn.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
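Review bot: The new debug message in RangerKafkaAuthorizer.authorize repeats the typo of the TODO above it ("If resource type if consumer group") and reads as a condition rather than a statement of what happened; suggest `logger.debug("Resource type is consumer group; allowing by default (see TODO). Returning true");`. Because this `return true` short-circuits authorization for every Group resource before anything else in the method runs, this debug line is presumably the only trace of the decision, so the TODO should also say that these requests bypass the normal (audited) evaluation. In the shim hunk `@@ -126`, `String.format(..., session, operation, resource)` writes whatever `Session.toString()` exposes into the debug log; fine at DEBUG, but worth a comment if those logs are shipped off-host. authorize continues past the end of each hunk.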
diff --git a/agents-common/src/main/resources/service-defs/ranger-servicedef-yarn.json b/agents-common/src/main/resources/service-defs/ranger-servicedef-yarn.json
index ff93dfe5700..53f9e186dda 100644
--- a/agents-common/src/main/resources/service-defs/ranger-servicedef-yarn.json
+++ b/agents-common/src/main/resources/service-defs/ranger-servicedef-yarn.json
@@ -85,7 +85,7 @@
 "name": "hadoop.security.authentication",
 "type": "enum",
 "subType": "authnType",
- "mandatory": true,
+ "mandatory": false,
 "validationRegEx":"",
 "validationMessage": "",
 "uiHint":"",
From 299cbfaef81afa10da2ba719871dcf78381833d4 Mon Sep 17 00:00:00 2001 From: Velmurugan Periasamy Date: Fri, 4 Dec 2015 19:41:56 -0500 Subject: [PATCH 126/202] RANGER-742 : Removed the dependency on groupUserMapSyncEnabled flag (Sailaja Polavarapu via Velmurugan Periasamy) Signed-off-by: Velmurugan Periasamy
--- .../process/LdapUserGroupBuilder.java | 21 ++++++++++++------- 1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java
index bb5fad5a3c3..99403d7bb40 100644
--- a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java
+++ b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java
@@ -473,8 +473,8 @@ public void updateSink(UserGroupSink sink) throws Throwable {
 private void getUserGroups(UserGroupSink sink) throws Throwable {
 NamingEnumeration groupSearchResultEnum = null;
 LOG.debug("Total No. of users saved = " + userGroupMap.size());
- if (groupSearchEnabled && groupUserMapSyncEnabled) {
- LOG.info("groupSearch and groupUserMapSync are enabled, would search for groups and compute memberships");
+ if (groupSearchEnabled) {
+ LOG.info("groupSearch is enabled, would search for groups and compute memberships");
 createLdapContext();
 }
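Review bot: The yarn service-def hunk only flips `"mandatory": true` to `false`; the default value the commit subject refers to does not appear in the seven lines shown, so either it is set outside the hunk or the plugin now has to cope with `hadoop.security.authentication` being absent from the service configs. Carrying the intended default in the service-def itself (a `defaultValue` entry, if this schema provides one for enum configs) keeps the admin UI and the plugin's fallback in agreement rather than relying on a code-side default alone. Worth confirming before merge, since this setting decides how the plugin authenticates to YARN.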
@@ -482,10 +482,8 @@ private void getUserGroups(UserGroupSink sink) throws Throwable { while(userInfoIterator.hasNext()) { UserInfo userInfo = userInfoIterator.next(); String userName = userInfo.getUserName(); - if (groupSearchEnabled && groupUserMapSyncEnabled) { - //LOG.info("groupSearch and groupUserMapSync are enabled, would search for groups and compute memberships"); + if (groupSearchEnabled) { try { - groupSearchResultEnum = ldapContext .search(groupSearchBase, extendedGroupSearchFilter, new Object[]{userInfo.getUserFullName()}, @@ -494,8 +492,15 @@ private void getUserGroups(UserGroupSink sink) throws Throwable { while (groupSearchResultEnum.hasMore()) { final SearchResult groupEntry = groupSearchResultEnum.next(); if (groupEntry != null) { - String gName = (String) groupEntry.getAttributes() - .get(groupNameAttribute).get(); + Attribute groupNameAttr = groupEntry.getAttributes() != null? groupEntry.getAttributes().get(groupNameAttribute) : null; + if (groupNameAttr == null) { + if (LOG.isInfoEnabled()) { + LOG.info(groupNameAttribute + " empty for entry " + groupEntry.getNameInNamespace() + + ", skipping sync"); + } + continue; + } + String gName = (String) groupNameAttr.get(); if (groupNameCaseConversionFlag) { if (groupNameLowerCaseFlag) { gName = gName.toLowerCase(); @@ -529,7 +534,7 @@ private void getUserGroups(UserGroupSink sink) throws Throwable { + ", groups: " + groupList); } } - if (groupSearchEnabled && groupUserMapSyncEnabled) { + if (groupSearchEnabled) { closeLdapContext(); } } From 053fccc52329062169a08c057bf398bcdb5fde74 Mon Sep 17 00:00:00 2001 From: Sailaja Polavarapu Date: Fri, 4 Dec 2015 14:11:36 -0800 Subject: [PATCH 127/202] Ranger-767: Refactored org.apache.ranger.ldapusersync.process.PolicyMgrUserGroupBuilder to extend from org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder in order to remove code duplication and support backward compatibility. 
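Review bot: The new guard in the `@@ -494` hunk only covers a missing attribute; `groupNameAttr.get()` on an attribute that is present but has no values throws NoSuchElementException, and the unchanged `(String)` cast fails on a non-String (for example binary) value, so such an entry still aborts the loop instead of being skipped like the null case. Consider `Object gNameValue = groupNameAttr.size() > 0 ? groupNameAttr.get() : null;` and skipping with the same info-level message when it is null or not a String. `groupEntry.getNameInNamespace()` inside the log call can itself throw UnsupportedOperationException when the provider cannot supply a full name, which would turn the skip path into a failure; `groupEntry.getName()` is the safer choice there (hedged — depends on the LDAP provider in use). getUserGroups starts and ends outside the hunk.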
Signed-off-by: Velmurugan Periasamy --- .../process/PolicyMgrUserGroupBuilder.java | 684 +----------------- 1 file changed, 3 insertions(+), 681 deletions(-) diff --git a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/PolicyMgrUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/PolicyMgrUserGroupBuilder.java index c99f7a0ac75..7271df3c989 100644 --- a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/PolicyMgrUserGroupBuilder.java +++ b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/PolicyMgrUserGroupBuilder.java 
@@ -19,700 +19,22 @@ package org.apache.ranger.ldapusersync.process; -import java.io.File; -import java.io.FileInputStream; -import java.io.FileNotFoundException; -import java.io.InputStream; -import java.net.UnknownHostException; -import java.security.KeyStore; -import java.security.SecureRandom; -import java.util.ArrayList; -import java.util.HashMap; import java.util.List; -import java.util.regex.Pattern; -import javax.net.ssl.HostnameVerifier; -import javax.net.ssl.KeyManager; -import javax.net.ssl.KeyManagerFactory; -import javax.net.ssl.SSLContext; -import javax.net.ssl.SSLSession; -import javax.net.ssl.TrustManager; -import javax.net.ssl.TrustManagerFactory; -import javax.ws.rs.core.MediaType; - -import org.apache.log4j.Level; -import org.apache.log4j.Logger; -import org.apache.ranger.unixusersync.config.UserGroupSyncConfig; -import org.apache.ranger.unixusersync.model.GetXGroupListResponse; -import org.apache.ranger.unixusersync.model.GetXUserGroupListResponse; -import org.apache.ranger.unixusersync.model.GetXUserListResponse; -import org.apache.ranger.unixusersync.model.MUserInfo; -import org.apache.ranger.unixusersync.model.XGroupInfo; -import org.apache.ranger.unixusersync.model.XUserGroupInfo; -import org.apache.ranger.unixusersync.model.XUserInfo; -import org.apache.ranger.usergroupsync.UserGroupSink; - -import com.google.gson.Gson; -import com.google.gson.GsonBuilder; -import com.sun.jersey.api.client.Client; -import com.sun.jersey.api.client.ClientResponse; -import com.sun.jersey.api.client.WebResource; -import com.sun.jersey.api.client.config.ClientConfig; -import com.sun.jersey.api.client.config.DefaultClientConfig; -import com.sun.jersey.api.client.filter.HTTPBasicAuthFilter; -import com.sun.jersey.client.urlconnection.HTTPSProperties; - -public class PolicyMgrUserGroupBuilder implements UserGroupSink { - - private static final Logger LOG = Logger.getLogger(PolicyMgrUserGroupBuilder.class) ; - - public static final String PM_USER_LIST_URI = 
"/service/xusers/users/" ; // GET - private static final String PM_ADD_USER_URI = "/service/xusers/users/" ; // POST - - public static final String PM_GROUP_LIST_URI = "/service/xusers/groups/" ; // GET - private static final String PM_ADD_GROUP_URI = "/service/xusers/groups/" ; // POST - - public static final String PM_USER_GROUP_MAP_LIST_URI = "/service/xusers/groupusers/" ; // GET - private static final String PM_ADD_USER_GROUP_LINK_URI = "/service/xusers/groupusers/" ; // POST - - private static final String PM_DEL_USER_GROUP_LINK_URI = "/service/xusers/group/${groupName}/user/${userName}" ; // DELETE - - private static final String PM_ADD_LOGIN_USER_URI = "/service/users/default" ; // POST - - private static String LOCAL_HOSTNAME = "unknown" ; - private String recordsToPullPerCall = "1000" ; - private boolean isMockRun = false ; - private String policyMgrBaseUrl ; - - private UserGroupSyncConfig config = UserGroupSyncConfig.getInstance() ; - - private List xgroupList = new ArrayList() ; - private List xuserList = new ArrayList() ; - private List xusergroupList = new ArrayList() ; - private HashMap userId2XUserInfoMap = new HashMap() ; - private HashMap userName2XUserInfoMap = new HashMap() ; - private HashMap groupName2XGroupInfoMap = new HashMap() ; - - private String keyStoreFile = null ; - private String keyStoreFilepwd = null; - private String trustStoreFile = null ; - private String trustStoreFilepwd = null ; - private String keyStoreType = null ; - private String trustStoreType = null ; - private HostnameVerifier hv = null ; - - private SSLContext sslContext = null ; - - - static { - try { - LOCAL_HOSTNAME = java.net.InetAddress.getLocalHost().getHostName(); - } catch (UnknownHostException e) { - LOCAL_HOSTNAME = "unknown" ; - } - } - +public class PolicyMgrUserGroupBuilder extends org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder { public static void main(String[] args) throws Throwable { PolicyMgrUserGroupBuilder ugbuilder = new 
PolicyMgrUserGroupBuilder() ; ugbuilder.init() ; -// ugbuilder.print(); -// ugbuilder.addMUser("testuser") ; -// ugbuilder.addXUserInfo("testuser") ; -// ugbuilder.addXGroupInfo("testgroup") ; -// XUserInfo u = ugbuilder.addXUserInfo("testuser") ; -// XGroupInfo g = ugbuilder.addXGroupInfo("testgroup") ; -// ugbuilder.addXUserGroupInfo(u, g) ; } - public synchronized void init() throws Throwable { - recordsToPullPerCall = config.getMaxRecordsPerAPICall() ; - policyMgrBaseUrl = config.getPolicyManagerBaseURL() ; - isMockRun = config.isMockRunEnabled() ; - - if (isMockRun) { - LOG.setLevel(Level.DEBUG) ; - } - - keyStoreFile = config.getSSLKeyStorePath() ; - keyStoreFilepwd = config.getSSLKeyStorePathPassword() ; - trustStoreFile = config.getSSLTrustStorePath() ; - trustStoreFilepwd = config.getSSLTrustStorePathPassword() ; - keyStoreType = KeyStore.getDefaultType() ; - trustStoreType = KeyStore.getDefaultType() ; - - buildUserGroupInfo() ; - } - - private void buildUserGroupInfo() throws Throwable { - buildGroupList(); - buildUserList(); - buildUserGroupLinkList() ; - rebuildUserGroupMap() ; - if (LOG.isDebugEnabled()) { - this.print(); - } - } - - private String getURL(String uri) { - String ret = null ; - ret = policyMgrBaseUrl + (uri.startsWith("/") ? uri : ("/" + uri)) ; - return ret; - } - - - - private void rebuildUserGroupMap() { - - List newUsers = new ArrayList(); - for(XUserInfo user : xuserList) { - addUserToList(user, newUsers); - } - xuserList.addAll(newUsers); - - List newGroups = new ArrayList(); - for(XGroupInfo group : xgroupList) { - addGroupToList(group, newGroups); - } - xgroupList.addAll(newGroups); - - for(XUserGroupInfo ug : xusergroupList) { - addUserGroupToList(ug); - } - } - - - private void addUserToList(XUserInfo aUserInfo, List newUsers) { - if (! 
xuserList.contains(aUserInfo)) { - newUsers.add(aUserInfo); - } - - String userId = aUserInfo.getId() ; - - if (userId != null) { - userId2XUserInfoMap.put(userId, aUserInfo) ; - } - - String userName = aUserInfo.getName(); - - if (userName != null) { - userName2XUserInfoMap.put(userName, aUserInfo) ; - } - } - - - private void addGroupToList(XGroupInfo aGroupInfo, List newGroups) { - - if (! xgroupList.contains(aGroupInfo) ) { - newGroups.add(aGroupInfo); - } - - if (aGroupInfo.getName() != null) { - groupName2XGroupInfoMap.put(aGroupInfo.getName(), aGroupInfo) ; - } - + super.init(); } - - private void addUserGroupToList(XUserGroupInfo ugInfo) { - String userId = ugInfo.getUserId() ; - - if (userId != null) { - XUserInfo user = userId2XUserInfoMap.get(userId) ; - - if (user != null) { - List groups = user.getGroups() ; - if (! groups.contains(ugInfo.getGroupName())) { - groups.add(ugInfo.getGroupName()) ; - } - } - } - } - - private void delUserGroupFromList(XUserInfo userInfo, XGroupInfo groupInfo) { - List groups = userInfo.getGroups() ; - if (groups.contains(groupInfo.getName())) { - groups.remove(groupInfo.getName()) ; - } - } - - private void print() { - LOG.debug("Number of users read [" + xuserList.size() + "]"); - for(XUserInfo user : xuserList) { - LOG.debug("USER: " + user.getName()) ; - for(String group : user.getGroups()) { - LOG.debug("\tGROUP: " + group) ; - } - } - } - @Override public void addOrUpdateUser(String userName, List groups) { - XUserInfo user = userName2XUserInfoMap.get(userName) ; - - if (groups == null) { - groups = new ArrayList() ; - } - - if (user == null) { // Does not exists - LOG.debug("INFO: addPMAccount(" + userName + ")" ) ; - if (! isMockRun) { - addMUser(userName) ; - } - - LOG.debug("INFO: addPMXAUser(" + userName + ")" ) ; - if (! isMockRun) { - user = addXUserInfo(userName) ; - } - - for(String g : groups) { - LOG.debug("INFO: addPMXAGroupToUser(" + userName + "," + g + ")" ) ; - } - if (! 
isMockRun ) { - addXUserGroupInfo(user, groups) ; - } - } - else { // Validate group memberships - List oldGroups = user.getGroups() ; - - List addGroups = new ArrayList() ; - List delGroups = new ArrayList() ; - - for(String group : groups) { - if (! oldGroups.contains(group)) { - addGroups.add(group) ; - } - } - - for(String group : oldGroups) { - if (! groups.contains(group) ) { - delGroups.add(group) ; - } - } - - for(String g : addGroups) { - LOG.debug("INFO: addPMXAGroupToUser(" + userName + "," + g + ")" ) ; - } - if (! isMockRun) { - addXUserGroupInfo(user, addGroups) ; - } - - for(String g : delGroups) { - LOG.debug("INFO: delPMXAGroupFromUser(" + userName + "," + g + ")" ) ; - } - - if (! isMockRun ) { - delXUserGroupInfo(user, delGroups) ; - } - - } - } - - - private void buildGroupList() { - - Client c = getClient() ; - - int totalCount = 100 ; - int retrievedCount = 0 ; - - while (retrievedCount < totalCount) { - - WebResource r = c.resource(getURL(PM_GROUP_LIST_URI)) - .queryParam("pageSize", recordsToPullPerCall) - .queryParam("startIndex", String.valueOf(retrievedCount)) ; - - String response = r.accept(MediaType.APPLICATION_JSON_TYPE).get(String.class); - - LOG.debug("RESPONSE: [" + response + "]") ; - - Gson gson = new GsonBuilder().create() ; - - GetXGroupListResponse groupList = gson.fromJson(response, GetXGroupListResponse.class) ; - - totalCount = groupList.getTotalCount() ; - - if (groupList.getXgroupInfoList() != null) { - xgroupList.addAll(groupList.getXgroupInfoList()) ; - retrievedCount = xgroupList.size() ; - - for(XGroupInfo g : groupList.getXgroupInfoList()) { - LOG.debug("GROUP: Id:" + g.getId() + ", Name: " + g.getName() + ", Description: " + g.getDescription()) ; - } - } - } - + super.addOrUpdateUser(userName, groups); } - - - private void buildUserList() { - - Client c = getClient() ; - - int totalCount = 100 ; - int retrievedCount = 0 ; - - while (retrievedCount < totalCount) { - - WebResource r = 
c.resource(getURL(PM_USER_LIST_URI)) - .queryParam("pageSize", recordsToPullPerCall) - .queryParam("startIndex", String.valueOf(retrievedCount)) ; - - String response = r.accept(MediaType.APPLICATION_JSON_TYPE).get(String.class); - - Gson gson = new GsonBuilder().create() ; - - LOG.debug("RESPONSE: [" + response + "]") ; - - GetXUserListResponse userList = gson.fromJson(response, GetXUserListResponse.class) ; - - totalCount = userList.getTotalCount() ; - - if (userList.getXuserInfoList() != null) { - xuserList.addAll(userList.getXuserInfoList()) ; - retrievedCount = xuserList.size() ; - - for(XUserInfo u : userList.getXuserInfoList()) { - LOG.debug("USER: Id:" + u.getId() + ", Name: " + u.getName() + ", Description: " + u.getDescription()) ; - } - } - } - - } - - - private void buildUserGroupLinkList() { - - Client c = getClient() ; - - int totalCount = 100 ; - int retrievedCount = 0 ; - - while (retrievedCount < totalCount) { - - WebResource r = c.resource(getURL(PM_USER_GROUP_MAP_LIST_URI)) - .queryParam("pageSize", recordsToPullPerCall) - .queryParam("startIndex", String.valueOf(retrievedCount)) ; - - String response = r.accept(MediaType.APPLICATION_JSON_TYPE).get(String.class); - - LOG.debug("RESPONSE: [" + response + "]") ; - - Gson gson = new GsonBuilder().create() ; - - GetXUserGroupListResponse usergroupList = gson.fromJson(response, GetXUserGroupListResponse.class) ; - - totalCount = usergroupList.getTotalCount() ; - - if (usergroupList.getXusergroupInfoList() != null) { - xusergroupList.addAll(usergroupList.getXusergroupInfoList()) ; - retrievedCount = xusergroupList.size() ; - - for(XUserGroupInfo ug : usergroupList.getXusergroupInfoList()) { - LOG.debug("USER_GROUP: UserId:" + ug.getUserId() + ", Name: " + ug.getGroupName()) ; - } - } - } - - } - - - - private XUserInfo addXUserInfo(String aUserName) { - XUserInfo ret = null ; - - XUserInfo addUser = new XUserInfo() ; - addUser.setName(aUserName); - addUser.setDescription(aUserName + " - add from Unix 
box") ; - - Client c = getClient() ; - - WebResource r = c.resource(getURL(PM_ADD_USER_URI)) ; - - Gson gson = new GsonBuilder().create() ; - - String jsonString = gson.toJson(addUser) ; - - String response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class, jsonString) ; - - LOG.debug("RESPONSE: [" + response + "]") ; - - ret = gson.fromJson(response, XUserInfo.class) ; - - if (ret != null) { - addUserToList(ret, xuserList); - } - - return ret ; - } - - private XGroupInfo addXGroupInfo(String aGroupName) { - - XGroupInfo ret = null ; - - XGroupInfo addGroup = new XGroupInfo() ; - addGroup.setName(aGroupName); - addGroup.setDescription(aGroupName + " - add from Unix box") ; - addGroup.setGroupType("1") ; - - Client c = getClient() ; - - WebResource r = c.resource(getURL(PM_ADD_GROUP_URI)) ; - - Gson gson = new GsonBuilder().create() ; - - String jsonString = gson.toJson(addGroup) ; - - String response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class, jsonString) ; - - LOG.debug("RESPONSE: [" + response + "]") ; - - ret = gson.fromJson(response, XGroupInfo.class) ; - - if (ret != null) { - addGroupToList(ret, xgroupList); - } - - return ret ; - } - - - - private void addXUserGroupInfo(XUserInfo aUserInfo, List aGroupList) { - for(String groupName : aGroupList) { - XGroupInfo group = groupName2XGroupInfoMap.get(groupName) ; - if (group == null) { - group = addXGroupInfo(groupName) ; - } - addXUserGroupInfo(aUserInfo, group) ; - } - } - - private XUserGroupInfo addXUserGroupInfo(XUserInfo aUserInfo, XGroupInfo aGroupInfo) { - - XUserGroupInfo ret = null ; - - XUserGroupInfo ugInfo = new XUserGroupInfo() ; - - ugInfo.setUserId(aUserInfo.getId()); - ugInfo.setGroupName(aGroupInfo.getName()) ; - // ugInfo.setParentGroupId("1"); - - Client c = getClient() ; - - WebResource r = c.resource(getURL(PM_ADD_USER_GROUP_LINK_URI)) ; - - Gson gson = new GsonBuilder().create() ; - - 
String jsonString = gson.toJson(ugInfo) ; - - String response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class, jsonString) ; - - LOG.debug("RESPONSE: [" + response + "]") ; - - ret = gson.fromJson(response, XUserGroupInfo.class) ; - - if (ret != null) { - addUserGroupToList(ret); - } - - return ret ; - - } - - private void delXUserGroupInfo(XUserInfo aUserInfo, List aGroupList) { - for(String groupName : aGroupList) { - XGroupInfo group = groupName2XGroupInfoMap.get(groupName) ; - if (group != null) { - delXUserGroupInfo(aUserInfo, group) ; - } - } - } - - private void delXUserGroupInfo(XUserInfo aUserInfo, XGroupInfo aGroupInfo) { - - Client c = getClient() ; - - String uri = PM_DEL_USER_GROUP_LINK_URI.replaceAll(Pattern.quote("${groupName}"), aGroupInfo.getName()).replaceAll(Pattern.quote("${userName}"), aUserInfo.getName()) ; - - WebResource r = c.resource(getURL(uri)) ; - - ClientResponse response = r.delete(ClientResponse.class) ; - - LOG.debug("RESPONSE: [" + response.toString() + "]") ; - - - if (response.getStatus() == 200) { - delUserGroupFromList(aUserInfo, aGroupInfo) ; - } - - } - - - private MUserInfo addMUser(String aUserName) { - - MUserInfo ret = null ; - - MUserInfo userInfo = new MUserInfo() ; - - userInfo.setLoginId(aUserName); - userInfo.setFirstName(aUserName); - userInfo.setLastName(aUserName); - userInfo.setEmailAddress(aUserName + "@" + LOCAL_HOSTNAME); - - Client c = getClient() ; - - WebResource r = c.resource(getURL(PM_ADD_LOGIN_USER_URI)) ; - - Gson gson = new GsonBuilder().create() ; - - String jsonString = gson.toJson(userInfo) ; - - String response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class, jsonString) ; - - LOG.debug("RESPONSE[" + response + "]") ; - - ret = gson.fromJson(response, MUserInfo.class) ; - - LOG.debug("MUser Creation successful " + ret); - - return ret ; - - } - - - private synchronized Client getClient() { - - 
Client ret = null; - - if (policyMgrBaseUrl.startsWith("https://")) { - - ClientConfig config = new DefaultClientConfig(); - - if (sslContext == null) { - - try { - - KeyManager[] kmList = null; - TrustManager[] tmList = null; - - if (keyStoreFile != null && keyStoreFilepwd != null) { - - KeyStore keyStore = KeyStore.getInstance(keyStoreType); - InputStream in = null ; - try { - in = getFileInputStream(keyStoreFile) ; - if (in == null) { - LOG.error("Unable to obtain keystore from file [" + keyStoreFile + "]"); - return ret ; - } - keyStore.load(in, keyStoreFilepwd.toCharArray()); - KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); - keyManagerFactory.init(keyStore, keyStoreFilepwd.toCharArray()); - kmList = keyManagerFactory.getKeyManagers(); - } - finally { - if (in != null) { - in.close(); - } - } - - } - - if (trustStoreFile != null && trustStoreFilepwd != null) { - - KeyStore trustStore = KeyStore.getInstance(trustStoreType); - InputStream in = null ; - try { - in = getFileInputStream(trustStoreFile) ; - if (in == null) { - LOG.error("Unable to obtain keystore from file [" + trustStoreFile + "]"); - return ret ; - } - trustStore.load(in, trustStoreFilepwd.toCharArray()); - TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); - trustManagerFactory.init(trustStore); - tmList = trustManagerFactory.getTrustManagers(); - } - finally { - if (in != null) { - in.close() ; - } - } - } - - sslContext = SSLContext.getInstance("SSL"); - - sslContext.init(kmList, tmList, new SecureRandom()); - - hv = new HostnameVerifier() { - public boolean verify(String urlHostName, SSLSession session) { - return session.getPeerHost().equals(urlHostName); - } - }; - } - catch(Throwable t) { - throw new RuntimeException("Unable to create SSLConext for communication to policy manager", t); - } - - } - - 
config.getProperties().put(HTTPSProperties.PROPERTY_HTTPS_PROPERTIES, new HTTPSProperties(hv, sslContext)); - - ret = Client.create(config); - - - } - else { - ClientConfig cc = new DefaultClientConfig(); - cc.getProperties().put(ClientConfig.PROPERTY_FOLLOW_REDIRECTS, true); - ret = Client.create(cc); - } - if(ret!=null){ - String username = config.getPolicyMgrUserName(); - String password = config.getPolicyMgrPassword(); - if(username==null||password==null||username.trim().isEmpty()||password.trim().isEmpty()){ - username=config.getDefaultPolicyMgrUserName(); - password=config.getDefaultPolicyMgrPassword(); - } - if(username!=null && password!=null){ - ret.addFilter(new HTTPBasicAuthFilter(username, password)); - } - } - return ret ; - } - - private InputStream getFileInputStream(String path) throws FileNotFoundException { - - InputStream ret = null; - - File f = new File(path); - - if (f.exists()) { - ret = new FileInputStream(f); - } else { - ret = getClass().getResourceAsStream(path); - - if (ret == null) { - if (! path.startsWith("/")) { - ret = getClass().getResourceAsStream("/" + path); - } - } - - if (ret == null) { - ret = ClassLoader.getSystemClassLoader().getResourceAsStream(path) ; - if (ret == null) { - if (! path.startsWith("/")) { - ret = ClassLoader.getSystemResourceAsStream("/" + path); - } - } - } - } - - return ret; - } - - } From 6d4ea47f7817933e0033dd8047fa977c0cc032fe Mon Sep 17 00:00:00 2001 From: Sailaja Polavarapu Date: Fri, 4 Dec 2015 16:58:39 -0800 Subject: [PATCH 128/202] Ranger-767: Removed the init() & addOrUpdate() methods from derived class as they are redundant. Signed-off-by: Velmurugan Periasamy --- .../ldapusersync/process/PolicyMgrUserGroupBuilder.java | 9 --------- 1 file changed, 9 deletions(-) diff --git a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/PolicyMgrUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/PolicyMgrUserGroupBuilder.java index 7271df3c989..ea0b26a593c 100644 
--- a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/PolicyMgrUserGroupBuilder.java +++ b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/PolicyMgrUserGroupBuilder.java @@ -28,13 +28,4 @@ public static void main(String[] args) throws Throwable { ugbuilder.init() ; } - - public synchronized void init() throws Throwable { - super.init(); - } - - @Override - public void addOrUpdateUser(String userName, List groups) { - super.addOrUpdateUser(userName, groups); - } } From 5be2cdba7f9246625b12505070ea7764d4dba5dd Mon Sep 17 00:00:00 2001 From: Gautam Borad Date: Sun, 6 Dec 2015 02:04:32 +0530 Subject: [PATCH 129/202] RANGER-733 : Implement best coding practices to resolve issues found during code scan --- .../org/apache/ranger/db/XXTrxLogDao.java | 36 +++++++ .../patch/cliutil/XXTrxLogUpdateUtil.java | 102 ++++++++++++++++++ .../ranger/service/RangerPolicyService.java | 14 +-- .../resources/META-INF/jpa_named_queries.xml | 11 ++ 4 files changed, 150 insertions(+), 13 deletions(-) create mode 100644 security-admin/src/main/java/org/apache/ranger/patch/cliutil/XXTrxLogUpdateUtil.java diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXTrxLogDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXTrxLogDao.java index 63e0d6359d1..53443686ee1 100644 --- a/security-admin/src/main/java/org/apache/ranger/db/XXTrxLogDao.java +++ b/security-admin/src/main/java/org/apache/ranger/db/XXTrxLogDao.java 
@@ -63,5 +63,41 @@ public Long findMaxObjIdOfClassType(int classType) { return null; } } + public Long getMaxIdOfXXTrxLog(){ + Long maxXTrxLogID=new Long(0); + try { + maxXTrxLogID = (Long) getEntityManager() + .createNamedQuery("XXTrxLog.getMaxIdOfXXTrxLog", Long.class) + .getSingleResult(); + } catch (NoResultException e) { + logger.debug(e.getMessage()); + }finally{ + if(maxXTrxLogID==null){ + maxXTrxLogID=new Long(0); + } + } + return maxXTrxLogID; + } + + public int updateXTrxLog(long idFrom,long idTo,int objClassType,String attrName,String newValue){ + int rowAffected=-1; + if(objClassType == 0 ||attrName==null || newValue==null){ + return rowAffected; + } + try { + //idFrom and idTo both exclusive + rowAffected=getEntityManager().createNamedQuery("XXTrxLog.updateLogAttr", tClass) + .setParameter("idFrom", idFrom) + .setParameter("idTo", idTo) + .setParameter("objClassType", objClassType) + .setParameter("attrName", attrName) + .setParameter("newValue", newValue) + .executeUpdate(); + }catch (NoResultException e) { + logger.debug(e.getMessage()); + } + return rowAffected; + } + } diff --git a/security-admin/src/main/java/org/apache/ranger/patch/cliutil/XXTrxLogUpdateUtil.java b/security-admin/src/main/java/org/apache/ranger/patch/cliutil/XXTrxLogUpdateUtil.java new file mode 100644 index 00000000000..beafd1c50c5 --- /dev/null +++ b/security-admin/src/main/java/org/apache/ranger/patch/cliutil/XXTrxLogUpdateUtil.java 
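Review bot: The `catch (NoResultException e)` around `executeUpdate()` in `updateXTrxLog` is dead code: a bulk update returns a row count or throws a persistence exception of a different type, so that branch never runs and the `-1` default is only ever returned from the argument guard. Building the bulk UPDATE with the typed form `createNamedQuery("XXTrxLog.updateLogAttr", tClass)` is also questionable, since the result type argument implies a SELECT and some JPA providers reject it; the untyped `createNamedQuery("XXTrxLog.updateLogAttr")` is the conventional form for `executeUpdate()`. Both new methods lack Javadoc; `updateXTrxLog` should state that `idFrom` and `idTo` are both exclusive and that `-1` means the arguments were rejected and nothing was executed, so callers do not have to read the query to find out. The enclosing `XXTrxLogDao` class starts before this hunk.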
@@ -0,0 +1,102 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.ranger.patch.cliutil; + +import org.apache.log4j.Logger; +import org.apache.ranger.common.AppConstants; +import org.apache.ranger.db.RangerDaoManager; +import org.apache.ranger.patch.BaseLoader; +import org.apache.ranger.service.XPortalUserService; +import org.apache.ranger.biz.XUserMgr; +import org.apache.ranger.util.CLIUtil; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Component; + +@Component +public class XXTrxLogUpdateUtil extends BaseLoader { + private static Logger logger = Logger + .getLogger(XXTrxLogUpdateUtil.class); + + @Autowired + XUserMgr xUserMgr; + + @Autowired + XPortalUserService xPortalUserService; + + @Autowired + RangerDaoManager daoManager; + + public static void main(String[] args) { + logger.info("main()"); + try { + XXTrxLogUpdateUtil loader = (XXTrxLogUpdateUtil) CLIUtil + .getBean(XXTrxLogUpdateUtil.class); + + loader.init(); + while (loader.isMoreToProcess()) { + loader.load(); + } + logger.info("Load complete. 
Exiting!!!"); + System.exit(0); + } catch (Exception e) { + logger.error("Error loading", e); + System.exit(1); + } + } + + @Override + public void init() throws Exception { + // Do Nothing + } + + @Override + public void execLoad() { + logger.info("==> XTrxLogUpdate.execLoad() Start."); + updateXTrxLog(); + logger.info("<== XTrxLogUpdate.execLoad() End."); + } + + public void updateXTrxLog() { + long maxXTrxLogID = daoManager.getXXTrxLog().getMaxIdOfXXTrxLog(); + if(maxXTrxLogID==0){ + return; + } + long maxRowsPerBatch=10000; + //To ceil the actual division result i.e noOfBatches=maxXTrxLogID/maxRowsPerBatch + long noOfBatches=(maxXTrxLogID+maxRowsPerBatch-1)/maxRowsPerBatch; + long minRange=0; + long maxRange=maxXTrxLogID<=maxRowsPerBatch ? maxXTrxLogID : maxRowsPerBatch; + long startTimeInMS=0; + long timeTaken=0; + for(long index=1;index<=noOfBatches;index++){ + logger.info("Batch "+ index+" of total "+noOfBatches); + startTimeInMS=System.currentTimeMillis(); + //minRange and maxRange both exclusive, if we add +1 in maxRange + int rowsAffected=daoManager.getXXTrxLog().updateXTrxLog(minRange,maxRange+1,AppConstants.CLASS_TYPE_XA_USER,"Password",AppConstants.Masked_String); + timeTaken=(System.currentTimeMillis()-startTimeInMS); + logger.info(rowsAffected +" rows affected ("+timeTaken+" ms)"); + minRange=maxRange; + maxRange=maxRange+maxRowsPerBatch; + } + } + + @Override + public void printStats() { + } + +} diff --git a/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyService.java b/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyService.java index aaadea71163..4a14ab9bc81 100644 --- a/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyService.java +++ b/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyService.java 
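Review bot: The loop in `updateXTrxLog()` ignores the `-1` that `XXTrxLogDao.updateXTrxLog` returns when it rejects its arguments, logging it as "-1 rows affected" and carrying on, so a wrong class type or attribute name would turn the whole run into a silent no-op that still exits 0; treat a negative count as a failure, `if (rowsAffected < 0) { throw new IllegalStateException("batch " + index + " was not executed"); }`. `xUserMgr` and `xPortalUserService` are autowired but never used in this class and can be dropped. The class has no Javadoc; one sentence saying it backfills the masked string into the `newValue` column of existing Password entries for user objects, in batches of 10000 ids, would tell the next reader what this CLI utility is for, and since the named query it relies on only assigns `newValue`, whether `previousValue` intentionally keeps its stored value is worth stating there explicitly.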
@@ -381,19 +381,7 @@ private String processPolicyResourcesForTrxLog(Object value) { } private boolean compareTwoPolicyName(String value, String oldValue) { - if (value==null && oldValue==null) { - return org.apache.commons.lang.StringUtils.equals(value, oldValue); - } - if (value!=null && oldValue!=null && value.trim().isEmpty() && oldValue.trim().isEmpty()) { - return true; - } - if (stringUtil.isEmpty(value) || stringUtil.isEmpty(oldValue)) { - return false; - } - if(!value.equals(oldValue)) { - return false; - } - return true; + return org.apache.commons.lang.StringUtils.equals(value, oldValue); } private String processPolicyNameForTrxLog(Object value) { diff --git a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml index 65dd17f7d73..55c4f1c8bc6 100644 --- a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml +++ b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml @@ -656,4 +656,15 @@ xpu.id=:userId and gmp.isAllowed=:isAllowed + + select max(obj.id) from XXTrxLog obj + + + UPDATE XXTrxLog obj SET obj.newValue = :newValue + WHERE obj.id > :idFrom + AND obj.id < :idTo + AND obj.objectClassType = :objClassType + AND obj.attributeName = :attrName + + From a2b96f64e3b124236dd83c36f2a5c8ba6d185307 Mon Sep 17 00:00:00 2001 From: Alok Lal Date: Mon, 7 Dec 2015 17:30:07 -0800 Subject: [PATCH 130/202] RANGER-772 Hive plugin: IMPORT table should authorize database level create privilage if IMPORT can lead to table creation --- .../hive/authorizer/RangerHiveAuthorizer.java | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java index 7aaf8a18884..eb2ea1eb895 100644 
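Review bot: Collapsing `compareTwoPolicyName` to `StringUtils.equals` changes one case: two non-null, whitespace-only values that differ (for example `" "` and `""`) compared equal before, because both were trimmed to empty, and now compare unequal, so a policy rename consisting only of whitespace will produce a transaction-log entry where it previously did not. If that is intended, a comment such as `// exact match; blank-but-different names count as a change` documents it; if not, apply `trimToEmpty` to both arguments before `equals` to keep the old blank handling while still collapsing the method. The null-versus-empty result is unchanged (false in both versions).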
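Review bot: `XXTrxLog.updateLogAttr` assigns only `obj.newValue`, so for the Password rows this patch masks, `obj.previousValue` keeps whatever was stored; the Password branch of `RangerBizUtil.createTrxLog` in a later patch of this series inspects `getPreviousValue()`, which suggests that column can carry the old password as well. Unless the previous value is already masked at write time, the query should also set it, `UPDATE XXTrxLog obj SET obj.newValue = :newValue, obj.previousValue = :newValue WHERE ...`, or the utility should run a second pass for it. The range predicate `obj.id > :idFrom AND obj.id < :idTo` is exclusive at both ends, which matches the DAO comment but is easy to misread from the XML alone; an XML comment on the query saying so would help.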
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java +++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java @@ -304,6 +304,9 @@ public void checkPrivileges(HiveOperationType hiveOpType, } for(RangerHiveAccessRequest request : requests) { + if (LOG.isDebugEnabled()) { + LOG.debug("request: " + request); + } RangerHiveResource resource = (RangerHiveResource)request.getResource(); RangerAccessResult result = null; @@ -641,6 +644,18 @@ private HiveAccessType getAccessType(HivePrivilegeObject hiveObj, HiveOperationT break; case IMPORT: + /* + This can happen during hive IMPORT command IFF a table is also being created as part of IMPORT. + If so then + - this would appear in the outputHObjs, i.e. accessType == false + - user then must have CREATE permission on the database + + During IMPORT commnad it is not possible for a database to be in inputHObj list. Thus returning SELECT + when accessType==true is never expacted to be hit in practice. + */ + accessType = isInput ? HiveAccessType.SELECT : HiveAccessType.CREATE; + break; + case EXPORT: case LOAD: accessType = isInput ? HiveAccessType.SELECT : HiveAccessType.UPDATE; From 389b20c8ef4f622da26c2e47080843708d537926 Mon Sep 17 00:00:00 2001 From: Sailaja Polavarapu Date: Tue, 8 Dec 2015 10:48:14 -0800 Subject: [PATCH 131/202] Ranger-767: Fixing a coverity issue CID 133255: FindBugs: Bad practice (FB.UI_INHERITANCE_UNSAFE_GETRESOURCE) Signed-off-by: Velmurugan Periasamy --- .../ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java index 78e3e7229c0..3e4deaec7e2 100644 --- a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java 
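Review bot: The new `case IMPORT` maps every output object to CREATE, not only a database that a table is being created in: before this change IMPORT fell into the `EXPORT`/`LOAD` branch and an output object got UPDATE, so an IMPORT into an existing table that lists the target table in outputHObjs will now require CREATE on that table instead of UPDATE, which the comment's "IFF a table is also being created" does not cover. Unless Hive guarantees that the table itself never appears as an output of IMPORT (I cannot confirm that from here), branch on the object type of `hiveObj`, which this method already receives: return CREATE when the output is a database and UPDATE otherwise. The comment also has typos (`commnad`, `expacted`). `getAccessType` starts before and ends after this hunk.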
+++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java @@ -778,7 +778,7 @@ private InputStream getFileInputStream(String path) throws FileNotFoundException if (f.exists()) { ret = new FileInputStream(f); } else { - ret = getClass().getResourceAsStream(path); + ret = PolicyMgrUserGroupBuilder.class.getResourceAsStream(path); if (ret == null) { if (! path.startsWith("/")) { From 689339f1933c2115d468a893e5cb0e55bb4843c0 Mon Sep 17 00:00:00 2001 From: Gautam Borad Date: Wed, 9 Dec 2015 11:10:16 +0530 Subject: [PATCH 132/202] RANGER-773 : Fix newly found Coverity scan issues for Ranger KMS Signed-off-by: Velmurugan Periasamy --- .../hadoop/crypto/key/Ranger2JKSUtil.java | 5 +++- .../hadoop/crypto/key/RangerKeyStore.java | 23 ++++++++++++------- 2 files changed, 19 insertions(+), 9 deletions(-) diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/Ranger2JKSUtil.java b/kms/src/main/java/org/apache/hadoop/crypto/key/Ranger2JKSUtil.java index 0def5e5bc93..e1ba61111ca 100644 --- a/kms/src/main/java/org/apache/hadoop/crypto/key/Ranger2JKSUtil.java +++ b/kms/src/main/java/org/apache/hadoop/crypto/key/Ranger2JKSUtil.java @@ -51,7 +51,10 @@ public static void main(String[] args) throws IOException { String keyStoreFileName = args[0] ; File f = new File(keyStoreFileName) ; if (! f.exists()) { - f.createNewFile(); + boolean ret = f.createNewFile(); + if (!ret) { + System.err.println("Error creating new keystore file. fileName="+ args[0]); + } } String keyStoreType = (args.length == 2 ? args[1] : DEFAULT_KEYSTORE_TYPE) ; try { diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java index 850104f9a38..abfab25f050 100644 --- a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java +++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java 
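Review bot: The classpath fallback in `getFileInputStream` means a missing or mistyped path silently resolves to any same-named resource on the classpath instead of failing; the identical copy of this method deleted earlier in this series was called from `getClient()` for `keyStoreFile` and `trustStoreFile`, and I assume this one is too. For a trust store that decides which policy-manager certificate is accepted, that deserves at least `LOG.warn("file [" + path + "] not found on disk; loading it from the classpath");` in the `else` branch so an operator can see where the store came from. The method starts before and ends after this hunk.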
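Review bot: When `createNewFile()` fails the new code only prints to stderr and falls through to `keyStoreType` and the export that follows, so the tool keeps going against a keystore file that does not exist; the failure should end the run with a non-zero status, `System.exit(1);` after the `println`. The file is also created with the process umask before key material is (presumably) written into it; restricting it to the owner right after creation, via `File.setReadable`/`setWritable` with `ownerOnly = true`, keeps the exported keys from being group- or world-readable. `main` starts before and ends after this hunk.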
@@ -138,9 +138,9 @@ public Date engineGetCreationDate(String alias) { public void addKeyEntry(String alias, Key key, char[] password, String cipher, int bitLength, String description, int version, String attributes) throws KeyStoreException { + SecretKeyEntry entry = new SecretKeyEntry(); synchronized(deltaEntries) { - try { - + try { Class c = null; Object o = null; try { @@ -152,8 +152,6 @@ public void addKeyEntry(String alias, Key key, char[] password, String cipher, i logger.error(e.getMessage()); throw new KeyStoreException(e.getMessage()); } - - SecretKeyEntry entry = new SecretKeyEntry(); entry.date = new Date(); // seal and store the key Method m = c.getDeclaredMethod("seal", Key.class); @@ -165,13 +163,20 @@ public void addKeyEntry(String alias, Key key, char[] password, String cipher, i entry.description = description; entry.version = version; entry.attributes = attributes; - deltaEntries.put(alias.toLowerCase(), entry); - keyEntries.put(alias.toLowerCase(), entry); + deltaEntries.put(alias.toLowerCase(), entry); } catch (Exception e) { logger.error(e.getMessage()); throw new KeyStoreException(e.getMessage()); } } + synchronized(keyEntries) { + try { + keyEntries.put(alias.toLowerCase(), entry); + }catch (Exception e) { + logger.error(e.getMessage()); + throw new KeyStoreException(e.getMessage()); + } + } } @Override @@ -180,8 +185,10 @@ public void engineDeleteEntry(String alias) { synchronized(keyEntries) { dbOperationDelete(convertAlias(alias)); - keyEntries.remove(convertAlias(alias)); - deltaEntries.remove(convertAlias(alias)); + keyEntries.remove(convertAlias(alias)); + } + synchronized(deltaEntries) { + deltaEntries.remove(convertAlias(alias)); } } From ba0d2e38c6cead561bfc9843bb0e8db67a0d9c9c Mon Sep 17 00:00:00 2001 
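Review bot: Splitting `addKeyEntry` into two separate `synchronized` blocks removes the atomicity the old single block gave: after the `deltaEntries` block releases its monitor and before the `keyEntries` block takes its own, another thread can observe the alias in `deltaEntries` but not in `keyEntries`, and `engineDeleteEntry` in the same file now does the reverse split, so a concurrent add and delete of the same alias can leave the two maps disagreeing. If the maps must stay consistent, take both monitors in one fixed order around both puts rather than sequentially. The `try { keyEntries.put(...) } catch (Exception e)` wrapper around a plain `Map.put` adds nothing and, like the catch above it, rethrows with `e.getMessage()` and drops the cause; `throw new KeyStoreException(e.getMessage(), e)` preserves it. `addKeyEntry` starts before this hunk.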
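Review bot: `engineDeleteEntry` now removes the alias from `keyEntries` and `deltaEntries` under two separate monitors, so between the two blocks a reader holding only one lock sees an alias that is gone from the store but still present in the delta map; if `deltaEntries` is what gets flushed to the database (I cannot tell from this hunk), a flush in that window could re-persist a key that `dbOperationDelete` just removed. Taking both monitors in one fixed order around the three calls closes the window. `convertAlias(alias)` is also evaluated three times; compute it once, `String key = convertAlias(alias);`.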
From: Velmurugan Periasamy Date: Thu, 10 Dec 2015 13:22:37 -0500 Subject: [PATCH 133/202] RANGER-778: Fix user update issue --- .../src/main/java/org/apache/ranger/biz/RangerBizUtil.java | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java index 872f61e3e58..306236ada0d 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java @@ -1335,8 +1335,7 @@ public void createTrxLog(List trxLogList) { for (XXTrxLog xTrxLog : trxLogList) { if (xTrxLog != null) { - if ("Password".equalsIgnoreCase(xTrxLog.getAttributeName() - .trim())) { + if ("Password".equalsIgnoreCase(StringUtil.trim(xTrxLog.getAttributeName()))) { if (xTrxLog.getPreviousValue() != null && !xTrxLog.getPreviousValue().trim().isEmpty() && !"null".equalsIgnoreCase(xTrxLog From b205c086ddef9974d5cf2c7555fd147556c14d8c Mon Sep 17 00:00:00 2001 From: Don Bosco Durai Date: Sun, 20 Sep 2015 01:57:35 -0400 Subject: [PATCH 134/202] RANGER-266: Solr configuration and setup files and documentation (cherry-picked commit c5ae2edd9948b9cbb463533589b356c9b4313fae) 
Signed-off-by: Velmurugan Periasamy --- .../contrib/solr_for_audit_setup/README.txt | 25 + .../conf/admin-extra.html | 24 + .../conf/admin-extra.menu-bottom.html | 25 + .../conf/admin-extra.menu-top.html | 25 + .../solr_for_audit_setup/conf/elevate.xml | 38 + .../solr_for_audit_setup/conf/schema.xml | 118 ++ .../solr_for_audit_setup/conf/solrconfig.xml | 1865 +++++++++++++++++ .../solr_for_audit_setup/install.properties | 96 + .../resources/log4j.properties.template | 39 + .../contrib/solr_for_audit_setup/setup.sh | 421 ++++ .../add_ranger_audits_conf_to_zk.sh.template | 63 + ...reate_ranger_audits_collection.sh.template | 33 + .../solr_cloud/scripts/start_solr.sh.template | 39 + .../solr_cloud/scripts/stop_solr.sh.template | 35 + .../solr_cloud/solr.xml.template | 26 + .../ranger_audits/core.properties.template | 20 + .../scripts/start_solr.sh.template | 38 + .../scripts/stop_solr.sh.template | 35 + .../solr_standalone/solr.xml | 19 + src/main/assembly/admin-web.xml | 7 + 20 files changed, 2991 insertions(+) create mode 100644 security-admin/contrib/solr_for_audit_setup/README.txt create mode 100755 security-admin/contrib/solr_for_audit_setup/conf/admin-extra.html create mode 100755 security-admin/contrib/solr_for_audit_setup/conf/admin-extra.menu-bottom.html create mode 100755 security-admin/contrib/solr_for_audit_setup/conf/admin-extra.menu-top.html create mode 100644 security-admin/contrib/solr_for_audit_setup/conf/elevate.xml create mode 100644 security-admin/contrib/solr_for_audit_setup/conf/schema.xml create mode 100644 security-admin/contrib/solr_for_audit_setup/conf/solrconfig.xml create mode 100644 security-admin/contrib/solr_for_audit_setup/install.properties create mode 100644 security-admin/contrib/solr_for_audit_setup/resources/log4j.properties.template create mode 100755 security-admin/contrib/solr_for_audit_setup/setup.sh create mode 100755 security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/add_ranger_audits_conf_to_zk.sh.template create 
mode 100755 security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/create_ranger_audits_collection.sh.template create mode 100755 security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/start_solr.sh.template create mode 100755 security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/stop_solr.sh.template create mode 100644 security-admin/contrib/solr_for_audit_setup/solr_cloud/solr.xml.template create mode 100644 security-admin/contrib/solr_for_audit_setup/solr_standalone/ranger_audits/core.properties.template create mode 100755 security-admin/contrib/solr_for_audit_setup/solr_standalone/scripts/start_solr.sh.template create mode 100755 security-admin/contrib/solr_for_audit_setup/solr_standalone/scripts/stop_solr.sh.template create mode 100644 security-admin/contrib/solr_for_audit_setup/solr_standalone/solr.xml diff --git a/security-admin/contrib/solr_for_audit_setup/README.txt b/security-admin/contrib/solr_for_audit_setup/README.txt new file mode 100644 index 00000000000..ac4eb8ed12e --- /dev/null +++ b/security-admin/contrib/solr_for_audit_setup/README.txt 
@@ -0,0 +1,25 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +This folder consists of the scripts required to install and configure Solr +as an audit destination/source for Apache Ranger. + +Check Apache Ranger Wiki page for more information: +https://cwiki.apache.org/confluence/display/RANGER/Install+and+Configure+Solr+for+Ranger+Audits+-+Apache+Ranger+0.5 + +Steps: +1. Update install.properties +2. ./setup.sh +3. Check $SOLR_RANGER_HOME/install_notes.txt for additional instructions diff --git a/security-admin/contrib/solr_for_audit_setup/conf/admin-extra.html b/security-admin/contrib/solr_for_audit_setup/conf/admin-extra.html new file mode 100755 index 00000000000..fecab20513d --- /dev/null +++ b/security-admin/contrib/solr_for_audit_setup/conf/admin-extra.html @@ -0,0 +1,24 @@ + + + diff --git a/security-admin/contrib/solr_for_audit_setup/conf/admin-extra.menu-bottom.html b/security-admin/contrib/solr_for_audit_setup/conf/admin-extra.menu-bottom.html new file mode 100755 index 00000000000..3359a460a48 --- /dev/null +++ b/security-admin/contrib/solr_for_audit_setup/conf/admin-extra.menu-bottom.html @@ -0,0 +1,25 @@ + + + + 
diff --git a/security-admin/contrib/solr_for_audit_setup/conf/admin-extra.menu-top.html b/security-admin/contrib/solr_for_audit_setup/conf/admin-extra.menu-top.html new file mode 100755 index 00000000000..0886cee37a4 --- /dev/null +++ b/security-admin/contrib/solr_for_audit_setup/conf/admin-extra.menu-top.html @@ -0,0 +1,25 @@ + + + + diff --git a/security-admin/contrib/solr_for_audit_setup/conf/elevate.xml b/security-admin/contrib/solr_for_audit_setup/conf/elevate.xml new file mode 100644 index 00000000000..25d5cebe4fb --- /dev/null +++ b/security-admin/contrib/solr_for_audit_setup/conf/elevate.xml @@ -0,0 +1,38 @@ + + + + + + + + + + + + + + + + + diff --git a/security-admin/contrib/solr_for_audit_setup/conf/schema.xml b/security-admin/contrib/solr_for_audit_setup/conf/schema.xml new file mode 100644 index 00000000000..df569741ec0 --- /dev/null +++ b/security-admin/contrib/solr_for_audit_setup/conf/schema.xml @@ -0,0 +1,118 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + id + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/security-admin/contrib/solr_for_audit_setup/conf/solrconfig.xml b/security-admin/contrib/solr_for_audit_setup/conf/solrconfig.xml new file mode 100644 index 00000000000..0991eba25f0 --- /dev/null +++ b/security-admin/contrib/solr_for_audit_setup/conf/solrconfig.xml 
@@ -0,0 +1,1865 @@ + + + + + + + + + 5.0.0 + + + + + + + + + + + + + + + + + + + + + + + ${solr.data.dir:} + + + + + + + + + ${solr.hdfs.home:} + + ${solr.hdfs.confdir:} + + ${solr.hdfs.blockcache.enabled:true} + + ${solr.hdfs.blockcache.global:true} + + + + + + + + + + true + managed-schema + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ${solr.lock.type:native} + + + + + + + + + + + + + + + + true + + + + + + + + + + + + + + + + ${solr.ulog.dir:} + + + + + ${solr.autoCommit.maxTime:15000} + false + + + + + + ${solr.autoSoftCommit.maxTime:5000} + + + + + + + + + + + + + + + + 1024 + + + + + + + + + + + + + + + + + + + + + + + + + true + + + + + + 20 + + + 200 + + + + + + + + + + + + static firstSearcher warming in solrconfig.xml + + + + + + false + + + 2 + + + + + + + + + + + + + + + + + + + + + + solr-data-config.xml + + + + + + + + explicit + 10 + text + + + + + + + + + + + + + + explicit + json + true + text + + + + + + + + true + json + true + + + + + + + + explicit + + + velocity + browse + layout + + + edismax + *:* + 10 + *,score + + + on + 1 + + + + + + + text + add-unknown-fields-to-the-schema + + + + + + + + + + + + + true + ignored_ + + + true + links + ignored_ + + + + + + + + + + + + + + + + + + + + + + + + solrpingquery + + + all + + + + + + + + + explicit + true + + + + + + + + + + + + + + + + text_general + + + + + + default + text + solr.DirectSolrSpellChecker + + internal + + 0.5 + + 2 + + 1 + + 5 + + 4 + + 0.01 + + + + + + wordbreak + solr.WordBreakSolrSpellChecker + name + true + true + 10 + + + + + + + + + + + + + + + + text + + default + wordbreak + on + true + 10 + 5 + 5 + true + true + 10 + 5 + + + spellcheck + + + + + + mySuggester + FuzzyLookupFactory + DocumentDictionaryFactory + cat + price + string + + + + + + true + 10 + + + suggest + + + + + + + + + text + true + + + tvComponent + + + + + + + lingo + + + org.carrot2.clustering.lingo.LingoClusteringAlgorithm + + + clustering/carrot2 + + + + + stc + 
org.carrot2.clustering.stc.STCClusteringAlgorithm + + + + + kmeans + org.carrot2.clustering.kmeans.BisectingKMeansClusteringAlgorithm + + + + + + + true + true + + name + + id + + features + + true + + + + false + + + edismax + + text^0.5 features^1.0 name^1.2 sku^1.5 id^10.0 manu^1.1 cat^1.4 + + *:* + 10 + *,score + + + clustering + + + + + + + + + + true + false + + + terms + + + + + + + + string + elevate.xml + + + + + + explicit + text + + + elevator + + + + + + + + + + + 100 + + + + + + + + 70 + + 0.5 + + [-\w ,/\n\"']{20,200} + + + + + + + ]]> + ]]> + + + + + + + + + + + + + + + + + + + + + + + + ,, + ,, + ,, + ,, + ,]]> + ]]> + + + + + + 10 + .,!? + + + + + + + WORD + + + en + US + + + + + + + + + + + + + + + + yyyy-MM-dd'T'HH:mm:ss.SSSZ + yyyy-MM-dd'T'HH:mm:ss,SSSZ + yyyy-MM-dd'T'HH:mm:ss.SSS + yyyy-MM-dd'T'HH:mm:ss,SSS + yyyy-MM-dd'T'HH:mm:ssZ + yyyy-MM-dd'T'HH:mm:ss + yyyy-MM-dd'T'HH:mmZ + yyyy-MM-dd'T'HH:mm + yyyy-MM-dd HH:mm:ss.SSSZ + yyyy-MM-dd HH:mm:ss,SSSZ + yyyy-MM-dd HH:mm:ss.SSS + yyyy-MM-dd HH:mm:ss,SSS + yyyy-MM-dd HH:mm:ssZ + yyyy-MM-dd HH:mm:ss + yyyy-MM-dd HH:mmZ + yyyy-MM-dd HH:mm + yyyy-MM-dd + + + + text_general + + java.lang.Boolean + booleans + + + java.util.Date + tdates + + + java.lang.Long + java.lang.Integer + tlongs + + + java.lang.Number + tdoubles + + + + + + + + + + + + + + + + + + + + + + + text/plain; charset=UTF-8 + + + + + ${velocity.template.base.dir:} + + + + + 5 + + + + + + + + + + + + + + + + + + *:* + + + diff --git a/security-admin/contrib/solr_for_audit_setup/install.properties b/security-admin/contrib/solr_for_audit_setup/install.properties new file mode 100644 index 00000000000..92ec1e6f84b --- /dev/null +++ b/security-admin/contrib/solr_for_audit_setup/install.properties 
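Review bot: This looks like Solr's stock sample `solrconfig.xml` with the Velocity response writer and `/browse` handler, the DataImportHandler (`solr-data-config.xml`), the clustering component and the `add-unknown-fields-to-the-schema` update chain still enabled; the XML tags are stripped in this view, so I can only go by the surviving names. None of those are needed for a collection that Ranger only writes audit records to and queries, and each is extra request-handling code exposed on a service holding authorization audit data, so the file should be trimmed to the handlers Ranger actually calls. At minimum an XML comment at the top stating that the file was derived from the Solr sample and which sections were reviewed would help the next maintainer.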
@@ -0,0 +1,96 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#Note: +#1. This file is sourced from setup.sh, so make sure there are no spaces after the "=" +#2. For variable with file path, please provide full path + +#!/bin/bash + +#JAVA_HOME to be used by Solr. Solr only support JDK 1.7 and above. If JAVA_HOME is not set +#in the env, then please set it here +#JAVA_HOME= + +#The operating system (linux) user used by Solr process. You need to run Solr as the below user +SOLR_USER=solr + +#If you want this script to isntall Solr, set the value to true. If it is already installed, then set this to false +#If it is true, then it will download and install it. +#NOTE: If you want the script to install Solr, then this script needs to be executed as root. +SOLR_INSTALL=false + +### BEGIN: if SOLR_INSTALL==true ### +#Location to download Solr. If SOLR_INSTALL is true, then SOLR_DOWNLOAD_URL is mandatory + +#For open source version, pick a mirror from below. 
Recommended versions are Apache Solr 5.2.1 or above +#http://lucene.apache.org/solr/mirrors-solr-latest-redir.html + +#Note: If possible, use the link from one of the mirror site +#SOLR_DOWNLOAD_URL=http://archive.apache.org/dist/lucene/solr/5.2.1/solr-5.2.1.tgz +SOLR_DOWNLOAD_URL= + +### END: if SOLR_INSTALL==true ### + +#The folder where Solr is installed. If SOLR_INSTALL=false, then Solr need to be preinstalled, else the setup will +#install at the below location +#Note: If you are using RPM from LucidWorks in HDP, then Solr is by default installed in the following location: +#SOLR_INSTALL_FOLDER=/opt/lucidworks-hdpsearch/solr +SOLR_INSTALL_FOLDER=/opt/solr + +#The location for the Solr configuration for Ranger. This script copies required configuration and +#startup scripts to the $SOLR_RANGER_HOME folder. +#NOTE: In SolrCloud mode, the data folders are under this folder. So make sure this is on seperate drive +# with enough disk space. Have 1TB free disk space on this volume. Also regularly monitor available disk space +# for this volume +#SOLR_RANGER_HOME=/opt/solr/ranger_audit_server +SOLR_RANGER_HOME=/opt/solr/ranger_audit_server + +#Port for Solr instance to be used by Ranger. +SOLR_RANGER_PORT=6083 + +#Standalone or SolrCloud. Valid values are "standalone" or "solrcloud" +SOLR_DEPLOYMENT=standalone + +#### BEGIN: if SOLR_DEPLOYMENT=standalone ########################## +#Location for the data files. Make sure it has enough disk space. Since audits records can grow dramatically, +#please have 1TB free disk space for the data folder. Also regularly monitor available disk space for this volume +SOLR_RANGER_DATA_FOLDER=/opt/solr/ranger_audit_server/data +#### END: if SOLR_DEPLOYMENT=standalone ########################## + + +#### BEGIN: if SOLR_DEPLOYMENT=solrcloud ########################## +#Comma seperated list of of zookeeper host and path. 
Give fully qualified domain name for the host +#SOLR_ZK=localhost:2181/ranger_audits +SOLR_ZK= +#Base URL of the Solr. Used for creating collections +SOLR_HOST_URL=http://`hostname -f`:${SOLR_RANGER_PORT} +#Number of shards +SOLR_SHARDS=1 +#Number of replication +SOLR_REPLICATION=1 +#### END: if SOLR_DEPLOYMENT=solrcloud ########################## + +#Location for the log file. Please note that "solr" or the process owner should have write permission +#to log folder +#SOLR_LOG_FOLDER=logs +SOLR_LOG_FOLDER=/var/log/solr/ranger_audits + + +#Memory for Solr. Both min and max memory to the java process are set to this value. +#Note: In production, please assign enough memory. It is recommended to have at least 2GB RAM. +# Higher the RAM, the better. Solr core can take upto 32GB. For dev test you can use 512m +#SOLR_MAX_MEM=2g +#SOLR_MAX_MEM=512m +SOLR_MAX_MEM=2g diff --git a/security-admin/contrib/solr_for_audit_setup/resources/log4j.properties.template b/security-admin/contrib/solr_for_audit_setup/resources/log4j.properties.template new file mode 100644 index 00000000000..61b25ff90ea --- /dev/null +++ b/security-admin/contrib/solr_for_audit_setup/resources/log4j.properties.template 
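Review bot: The example `SOLR_DOWNLOAD_URL` is plain `http://archive.apache.org/...` and nothing here asks the operator to verify the archive, yet the header says the download is installed as root when `SOLR_INSTALL=true`; the example should use `https://` and the comment should tell the operator to check the tarball against the Apache-published checksum or signature before it is unpacked (whether `setup.sh`, outside this view, verifies anything I cannot tell). The file is sourced by `setup.sh`, so every value is shell-evaluated, which the `SOLR_HOST_URL` default relies on through backtick substitution of hostname -f; that makes write access to `install.properties` equivalent to running code as root, and the note at the top should say so. `SOLR_HOST_URL` also defaults to `http://`, so the audit collection is created over an unauthenticated, unencrypted endpoint unless the operator changes it; a comment pointing at Solr's SSL and authentication setup would be a useful caveat. Typos: `isntall`, `seperate`.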
@@ -0,0 +1,39 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Logging level
+solr.log=__SOLR_LOG_FOLDER__
+log4j.rootLogger=INFO, file, CONSOLE
+
+log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
+
+log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout
+log4j.appender.CONSOLE.layout.ConversionPattern=%-4r [%t] %-5p %c %x [%X{collection} %X{shard} %X{replica} %X{core}] \u2013 %m%n
+
+#- size rotation with log cleanup.
+log4j.appender.file=org.apache.log4j.RollingFileAppender
+log4j.appender.file.MaxFileSize=4MB
+log4j.appender.file.MaxBackupIndex=9
+
+#- File to log to and log format
+log4j.appender.file.File=${solr.log}/solr.log
+log4j.appender.file.layout=org.apache.log4j.PatternLayout
+log4j.appender.file.layout.ConversionPattern=%d{ISO8601} [%t] %-5p [%X{collection} %X{shard} %X{replica} %X{core}] %C (%F:%L) - %m%n
+
+log4j.logger.org.apache.zookeeper=WARN
+log4j.logger.org.apache.hadoop=WARN
+
+# set to INFO to enable infostream log messages
+log4j.logger.org.apache.solr.update.LoggingInfoStream=OFF
diff --git a/security-admin/contrib/solr_for_audit_setup/setup.sh b/security-admin/contrib/solr_for_audit_setup/setup.sh
new file mode 100755
index 00000000000..11d55010332
--- /dev/null
+++ b/security-admin/contrib/solr_for_audit_setup/setup.sh 
@@ -0,0 +1,421 @@ +#!/bin/bash +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#This script downloads Solr (optional) and sets up Solr for Ranger Audit Server +curr_dir=`pwd` + +. ./install.properties + +#Current timestamp +ts=$(date +"%m%d%y%H%M%S") + +#Validate all variables +check_java_version() { + #Check for JAVA_HOME + if [ "${JAVA_HOME}" == "" ]; then + echo "Error: JAVA_HOME environment property not defined, aborting installation." + exit 1 + fi + + export JAVA_BIN=${JAVA_HOME}/bin/java + + if [ ! -x ${JAVA_BIN} ]; then + echo "Error: '${JAVA_BIN}' command not found" + exit 1; + fi + + version=$("$JAVA_BIN" -version 2>&1 | awk -F '"' '/version/ {print $2}') + major=`echo ${version} | cut -d. -f1` + minor=`echo ${version} | cut -d. -f2` + if [[ "${major}" == 1 && "${minor}" < 7 ]] ; then + echo "Error: Java 1.7 or above is required, current java version is $version" + exit 1; + fi +} + +#Check Java version. 
Minimum JDK 1.7 is needed +check_java_version + +if [ "$SOLR_INSTALL_FOLDER" = "" ]; then + echo "Error: SOLR_INSTALL_FOLDER not set" + exit 1 +fi + +if [ "$SOLR_RANGER_HOME" = "" ]; then + echo "Error: SOLR_RANGER_HOME not set" + exit 1 +fi + +if [ "$SOLR_RANGER_PORT" = "" ]; then + echo "Error: SOLR_RANGER_PORT not set" + exit 1 +fi + +if [ "$SOLR_DEPLOYMENT" = "standalone" ]; then + if [ "$SOLR_RANGER_DATA_FOLDER" = "" ]; then + echo "Error: SOLR_RANGER_DATA_FOLDER not set" + exit 1 + fi +else + if [ "$SOLR_ZK" = "" ]; then + echo "Error: SOLR_ZK not set" + exit 1 + fi +fi + +if [ "$SOLR_USER" = "" ]; then + SOLR_USER=solr +fi + +if [ "$SOLR_RANGER_COLLECTION" = "" ]; then + SOLR_RANGER_COLLECTION=ranger_audits +fi + +curr_user=`whoami` +is_root=0 +if [ -w /etc/passwd ]; then + is_root=1 +fi + + +if [ "$SOLR_INSTALL" = "true" -a $is_root -eq 0 ]; then + echo "Error: Solr will be installed only if run as root. Please download and install before continuing" + exit 1 +fi + +if [ "$SOLR_INSTALL" = "true" -a "$SOLR_DOWNLOAD_URL" = "" ]; then + echo "Error: If SOLR_INSTALL=true, then SOLR_DOWNLOAD_URL can't be empty" + exit 1 +fi + +if [ "$SOLR_LOG_FOLDER" = "logs" ]; then + NEW_SOLR_LOG_FOLDER=$SOLR_INSTALL/server/${$SOLR_LOG_FOLDER} + echo "`date`|INFO|Changing SOLR_LOG_FOLDER from $SOLR_LOG_FOLDER to $NEW_SOLR_LOG_FOLDER" + SOLR_LOG_FOLDER=$NEW_SOLR_LOG_FOLDER +fi + +function run_root_usage { + echo "sudo chown -R $SOLR_USER:$SOLR_USER $SOLR_INSTALL_FOLDER" + echo "sudo mkdir -p $SOLR_RANGER_HOME" + echo "sudo chown -R $SOLR_USER:$SOLR_USER $SOLR_RANGER_HOME" + if [ "$SOLR_LOG_FOLDER" != "logs" ]; then + echo "sudo mkdir -p $SOLR_LOG_FOLDER" + echo "sudo chown -R $SOLR_USER:$SOLR_USER $SOLR_LOG_FOLDER" + fi +} + +if [ $is_root -ne 1 ]; then + if [ "$SOLR_USER" != "$curr_user" ]; then + echo "`date`|ERROR|You need to run this script as root or as user $SOLR_USER" + echo "If you need to run as $SOLR_USER, then first execute the following commands as root or sudo" + 
id $SOLR_USER 2>&1 > /dev/null + if [ $? -ne 0 ]; then + echo "sudo adduser $SOLR_USER" + fi + run_root_usage + exit 1 + fi + + #Let's make $curr_user has permission to write to $SOLR_RANGER_HOME and also chown + mkdir -p $SOLR_RANGER_HOME 2> /dev/null + if [ ! -d $SOLR_RANGER_HOME ]; then + echo "`date`|ERROR|Solr Ranger Home folder <$SOLR_RANGER_HOME> could not be created. Current user is $curr_user" + run_root_usage + exit 1 + fi + + test_file=${SOLR_RANGER_HOME}/testfile_${ts}.txt + touch $test_file 2> /dev/null + if [ $? -ne 0 ]; then + echo "`date`|ERROR|User $curr_user doesn't have permission to write to $SOLR_RANGER_HOME." + run_root_usage + exit 1 + fi + + chown $SOLR_USER:$SOLR_USER $test_file 2> /dev/null + if [ $? -ne 0 ]; then + echo "`date`|ERROR|User $curr_user doesn't have permission chown to $SOLR_USER in $SOLR_RANGER_HOME" + run_root_usage + exit 1 + fi + rm -f $test_file + + #Solr on first time startup, it creates the webapp folder. So the $SOLR_USER needs permission to create webapp + test_file=$SOLR_INSTALL_FOLDER/testfile_${ts}.txt + touch $test_file 2> /dev/null + if [ $? -ne 0 ]; then + echo "`date`|ERROR|User $curr_user doesn't have write permission to $SOLR_INSTALL_FOLDER" + run_root_usage + exit 1 + fi + rm -f $test_file + + #Let's make $curr_user has permission to write to logs folder + mkdir -p $SOLR_LOG_FOLDER 2> /dev/null + if [ ! -d $SOLR_LOG_FOLDER ]; then + echo "`date`|ERROR|Log folder <$SOLR_LOG_FOLDER> could not be created. Current user is $curr_user" + run_root_usage + exit 1 + fi + + test_file=$SOLR_LOG_FOLDER/testfile_${ts}.txt + touch $test_file 2> /dev/null + if [ $? -ne 0 ]; then + echo "`date`|ERROR|User $curr_user doesn't have permission to write to log folder $SOLR_LOG_FOLDER" + run_root_usage + exit 1 + fi + rm -f $test_file +fi + + +if [ -d $SOLR_RANGER_HOME ]; then + #echo "`date`|WARN|Solr Ranger Home <$SOLR_RANGER_HOME> exists. 
Moving to ${SOLR_RANGER_HOME}.bk.${ts}" + echo "`date`|INFO|Solr Ranger Home <$SOLR_RANGER_HOME> exists. Will overwrite configurations" + #mv $SOLR_RANGER_HOME ${SOLR_RANGER_HOME}.bk.${ts} +fi + + +#Download and install Solr if needed +if [ "$SOLR_INSTALL" = "true" ]; then + if [ ! -x `which wget 2> /dev/null` ]; then + echo "Error: wget is not found in the path. Please install wget" + exit + fi + + if [ -d $SOLR_INSTALL_FOLDER ]; then + echo "`date`|WARN|$SOLR_INSTALL_FOLDER exists. This script will overwrite some files" + fi + + echo "`date`|INFO|Downloading solr from $SOLR_DOWNLOAD_URL" + #Temporary create a folder to untar the folder + tmp_folder=/tmp/solr_untar_${ts} + mkdir -p ${tmp_folder} + cd ${tmp_folder} + wget $SOLR_DOWNLOAD_URL + #Assuming this is a new folder and there will be only one file + tgz_file=`ls *z` + if [ ! -f $tgz_file ]; then + echo "`date`|ERROR|Downloaded file <`pwd`/$tgz_file> not found" + exit 1 + fi + + mkdir tmp + tar xfz $tgz_file -C tmp + cd tmp + + #Assuming there will only one folder begining with "s" + solr_folder=`ls | grep "^solr"` + + if [ ! -d $solr_folder ]; then + echo "`date`|ERROR|Solr temporary folder `pwd`/<$solr_folder> not found" + exit 1 + fi + + if [ -d $SOLR_INSTALL_FOLDER ]; then + echo "`date`|WARN|$SOLR_INSTALL_FOLDER exists. Moving to ${SOLR_INSTALL_FOLDER}.bk.${ts}" + mv $SOLR_INSTALL_FOLDER ${SOLR_INSTALL_FOLDER}.bk.${ts} + fi + + mv $solr_folder $SOLR_INSTALL_FOLDER + rm -rf $tmp_folder + echo "`date`|INFO|Installed Solr in $SOLR_INSTALL_FOLDER" +fi + +if [ ! -d $SOLR_INSTALL_FOLDER ]; then + echo "`date`|ERROR|$SOLR_INSTALL_FOLDER not found. Check \$SOLR_INSTALL_FOLDER" + exit 1 +fi + +if [ ! -x $SOLR_INSTALL_FOLDER/bin/solr ]; then + echo "`date`|ERROR|Solr doesn't seem to be installed properly. $SOLR_INSTALL_FOLDER/bin/solr doesn't exist. 
Please check $SOLR_INSTALL_FOLDER" + exit 1 +fi + +########## At this point, we have the Solr installed folder #### + +######### Copy the Solr config file for Ranger ###### +cd $curr_dir + +mkdir -p $SOLR_RANGER_HOME/resources +cp -r resources/* $SOLR_RANGER_HOME/resources + +if [ "$SOLR_DEPLOYMENT" = "standalone" ]; then + echo "`date`|INFO|Configuring standalone instance" + echo "`date`|INFO|Copying Ranger Audit Server configuration to $SOLR_RANGER_HOME" + cp -r solr_standalone/* $SOLR_RANGER_HOME + mkdir -p $SOLR_RANGER_HOME/${SOLR_RANGER_COLLECTION}/conf + cp -r conf/* $SOLR_RANGER_HOME/${SOLR_RANGER_COLLECTION}/conf + sed "s#__RANGER_AUDITS_DATA_FOLDER__#$SOLR_RANGER_DATA_FOLDER#g" $SOLR_RANGER_HOME/${SOLR_RANGER_COLLECTION}/core.properties.template > $SOLR_RANGER_HOME/${SOLR_RANGER_COLLECTION}/core.properties + sed -e "s#__JAVA_HOME__#$JAVA_HOME#g" -e "s#__SOLR_USER__#$SOLR_USER#g" -e "s#__SOLR_MAX_MEM__#$SOLR_MAX_MEM#g" -e "s#__SOLR_INSTALL_DIR__#$SOLR_INSTALL_FOLDER#g" -e "s#__SOLR_RANGER_HOME__#$SOLR_RANGER_HOME#g" -e "s#__SOLR_PORT__#$SOLR_RANGER_PORT#g" -e "s#__SOLR_LOG_FOLDER__#$SOLR_LOG_FOLDER#g" $SOLR_RANGER_HOME/scripts/start_solr.sh.template > $SOLR_RANGER_HOME/scripts/start_solr.sh + +else + + echo "`date`|INFO|Configuring SolrCloud instance" + cp -r solr_cloud/* $SOLR_RANGER_HOME + mkdir -p $SOLR_RANGER_HOME/conf + cp -r conf/* $SOLR_RANGER_HOME/conf + + #Get the first ZooKeeper host:port/path + FIRST_SOLR_ZK=$(IFS="," ; set -- $SOLR_ZK ; echo $1) + + sed -e "s#__JAVA_HOME__#$JAVA_HOME#g" -e "s#__SOLR_USER__#$SOLR_USER#g" -e "s#__SOLR_MAX_MEM__#$SOLR_MAX_MEM#g" -e "s#__SOLR_INSTALL_DIR__#$SOLR_INSTALL_FOLDER#g" -e "s#__SOLR_RANGER_HOME__#$SOLR_RANGER_HOME#g" -e "s#__SOLR_PORT__#$SOLR_RANGER_PORT#g" -e "s#__SOLR_ZK__#$SOLR_ZK#g" -e "s#__SOLR_LOG_FOLDER__#$SOLR_LOG_FOLDER#g" $SOLR_RANGER_HOME/scripts/start_solr.sh.template > $SOLR_RANGER_HOME/scripts/start_solr.sh + + sed -e "s#__JAVA_HOME__#$JAVA_HOME#g" -e "s#__SOLR_USER__#$SOLR_USER#g" -e 
"s#__SOLR_INSTALL_DIR__#$SOLR_INSTALL_FOLDER#g" -e "s#__SOLR_RANGER_HOME__#$SOLR_RANGER_HOME#g" -e "s#__SOLR_ZK__#$FIRST_SOLR_ZK#g" $SOLR_RANGER_HOME/scripts/add_ranger_audits_conf_to_zk.sh.template > $SOLR_RANGER_HOME/scripts/add_ranger_audits_conf_to_zk.sh + sed -e "s#__JAVA_HOME__#$JAVA_HOME#g" -e "s#__SOLR_INSTALL_DIR__#$SOLR_INSTALL_FOLDER#g" -e "s#__SOLR_ZK__#$SOLR_ZK#g" -e "s#__SOLR_HOST_URL__#$SOLR_HOST_URL#g" -e "s#__SOLR_SHARDS__#$SOLR_SHARDS#g" -e "s#__SOLR_REPLICATION__#$SOLR_REPLICATION#g" $SOLR_RANGER_HOME/scripts/create_ranger_audits_collection.sh.template > $SOLR_RANGER_HOME/scripts/create_ranger_audits_collection.sh + sed -e "s#__SOLR_PORT__#$SOLR_RANGER_PORT#g" $SOLR_RANGER_HOME/solr.xml.template > $SOLR_RANGER_HOME/solr.xml +fi + +#Common overrides +sed -e "s#__JAVA_HOME__#$JAVA_HOME#g" -e "s#__SOLR_USER__#$SOLR_USER#g" -e "s#__SOLR_INSTALL_DIR__#$SOLR_INSTALL_FOLDER#g" -e "s#__SOLR_PORT__#$SOLR_RANGER_PORT#g" -e "s#__SOLR_LOG_FOLDER__#$SOLR_LOG_FOLDER#g" $SOLR_RANGER_HOME/scripts/stop_solr.sh.template > $SOLR_RANGER_HOME/scripts/stop_solr.sh +sed -e "s#__SOLR_LOG_FOLDER__#$SOLR_LOG_FOLDER#g" $SOLR_RANGER_HOME/resources/log4j.properties.template > $SOLR_RANGER_HOME/resources/log4j.properties + + +#Let's make all ownership is given to $SOLR_USER +if [ $is_root -eq 1 ]; then + #Let's see if $SOLR_USER exists. + id $SOLR_USER 2>&1 > /dev/null + if [ $? -ne 0 ]; then + echo "`date`|INFO|Creating user $SOLR_USER" + adduser $SOLR_USER + fi + + chown -R $SOLR_USER:$SOLR_USER $SOLR_INSTALL_FOLDER + mkdir -p $SOLR_RANGER_HOME + chown -R $SOLR_USER:$SOLR_USER $SOLR_RANGER_HOME + mkdir -p $SOLR_LOG_FOLDER + chown -R $SOLR_USER:$SOLR_USER $SOLR_LOG_FOLDER +else + chown -R $SOLR_USER:$SOLR_USER $SOLR_RANGER_HOME +fi +chmod a+x $SOLR_RANGER_HOME/scripts/*.sh + +SOLR_INSTALL_NOTES=$SOLR_RANGER_HOME/install_notes.txt +echo "Solr installation notes for Ranger Audits." 
> $SOLR_INSTALL_NOTES + +cat > $SOLR_INSTALL_NOTES <> $SOLR_INSTALL_NOTES <> $SOLR_INSTALL_NOTES <> $SOLR_INSTALL_NOTES <> $SOLR_INSTALL_NOTES <> $SOLR_INSTALL_NOTES <> $SOLR_INSTALL_NOTES <> $SOLR_INSTALL_NOTES <> $SOLR_INSTALL_NOTES <> $SOLR_INSTALL_NOTES <> $SOLR_INSTALL_NOTES <> $SOLR_INSTALL_NOTES <> $SOLR_INSTALL_NOTES <&1 > /dev/null +if [ $? -ne 0 ]; then + echo "curl is not fould. Please install it for creating the collection" + exit 1 +fi + +set -x +curl --negotiate -u : "${SOLR_HOST_URL}/solr/admin/collections?action=CREATE&name=${COLLECTION_NAME}&numShards=${SHARDS}&replicationFactor=${REPLICATION}&collection.configName=$CONF_NAME&maxShardsPerNode=100" diff --git a/security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/start_solr.sh.template b/security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/start_solr.sh.template new file mode 100755 index 00000000000..f5a327e38fd --- /dev/null +++ b/security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/start_solr.sh.template 
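Review bot: The `if [ "$SOLR_LOG_FOLDER" = "logs" ]` branch in setup.sh cannot run: `${$SOLR_LOG_FOLDER}` is a bad substitution that aborts bash, and its prefix `$SOLR_INSTALL` is the true/false install flag from install.properties rather than the install directory, so the assignment should be `NEW_SOLR_LOG_FOLDER=$SOLR_INSTALL_FOLDER/server/$SOLR_LOG_FOLDER`. The install path in the same hunk runs as root and deserves a supply-chain check: the archive fetched by `wget $SOLR_DOWNLOAD_URL` (an http:// URL in the shipped install.properties example) is extracted and moved to `$SOLR_INSTALL_FOLDER` without any checksum or signature verification, so the script should compare the download against the checksum or GPG signature published alongside the release before `tar xfz $tgz_file -C tmp`. The scratch location `tmp_folder=/tmp/solr_untar_${ts}` is predictable and `mkdir -p` silently reuses a pre-existing directory, so `tmp_folder=$(mktemp -d)` is the safer choice. Also `id $SOLR_USER 2>&1 > /dev/null` has the redirections reversed and sends stderr to the terminal; the intended form is `id $SOLR_USER > /dev/null 2>&1`.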
@@ -0,0 +1,39 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+JAVA_HOME=__JAVA_HOME__
+SOLR_USER=__SOLR_USER__
+SOLR_ZK=__SOLR_ZK__
+SOLR_MEMORY=__SOLR_MAX_MEM__
+SOLR_INSTALL_DIR=__SOLR_INSTALL_DIR__
+SOLR_RANGER_HOME=__SOLR_RANGER_HOME__
+SOLR_PORT=__SOLR_PORT__
+SOLR_LOG4J_FILEPATH=$SOLR_RANGER_HOME/resources/log4j.properties
+
+export SOLR_LOGS_DIR=__SOLR_LOG_FOLDER__
+
+if [ "`whoami`" != "$SOLR_USER" ]; then
+ if [ -w /etc/passwd ]; then
+ echo "Running this script as $SOLR_USER..."
+ su $SOLR_USER $0
+ else
+ echo "ERROR: You need to run this script $0 as user $SOLR_USER. You are currently running it as `whoami`"
+ fi
+
+ exit 1
+fi
+
+$SOLR_INSTALL_DIR/bin/solr start -p $SOLR_PORT -d $SOLR_INSTALL_DIR/server -m $SOLR_MEMORY -s $SOLR_RANGER_HOME -Dlog4j.configuration=file://$SOLR_LOG4J_FILEPATH -c -z $SOLR_ZK
diff --git a/security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/stop_solr.sh.template b/security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/stop_solr.sh.template
new file mode 100755
index 00000000000..5b85c25c780
--- /dev/null
+++ b/security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/stop_solr.sh.template
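Review bot: `JAVA_HOME=__JAVA_HOME__` near the top of this template is assigned but never exported, so the substituted value is invisible to the `$SOLR_INSTALL_DIR/bin/solr start` child process and Java resolution is presumably left to whatever JAVA_HOME the caller's environment already carries; contrast `export SOLR_LOGS_DIR=__SOLR_LOG_FOLDER__` a few lines below, which is exported correctly. The line should read `export JAVA_HOME=__JAVA_HOME__`. The re-exec branch also always ends in `exit 1`, so even when `su $SOLR_USER $0` started Solr successfully the wrapper reports failure to the caller; `su $SOLR_USER $0` followed by `exit $?` (or `exec su $SOLR_USER $0`) preserves the child's status. Both points apply equally to the three sibling templates in this commit: the solr_cloud stop_solr.sh.template and the solr_standalone start_solr.sh.template and stop_solr.sh.template.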
@@ -0,0 +1,35 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+JAVA_HOME=__JAVA_HOME__
+SOLR_USER=__SOLR_USER__
+SOLR_INSTALL_DIR=__SOLR_INSTALL_DIR__
+SOLR_PORT=__SOLR_PORT__
+
+export SOLR_LOGS_DIR=__SOLR_LOG_FOLDER__
+
+if [ "`whoami`" != "$SOLR_USER" ]; then
+ if [ -w /etc/passwd ]; then
+ echo "Running this script as $SOLR_USER..."
+ su $SOLR_USER $0
+ else
+ echo "ERROR: You need to run this script $0 as user $SOLR_USER. You are currently running it as `whoami`"
+ fi
+
+ exit 1
+fi
+
+$SOLR_INSTALL_DIR/bin/solr stop -p $SOLR_PORT
diff --git a/security-admin/contrib/solr_for_audit_setup/solr_cloud/solr.xml.template b/security-admin/contrib/solr_for_audit_setup/solr_cloud/solr.xml.template
new file mode 100644
index 00000000000..2fab75108ab
--- /dev/null
+++ b/security-admin/contrib/solr_for_audit_setup/solr_cloud/solr.xml.template
@@ -0,0 +1,26 @@ + + + + + ${host:} + ${jetty.port:__SOLR_PORT__} + ${hostContext:solr} + ${zkClientTimeout:15000} + ${genericCoreNodeNames:true} + + 
diff --git a/security-admin/contrib/solr_for_audit_setup/solr_standalone/ranger_audits/core.properties.template b/security-admin/contrib/solr_for_audit_setup/solr_standalone/ranger_audits/core.properties.template
new file mode 100644
index 00000000000..f2d3205885b
--- /dev/null
+++ b/security-admin/contrib/solr_for_audit_setup/solr_standalone/ranger_audits/core.properties.template
@@ -0,0 +1,20 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name=ranger_audits
+config=solrconfig.xml
+schema=schema.xml
+dataDir=__RANGER_AUDITS_DATA_FOLDER__
diff --git a/security-admin/contrib/solr_for_audit_setup/solr_standalone/scripts/start_solr.sh.template b/security-admin/contrib/solr_for_audit_setup/solr_standalone/scripts/start_solr.sh.template
new file mode 100755
index 00000000000..2a4bb385db8
--- /dev/null
+++ b/security-admin/contrib/solr_for_audit_setup/solr_standalone/scripts/start_solr.sh.template
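Review bot: The new core.properties.template opens with `#!/bin/bash` although it is a Java properties file that Solr reads as core configuration, not a script that is ever executed. The properties parser treats the line as a comment, so it is harmless, but it misleads readers into thinking the file is a shell template; drop that first line and keep only the license header above `name=ranger_audits`.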
@@ -0,0 +1,38 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+JAVA_HOME=__JAVA_HOME__
+SOLR_USER=__SOLR_USER__
+SOLR_MEMORY=__SOLR_MAX_MEM__
+SOLR_INSTALL_DIR=__SOLR_INSTALL_DIR__
+SOLR_RANGER_HOME=__SOLR_RANGER_HOME__
+SOLR_PORT=__SOLR_PORT__
+SOLR_LOG4J_FILEPATH=$SOLR_RANGER_HOME/resources/log4j.properties
+
+export SOLR_LOGS_DIR=__SOLR_LOG_FOLDER__
+
+if [ "`whoami`" != "$SOLR_USER" ]; then
+ if [ -w /etc/passwd ]; then
+ echo "Running this script as $SOLR_USER..."
+ su $SOLR_USER $0
+ else
+ echo "ERROR: You need to run this script $0 as user $SOLR_USER. You are currently running it as `whoami`"
+ fi
+
+ exit 1
+fi
+
+$SOLR_INSTALL_DIR/bin/solr start -p $SOLR_PORT -d $SOLR_INSTALL_DIR/server -m $SOLR_MEMORY -s $SOLR_RANGER_HOME -Dlog4j.configuration=file://$SOLR_LOG4J_FILEPATH
diff --git a/security-admin/contrib/solr_for_audit_setup/solr_standalone/scripts/stop_solr.sh.template b/security-admin/contrib/solr_for_audit_setup/solr_standalone/scripts/stop_solr.sh.template
new file mode 100755
index 00000000000..5b85c25c780
--- /dev/null
+++ b/security-admin/contrib/solr_for_audit_setup/solr_standalone/scripts/stop_solr.sh.template
@@ -0,0 +1,35 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+JAVA_HOME=__JAVA_HOME__
+SOLR_USER=__SOLR_USER__
+SOLR_INSTALL_DIR=__SOLR_INSTALL_DIR__
+SOLR_PORT=__SOLR_PORT__
+
+export SOLR_LOGS_DIR=__SOLR_LOG_FOLDER__
+
+if [ "`whoami`" != "$SOLR_USER" ]; then
+ if [ -w /etc/passwd ]; then
+ echo "Running this script as $SOLR_USER..."
+ su $SOLR_USER $0
+ else
+ echo "ERROR: You need to run this script $0 as user $SOLR_USER. You are currently running it as `whoami`"
+ fi
+
+ exit 1
+fi
+
+$SOLR_INSTALL_DIR/bin/solr stop -p $SOLR_PORT
diff --git a/security-admin/contrib/solr_for_audit_setup/solr_standalone/solr.xml b/security-admin/contrib/solr_for_audit_setup/solr_standalone/solr.xml
new file mode 100644
index 00000000000..4720e055824
--- /dev/null
+++ b/security-admin/contrib/solr_for_audit_setup/solr_standalone/solr.xml
@@ -0,0 +1,19 @@ + + + + 
diff --git a/src/main/assembly/admin-web.xml b/src/main/assembly/admin-web.xml
index 4f34ef6ad63..7a8dca024e3 100644
--- a/src/main/assembly/admin-web.xml
+++ b/src/main/assembly/admin-web.xml
@@ -361,6 +361,13 @@ security-admin/db 544 + + + /contrib + security-admin/contrib + 544 + + / security-admin/scripts 
From 8e74e5abf780870b595ea4d7d4f248102e15311f Mon Sep 17 00:00:00 2001 From: Don Bosco Durai Date: Mon, 5 Oct 2015 16:11:04 -0700 Subject: [PATCH 135/202] RANGER-173: Utility scripts to create HDFS audit folders and policies (cherry-picked commit ed27cecb62fe4ec7f9855326b5a8d3632ca0a3c9) Signed-off-by: Velmurugan Periasamy --- ...reate_hdfs_folders_for_audit_non_secure.sh | 66 ++++++++++++++++++ .../create_hdfs_folders_for_audit_secure.sh | 67 +++++++++++++++++++ 2 files changed, 133 insertions(+) create mode 100755 security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_non_secure.sh create mode 100755 security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_secure.sh diff --git a/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_non_secure.sh b/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_non_secure.sh new file mode 100755 index 00000000000..eec3a08a359 --- /dev/null +++ b/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_non_secure.sh 
@@ -0,0 +1,66 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#Usage: Run this script as user hdfs.
+#Creating folders required for Apache Ranger auditing to HDFS.
+#Note 1: Use this script only for non-secure/kerberos environment
+#
+
+set -x
+hdfs dfs -mkdir -p /ranger/audit
+hdfs dfs -chown hdfs:hdfs /ranger/audit
+hdfs dfs -chmod 755 /ranger
+hdfs dfs -chmod 755 /ranger/audit
+
+hdfs dfs -mkdir -p /ranger/audit/hbaseMaster
+hdfs dfs -chown hbase:hbase /ranger/audit/hbaseMaster
+hdfs dfs -chmod -R 0700 /ranger/audit/hbaseMaster
+
+hdfs dfs -mkdir -p /ranger/audit/hbaseRegional
+hdfs dfs -chown hbase:hbase /ranger/audit/hbaseRegional
+hdfs dfs -chmod -R 0700 /ranger/audit/hbaseRegional
+
+hdfs dfs -mkdir -p /ranger/audit/hdfs
+hdfs dfs -chown hdfs:hdfs /ranger/audit/hdfs
+hdfs dfs -chmod -R 0700 /ranger/audit/hdfs
+
+hdfs dfs -mkdir -p /ranger/audit/hiveServer2
+hdfs dfs -chown hive:hive /ranger/audit/hiveServer2
+hdfs dfs -chmod -R 0700 /ranger/audit/hiveServer2
+
+hdfs dfs -mkdir -p /ranger/audit/kafka
+hdfs dfs -chown kafka:kafka /ranger/audit/kafka
+hdfs dfs -chmod -R 0700 /ranger/audit/kafka
+
+hdfs dfs -mkdir -p /ranger/audit/kms
+hdfs dfs -chown kms:kms /ranger/audit/kms
+hdfs dfs -chmod -R 0700 
/ranger/audit/kms
+
+hdfs dfs -mkdir -p /ranger/audit/knox
+hdfs dfs -chown knox:knox /ranger/audit/knox
+hdfs dfs -chmod -R 0700 /ranger/audit/knox
+
+hdfs dfs -mkdir -p /ranger/audit/solr
+hdfs dfs -chown solr:solr /ranger/audit/solr
+hdfs dfs -chmod -R 0700 /ranger/audit/solr
+
+hdfs dfs -mkdir -p /ranger/audit/storm
+hdfs dfs -chown storm:storm /ranger/audit/storm
+hdfs dfs -chmod -R 0700 /ranger/audit/storm
+
+hdfs dfs -mkdir -p /ranger/audit/yarn
+hdfs dfs -chown yarn:yarn /ranger/audit/yarn
+hdfs dfs -chmod -R 0700 /ranger/audit/yarn
diff --git a/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_secure.sh b/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_secure.sh
new file mode 100755
index 00000000000..b15beeef9a3
--- /dev/null
+++ b/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_secure.sh
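Review bot: The script traces with `set -x` but has no error handling, so a failed `hdfs dfs -mkdir` or `hdfs dfs -chown` is printed and then ignored, the following `hdfs dfs -chmod -R 0700` still runs, and the exit status reflects only the final yarn command; for a privileged script that lays down the ownership and 0700 modes isolating each service's audit directory, a failure should stop it rather than leave a half-configured tree behind. Changing the line to `set -ex` is the minimal fix, and because every mkdir uses `-p` re-runs stay idempotent under `-e`. The same gap is in the secure variant in the next hunk and remains in the follow-up commit's rewrite of this file below.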
@@ -0,0 +1,67 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#Usage: Run this script as user hdfs.
+#Creating folders required for Apache Ranger auditing to HDFS.
+#Note 1: Use this script only for non-secure/kerberos environment
+#
+
+set -x
+hdfs dfs -mkdir -p /ranger/audit
+hdfs dfs -chown hdfs:hdfs /ranger/audit
+hdfs dfs -chmod 755 /ranger
+hdfs dfs -chmod 755 /ranger/audit
+
+
+hdfs dfs -mkdir -p /ranger/audit/hbaseMaster
+hdfs dfs -chown hbase:hbase /ranger/audit/hbaseMaster
+hdfs dfs -chmod -R 0700 /ranger/audit/hbaseMaster
+
+hdfs dfs -mkdir -p /ranger/audit/hbaseRegional
+hdfs dfs -chown hbase:hbase /ranger/audit/hbaseRegional
+hdfs dfs -chmod -R 0700 /ranger/audit/hbaseRegional
+
+hdfs dfs -mkdir -p /ranger/audit/hdfs
+hdfs dfs -chown hdfs:hdfs /ranger/audit/hdfs
+hdfs dfs -chmod -R 0700 /ranger/audit/hdfs
+
+hdfs dfs -mkdir -p /ranger/audit/hiveServer2
+hdfs dfs -chown hive:hive /ranger/audit/hiveServer2
+hdfs dfs -chmod -R 0700 /ranger/audit/hiveServer2
+
+hdfs dfs -mkdir -p /ranger/audit/kafka
+hdfs dfs -chown kafka:kafka /ranger/audit/kafka
+hdfs dfs -chmod -R 0700 /ranger/audit/kafka
+
+hdfs dfs -mkdir -p /ranger/audit/kms
+hdfs dfs -chown HTTP:HTTP /ranger/audit/kms
+hdfs dfs -chmod -R 0700 
/ranger/audit/kms
+
+hdfs dfs -mkdir -p /ranger/audit/knox
+hdfs dfs -chown knox:knox /ranger/audit/knox
+hdfs dfs -chmod -R 0700 /ranger/audit/knox
+
+hdfs dfs -mkdir -p /ranger/audit/solr
+hdfs dfs -chown solr:solr /ranger/audit/solr
+hdfs dfs -chmod -R 0700 /ranger/audit/solr
+
+hdfs dfs -mkdir -p /ranger/audit/storm
+hdfs dfs -chown storm:storm /ranger/audit/storm
+hdfs dfs -chmod -R 0700 /ranger/audit/storm
+
+hdfs dfs -mkdir -p /ranger/audit/yarn
+hdfs dfs -chown yarn:yarn /ranger/audit/yarn
+hdfs dfs -chmod -R 0700 /ranger/audit/yarn
From f48ad91b84bee57ef083246d1f8c51fa4ffbb484 Mon Sep 17 00:00:00 2001 From: Don Bosco Durai Date: Mon, 5 Oct 2015 21:44:03 -0700 Subject: [PATCH 136/202] RANGER-173: Applied review feedback to use variables for user/group (cherry-picked commit 9cb055fc1a2f568f5b5fa9ab8ca0db43c56cf096) Signed-off-by: Velmurugan Periasamy --- ...reate_hdfs_folders_for_audit_non_secure.sh | 42 +++++++++++------- .../create_hdfs_folders_for_audit_secure.sh | 44 ++++++++++++------- 2 files changed, 55 insertions(+), 31 deletions(-)
diff --git a/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_non_secure.sh b/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_non_secure.sh
index eec3a08a359..ade46a7e3f1 100755
--- a/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_non_secure.sh
+++ b/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_non_secure.sh
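Review bot: The header of create_hdfs_folders_for_audit_secure.sh still says `#Note 1: Use this script only for non-secure/kerberos environment`, copied from the non-secure variant, although this is the secure script and its only functional difference is `hdfs dfs -chown HTTP:HTTP /ranger/audit/kms`. Replace it with a comment that states the Kerberos case and explains the different owner, e.g. `#Note 1: Use this script only for kerberos environments; the kms audit folder is owned by HTTP:HTTP — confirm this matches the principal your Ranger KMS writes audit logs as`, so an operator does not pick the wrong script or wonder why that one directory differs.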
@@ -14,53 +14,65 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-#Usage: Run this script as user hdfs.
-#Creating folders required for Apache Ranger auditing to HDFS.
-#Note 1: Use this script only for non-secure/kerberos environment
-#
+#Usage: Run this script as user hdfs or the HDFS admin user.
+#This script creates the folders in HDFS required by Apache Ranger for writing Audit records
+#Note 1: Use this script only for non-kerberos environment. In non-kerberos environment, Ranger KMS writes the audit logs as user "kms"
+#Note 2: Please update the below variables according to your environment
+
+HBASE_USER_GROUP=hbase:hbase
+HDFS_USER_GROUP=hdfs:hdfs
+HIVE_USER_GROUP=hive:hive
+KAFKA_USER_GROUP=kafka:kafka
+KMS_USER_GROUP=kms:kms
+KNOX_USER_GROUP=knox:knox
+SOLR_USER_GROUP=solr:solr
+STORM_USER_GROUP=storm:storm
+YARN_USER_GROUP=yarn:yarn
 
 set -x
+#Create parent folder with rx permission
 hdfs dfs -mkdir -p /ranger/audit
-hdfs dfs -chown hdfs:hdfs /ranger/audit
+hdfs dfs -chown $HDFS_USER_GROUP /ranger/audit
 hdfs dfs -chmod 755 /ranger
 hdfs dfs -chmod 755 /ranger/audit
 
 hdfs dfs -mkdir -p /ranger/audit/hbaseMaster
-hdfs dfs -chown hbase:hbase /ranger/audit/hbaseMaster
+hdfs dfs -chown $HBASE_USER_GROUP /ranger/audit/hbaseMaster
 hdfs dfs -chmod -R 0700 /ranger/audit/hbaseMaster
 
 hdfs dfs -mkdir -p /ranger/audit/hbaseRegional
-hdfs dfs -chown hbase:hbase /ranger/audit/hbaseRegional
+hdfs dfs -chown $HBASE_USER_GROUP /ranger/audit/hbaseRegional
 hdfs dfs -chmod -R 0700 /ranger/audit/hbaseRegional
 
 hdfs dfs -mkdir -p /ranger/audit/hdfs
-hdfs dfs -chown hdfs:hdfs /ranger/audit/hdfs
+hdfs dfs -chown $HDFS_USER_GROUP /ranger/audit/hdfs
 hdfs dfs -chmod -R 0700 /ranger/audit/hdfs
 
 hdfs dfs -mkdir -p /ranger/audit/hiveServer2
-hdfs dfs -chown hive:hive /ranger/audit/hiveServer2
+hdfs dfs -chown $HIVE_USER_GROUP /ranger/audit/hiveServer2
 hdfs dfs -chmod -R 0700 /ranger/audit/hiveServer2
 
 hdfs dfs -mkdir -p /ranger/audit/kafka
-hdfs dfs -chown kafka:kafka /ranger/audit/kafka
+hdfs dfs -chown $KAFKA_USER_GROUP /ranger/audit/kafka
 hdfs dfs -chmod -R 0700 /ranger/audit/kafka
 
 hdfs dfs -mkdir -p /ranger/audit/kms
-hdfs dfs -chown kms:kms /ranger/audit/kms
+hdfs dfs -chown $KMS_USER_GROUP /ranger/audit/kms
 hdfs dfs -chmod -R 0700 /ranger/audit/kms
 
 hdfs dfs -mkdir -p /ranger/audit/knox
-hdfs dfs -chown knox:knox /ranger/audit/knox
+hdfs dfs -chown $KNOX_USER_GROUP /ranger/audit/knox
 hdfs dfs -chmod -R 0700 /ranger/audit/knox
 
 hdfs dfs -mkdir -p /ranger/audit/solr
-hdfs dfs -chown solr:solr /ranger/audit/solr
+hdfs dfs -chown $SOLR_USER_GROUP /ranger/audit/solr
 hdfs dfs -chmod -R 0700 /ranger/audit/solr
 
 hdfs dfs -mkdir -p /ranger/audit/storm
-hdfs dfs -chown storm:storm /ranger/audit/storm
+hdfs dfs -chown $STORM_USER_GROUP /ranger/audit/storm
 hdfs dfs -chmod -R 0700 /ranger/audit/storm
 
 hdfs dfs -mkdir -p /ranger/audit/yarn
-hdfs dfs -chown yarn:yarn /ranger/audit/yarn
+hdfs dfs -chown $YARN_USER_GROUP /ranger/audit/yarn
 hdfs dfs -chmod -R 0700 /ranger/audit/yarn
+
diff --git a/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_secure.sh b/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_secure.sh
index b15beeef9a3..12a4c93f6df 100755
--- a/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_secure.sh
+++ b/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_secure.sh
@@ -14,54 +14,66 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-#Usage: Run this script as user hdfs.
-#Creating folders required for Apache Ranger auditing to HDFS.
-#Note 1: Use this script only for non-secure/kerberos environment
-#
+#Usage: Run this script as user hdfs or the HDFS admin user.
+#This script creates the folders in HDFS required by Apache Ranger for writing Audit records
+#Note 1: Use this script only for non-kerberos environment. In non-kerberos environment, Ranger KMS writes the audit logs as user "HTTP"
+#Note 2: Please update the below variables according to your environment
+
+HBASE_USER_GROUP=hbase:hbase
+HDFS_USER_GROUP=hdfs:hdfs
+HIVE_USER_GROUP=hive:hive
+KAFKA_USER_GROUP=kafka:kafka
+KMS_USER_GROUP=HTTP:HTTP
+KNOX_USER_GROUP=knox:knox
+SOLR_USER_GROUP=solr:solr
+STORM_USER_GROUP=storm:storm
+YARN_USER_GROUP=yarn:yarn
 
 set -x
+
+#Create parent folder with rx permission
 hdfs dfs -mkdir -p /ranger/audit
-hdfs dfs -chown hdfs:hdfs /ranger/audit
+hdfs dfs -chown $HDFS_USER_GROUP /ranger/audit
 hdfs dfs -chmod 755 /ranger
 hdfs dfs -chmod 755 /ranger/audit
 
-
 hdfs dfs -mkdir -p /ranger/audit/hbaseMaster
-hdfs dfs -chown hbase:hbase /ranger/audit/hbaseMaster
+hdfs dfs -chown $HBASE_USER_GROUP /ranger/audit/hbaseMaster
 hdfs dfs -chmod -R 0700 /ranger/audit/hbaseMaster
 
 hdfs dfs -mkdir -p /ranger/audit/hbaseRegional
-hdfs dfs -chown hbase:hbase /ranger/audit/hbaseRegional
+hdfs dfs -chown $HBASE_USER_GROUP /ranger/audit/hbaseRegional
 hdfs dfs -chmod -R 0700 /ranger/audit/hbaseRegional
 
 hdfs dfs -mkdir -p /ranger/audit/hdfs
-hdfs dfs -chown hdfs:hdfs /ranger/audit/hdfs
+hdfs dfs -chown $HDFS_USER_GROUP /ranger/audit/hdfs
 hdfs dfs -chmod -R 0700 /ranger/audit/hdfs
 
 hdfs dfs -mkdir -p /ranger/audit/hiveServer2
-hdfs dfs -chown hive:hive /ranger/audit/hiveServer2
+hdfs dfs -chown $HIVE_USER_GROUP /ranger/audit/hiveServer2
 hdfs dfs -chmod -R 0700 /ranger/audit/hiveServer2
 
 hdfs dfs -mkdir -p /ranger/audit/kafka
-hdfs dfs -chown kafka:kafka /ranger/audit/kafka
+hdfs dfs -chown $KAFKA_USER_GROUP /ranger/audit/kafka
 hdfs dfs -chmod -R 0700 /ranger/audit/kafka
 
 hdfs dfs -mkdir -p /ranger/audit/kms
-hdfs dfs -chown HTTP:HTTP /ranger/audit/kms
+hdfs dfs -chown $KMS_USER_GROUP /ranger/audit/kms
 hdfs dfs -chmod -R 0700 /ranger/audit/kms
 
 hdfs dfs -mkdir -p /ranger/audit/knox
-hdfs dfs -chown knox:knox /ranger/audit/knox
+hdfs dfs -chown $KNOX_USER_GROUP /ranger/audit/knox
 hdfs dfs -chmod -R 0700 /ranger/audit/knox
 
 hdfs dfs -mkdir -p /ranger/audit/solr
-hdfs dfs -chown solr:solr /ranger/audit/solr
+hdfs dfs -chown $SOLR_USER_GROUP /ranger/audit/solr
 hdfs dfs -chmod -R 0700 /ranger/audit/solr
 
 hdfs dfs -mkdir -p /ranger/audit/storm
-hdfs dfs -chown storm:storm /ranger/audit/storm
+hdfs dfs -chown $STORM_USER_GROUP /ranger/audit/storm
 hdfs dfs -chmod -R 0700 /ranger/audit/storm
 
 hdfs dfs -mkdir -p /ranger/audit/yarn
-hdfs dfs -chown yarn:yarn /ranger/audit/yarn
+hdfs dfs -chown $YARN_USER_GROUP /ranger/audit/yarn
 hdfs dfs -chmod -R 0700 /ranger/audit/yarn
+
From 262da5a45405927a0b2ace9d0bab283aaa947529 Mon Sep 17 00:00:00 2001 From: Don Bosco Durai Date: Wed, 9 Dec 2015 16:23:11 -0800 Subject: [PATCH 137/202] RANGER-728: Update Solr script to resolve issues with ZK and creating collection (cherry-picked commit 269617d5dbf13fcbf9600efca72bc5a803f49a92)
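Review bot: The header added to the secure script says "Use this script only for non-kerberos environment. In non-kerberos environment, Ranger KMS writes the audit logs as user "HTTP"", while the same hunk sets `KMS_USER_GROUP=HTTP:HTTP`, which is the Kerberos-mode owner; the sentence appears to have been copied from the non-secure script with only the user name changed. Note 1 is the only thing that tells an operator which of the two scripts to run, so the contradiction can lead to the wrong one being used and `/ranger/audit/kms` ending up owned by a principal that cannot write to it. Suggested wording: `#Note 1: Use this script only for kerberos environment. In kerberos environment, Ranger KMS writes the audit logs as user "HTTP"`.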
Signed-off-by: Velmurugan Periasamy --- .../create_hdfs_folders_for_audit_secure.sh | 4 +- .../solr_for_audit_setup/conf/managed-schema | 92 + .../solr_for_audit_setup/conf/schema.xml | 118 -- .../solr_for_audit_setup/conf/solrconfig.xml | 13 + .../conf/solrconfig.xml.j2 | 1878 +++++++++++++++++ .../solr_for_audit_setup/install.properties | 3 + ...roperties.template => log4j.properties.j2} | 5 +- .../contrib/solr_for_audit_setup/setup.sh | 31 +- ...ate => add_ranger_audits_conf_to_zk.sh.j2} | 10 +- ... => create_ranger_audits_collection.sh.j2} | 12 +- .../solr_cloud/scripts/solr.in.sh.j2 | 116 + .../solr_cloud/scripts/solr.sh.j2 | 21 + .../scripts/start_solr.sh.j2} | 13 +- .../scripts/stop_solr.sh.j2} | 17 +- .../{solr.xml.template => solr.xml.j2} | 2 +- ...properties.template => core.properties.j2} | 2 +- .../solr_standalone/scripts/solr.in.sh.j2 | 116 + .../solr_standalone/scripts/solr.sh.j2 | 21 + .../scripts/start_solr.sh.j2} | 12 +- .../scripts/stop_solr.sh.j2} | 18 +- 20 files changed, 2318 insertions(+), 186 deletions(-) create mode 100644 security-admin/contrib/solr_for_audit_setup/conf/managed-schema delete mode 100644 security-admin/contrib/solr_for_audit_setup/conf/schema.xml create mode 100644 security-admin/contrib/solr_for_audit_setup/conf/solrconfig.xml.j2 rename security-admin/contrib/solr_for_audit_setup/resources/{log4j.properties.template => log4j.properties.j2} (95%) rename security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/{add_ranger_audits_conf_to_zk.sh.template => add_ranger_audits_conf_to_zk.sh.j2} (92%) rename security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/{create_ranger_audits_collection.sh.template => create_ranger_audits_collection.sh.j2} (84%) create mode 100755 security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/solr.in.sh.j2 create mode 100755 security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/solr.sh.j2 rename 
security-admin/contrib/solr_for_audit_setup/{solr_standalone/scripts/stop_solr.sh.template => solr_cloud/scripts/start_solr.sh.j2} (83%) rename security-admin/contrib/solr_for_audit_setup/{solr_standalone/scripts/start_solr.sh.template => solr_cloud/scripts/stop_solr.sh.j2} (69%) rename security-admin/contrib/solr_for_audit_setup/solr_cloud/{solr.xml.template => solr.xml.j2} (94%) rename security-admin/contrib/solr_for_audit_setup/solr_standalone/ranger_audits/{core.properties.template => core.properties.j2} (95%) create mode 100755 security-admin/contrib/solr_for_audit_setup/solr_standalone/scripts/solr.in.sh.j2 create mode 100755 security-admin/contrib/solr_for_audit_setup/solr_standalone/scripts/solr.sh.j2 rename security-admin/contrib/solr_for_audit_setup/{solr_cloud/scripts/stop_solr.sh.template => solr_standalone/scripts/start_solr.sh.j2} (84%) rename security-admin/contrib/solr_for_audit_setup/{solr_cloud/scripts/start_solr.sh.template => solr_standalone/scripts/stop_solr.sh.j2} (67%) diff --git a/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_secure.sh b/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_secure.sh index 12a4c93f6df..9a5bdd55b0e 100755 --- a/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_secure.sh +++ b/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_secure.sh 
@@ -14,9 +14,9 @@ # See the License for the specific language governing permissions and # limitations under the License. -#Usage: Run this script as user hdfs or the HDFS admin user. +#Usage: Use this script in kerberos enabled hadoop only. Run this script after kinit'ing as hdfs user #This script creates the folders in HDFS required by Apache Ranger for writing Audit records -#Note 1: Use this script only for non-kerberos environment. In non-kerberos environment, Ranger KMS writes the audit logs as user "HTTP" +#Note 1: Use this script only for kerberos environment. In kerberos environment, Ranger KMS writes the audit logs as user "HTTP" #Note 2: Please update the below variables according to your environment HBASE_USER_GROUP=hbase:hbase diff --git a/security-admin/contrib/solr_for_audit_setup/conf/managed-schema b/security-admin/contrib/solr_for_audit_setup/conf/managed-schema new file mode 100644 index 00000000000..7b9769a21b2 --- /dev/null +++ b/security-admin/contrib/solr_for_audit_setup/conf/managed-schema @@ -0,0 +1,92 @@ + + + + id + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/security-admin/contrib/solr_for_audit_setup/conf/schema.xml b/security-admin/contrib/solr_for_audit_setup/conf/schema.xml deleted file mode 100644 index df569741ec0..00000000000 --- a/security-admin/contrib/solr_for_audit_setup/conf/schema.xml +++ /dev/null @@ -1,118 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - id - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/security-admin/contrib/solr_for_audit_setup/conf/solrconfig.xml b/security-admin/contrib/solr_for_audit_setup/conf/solrconfig.xml index 0991eba25f0..7e71f9ac754 100644 --- a/security-admin/contrib/solr_for_audit_setup/conf/solrconfig.xml 
+++ b/security-admin/contrib/solr_for_audit_setup/conf/solrconfig.xml @@ -1642,6 +1642,19 @@ See http://wiki.apache.org/solr/GuessingFieldTypes --> + + _ttl_ + +1095DAYS + + + 300 + _ttl_ + _expire_at_ + + + _expire_at_ + + diff --git a/security-admin/contrib/solr_for_audit_setup/conf/solrconfig.xml.j2 b/security-admin/contrib/solr_for_audit_setup/conf/solrconfig.xml.j2 new file mode 100644 index 00000000000..b6017f3788c --- /dev/null +++ b/security-admin/contrib/solr_for_audit_setup/conf/solrconfig.xml.j2 
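Review bot: The retention period is hard-coded as `+1095DAYS` in conf/solrconfig.xml, while the same commit adds conf/solrconfig.xml.j2 with `+{{MAX_AUDIT_RETENTION_DAYS}}DAYS` and setup.sh renders that template over the copied solrconfig.xml, so the value in the plain file never takes effect in a scripted install and the two copies will drift. The element names are not visible in this rendering, so this is inferred from the values alone. If the plain file is kept for manual installs, a comment next to the value such as `<!-- overridden by MAX_AUDIT_RETENTION_DAYS in install.properties when setup.sh is used -->` would make the relationship clear; otherwise the plain copy could be dropped in favour of the template.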
@@ -0,0 +1,1878 @@ + + + + + + + + + 5.0.0 + + + + + + + + + + + + + + + + + + + + + + + ${solr.data.dir:} + + + + + + + + + ${solr.hdfs.home:} + + ${solr.hdfs.confdir:} + + ${solr.hdfs.blockcache.enabled:true} + + ${solr.hdfs.blockcache.global:true} + + + + + + + + + + true + managed-schema + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ${solr.lock.type:native} + + + + + + + + + + + + + + + + true + + + + + + + + + + + + + + + + ${solr.ulog.dir:} + + + + + ${solr.autoCommit.maxTime:15000} + false + + + + + + ${solr.autoSoftCommit.maxTime:5000} + + + + + + + + + + + + + + + + 1024 + + + + + + + + + + + + + + + + + + + + + + + + + true + + + + + + 20 + + + 200 + + + + + + + + + + + + static firstSearcher warming in solrconfig.xml + + + + + + false + + + 2 + + + + + + + + + + + + + + + + + + + + + + solr-data-config.xml + + + + + + + + explicit + 10 + text + + + + + + + + + + + + + + explicit + json + true + text + + + + + + + + true + json + true + + + + + + + + explicit + + + velocity + browse + layout + + + edismax + *:* + 10 + *,score + + + on + 1 + + + + + + + text + add-unknown-fields-to-the-schema + + + + + + + + + + + + + true + ignored_ + + + true + links + ignored_ + + + + + + + + + + + + + + + + + + + + + + + + solrpingquery + + + all + + + + + + + + + explicit + true + + + + + + + + + + + + + + + + text_general + + + + + + default + text + solr.DirectSolrSpellChecker + + internal + + 0.5 + + 2 + + 1 + + 5 + + 4 + + 0.01 + + + + + + wordbreak + solr.WordBreakSolrSpellChecker + name + true + true + 10 + + + + + + + + + + + + + + + + text + + default + wordbreak + on + true + 10 + 5 + 5 + true + true + 10 + 5 + + + spellcheck + + + + + + mySuggester + FuzzyLookupFactory + DocumentDictionaryFactory + cat + price + string + + + + + + true + 10 + + + suggest + + + + + + + + + text + true + + + tvComponent + + + + + + + lingo + + + org.carrot2.clustering.lingo.LingoClusteringAlgorithm + + + clustering/carrot2 + + + + + stc + 
org.carrot2.clustering.stc.STCClusteringAlgorithm + + + + + kmeans + org.carrot2.clustering.kmeans.BisectingKMeansClusteringAlgorithm + + + + + + + true + true + + name + + id + + features + + true + + + + false + + + edismax + + text^0.5 features^1.0 name^1.2 sku^1.5 id^10.0 manu^1.1 cat^1.4 + + *:* + 10 + *,score + + + clustering + + + + + + + + + + true + false + + + terms + + + + + + + + string + elevate.xml + + + + + + explicit + text + + + elevator + + + + + + + + + + + 100 + + + + + + + + 70 + + 0.5 + + [-\w ,/\n\"']{20,200} + + + + + + + ]]> + ]]> + + + + + + + + + + + + + + + + + + + + + + + + ,, + ,, + ,, + ,, + ,]]> + ]]> + + + + + + 10 + .,!? + + + + + + + WORD + + + en + US + + + + + + + + + + + _ttl_ + +{{MAX_AUDIT_RETENTION_DAYS}}DAYS + + + 300 + _ttl_ + _expire_at_ + + + _expire_at_ + + + + + + + + + yyyy-MM-dd'T'HH:mm:ss.SSSZ + yyyy-MM-dd'T'HH:mm:ss,SSSZ + yyyy-MM-dd'T'HH:mm:ss.SSS + yyyy-MM-dd'T'HH:mm:ss,SSS + yyyy-MM-dd'T'HH:mm:ssZ + yyyy-MM-dd'T'HH:mm:ss + yyyy-MM-dd'T'HH:mmZ + yyyy-MM-dd'T'HH:mm + yyyy-MM-dd HH:mm:ss.SSSZ + yyyy-MM-dd HH:mm:ss,SSSZ + yyyy-MM-dd HH:mm:ss.SSS + yyyy-MM-dd HH:mm:ss,SSS + yyyy-MM-dd HH:mm:ssZ + yyyy-MM-dd HH:mm:ss + yyyy-MM-dd HH:mmZ + yyyy-MM-dd HH:mm + yyyy-MM-dd + + + + text_general + + java.lang.Boolean + booleans + + + java.util.Date + tdates + + + java.lang.Long + java.lang.Integer + tlongs + + + java.lang.Number + tdoubles + + + + + + + + + + + + + + + + + + + + + + + text/plain; charset=UTF-8 + + + + + ${velocity.template.base.dir:} + + + + + 5 + + + + + + + + + + + + + + + + + + *:* + + + diff --git a/security-admin/contrib/solr_for_audit_setup/install.properties b/security-admin/contrib/solr_for_audit_setup/install.properties index 92ec1e6f84b..bed980bc9e3 100644 --- a/security-admin/contrib/solr_for_audit_setup/install.properties +++ b/security-admin/contrib/solr_for_audit_setup/install.properties 
@@ -26,6 +26,9 @@
 #The operating system (linux) user used by Solr process. You need to run Solr as the below user
 SOLR_USER=solr
 
+#How long to keep the audit logs. Default is 3 years (1095 days)
+MAX_AUDIT_RETENTION_DAYS=1095
+
 #If you want this script to isntall Solr, set the value to true. If it is already installed, then set this to false
 #If it is true, then it will download and install it.
 #NOTE: If you want the script to install Solr, then this script needs to be executed as root.
diff --git a/security-admin/contrib/solr_for_audit_setup/resources/log4j.properties.template b/security-admin/contrib/solr_for_audit_setup/resources/log4j.properties.j2
similarity index 95%
rename from security-admin/contrib/solr_for_audit_setup/resources/log4j.properties.template
rename to security-admin/contrib/solr_for_audit_setup/resources/log4j.properties.j2
index 61b25ff90ea..67ad656eee1 100644
--- a/security-admin/contrib/solr_for_audit_setup/resources/log4j.properties.template
+++ b/security-admin/contrib/solr_for_audit_setup/resources/log4j.properties.j2
@@ -14,8 +14,9 @@
 # limitations under the License.
 
 # Logging level
-solr.log=__SOLR_LOG_FOLDER__
-log4j.rootLogger=INFO, file, CONSOLE
+solr.log={{SOLR_LOG_FOLDER}}
+#log4j.rootLogger=INFO, file, CONSOLE
+log4j.rootLogger=INFO, file
 
 log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
diff --git a/security-admin/contrib/solr_for_audit_setup/setup.sh b/security-admin/contrib/solr_for_audit_setup/setup.sh
index 11d55010332..ddf28d6326c 100755
--- a/security-admin/contrib/solr_for_audit_setup/setup.sh
+++ b/security-admin/contrib/solr_for_audit_setup/setup.sh
@@ -16,7 +16,6 @@
 #This script downloads Solr (optional) and sets up Solr for Ranger Audit Server
 
 curr_dir=`pwd`
-
 . ./install.properties
 
 #Current timestamp
@@ -259,30 +258,36 @@ if [ "$SOLR_DEPLOYMENT" = "standalone" ]; then
 cp -r solr_standalone/* $SOLR_RANGER_HOME
 mkdir -p $SOLR_RANGER_HOME/${SOLR_RANGER_COLLECTION}/conf
 cp -r conf/* $SOLR_RANGER_HOME/${SOLR_RANGER_COLLECTION}/conf
- sed "s#__RANGER_AUDITS_DATA_FOLDER__#$SOLR_RANGER_DATA_FOLDER#g" $SOLR_RANGER_HOME/${SOLR_RANGER_COLLECTION}/core.properties.template > $SOLR_RANGER_HOME/${SOLR_RANGER_COLLECTION}/core.properties
- sed -e "s#__JAVA_HOME__#$JAVA_HOME#g" -e "s#__SOLR_USER__#$SOLR_USER#g" -e "s#__SOLR_MAX_MEM__#$SOLR_MAX_MEM#g" -e "s#__SOLR_INSTALL_DIR__#$SOLR_INSTALL_FOLDER#g" -e "s#__SOLR_RANGER_HOME__#$SOLR_RANGER_HOME#g" -e "s#__SOLR_PORT__#$SOLR_RANGER_PORT#g" -e "s#__SOLR_LOG_FOLDER__#$SOLR_LOG_FOLDER#g" $SOLR_RANGER_HOME/scripts/start_solr.sh.template > $SOLR_RANGER_HOME/scripts/start_solr.sh
+ sed -e "s#{{MAX_AUDIT_RETENTION_DAYS}}#$MAX_AUDIT_RETENTION_DAYS#g" $SOLR_RANGER_HOME/${SOLR_RANGER_COLLECTION}/conf/solrconfig.xml.j2 > $SOLR_RANGER_HOME/${SOLR_RANGER_COLLECTION}/conf/solrconfig.xml
+ sed "s#{{RANGER_AUDITS_DATA_FOLDER}}#$SOLR_RANGER_DATA_FOLDER#g" $SOLR_RANGER_HOME/${SOLR_RANGER_COLLECTION}/core.properties.j2 > $SOLR_RANGER_HOME/${SOLR_RANGER_COLLECTION}/core.properties
+ sed -e "s#{{JAVA_HOME}}#$JAVA_HOME#g" -e "s#{{SOLR_USER}}#$SOLR_USER#g" -e "s#{{SOLR_MAX_MEM}}#$SOLR_MAX_MEM#g" -e "s#{{SOLR_INSTALL_DIR}}#$SOLR_INSTALL_FOLDER#g" -e "s#{{SOLR_RANGER_HOME}}#$SOLR_RANGER_HOME#g" -e "s#{{SOLR_PORT}}#$SOLR_RANGER_PORT#g" -e "s#{{SOLR_LOG_FOLDER}}#$SOLR_LOG_FOLDER#g" $SOLR_RANGER_HOME/scripts/solr.in.sh.j2 > $SOLR_RANGER_HOME/scripts/solr.in.sh
+
 else
- echo "`date`|INFO|Configuring SolrCloud instance"
 cp -r solr_cloud/* $SOLR_RANGER_HOME
 mkdir -p $SOLR_RANGER_HOME/conf
 cp -r conf/* $SOLR_RANGER_HOME/conf
 #Get the first ZooKeeper host:port/path
- FIRST_SOLR_ZK=$(IFS="," ; set -- $SOLR_ZK ; echo $1)
+ #FIRST_SOLR_ZK=$(IFS="," ; set -- $SOLR_ZK ; echo $1)
+ FIRST_SOLR_ZK=$SOLR_ZK
- sed -e "s#__JAVA_HOME__#$JAVA_HOME#g" -e "s#__SOLR_USER__#$SOLR_USER#g" -e "s#__SOLR_MAX_MEM__#$SOLR_MAX_MEM#g" -e "s#__SOLR_INSTALL_DIR__#$SOLR_INSTALL_FOLDER#g" -e "s#__SOLR_RANGER_HOME__#$SOLR_RANGER_HOME#g" -e "s#__SOLR_PORT__#$SOLR_RANGER_PORT#g" -e "s#__SOLR_ZK__#$SOLR_ZK#g" -e "s#__SOLR_LOG_FOLDER__#$SOLR_LOG_FOLDER#g" $SOLR_RANGER_HOME/scripts/start_solr.sh.template > $SOLR_RANGER_HOME/scripts/start_solr.sh
+ sed -e "s#{{MAX_AUDIT_RETENTION_DAYS}}#$MAX_AUDIT_RETENTION_DAYS#g" $SOLR_RANGER_HOME/conf/solrconfig.xml.j2 > $SOLR_RANGER_HOME/conf/solrconfig.xml
+
+ sed -e "s#{{JAVA_HOME}}#$JAVA_HOME#g" -e "s#{{SOLR_USER}}#$SOLR_USER#g" -e "s#{{SOLR_MAX_MEM}}#$SOLR_MAX_MEM#g" -e "s#{{SOLR_INSTALL_DIR}}#$SOLR_INSTALL_FOLDER#g" -e "s#{{SOLR_RANGER_HOME}}#$SOLR_RANGER_HOME#g" -e "s#{{SOLR_PORT}}#$SOLR_RANGER_PORT#g" -e "s#{{SOLR_ZK}}#$SOLR_ZK#g" -e "s#{{SOLR_LOG_FOLDER}}#$SOLR_LOG_FOLDER#g" $SOLR_RANGER_HOME/scripts/solr.in.sh.j2 > $SOLR_RANGER_HOME/scripts/solr.in.sh
+
+ sed -e "s#{{JAVA_HOME}}#$JAVA_HOME#g" -e "s#{{SOLR_USER}}#$SOLR_USER#g" -e "s#{{SOLR_INSTALL_DIR}}#$SOLR_INSTALL_FOLDER#g" -e "s#{{SOLR_RANGER_HOME}}#$SOLR_RANGER_HOME#g" -e "s#{{SOLR_ZK}}#$FIRST_SOLR_ZK#g" $SOLR_RANGER_HOME/scripts/add_ranger_audits_conf_to_zk.sh.j2 > $SOLR_RANGER_HOME/scripts/add_ranger_audits_conf_to_zk.sh
+ sed -e "s#{{JAVA_HOME}}#$JAVA_HOME#g" -e "s#{{SOLR_INSTALL_DIR}}#$SOLR_INSTALL_FOLDER#g" -e "s#{{SOLR_ZK}}#$SOLR_ZK#g" -e "s#{{SOLR_HOST_URL}}#$SOLR_HOST_URL#g" -e "s#{{SOLR_SHARDS}}#$SOLR_SHARDS#g" -e "s#{{SOLR_REPLICATION}}#$SOLR_REPLICATION#g" $SOLR_RANGER_HOME/scripts/create_ranger_audits_collection.sh.j2 > $SOLR_RANGER_HOME/scripts/create_ranger_audits_collection.sh
+ sed -e "s#{{SOLR_PORT}}#$SOLR_RANGER_PORT#g" $SOLR_RANGER_HOME/solr.xml.j2 > $SOLR_RANGER_HOME/solr.xml
- sed -e "s#__JAVA_HOME__#$JAVA_HOME#g" -e "s#__SOLR_USER__#$SOLR_USER#g" -e "s#__SOLR_INSTALL_DIR__#$SOLR_INSTALL_FOLDER#g" -e "s#__SOLR_RANGER_HOME__#$SOLR_RANGER_HOME#g" -e "s#__SOLR_ZK__#$FIRST_SOLR_ZK#g" $SOLR_RANGER_HOME/scripts/add_ranger_audits_conf_to_zk.sh.template > $SOLR_RANGER_HOME/scripts/add_ranger_audits_conf_to_zk.sh
- sed -e "s#__JAVA_HOME__#$JAVA_HOME#g" -e "s#__SOLR_INSTALL_DIR__#$SOLR_INSTALL_FOLDER#g" -e "s#__SOLR_ZK__#$SOLR_ZK#g" -e "s#__SOLR_HOST_URL__#$SOLR_HOST_URL#g" -e "s#__SOLR_SHARDS__#$SOLR_SHARDS#g" -e "s#__SOLR_REPLICATION__#$SOLR_REPLICATION#g" $SOLR_RANGER_HOME/scripts/create_ranger_audits_collection.sh.template > $SOLR_RANGER_HOME/scripts/create_ranger_audits_collection.sh
- sed -e "s#__SOLR_PORT__#$SOLR_RANGER_PORT#g" $SOLR_RANGER_HOME/solr.xml.template > $SOLR_RANGER_HOME/solr.xml
 fi
 
 #Common overrides
-sed -e "s#__JAVA_HOME__#$JAVA_HOME#g" -e "s#__SOLR_USER__#$SOLR_USER#g" -e "s#__SOLR_INSTALL_DIR__#$SOLR_INSTALL_FOLDER#g" -e "s#__SOLR_PORT__#$SOLR_RANGER_PORT#g" -e "s#__SOLR_LOG_FOLDER__#$SOLR_LOG_FOLDER#g" $SOLR_RANGER_HOME/scripts/stop_solr.sh.template > $SOLR_RANGER_HOME/scripts/stop_solr.sh
-sed -e "s#__SOLR_LOG_FOLDER__#$SOLR_LOG_FOLDER#g" $SOLR_RANGER_HOME/resources/log4j.properties.template > $SOLR_RANGER_HOME/resources/log4j.properties
-
+sed -e "s#{{JAVA_HOME}}#$JAVA_HOME#g" -e "s#{{SOLR_INSTALL_DIR}}#$SOLR_INSTALL_FOLDER#g" -e "s#{{SOLR_PORT}}#$SOLR_RANGER_PORT#g" -e "s#{{SOLR_USER}}#$SOLR_USER#g" -e "s#{{SOLR_LOG_FOLDER}}#$SOLR_LOG_FOLDER#g" -e "s#{{SOLR_RANGER_HOME}}#$SOLR_RANGER_HOME#g" $SOLR_RANGER_HOME/scripts/stop_solr.sh.j2 > $SOLR_RANGER_HOME/scripts/stop_solr.sh
+sed -e "s#{{SOLR_LOG_FOLDER}}#$SOLR_LOG_FOLDER#g" $SOLR_RANGER_HOME/resources/log4j.properties.j2 > $SOLR_RANGER_HOME/resources/log4j.properties
+sed -e "s#{{JAVA_HOME}}#$JAVA_HOME#g" -e "s#{{SOLR_USER}}#$SOLR_USER#g" -e "s#{{SOLR_ZK}}#$SOLR_ZK#g" -e "s#{{SOLR_INSTALL_DIR}}#$SOLR_INSTALL_FOLDER#g" -e "s#{{SOLR_RANGER_HOME}}#$SOLR_RANGER_HOME#g" -e "s#{{SOLR_PORT}}#$SOLR_RANGER_PORT#g" $SOLR_RANGER_HOME/scripts/solr.sh.j2 > $SOLR_RANGER_HOME/scripts/solr.sh
+sed -e "s#{{SOLR_USER}}#$SOLR_USER#g" -e "s#{{SOLR_INSTALL_DIR}}#$SOLR_INSTALL_FOLDER#g" -e "s#{{SOLR_RANGER_HOME}}#$SOLR_RANGER_HOME#g" $SOLR_RANGER_HOME/scripts/start_solr.sh.j2 > $SOLR_RANGER_HOME/scripts/start_solr.sh
 
 #Let's make all ownership is given to $SOLR_USER
 if [ $is_root -eq 1 ]; then
@@ -341,7 +346,7 @@ EOF
 if [ "$SOLR_REPLICATION" != "1" ]; then
 cat >> $SOLR_INSTALL_NOTES <&1 > /dev/null if [ $? -ne 0 ]; then
- echo "curl is not fould. Please install it for creating the collection"
+ echo "curl is not found. Please install it for creating the collection"
 exit 1
 fi
diff --git a/security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/solr.in.sh.j2 b/security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/solr.in.sh.j2
new file mode 100755
index 00000000000..3be0629eb7e
--- /dev/null
+++ b/security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/solr.in.sh.j2
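Review bot: `FIRST_SOLR_ZK=$SOLR_ZK` is added directly under the commented-out original `#FIRST_SOLR_ZK=$(IFS="," ; set -- $SOLR_ZK ; echo $1)`; the dead line should be deleted, and the comment above it, `#Get the first ZooKeeper host:port/path`, is now wrong since the whole connection string is passed through — presumably deliberate, so the comment should say why (e.g. `#Pass the full ZooKeeper ensemble string; zkcli accepts a comma-separated list`). The new `MAX_AUDIT_RETENTION_DAYS` is substituted into `+{{MAX_AUDIT_RETENTION_DAYS}}DAYS` with no check that it is a positive integer, so an empty or non-numeric value from install.properties yields a solrconfig.xml that Solr is likely to reject when the core or collection loads, well after setup.sh has reported success; a guard before the first sed such as `case "$MAX_AUDIT_RETENTION_DAYS" in ''|*[!0-9]*) echo "MAX_AUDIT_RETENTION_DAYS must be a positive integer"; exit 1;; esac` would catch it at install time. The enclosing if/else starts outside the hunk.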
@@ -0,0 +1,116 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# By default the script will use JAVA_HOME to determine which java
+# to use, but you can set a specific path for Solr to use without
+# affecting other Java applications on your server/workstation.
+SOLR_JAVA_HOME="{{JAVA_HOME}}"
+
+# Increase Java Heap as needed to support your indexing / query needs
+#SOLR_HEAP="512m"
+
+# Expert: If you want finer control over memory options, specify them directly
+# Comment out SOLR_HEAP if you are using this though, that takes precedence
+SOLR_JAVA_MEM="-Xms{{SOLR_MAX_MEM}} -Xmx{{SOLR_MAX_MEM}}"
+
+# Enable verbose GC logging
+GC_LOG_OPTS="-verbose:gc -XX:+PrintHeapAtGC -XX:+PrintGCDetails \
+-XX:+PrintGCDateStamps -XX:+PrintGCTimeStamps -XX:+PrintTenuringDistribution -XX:+PrintGCApplicationStoppedTime"
+
+# These GC settings have shown to work well for a number of common Solr workloads
+GC_TUNE="-XX:NewRatio=3 \
+-XX:SurvivorRatio=4 \
+-XX:TargetSurvivorRatio=90 \
+-XX:MaxTenuringThreshold=8 \
+-XX:+UseConcMarkSweepGC \
+-XX:+UseParNewGC \
+-XX:ConcGCThreads=4 -XX:ParallelGCThreads=4 \
+-XX:+CMSScavengeBeforeRemark \
+-XX:PretenureSizeThreshold=64m \
+-XX:+UseCMSInitiatingOccupancyOnly \
+-XX:CMSInitiatingOccupancyFraction=50 \
+-XX:CMSMaxAbortablePrecleanTime=6000 \
+-XX:+CMSParallelRemarkEnabled \
+-XX:+ParallelRefProcEnabled"
+
+# Set the ZooKeeper connection string if using an external ZooKeeper ensemble
+# e.g. host1:2181,host2:2181/chroot
+# Leave empty if not using SolrCloud
+ZK_HOST="{{SOLR_ZK}}"
+
+# Set the ZooKeeper client timeout (for SolrCloud mode)
+#ZK_CLIENT_TIMEOUT="15000"
+
+# By default the start script uses "localhost"; override the hostname here
+# for production SolrCloud environments to control the hostname exposed to cluster state
+#SOLR_HOST="192.168.1.1"
+
+# By default the start script uses UTC; override the timezone if needed
+#SOLR_TIMEZONE="UTC"
+
+# Set to true to activate the JMX RMI connector to allow remote JMX client applications
+# to monitor the JVM hosting Solr; set to "false" to disable that behavior
+# (false is recommended in production environments)
+ENABLE_REMOTE_JMX_OPTS="false"
+
+# The script will use SOLR_PORT+10000 for the RMI_PORT or you can set it here
+# RMI_PORT=18983
+
+# Anything you add to the SOLR_OPTS variable will be included in the java
+# start command line as-is, in ADDITION to other options. If you specify the
+# -a option on start script, those options will be appended as well. Examples:
+#SOLR_OPTS="$SOLR_OPTS -Dsolr.autoSoftCommit.maxTime=3000"
+#SOLR_OPTS="$SOLR_OPTS -Dsolr.autoCommit.maxTime=60000"
+#SOLR_OPTS="$SOLR_OPTS -Dsolr.clustering.enabled=true"
+
+# Location where the bin/solr script will save PID files for running instances
+# If not set, the script will create PID files in $SOLR_TIP/bin
+#SOLR_PID_DIR=
+
+# Path to a directory where Solr creates index files, the specified directory
+# must contain a solr.xml; by default, Solr will use server/solr
+SOLR_HOME={{SOLR_RANGER_HOME}}
+
+# Solr provides a default Log4J configuration properties file in server/resources
+# however, you may want to customize the log settings and file appender location
+# so you can point the script to use a different log4j.properties file
+LOG4J_PROPS=$SOLR_HOME/resources/log4j.properties
+
+# Location where Solr should write logs to; should agree with the file appender
+# settings in server/resources/log4j.properties
+SOLR_LOGS_DIR={{SOLR_LOG_FOLDER}}
+
+# Sets the port Solr binds to, default is 8983
+SOLR_PORT={{SOLR_PORT}}
+
+# Uncomment to set SSL-related system properties
+# Be sure to update the paths to the correct keystore for your environment
+#SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
+#SOLR_SSL_KEY_STORE_PASSWORD=secret
+#SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
+#SOLR_SSL_TRUST_STORE_PASSWORD=secret
+#SOLR_SSL_NEED_CLIENT_AUTH=false
+#SOLR_SSL_WANT_CLIENT_AUTH=false
+
+# Uncomment if you want to override previously defined SSL values for HTTP client
+# otherwise keep them commented and the above values will automatically be set for HTTP clients
+#SOLR_SSL_CLIENT_KEY_STORE=
+#SOLR_SSL_CLIENT_KEY_STORE_PASSWORD=
+#SOLR_SSL_CLIENT_TRUST_STORE=
+#SOLR_SSL_CLIENT_TRUST_STORE_PASSWORD=
+
+# Settings for authentication
+#SOLR_AUTHENTICATION_CLIENT_CONFIGURER=
+#SOLR_AUTHENTICATION_OPTS=
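Review bot: The SSL and authentication settings at the end of the template (`SOLR_SSL_KEY_STORE`, `SOLR_SSL_TRUST_STORE`, `SOLR_SSL_NEED_CLIENT_AUTH`, `SOLR_AUTHENTICATION_OPTS`) are all left commented out and none of them is wired to an install.properties key in setup.sh, so the rendered solr.in.sh brings the instance holding every Ranger audit record up on plain HTTP with no authentication, and an operator has to hand-edit the generated file to change that. It would be better to expose at least the keystore/truststore paths and the authentication options as `{{...}}` placeholders that setup.sh renders (empty by default), or, failing that, to add a comment at the top of the file stating that TLS and authentication must be configured here before exposing the audit collection beyond localhost. Separately, `SOLR_HOST` is left commented in this SolrCloud template; by the file's own comment the start script then uses "localhost" for the hostname exposed to cluster state, which looks wrong for anything but a single-node cloud and could be parameterized the same way as `SOLR_PORT`.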
diff --git a/security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/solr.sh.j2 b/security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/solr.sh.j2
new file mode 100755
index 00000000000..783257032a6
--- /dev/null
+++ b/security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/solr.sh.j2
@@ -0,0 +1,21 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+JAVA_HOME={{JAVA_HOME}}
+SOLR_INSTALL_DIR={{SOLR_INSTALL_DIR}}
+SOLR_RANGER_HOME={{SOLR_RANGER_HOME}}
+
+SOLR_INCLUDE=${SOLR_RANGER_HOME}/scripts/solr.in.sh $SOLR_INSTALL_DIR/bin/solr $*
diff --git a/security-admin/contrib/solr_for_audit_setup/solr_standalone/scripts/stop_solr.sh.template b/security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/start_solr.sh.j2
similarity index 83%
rename from security-admin/contrib/solr_for_audit_setup/solr_standalone/scripts/stop_solr.sh.template
rename to security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/start_solr.sh.j2
index 5b85c25c780..0d19fe05194 100755
--- a/security-admin/contrib/solr_for_audit_setup/solr_standalone/scripts/stop_solr.sh.template
+++ b/security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/start_solr.sh.j2
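Review bot: The wrapper forwards its arguments with `$*`, which re-splits any argument containing whitespace and drops empty ones, so an option value with a space never reaches bin/solr intact; `"$@"` preserves them, i.e. `SOLR_INCLUDE=${SOLR_RANGER_HOME}/scripts/solr.in.sh "$SOLR_INSTALL_DIR/bin/solr" "$@"`. The same `$*` appears in the `su $SOLR_USER $0 $*` lines and the final `bin/solr start -c $*` / `bin/solr stop $*` lines of start_solr.sh.j2 and stop_solr.sh.j2 below. `JAVA_HOME={{JAVA_HOME}}` is assigned but never exported, so bin/solr does not see it from this script; since solr.in.sh already sets `SOLR_JAVA_HOME`, the line appears to be dead and could be removed or turned into `export JAVA_HOME={{JAVA_HOME}}` if it is meant to take effect.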
@@ -14,17 +14,14 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-JAVA_HOME=__JAVA_HOME__
-SOLR_USER=__SOLR_USER__
-SOLR_INSTALL_DIR=__SOLR_INSTALL_DIR__
-SOLR_PORT=__SOLR_PORT__
-
-export SOLR_LOGS_DIR=__SOLR_LOG_FOLDER__
+SOLR_USER={{SOLR_USER}}
+SOLR_INSTALL_DIR={{SOLR_INSTALL_DIR}}
+SOLR_RANGER_HOME={{SOLR_RANGER_HOME}}
 if [ "`whoami`" != "$SOLR_USER" ]; then
 if [ -w /etc/passwd ]; then
 echo "Running this script as $SOLR_USER..."
- su $SOLR_USER $0
+ su $SOLR_USER $0 $*
 else
 echo "ERROR: You need to run this script $0 as user $SOLR_USER. You are currently running it as `whoami`"
 fi
@@ -32,4 +29,4 @@ if [ "`whoami`" != "$SOLR_USER" ]; then
 exit 1
 fi
-$SOLR_INSTALL_DIR/bin/solr stop -p $SOLR_PORT
+SOLR_INCLUDE=${SOLR_RANGER_HOME}/scripts/solr.in.sh $SOLR_INSTALL_DIR/bin/solr start -c $*
diff --git a/security-admin/contrib/solr_for_audit_setup/solr_standalone/scripts/start_solr.sh.template b/security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/stop_solr.sh.j2
similarity index 69%
rename from security-admin/contrib/solr_for_audit_setup/solr_standalone/scripts/start_solr.sh.template
rename to security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/stop_solr.sh.j2
index 2a4bb385db8..81b97eac4cb 100755
--- a/security-admin/contrib/solr_for_audit_setup/solr_standalone/scripts/start_solr.sh.template
+++ b/security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/stop_solr.sh.j2
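Review bot: In the first hunk the root branch re-executes the script as `su $SOLR_USER $0 $*` and then falls through to the unconditional `exit 1` shown as context in the second hunk, so an init script or operator that runs this as root always sees a failure status even when the re-executed start succeeded, and the arguments are again passed unquoted. `exec su -s /bin/bash "$SOLR_USER" "$0" "$@"` hands the real exit status back, keeps argument boundaries, and still works when the service account's login shell is nologin. The `-w /etc/passwd` test is a proxy for "running as root"; `[ "$(id -u)" -eq 0 ]` states the intent directly. The `if` block these lines belong to continues in the gap between the two hunks.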
@@ -14,20 +14,15 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-JAVA_HOME=__JAVA_HOME__
-SOLR_USER=__SOLR_USER__
-SOLR_MEMORY=__SOLR_MAX_MEM__
-SOLR_INSTALL_DIR=__SOLR_INSTALL_DIR__
-SOLR_RANGER_HOME=__SOLR_RANGER_HOME__
-SOLR_PORT=__SOLR_PORT__
-SOLR_LOG4J_FILEPATH=$SOLR_RANGER_HOME/resources/log4j.properties
-
-export SOLR_LOGS_DIR=__SOLR_LOG_FOLDER__
+JAVA_HOME={{JAVA_HOME}}
+SOLR_USER={{SOLR_USER}}
+SOLR_INSTALL_DIR={{SOLR_INSTALL_DIR}}
+SOLR_RANGER_HOME={{SOLR_RANGER_HOME}}
 if [ "`whoami`" != "$SOLR_USER" ]; then
 if [ -w /etc/passwd ]; then
 echo "Running this script as $SOLR_USER..."
- su $SOLR_USER $0
+ su $SOLR_USER $0 $*
 else
 echo "ERROR: You need to run this script $0 as user $SOLR_USER. You are currently running it as `whoami`"
 fi
@@ -35,4 +30,4 @@ if [ "`whoami`" != "$SOLR_USER" ]; then
 exit 1
 fi
-$SOLR_INSTALL_DIR/bin/solr start -p $SOLR_PORT -d $SOLR_INSTALL_DIR/server -m $SOLR_MEMORY -s $SOLR_RANGER_HOME -Dlog4j.configuration=file://$SOLR_LOG4J_FILEPATH
+SOLR_INCLUDE=${SOLR_RANGER_HOME}/scripts/solr.in.sh $SOLR_INSTALL_DIR/bin/solr stop $*
diff --git a/security-admin/contrib/solr_for_audit_setup/solr_cloud/solr.xml.template b/security-admin/contrib/solr_for_audit_setup/solr_cloud/solr.xml.j2
similarity index 94%
rename from security-admin/contrib/solr_for_audit_setup/solr_cloud/solr.xml.template
rename to security-admin/contrib/solr_for_audit_setup/solr_cloud/solr.xml.j2
index 2fab75108ab..824560bb772 100644
--- a/security-admin/contrib/solr_for_audit_setup/solr_cloud/solr.xml.template
+++ b/security-admin/contrib/solr_for_audit_setup/solr_cloud/solr.xml.j2
@@ -18,7 +18,7 @@
 ${host:}
- ${jetty.port:__SOLR_PORT__}
+ ${jetty.port:{{SOLR_PORT}}}
 ${hostContext:solr} ${zkClientTimeout:15000} ${genericCoreNodeNames:true}
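Review bot: `JAVA_HOME={{JAVA_HOME}}` in the first hunk is assigned but never exported, so the `bin/solr stop` launched on the last line of the second hunk does not inherit it; either `export JAVA_HOME={{JAVA_HOME}}` or drop the line, as the sibling cloud start script in this same patch already does, so the include becomes the single place the JVM is chosen (that include is not part of this hunk). The stop line also forwards `$*` unquoted; `"$SOLR_INSTALL_DIR/bin/solr" stop "$@"` is the form that survives arguments with spaces. The `if` block around the `su` line continues between the two hunks.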
diff --git a/security-admin/contrib/solr_for_audit_setup/solr_standalone/ranger_audits/core.properties.template b/security-admin/contrib/solr_for_audit_setup/solr_standalone/ranger_audits/core.properties.j2
similarity index 95%
rename from security-admin/contrib/solr_for_audit_setup/solr_standalone/ranger_audits/core.properties.template
rename to security-admin/contrib/solr_for_audit_setup/solr_standalone/ranger_audits/core.properties.j2
index f2d3205885b..380b2eb3bf2 100644
--- a/security-admin/contrib/solr_for_audit_setup/solr_standalone/ranger_audits/core.properties.template
+++ b/security-admin/contrib/solr_for_audit_setup/solr_standalone/ranger_audits/core.properties.j2
@@ -17,4 +17,4 @@
 name=ranger_audits
 config=solrconfig.xml
 schema=schema.xml
-dataDir=__RANGER_AUDITS_DATA_FOLDER__
+dataDir={{RANGER_AUDITS_DATA_FOLDER}}
diff --git a/security-admin/contrib/solr_for_audit_setup/solr_standalone/scripts/solr.in.sh.j2 b/security-admin/contrib/solr_for_audit_setup/solr_standalone/scripts/solr.in.sh.j2
new file mode 100755
index 00000000000..9f9860147ad
--- /dev/null
+++ b/security-admin/contrib/solr_for_audit_setup/solr_standalone/scripts/solr.in.sh.j2
@@ -0,0 +1,116 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# By default the script will use JAVA_HOME to determine which java
+# to use, but you can set a specific path for Solr to use without
+# affecting other Java applications on your server/workstation.
+SOLR_JAVA_HOME="{{JAVA_HOME}}"
+
+# Increase Java Heap as needed to support your indexing / query needs
+#SOLR_HEAP="512m"
+
+# Expert: If you want finer control over memory options, specify them directly
+# Comment out SOLR_HEAP if you are using this though, that takes precedence
+SOLR_JAVA_MEM="-Xms{{SOLR_MAX_MEM}} -Xmx{{SOLR_MAX_MEM}}"
+
+# Enable verbose GC logging
+GC_LOG_OPTS="-verbose:gc -XX:+PrintHeapAtGC -XX:+PrintGCDetails \
+-XX:+PrintGCDateStamps -XX:+PrintGCTimeStamps -XX:+PrintTenuringDistribution -XX:+PrintGCApplicationStoppedTime"
+
+# These GC settings have shown to work well for a number of common Solr workloads
+GC_TUNE="-XX:NewRatio=3 \
+-XX:SurvivorRatio=4 \
+-XX:TargetSurvivorRatio=90 \
+-XX:MaxTenuringThreshold=8 \
+-XX:+UseConcMarkSweepGC \
+-XX:+UseParNewGC \
+-XX:ConcGCThreads=4 -XX:ParallelGCThreads=4 \
+-XX:+CMSScavengeBeforeRemark \
+-XX:PretenureSizeThreshold=64m \
+-XX:+UseCMSInitiatingOccupancyOnly \
+-XX:CMSInitiatingOccupancyFraction=50 \
+-XX:CMSMaxAbortablePrecleanTime=6000 \
+-XX:+CMSParallelRemarkEnabled \
+-XX:+ParallelRefProcEnabled"
+
+# Set the ZooKeeper connection string if using an external ZooKeeper ensemble
+# e.g. host1:2181,host2:2181/chroot
+# Leave empty if not using SolrCloud
+ZK_HOST=
+
+# Set the ZooKeeper client timeout (for SolrCloud mode)
+#ZK_CLIENT_TIMEOUT="15000"
+
+# By default the start script uses "localhost"; override the hostname here
+# for production SolrCloud environments to control the hostname exposed to cluster state
+#SOLR_HOST="192.168.1.1"
+
+# By default the start script uses UTC; override the timezone if needed
+#SOLR_TIMEZONE="UTC"
+
+# Set to true to activate the JMX RMI connector to allow remote JMX client applications
+# to monitor the JVM hosting Solr; set to "false" to disable that behavior
+# (false is recommended in production environments)
+ENABLE_REMOTE_JMX_OPTS="false"
+
+# The script will use SOLR_PORT+10000 for the RMI_PORT or you can set it here
+# RMI_PORT=18983
+
+# Anything you add to the SOLR_OPTS variable will be included in the java
+# start command line as-is, in ADDITION to other options. If you specify the
+# -a option on start script, those options will be appended as well. Examples:
+#SOLR_OPTS="$SOLR_OPTS -Dsolr.autoSoftCommit.maxTime=3000"
+#SOLR_OPTS="$SOLR_OPTS -Dsolr.autoCommit.maxTime=60000"
+#SOLR_OPTS="$SOLR_OPTS -Dsolr.clustering.enabled=true"
+
+# Location where the bin/solr script will save PID files for running instances
+# If not set, the script will create PID files in $SOLR_TIP/bin
+#SOLR_PID_DIR=
+
+# Path to a directory where Solr creates index files, the specified directory
+# must contain a solr.xml; by default, Solr will use server/solr
+SOLR_HOME={{SOLR_RANGER_HOME}}
+
+# Solr provides a default Log4J configuration properties file in server/resources
+# however, you may want to customize the log settings and file appender location
+# so you can point the script to use a different log4j.properties file
+LOG4J_PROPS=$SOLR_HOME/resources/log4j.properties
+
+# Location where Solr should write logs to; should agree with the file appender
+# settings in server/resources/log4j.properties
+SOLR_LOGS_DIR={{SOLR_LOG_FOLDER}}
+
+# Sets the port Solr binds to, default is 8983
+SOLR_PORT={{SOLR_PORT}}
+
+# Uncomment to set SSL-related system properties
+# Be sure to update the paths to the correct keystore for your environment
+#SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
+#SOLR_SSL_KEY_STORE_PASSWORD=secret
+#SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
+#SOLR_SSL_TRUST_STORE_PASSWORD=secret
+#SOLR_SSL_NEED_CLIENT_AUTH=false
+#SOLR_SSL_WANT_CLIENT_AUTH=false
+
+# Uncomment if you want to override previously defined SSL values for HTTP client
+# otherwise keep them commented and the above values will automatically be set for HTTP clients
+#SOLR_SSL_CLIENT_KEY_STORE=
+#SOLR_SSL_CLIENT_KEY_STORE_PASSWORD=
+#SOLR_SSL_CLIENT_TRUST_STORE=
+#SOLR_SSL_CLIENT_TRUST_STORE_PASSWORD=
+
+# Settings for authentication
+#SOLR_AUTHENTICATION_CLIENT_CONFIGURER=
+#SOLR_AUTHENTICATION_OPTS=
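Review bot: As rendered, every `SOLR_SSL_*` and `SOLR_AUTHENTICATION_*` line in this include stays commented out, so the audit store the installer sets up listens over plain HTTP with no authentication, and the placeholder `#SOLR_SSL_KEY_STORE_PASSWORD=secret` is the only hint an operator gets; audit records carry user names, resource paths and allow/deny outcomes, which is exactly what someone on the same network wants to read or tamper with. Since this is a Jinja template, the installer could render those settings from variables instead of shipping dead comments, or at minimum a warning should precede the SSL block, e.g. `# SECURITY: with the lines below commented out the audit store is unencrypted and unauthenticated; enable TLS and an authentication plugin before production use`. `ENABLE_REMOTE_JMX_OPTS="false"` is the right default and deserves a comment saying it is deliberate so nobody "fixes" it. Whether the installer applies hardening elsewhere is not visible in this hunk.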
diff --git a/security-admin/contrib/solr_for_audit_setup/solr_standalone/scripts/solr.sh.j2 b/security-admin/contrib/solr_for_audit_setup/solr_standalone/scripts/solr.sh.j2
new file mode 100755
index 00000000000..783257032a6
--- /dev/null
+++ b/security-admin/contrib/solr_for_audit_setup/solr_standalone/scripts/solr.sh.j2
@@ -0,0 +1,21 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+JAVA_HOME={{JAVA_HOME}}
+SOLR_INSTALL_DIR={{SOLR_INSTALL_DIR}}
+SOLR_RANGER_HOME={{SOLR_RANGER_HOME}}
+
+SOLR_INCLUDE=${SOLR_RANGER_HOME}/scripts/solr.in.sh $SOLR_INSTALL_DIR/bin/solr $*
diff --git a/security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/stop_solr.sh.template b/security-admin/contrib/solr_for_audit_setup/solr_standalone/scripts/start_solr.sh.j2
similarity index 84%
rename from security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/stop_solr.sh.template
rename to security-admin/contrib/solr_for_audit_setup/solr_standalone/scripts/start_solr.sh.j2
index 5b85c25c780..5b1ff92168c 100755
--- a/security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/stop_solr.sh.template
+++ b/security-admin/contrib/solr_for_audit_setup/solr_standalone/scripts/start_solr.sh.j2
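Review bot: This wrapper is byte-identical to the cloud one added earlier in the same patch (both files carry blob `783257032a6`), so the two copies will drift the first time one of them is fixed; rendering a single `solr.sh.j2` into both layouts, or at least a comment in each naming the twin, would keep them in step. Like its twin it passes arguments as an unquoted `$*` and leaves `$SOLR_INSTALL_DIR` unquoted on the last line; `"$SOLR_INSTALL_DIR/bin/solr" "$@"` is the form that survives spaces and glob characters. The `JAVA_HOME` assignment is not exported, so `bin/solr` does not see it.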
@@ -14,12 +14,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-JAVA_HOME=__JAVA_HOME__
-SOLR_USER=__SOLR_USER__
-SOLR_INSTALL_DIR=__SOLR_INSTALL_DIR__
-SOLR_PORT=__SOLR_PORT__
-
-export SOLR_LOGS_DIR=__SOLR_LOG_FOLDER__
+SOLR_USER={{SOLR_USER}}
+SOLR_INSTALL_DIR={{SOLR_INSTALL_DIR}}
+SOLR_RANGER_HOME={{SOLR_RANGER_HOME}}
 if [ "`whoami`" != "$SOLR_USER" ]; then
 if [ -w /etc/passwd ]; then
@@ -32,4 +29,5 @@ if [ "`whoami`" != "$SOLR_USER" ]; then
 exit 1
 fi
-$SOLR_INSTALL_DIR/bin/solr stop -p $SOLR_PORT
+SOLR_INCLUDE=${SOLR_RANGER_HOME}/scripts/solr.in.sh $SOLR_INSTALL_DIR/bin/solr start $*
+
diff --git a/security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/start_solr.sh.template b/security-admin/contrib/solr_for_audit_setup/solr_standalone/scripts/stop_solr.sh.j2
similarity index 67%
rename from security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/start_solr.sh.template
rename to security-admin/contrib/solr_for_audit_setup/solr_standalone/scripts/stop_solr.sh.j2
index f5a327e38fd..81b97eac4cb 100755
--- a/security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/start_solr.sh.template
+++ b/security-admin/contrib/solr_for_audit_setup/solr_standalone/scripts/stop_solr.sh.j2
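Review bot: The root branch between the two hunks still reads `su $SOLR_USER $0` with no arguments forwarded — the source blob `5b85c25c780` is the same one shown on the old side of the cloud start rename in this patch, and neither hunk here touches that line — while the new last line forwards `$*`, so options given to `start_solr.sh` are silently dropped whenever it is invoked as root. Bring it in line with the sibling scripts, preferably as `exec su -s /bin/bash "$SOLR_USER" "$0" "$@"` so the real exit status is propagated instead of the unconditional `exit 1` visible as context in the second hunk. The empty `+` line added after the start command is stray whitespace. The `if` block in question lies entirely outside both hunks.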
@@ -14,21 +14,15 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-JAVA_HOME=__JAVA_HOME__
-SOLR_USER=__SOLR_USER__
-SOLR_ZK=__SOLR_ZK__
-SOLR_MEMORY=__SOLR_MAX_MEM__
-SOLR_INSTALL_DIR=__SOLR_INSTALL_DIR__
-SOLR_RANGER_HOME=__SOLR_RANGER_HOME__
-SOLR_PORT=__SOLR_PORT__
-SOLR_LOG4J_FILEPATH=$SOLR_RANGER_HOME/resources/log4j.properties
-
-export SOLR_LOGS_DIR=__SOLR_LOG_FOLDER__
+JAVA_HOME={{JAVA_HOME}}
+SOLR_USER={{SOLR_USER}}
+SOLR_INSTALL_DIR={{SOLR_INSTALL_DIR}}
+SOLR_RANGER_HOME={{SOLR_RANGER_HOME}}
 if [ "`whoami`" != "$SOLR_USER" ]; then
 if [ -w /etc/passwd ]; then
 echo "Running this script as $SOLR_USER..."
- su $SOLR_USER $0
+ su $SOLR_USER $0 $*
 else
 echo "ERROR: You need to run this script $0 as user $SOLR_USER. You are currently running it as `whoami`"
 fi
@@ -36,4 +30,4 @@ if [ "`whoami`" != "$SOLR_USER" ]; then
 exit 1
 fi
-$SOLR_INSTALL_DIR/bin/solr start -p $SOLR_PORT -d $SOLR_INSTALL_DIR/server -m $SOLR_MEMORY -s $SOLR_RANGER_HOME -Dlog4j.configuration=file://$SOLR_LOG4J_FILEPATH -c -z $SOLR_ZK
+SOLR_INCLUDE=${SOLR_RANGER_HOME}/scripts/solr.in.sh $SOLR_INSTALL_DIR/bin/solr stop $*
From 0b73cdfbbe3130eb881d8516ae7d92e0e237c541 Mon Sep 17 00:00:00 2001
From: Alok Lal
Date: Wed, 9 Dec 2015 18:30:07 -0800
Subject: [PATCH 138/202] RANGER-777 Kafka plugin builds against released version of kafka jars that have authorization support
---
 .../kafka/authorizer/RangerKafkaAuthorizer.java | 6 ++++--
 pom.xml | 10 ++++------
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java b/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
index 2adf5d5e109..bb6a33776a5 100644
--- a/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
+++ b/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
@@ -27,17 +27,18 @@
 import kafka.security.auth.Acl;
 import kafka.security.auth.Authorizer;
+import org.apache.kafka.common.network.LoginType;
 import org.apache.kafka.common.security.auth.KafkaPrincipal;
 import kafka.security.auth.*;
 import kafka.server.KafkaConfig;
-import kafka.common.security.LoginManager;
 import kafka.network.RequestChannel.Session;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.kafka.common.security.kerberos.LoginManager;
 import org.apache.ranger.audit.provider.MiscUtil;
 import org.apache.ranger.authorization.utils.StringUtil;
 import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
@@ -81,7 +82,8 @@ public RangerKafkaAuthorizer() {
 public void configure(Map configs) {
 if (rangerPlugin == null) {
 try {
- Subject subject = LoginManager.subject();
+ LoginManager loginManager = org.apache.kafka.common.security.kerberos.LoginManager.acquireL
oginManager(LoginType.SERVER, configs);
+ Subject subject = loginManager.subject();
 UserGroupInformation ugi = MiscUtil
 .createUGIFromSubject(subject);
 if (ugi != null) {
diff --git a/pom.xml b/pom.xml
index 356c9cd1c47..cccdb0c3df3 100644
--- a/pom.xml
+++ b/pom.xml
@@ -89,6 +89,7 @@
 plugin-yarn
 ranger_solrj
 security-admin
+ plugin-kafka
 plugin-solr
 ugsync
 ugsync/ldapconfigchecktool/ldapconfigcheck
@@ -103,6 +104,7 @@
 ranger-knox-plugin-shim
 ranger-yarn-plugin-shim
 ranger-storm-plugin-shim
+ ranger-kafka-plugin-shim
 ranger-examples
@@ -157,8 +159,7 @@
 1.17.1
 2.6
 4.11
- 0.8.2.0
-
+ 0.9.0.0
 1.8.4
 1.3
 0.6.0
@@ -229,11 +230,8 @@ + kafka-security - - plugin-kafka - ranger-kafka-plugin-shim -
From 96c2b4bd25d91163349a8ce6cb27e7044598eb27 Mon Sep 17 00:00:00 2001
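Review bot: `acquireLoginManager(LoginType.SERVER, configs)` in `configure()` returns a reference-counted handle that this code never releases, and the class it comes from (`org.apache.kafka.common.security.kerberos.LoginManager`) is broker-internal rather than public Authorizer API, so the plugin now leans on an implementation detail that may change between 0.9.x releases; keep the handle in a field, call `loginManager.release()` from the authorizer's `close()` (not in this hunk), and mark the dependency with `// Kafka-internal API: ref-counted, must be released in close()`. The import already brings `LoginManager` into scope, so the fully-qualified name on the new line is redundant — `LoginManager loginManager = LoginManager.acquireLoginManager(LoginType.SERVER, configs);` reads cleaner. On a broker with no JAAS/Kerberos configuration this call presumably throws into the enclosing `try`, whose `catch` lies outside the hunk; worth confirming that path still initialises the plugin for PLAINTEXT clusters. The pom hunks on the same line move `plugin-kafka` out of the `kafka-security` profile into the default module list, which changes what every build compiles and deserves a mention in the commit message.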
From: hafizmujadid Date: Fri, 1 Jan 2016 21:55:32 +0500 Subject: [PATCH 139/202] RANGER-769: placing httpcore and httpclient in ranger-hbase-plugin-impl folder Signed-off-by: rmani --- src/main/assembly/hbase-agent.xml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/main/assembly/hbase-agent.xml b/src/main/assembly/hbase-agent.xml index 122c8c7933b..97d4e958ce8 100644 --- a/src/main/assembly/hbase-agent.xml +++ b/src/main/assembly/hbase-agent.xml @@ -51,6 +51,8 @@ org.eclipse.persistence:eclipselink org.eclipse.persistence:javax.persistence org.apache.httpcomponents:httpmime:jar:${httpcomponent.httpmime.version} + org.apache.httpcomponents:httpclient:jar:${httpcomponent.httpclient.version} + org.apache.httpcomponents:httpcore:jar:${httpcomponent.httpcore.version} org.noggit:noggit:jar:${noggit.version} false From 6bd35c607bf9f25262dd3e03a73f61194491c1b5 Mon Sep 17 00:00:00 2001 From: Madhan Neethiraj Date: Sun, 10 Jan 2016 01:04:31 -0800 Subject: [PATCH 140/202] RANGER-808: Updated LICENSE.txt --- LICENSE.txt | 190 ---------------------------------------------------- 1 file changed, 190 deletions(-) diff --git a/LICENSE.txt b/LICENSE.txt index fdc24f49f1f..7d2eff75ad5 100644 --- a/LICENSE.txt +++ b/LICENSE.txt 
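Review bot: Bundling `httpclient` and `httpcore` into the HBase plugin's impl directory puts a second copy of both jars next to whatever HBase already ships, so which version is actually loaded presumably depends on classpath or classloader order rather than on `${httpcomponent.httpclient.version}`; check that the two properties (defined in a pom not shown here) match the versions HBase provides, otherwise the audit client may run against a different httpclient than the one it was compiled against. A short comment above the two new includes naming the consumer, e.g. `<!-- required by the Solr audit client; keep in step with the HBase-provided httpclient/httpcore -->`, would record why they are here. Whether ranger-hbase-plugin-impl is isolated by a plugin classloader is not visible in this hunk.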
@@ -282,196 +282,6 @@ This product includes Require.js Handlebars Plugin (https://github.com/SlexAxton 0. You just DO WHAT THE FUCK YOU WANT TO. ------------------------------------------------------------------------ - The MPL-1.1 License ------------------------------------------------------------------------ - -This product includes jQuery Pines Notify (pnotify) Plugin 1.2.0 (http://sciactive.com/pnotify/ - MPL-1.1), Copyright © 2009-2012 Hunter Perrin. - - -Mozilla Public License Version 1.1 - -1. Definitions. - -1.0.1. "Commercial Use" -means distribution or otherwise making the Covered Code available to a third party. -1.1. "Contributor" -means each entity that creates or contributes to the creation of Modifications. -1.2. "Contributor Version" -means the combination of the Original Code, prior Modifications used by a Contributor, and the Modifications made by that particular Contributor. -1.3. "Covered Code" -means the Original Code or Modifications or the combination of the Original Code and Modifications, in each case including portions thereof. -1.4. "Electronic Distribution Mechanism" -means a mechanism generally accepted in the software development community for the electronic transfer of data. -1.5. "Executable" -means Covered Code in any form other than Source Code. -1.6. "Initial Developer" -means the individual or entity identified as the Initial Developer in the Source Code notice required by Exhibit A. -1.7. "Larger Work" -means a work which combines Covered Code or portions thereof with code not governed by the terms of this License. -1.8. "License" -means this document. -1.8.1. "Licensable" -means having the right to grant, to the maximum extent possible, whether at the time of the initial grant or subsequently acquired, any and all of the rights conveyed herein. -1.9. "Modifications" -means any addition to or deletion from the substance or structure of either the Original Code or any previous Modifications. 
When Covered Code is released as a series of files, a Modification is: -Any addition to or deletion from the contents of a file containing Original Code or previous Modifications. -Any new file that contains any part of the Original Code or previous Modifications. -1.10. "Original Code" -means Source Code of computer software code which is described in the Source Code notice required by Exhibit A as Original Code, and which, at the time of its release under this License is not already Covered Code governed by this License. -1.10.1. "Patent Claims" -means any patent claim(s), now owned or hereafter acquired, including without limitation, method, process, and apparatus claims, in any patent Licensable by grantor. -1.11. "Source Code" -means the preferred form of the Covered Code for making modifications to it, including all modules it contains, plus any associated interface definition files, scripts used to control compilation and installation of an Executable, or source code differential comparisons against either the Original Code or another well known, available Covered Code of the Contributor's choice. The Source Code can be in a compressed or archival form, provided the appropriate decompression or de-archiving software is widely available for no charge. -1.12. "You" (or "Your") -means an individual or a legal entity exercising rights under, and complying with all of the terms of, this License or a future version of this License issued under Section 6.1. For legal entities, "You" includes any entity which controls, is controlled by, or is under common control with You. For purposes of this definition, "control" means (a) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (b) ownership of more than fifty percent (50%) of the outstanding shares or beneficial ownership of such entity. -2. Source Code License. - -2.1. The Initial Developer Grant. 
- -The Initial Developer hereby grants You a world-wide, royalty-free, non-exclusive license, subject to third party intellectual property claims: - -under intellectual property rights (other than patent or trademark) Licensable by Initial Developer to use, reproduce, modify, display, perform, sublicense and distribute the Original Code (or portions thereof) with or without Modifications, and/or as part of a Larger Work; and -under Patents Claims infringed by the making, using or selling of Original Code, to make, have made, use, practice, sell, and offer for sale, and/or otherwise dispose of the Original Code (or portions thereof). -the licenses granted in this Section 2.1 (a) and (b) are effective on the date Initial Developer first distributes Original Code under the terms of this License. -Notwithstanding Section 2.1 (b) above, no patent license is granted: 1) for code that You delete from the Original Code; 2) separate from the Original Code; or 3) for infringements caused by: i) the modification of the Original Code or ii) the combination of the Original Code with other software or devices. -2.2. Contributor Grant. 
- -Subject to third party intellectual property claims, each Contributor hereby grants You a world-wide, royalty-free, non-exclusive license - -under intellectual property rights (other than patent or trademark) Licensable by Contributor, to use, reproduce, modify, display, perform, sublicense and distribute the Modifications created by such Contributor (or portions thereof) either on an unmodified basis, with other Modifications, as Covered Code and/or as part of a Larger Work; and -under Patent Claims infringed by the making, using, or selling of Modifications made by that Contributor either alone and/or in combination with its Contributor Version (or portions of such combination), to make, use, sell, offer for sale, have made, and/or otherwise dispose of: 1) Modifications made by that Contributor (or portions thereof); and 2) the combination of Modifications made by that Contributor with its Contributor Version (or portions of such combination). -the licenses granted in Sections 2.2 (a) and 2.2 (b) are effective on the date Contributor first makes Commercial Use of the Covered Code. -Notwithstanding Section 2.2 (b) above, no patent license is granted: 1) for any code that Contributor has deleted from the Contributor Version; 2) separate from the Contributor Version; 3) for infringements caused by: i) third party modifications of Contributor Version or ii) the combination of Modifications made by that Contributor with other software (except as part of the Contributor Version) or other devices; or 4) under Patent Claims infringed by Covered Code in the absence of Modifications made by that Contributor. -3. Distribution Obligations. - -3.1. Application of License. - -The Modifications which You create or to which You contribute are governed by the terms of this License, including without limitation Section 2.2. 
The Source Code version of Covered Code may be distributed only under the terms of this License or a future version of this License released under Section 6.1, and You must include a copy of this License with every copy of the Source Code You distribute. You may not offer or impose any terms on any Source Code version that alters or restricts the applicable version of this License or the recipients' rights hereunder. However, You may include an additional document offering the additional rights described in Section 3.5. - -3.2. Availability of Source Code. - -Any Modification which You create or to which You contribute must be made available in Source Code form under the terms of this License either on the same media as an Executable version or via an accepted Electronic Distribution Mechanism to anyone to whom you made an Executable version available; and if made available via Electronic Distribution Mechanism, must remain available for at least twelve (12) months after the date it initially became available, or at least six (6) months after a subsequent version of that particular Modification has been made available to such recipients. You are responsible for ensuring that the Source Code version remains available even if the Electronic Distribution Mechanism is maintained by a third party. - -3.3. Description of Modifications. - -You must cause all Covered Code to which You contribute to contain a file documenting the changes You made to create that Covered Code and the date of any change. You must include a prominent statement that the Modification is derived, directly or indirectly, from Original Code provided by the Initial Developer and including the name of the Initial Developer in (a) the Source Code, and (b) in any notice in an Executable version or related documentation in which You describe the origin or ownership of the Covered Code. - -3.4. 
Intellectual Property Matters - -(a) Third Party Claims - -If Contributor has knowledge that a license under a third party's intellectual property rights is required to exercise the rights granted by such Contributor under Sections 2.1 or 2.2, Contributor must include a text file with the Source Code distribution titled "LEGAL" which describes the claim and the party making the claim in sufficient detail that a recipient will know whom to contact. If Contributor obtains such knowledge after the Modification is made available as described in Section 3.2, Contributor shall promptly modify the LEGAL file in all copies Contributor makes available thereafter and shall take other steps (such as notifying appropriate mailing lists or newsgroups) reasonably calculated to inform those who received the Covered Code that new knowledge has been obtained. - -(b) Contributor APIs - -If Contributor's Modifications include an application programming interface and Contributor has knowledge of patent licenses which are reasonably necessary to implement that API, Contributor must also include this information in the LEGAL file. - -(c) Representations. - -Contributor represents that, except as disclosed pursuant to Section 3.4 (a) above, Contributor believes that Contributor's Modifications are Contributor's original creation(s) and/or Contributor has sufficient rights to grant the rights conveyed by this License. - -3.5. Required Notices. - -You must duplicate the notice in Exhibit A in each file of the Source Code. If it is not possible to put such notice in a particular Source Code file due to its structure, then You must include such notice in a location (such as a relevant directory) where a user would be likely to look for such a notice. If You created one or more Modification(s) You may add your name as a Contributor to the notice described in Exhibit A. 
You must also duplicate this License in any documentation for the Source Code where You describe recipients' rights or ownership rights relating to Covered Code. You may choose to offer, and to charge a fee for, warranty, support, indemnity or liability obligations to one or more recipients of Covered Code. However, You may do so only on Your own behalf, and not on behalf of the Initial Developer or any Contributor. You must make it absolutely clear than any such warranty, support, indemnity or liability obligation is offered by You alone, and You hereby agree to indemnify the Initial Developer and every Contributor for any liability incurred by the Initial Developer or such Contributor as a result of warranty, support, indemnity or liability terms You offer. - -3.6. Distribution of Executable Versions. - -You may distribute Covered Code in Executable form only if the requirements of Sections 3.1, 3.2, 3.3, 3.4 and 3.5 have been met for that Covered Code, and if You include a notice stating that the Source Code version of the Covered Code is available under the terms of this License, including a description of how and where You have fulfilled the obligations of Section 3.2. The notice must be conspicuously included in any notice in an Executable version, related documentation or collateral in which You describe recipients' rights relating to the Covered Code. You may distribute the Executable version of Covered Code or ownership rights under a license of Your choice, which may contain terms different from this License, provided that You are in compliance with the terms of this License and that the license for the Executable version does not attempt to limit or alter the recipient's rights in the Source Code version from the rights set forth in this License. 
If You distribute the Executable version under a different license You must make it absolutely clear that any terms which differ from this License are offered by You alone, not by the Initial Developer or any Contributor. You hereby agree to indemnify the Initial Developer and every Contributor for any liability incurred by the Initial Developer or such Contributor as a result of any such terms You offer. - -3.7. Larger Works. - -You may create a Larger Work by combining Covered Code with other code not governed by the terms of this License and distribute the Larger Work as a single product. In such a case, You must make sure the requirements of this License are fulfilled for the Covered Code. - -4. Inability to Comply Due to Statute or Regulation. - -If it is impossible for You to comply with any of the terms of this License with respect to some or all of the Covered Code due to statute, judicial order, or regulation then You must: (a) comply with the terms of this License to the maximum extent possible; and (b) describe the limitations and the code they affect. Such description must be included in the LEGAL file described in Section 3.4 and must be included with all distributions of the Source Code. Except to the extent prohibited by statute or regulation, such description must be sufficiently detailed for a recipient of ordinary skill to be able to understand it. - -5. Application of this License. - -This License applies to code to which the Initial Developer has attached the notice in Exhibit A and to related Covered Code. - -6. Versions of the License. - -6.1. New Versions - -Netscape Communications Corporation ("Netscape") may publish revised and/or new versions of the License from time to time. Each version will be given a distinguishing version number. - -6.2. Effect of New Versions - -Once Covered Code has been published under a particular version of the License, You may always continue to use it under the terms of that version. 
You may also choose to use such Covered Code under the terms of any subsequent version of the License published by Netscape. No one other than Netscape has the right to modify the terms applicable to Covered Code created under this License. - -6.3. Derivative Works - -If You create or use a modified version of this License (which you may only do in order to apply it to code which is not already Covered Code governed by this License), You must (a) rename Your license so that the phrases "Mozilla", "MOZILLAPL", "MOZPL", "Netscape", "MPL", "NPL" or any confusingly similar phrase do not appear in your license (except to note that your license differs from this License) and (b) otherwise make it clear that Your version of the license contains terms which differ from the Mozilla Public License and Netscape Public License. (Filling in the name of the Initial Developer, Original Code or Contributor in the notice described in Exhibit A shall not of themselves be deemed to be modifications of this License.) - -7. DISCLAIMER OF WARRANTY - -COVERED CODE IS PROVIDED UNDER THIS LICENSE ON AN "AS IS" BASIS, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, WARRANTIES THAT THE COVERED CODE IS FREE OF DEFECTS, MERCHANTABLE, FIT FOR A PARTICULAR PURPOSE OR NON-INFRINGING. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE COVERED CODE IS WITH YOU. SHOULD ANY COVERED CODE PROVE DEFECTIVE IN ANY RESPECT, YOU (NOT THE INITIAL DEVELOPER OR ANY OTHER CONTRIBUTOR) ASSUME THE COST OF ANY NECESSARY SERVICING, REPAIR OR CORRECTION. THIS DISCLAIMER OF WARRANTY CONSTITUTES AN ESSENTIAL PART OF THIS LICENSE. NO USE OF ANY COVERED CODE IS AUTHORIZED HEREUNDER EXCEPT UNDER THIS DISCLAIMER. - -8. Termination - -8.1. This License and the rights granted hereunder will terminate automatically if You fail to comply with terms herein and fail to cure such breach within 30 days of becoming aware of the breach. 
All sublicenses to the Covered Code which are properly granted shall survive any termination of this License. Provisions which, by their nature, must remain in effect beyond the termination of this License shall survive. - -8.2. If You initiate litigation by asserting a patent infringement claim (excluding declatory judgment actions) against Initial Developer or a Contributor (the Initial Developer or Contributor against whom You file such action is referred to as "Participant") alleging that: - -such Participant's Contributor Version directly or indirectly infringes any patent, then any and all rights granted by such Participant to You under Sections 2.1 and/or 2.2 of this License shall, upon 60 days notice from Participant terminate prospectively, unless if within 60 days after receipt of notice You either: (i) agree in writing to pay Participant a mutually agreeable reasonable royalty for Your past and future use of Modifications made by such Participant, or (ii) withdraw Your litigation claim with respect to the Contributor Version against such Participant. If within 60 days of notice, a reasonable royalty and payment arrangement are not mutually agreed upon in writing by the parties or the litigation claim is not withdrawn, the rights granted by Participant to You under Sections 2.1 and/or 2.2 automatically terminate at the expiration of the 60 day notice period specified above. -any software, hardware, or device, other than such Participant's Contributor Version, directly or indirectly infringes any patent, then any rights granted to You by such Participant under Sections 2.1(b) and 2.2(b) are revoked effective as of the date You first made, used, sold, distributed, or had made, Modifications made by that Participant. -8.3. 
If You assert a patent infringement claim against Participant alleging that such Participant's Contributor Version directly or indirectly infringes any patent where such claim is resolved (such as by license or settlement) prior to the initiation of patent infringement litigation, then the reasonable value of the licenses granted by such Participant under Sections 2.1 or 2.2 shall be taken into account in determining the amount or value of any payment or license. - -8.4. In the event of termination under Sections 8.1 or 8.2 above, all end user license agreements (excluding distributors and resellers) which have been validly granted by You or any distributor hereunder prior to termination shall survive termination. - -9. LIMITATION OF LIABILITY - -UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY, WHETHER TORT (INCLUDING NEGLIGENCE), CONTRACT, OR OTHERWISE, SHALL YOU, THE INITIAL DEVELOPER, ANY OTHER CONTRIBUTOR, OR ANY DISTRIBUTOR OF COVERED CODE, OR ANY SUPPLIER OF ANY OF SUCH PARTIES, BE LIABLE TO ANY PERSON FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION, OR ANY AND ALL OTHER COMMERCIAL DAMAGES OR LOSSES, EVEN IF SUCH PARTY SHALL HAVE BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAGES. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. - -10. U.S. government end users - -The Covered Code is a "commercial item," as that term is defined in 48 C.F.R. 2.101 (Oct. 1995), consisting of "commercial computer software" and "commercial computer software documentation," as such terms are used in 48 C.F.R. 12.212 (Sept. 1995). Consistent with 48 C.F.R. 
12.212 and 48 C.F.R. 227.7202-1 through 227.7202-4 (June 1995), all U.S. Government End Users acquire Covered Code with only those rights set forth herein. - -11. Miscellaneous - -This License represents the complete agreement concerning subject matter hereof. If any provision of this License is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. This License shall be governed by California law provisions (except to the extent applicable law, if any, provides otherwise), excluding its conflict-of-law provisions. With respect to disputes in which at least one party is a citizen of, or an entity chartered or registered to do business in the United States of America, any litigation relating to this License shall be subject to the jurisdiction of the Federal Courts of the Northern District of California, with venue lying in Santa Clara County, California, with the losing party responsible for costs, including without limitation, court costs and reasonable attorneys' fees and expenses. The application of the United Nations Convention on Contracts for the International Sale of Goods is expressly excluded. Any law or regulation which provides that the language of a contract shall be construed against the drafter shall not apply to this License. - -12. Responsibility for claims - -As between Initial Developer and the Contributors, each party is responsible for claims and damages arising, directly or indirectly, out of its utilization of rights under this License and You agree to work with Initial Developer and Contributors to distribute such responsibility on an equitable basis. Nothing herein is intended or shall be deemed to constitute any admission of liability. - -13. Multiple-licensed code - -Initial Developer may designate portions of the Covered Code as "Multiple-Licensed". 
"Multiple-Licensed" means that the Initial Developer permits you to utilize portions of the Covered Code under Your choice of the MPL or the alternative licenses, if any, specified by the Initial Developer in the file described in Exhibit A. - -Exhibit A - Mozilla Public License. - -"The contents of this file are subject to the Mozilla Public License -Version 1.1 (the "License"); you may not use this file except in -compliance with the License. You may obtain a copy of the License at -http://www.mozilla.org/MPL/ - -Software distributed under the License is distributed on an "AS IS" -basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the -License for the specific language governing rights and limitations -under the License. - -The Original Code is ______________________________________. - -The Initial Developer of the Original Code is ________________________. -Portions created by ______________________ are Copyright (C) ______ -_______________________. All Rights Reserved. - -Contributor(s): ______________________________________. - -Alternatively, the contents of this file may be used under the terms -of the _____ license (the "[___] License"), in which case the -provisions of [______] License are applicable instead of those -above. If you wish to allow use of your version of this file only -under the terms of the [____] License and not to allow others to use -your version of this file under the MPL, indicate your decision by -deleting the provisions above and replace them with the notice and -other provisions required by the [___] License. If you do not delete -the provisions above, a recipient may use your version of this file -under either the MPL or the [___] License." -NOTE: The text of this Exhibit A may differ slightly from the text of the notices in the Source Code files of the Original Code. You should use the text of this Exhibit A rather than the text found in the Original Code Source Code for Your Modifications. 
----------------------------------------------------------------------- VisualSearch License ----------------------------------------------------------------------- From b234d38b9a9b5489afd397b54e5eff0a85971552 Mon Sep 17 00:00:00 2001 From: Gautam Borad Date: Mon, 28 Dec 2015 15:58:39 +0530 Subject: [PATCH 141/202] RANGER-804 : Delete groups associated with User causes Exception in UserSync --- src/main/assembly/usersync.xml | 2 ++ ugsync/pom.xml | 10 ++++++++++ 2 files changed, 12 insertions(+) diff --git a/src/main/assembly/usersync.xml b/src/main/assembly/usersync.xml index 211db7cfacc..cbbc2cf7f58 100644 --- a/src/main/assembly/usersync.xml +++ b/src/main/assembly/usersync.xml @@ -51,6 +51,8 @@ org.apache.ranger:ranger-util commons-io:commons-io:jar:${commons.io.version} org.apache.htrace:htrace-core + commons-httpclient:commons-httpclient + commons-codec:commons-codec false diff --git a/ugsync/pom.xml b/ugsync/pom.xml index d0ecb2f29ea..8a1b8ea8862 100644 --- a/ugsync/pom.xml +++ b/ugsync/pom.xml @@ -110,6 +110,16 @@ junit test + + commons-httpclient + commons-httpclient + ${commons.httpclient.version} + + + commons-codec + commons-codec + ${commons.codec.version} + From 13ad496558b5d364e5484101cd920a2d3f4318a0 Mon Sep 17 00:00:00 2001 From: Gautam Borad Date: Tue, 12 Jan 2016 17:49:10 +0530 Subject: [PATCH 142/202] RANGER-810 : Audit page should show most recent audit log at the top Signed-off-by: Madhan Neethiraj --- security-admin/src/main/webapp/scripts/controllers/Controller.js | 1 + 1 file changed, 1 insertion(+) diff --git a/security-admin/src/main/webapp/scripts/controllers/Controller.js b/security-admin/src/main/webapp/scripts/controllers/Controller.js index 0819f9e1701..edbc5b903a0 100755 --- a/security-admin/src/main/webapp/scripts/controllers/Controller.js +++ b/security-admin/src/main/webapp/scripts/controllers/Controller.js 
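Review bot: The two dependencies added to ugsync/pom.xml use the `commons-httpclient:commons-httpclient` coordinates, which (as far as I know) identify the legacy HttpClient 3.x line rather than the `org.apache.httpcomponents` 4.x line, and their versions come from `${commons.httpclient.version}` and `${commons.codec.version}` properties that this hunk does not show. Please confirm both properties are defined in the parent pom and resolve to the versions the rest of the build already uses, so the usersync assembly does not ship a second copy of either jar. The usersync.xml hunk bundles both artifacts into the installed package, so whatever version the property resolves to is what ends up on the runtime classpath.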
@@ -94,6 +94,7 @@ define(function(require) { var view = require('views/reports/AuditLayout'); var VXAccessAuditList = require('collections/VXAccessAuditList'); var accessAuditList = new VXAccessAuditList(); + _.extend(accessAuditList.queryParams,{ 'sortBy' : 'eventTime' }); App.rContent.show(new view({ accessAuditList : accessAuditList, tab :tab From 43274cafe1a700852b10e2eaaf295da68375e5cc Mon Sep 17 00:00:00 2001 From: Alok Lal Date: Mon, 25 Jan 2016 15:33:44 -0800 Subject: [PATCH 143/202] RANGER-777 Remove the mavn profile that was added for building kafka plugin --- pom.xml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/pom.xml b/pom.xml index cccdb0c3df3..d360b2ed441 100644 --- a/pom.xml +++ b/pom.xml @@ -229,10 +229,6 @@ unixauthnative - - - kafka-security - From 10970b36646e80e06ef9540da9035231a7450ec6 Mon Sep 17 00:00:00 2001 From: Alok Lal Date: Wed, 20 Jan 2016 17:43:05 -0800 Subject: [PATCH 144/202] RANGER-821 Ranger shutdown hook should not only do its processing asynchronously but also terminate itself if it runs more than a configurable amount of time. --- .../audit/provider/AuditProviderFactory.java | 79 ++++++++++++++++--- 1 file changed, 68 insertions(+), 11 deletions(-) diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/provider/AuditProviderFactory.java b/agents-audit/src/main/java/org/apache/ranger/audit/provider/AuditProviderFactory.java index 723b5285ee5..cb998cd0161 100644 --- a/agents-audit/src/main/java/org/apache/ranger/audit/provider/AuditProviderFactory.java +++ b/agents-audit/src/main/java/org/apache/ranger/audit/provider/AuditProviderFactory.java @@ -21,6 +21,8 @@ import java.util.ArrayList; import java.util.List; import java.util.Properties; +import java.util.concurrent.Semaphore; +import java.util.concurrent.TimeUnit; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; 
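Review bot: The added `_.extend(accessAuditList.queryParams,{ 'sortBy' : 'eventTime' });` sets only the sort column and no sort direction, so whether the most recent entry ends up at the top depends on the default ordering that `VXAccessAuditList` or the backing endpoint applies to `eventTime`, which is not visible in this hunk. If that default is ascending, an explicit direction key will be needed next to `sortBy`; either way a short comment such as `// newest audit events first (RANGER-810)` would record the intent, since the key alone does not say which direction is wanted. The enclosing function continues outside the hunk.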
@@ -56,6 +58,8 @@ public class AuditProviderFactory { public static final String AUDIT_SOLR_IS_ENABLED_PROP = "xasecure.audit.solr.is.enabled"; public static final String AUDIT_DEST_BASE = "xasecure.audit.destination"; + public static final String AUDIT_SHUTDOWN_HOOK_MAX_WAIT_SEC = "xasecure.audit.shutdown.hook.max.wait.seconds"; + public static final int AUDIT_SHUTDOWN_HOOK_MAX_WAIT_SEC_DEFAULT = 30; public static final int AUDIT_ASYNC_MAX_QUEUE_SIZE_DEFAULT = 10 * 1024; public static final int AUDIT_ASYNC_MAX_FLUSH_INTERVAL_DEFAULT = 5 * 1000; @@ -381,9 +385,7 @@ public synchronized void init(Properties props, String appType) { mProvider.start(); } - JVMShutdownHook jvmShutdownHook = new JVMShutdownHook(mProvider); - - Runtime.getRuntime().addShutdownHook(jvmShutdownHook); + installJvmSutdownHook(props); } private AuditHandler getProviderFromConfig(Properties props, 
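Review bot: The new call `installJvmSutdownHook(props);` in the `@@ -381,9 +385,7 @@` hunk carries a typo in the method name (the definition in the following hunk has the same spelling); renaming it to `installJvmShutdownHook` is cheap now and avoids cementing the misspelling. The two constants added in the first hunk say nothing about the unit or about what happens when the wait expires; I would add `// seconds the shutdown hook waits for async audit cleanup before giving up and letting the JVM exit` above `AUDIT_SHUTDOWN_HOOK_MAX_WAIT_SEC`. `init` continues outside the hunk.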
@@ -443,21 +445,76 @@ private AuditHandler getDefaultProvider() { return new DummyAuditProvider(); } - private static class JVMShutdownHook extends Thread { - AuditHandler mProvider; + private void installJvmSutdownHook(Properties props) { + int shutdownHookMaxWaitSeconds = MiscUtil.getIntProperty(props, AUDIT_SHUTDOWN_HOOK_MAX_WAIT_SEC, AUDIT_SHUTDOWN_HOOK_MAX_WAIT_SEC_DEFAULT); + JVMShutdownHook jvmShutdownHook = new JVMShutdownHook(mProvider, shutdownHookMaxWaitSeconds); + Runtime.getRuntime().addShutdownHook(jvmShutdownHook); + } + + private static class RangerAsyncAuditCleanup implements Runnable { - public JVMShutdownHook(AuditHandler provider) { - mProvider = provider; + final Semaphore startCleanup; + final Semaphore doneCleanup; + final AuditHandler mProvider; + + RangerAsyncAuditCleanup(AuditHandler provider, Semaphore startCleanup, Semaphore doneCleanup) { + this.startCleanup = startCleanup; + this.doneCleanup = doneCleanup; + this.mProvider = provider; } + @Override public void run() { - LOG.info("==> JVMShutdownHook.run()"); - try { + while (true) { + LOG.info("RangerAsyncAuditCleanup: Waiting to audit cleanup start signal"); + try { + startCleanup.acquire(); + } catch (InterruptedException e) { + LOG.info("RangerAsyncAuditCleanup: Interrupted while waiting for audit startCleanup signal! 
Exiting the thread...", e); + break; + } + LOG.info("RangerAsyncAuditCleanup: Starting cleanup"); mProvider.waitToComplete(); mProvider.stop(); - } finally { - LOG.info("<== JVMShutdownHook.run()"); + doneCleanup.release(); + LOG.info("RangerAsyncAuditCleanup: Done cleanup"); + } + } + } + + private static class JVMShutdownHook extends Thread { + final Semaphore startCleanup = new Semaphore(0); + final Semaphore doneCleanup = new Semaphore(0); + final Thread cleanupThread; + final int maxWait; + + public JVMShutdownHook(AuditHandler provider, int maxWait) { + this.maxWait = maxWait; + Runnable runnable = new RangerAsyncAuditCleanup(provider, startCleanup, doneCleanup); + cleanupThread = new Thread(runnable, "Ranger async Audit cleanup"); + cleanupThread.setDaemon(true); + cleanupThread.start(); + } + + public void run() { + LOG.info("==> JVMShutdownHook.run()"); + LOG.info("JVMShutdownHook: Signalling async audit cleanup to start."); + startCleanup.release(); + try { + Long start = System.currentTimeMillis(); + LOG.info("JVMShutdownHook: Waiting up to " + maxWait + " seconds for audit cleanup to finish."); + boolean cleanupFinishedInTime = doneCleanup.tryAcquire(maxWait, TimeUnit.SECONDS); + if (cleanupFinishedInTime) { + LOG.info("JVMShutdownHook: Audit cleanup finished after " + (System.currentTimeMillis() - start) + " milli seconds"); + } else { + LOG.warn("JVMShutdownHook: could not detect finishing of audit cleanup even after waiting for " + maxWait + " seconds!"); + } + } catch (InterruptedException e) { + LOG.info("JVMShutdownHook: Interrupted while waiting for completion of Async executor!", e); } + LOG.info("JVMShutdownHook: Interrupting ranger async audit cleanup thread"); + cleanupThread.interrupt(); + LOG.info("<== JVMShutdownHook.run()"); } } } From 291215dce962d105feee0ec08ece017d92009442 Mon Sep 17 00:00:00 2001 
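Review bot: When `doneCleanup.tryAcquire(maxWait, TimeUnit.SECONDS)` times out, `JVMShutdownHook.run` interrupts the daemon cleanup thread and returns, so the JVM can exit while `mProvider.stop()` is still mid-flush; the WARN on that path should say so explicitly, e.g. `LOG.warn("JVMShutdownHook: audit cleanup did not finish within " + maxWait + " seconds; queued audit events may be lost");`, so operators reading logs understand the audit gap. Relatedly, `installJvmSutdownHook` passes the configured value straight through, and I cannot see from here whether `MiscUtil.getIntProperty` rejects non-positive values; a zero or negative `maxWait` makes `tryAcquire` return immediately and effectively skips the flush, so a guard such as `if (shutdownHookMaxWaitSeconds <= 0) { shutdownHookMaxWaitSeconds = AUDIT_SHUTDOWN_HOOK_MAX_WAIT_SEC_DEFAULT; }` would be worth adding. The `catch (InterruptedException e)` in `JVMShutdownHook.run` drops the interrupt status; add `Thread.currentThread().interrupt();` before falling through to the interrupt of the cleanup thread. Two smaller points: `Long start = System.currentTimeMillis();` boxes for no reason and should be `long start`, and `JVMShutdownHook.run` lacks the `@Override` that `RangerAsyncAuditCleanup.run` already has.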
From: Alok Lal Date: Wed, 27 Jan 2016 18:27:12 -0800 Subject: [PATCH 145/202] RANGER-825 groupId in ranger's child poms should be consistent and follow convention. Signed-off-by: Alok Lal --- agents-audit/pom.xml | 3 +-- agents-common/pom.xml | 3 +-- agents-cred/pom.xml | 1 - agents-installer/pom.xml | 1 - credentialbuilder/pom.xml | 1 - embeddedwebserver/pom.xml | 1 - hbase-agent/pom.xml | 7 +++---- hdfs-agent/pom.xml | 5 ++--- hive-agent/pom.xml | 5 ++--- jisql/pom.xml | 1 - kms/pom.xml | 1 + knox-agent/pom.xml | 5 ++--- plugin-kafka/pom.xml | 5 ++--- plugin-kms/pom.xml | 5 ++--- plugin-solr/pom.xml | 5 ++--- plugin-yarn/pom.xml | 5 ++--- ranger-examples/pom.xml | 3 ++- ranger-hbase-plugin-shim/pom.xml | 7 +++---- ranger-hdfs-plugin-shim/pom.xml | 7 +++---- ranger-hive-plugin-shim/pom.xml | 7 +++---- ranger-kafka-plugin-shim/pom.xml | 7 +++---- ranger-knox-plugin-shim/pom.xml | 7 +++---- ranger-plugin-classloader/pom.xml | 1 - ranger-storm-plugin-shim/pom.xml | 7 +++---- ranger-yarn-plugin-shim/pom.xml | 7 +++---- ranger_solrj/pom.xml | 2 +- security-admin/pom.xml | 2 +- src/main/assembly/admin-web.xml | 22 +++++++++++----------- src/main/assembly/hbase-agent.xml | 15 +++++++-------- src/main/assembly/hdfs-agent.xml | 15 +++++++-------- src/main/assembly/hive-agent.xml | 15 +++++++-------- src/main/assembly/kms.xml | 13 ++++++------- src/main/assembly/knox-agent.xml | 15 +++++++-------- src/main/assembly/plugin-kafka.xml | 16 ++++++++-------- src/main/assembly/plugin-kms.xml | 13 ++++++------- src/main/assembly/plugin-solr.xml | 16 +++++++--------- src/main/assembly/plugin-yarn.xml | 17 ++++++++--------- src/main/assembly/storm-agent.xml | 17 ++++++++--------- src/main/assembly/usersync.xml | 2 +- storm-agent/pom.xml | 5 ++--- 40 files changed, 130 insertions(+), 162 deletions(-) diff --git a/agents-audit/pom.xml b/agents-audit/pom.xml index 498dfd85865..0b6abfb5535 100644 --- a/agents-audit/pom.xml +++ b/agents-audit/pom.xml 
@@ -17,7 +17,6 @@ --> 4.0.0 - security_plugins.ranger-plugins-audit ranger-plugins-audit Audit Component Auth Audit @@ -33,7 +32,7 @@ - security_plugins.ranger-plugins-cred + org.apache.ranger ranger-plugins-cred ${project.version} diff --git a/agents-common/pom.xml b/agents-common/pom.xml index 8acdf80c4b9..293aaeccaee 100644 --- a/agents-common/pom.xml +++ b/agents-common/pom.xml @@ -17,7 +17,6 @@ --> 4.0.0 - security_plugins.ranger-plugins-common ranger-plugins-common Common library for Plugins Plugins Common @@ -66,7 +65,7 @@ ${codehaus.jackson.version} - security_plugins.ranger-plugins-audit + org.apache.ranger ranger-plugins-audit ${project.version} diff --git a/agents-cred/pom.xml b/agents-cred/pom.xml index 2063187544e..0fd569cd99d 100644 --- a/agents-cred/pom.xml +++ b/agents-cred/pom.xml @@ -17,7 +17,6 @@ --> 4.0.0 - security_plugins.ranger-plugins-cred ranger-plugins-cred Credential Support Plugins Common diff --git a/agents-installer/pom.xml b/agents-installer/pom.xml index 633da6deec4..a50978e9062 100644 --- a/agents-installer/pom.xml +++ b/agents-installer/pom.xml @@ -17,7 +17,6 @@ --> 4.0.0 - security_plugins.ranger-plugins-installer ranger-plugins-installer Installer Support Component Security Plugins Installer diff --git a/credentialbuilder/pom.xml b/credentialbuilder/pom.xml index b4f9c106cba..c0926201698 100644 --- a/credentialbuilder/pom.xml +++ b/credentialbuilder/pom.xml @@ -18,7 +18,6 @@ 4.0.0 credentialbuilder - 0.5.0 Credential Builder Credential Builder for non-hadoop java codebase jar diff --git a/embeddedwebserver/pom.xml b/embeddedwebserver/pom.xml index 40e482dd74f..191dc1a527c 100644 --- a/embeddedwebserver/pom.xml +++ b/embeddedwebserver/pom.xml @@ -18,7 +18,6 @@ 4.0.0 embeddedwebserver - 0.5.0 Embedded Web Server Invoker Embedded Web Server Invoker jar diff --git a/hbase-agent/pom.xml b/hbase-agent/pom.xml index edad495bbcf..d4df33570c5 100644 --- a/hbase-agent/pom.xml +++ b/hbase-agent/pom.xml 
@@ -17,7 +17,6 @@ --> 4.0.0 - security_plugins.ranger-hbase-plugin ranger-hbase-plugin HBase Security Plugin HBase Security Plugins @@ -43,17 +42,17 @@ ${hadoop.version} - security_plugins.ranger-plugins-common + org.apache.ranger ranger-plugins-common ${project.version} - security_plugins.ranger-hbase-plugin-shim + org.apache.ranger ranger-hbase-plugin-shim ${project.version} - security_plugins.ranger-plugins-audit + org.apache.ranger ranger-plugins-audit ${project.version} diff --git a/hdfs-agent/pom.xml b/hdfs-agent/pom.xml index d1f42a764cc..17a66922907 100644 --- a/hdfs-agent/pom.xml +++ b/hdfs-agent/pom.xml @@ -17,7 +17,6 @@ --> 4.0.0 - security_plugins.ranger-hdfs-plugin ranger-hdfs-plugin Hdfs Security Plugin Hdfs Security Plugins @@ -111,12 +110,12 @@ ${javassist.version} - security_plugins.ranger-plugins-audit + org.apache.ranger ranger-plugins-audit ${project.version} - security_plugins.ranger-plugins-common + org.apache.ranger ranger-plugins-common ${project.version} diff --git a/hive-agent/pom.xml b/hive-agent/pom.xml index 2f2e7f83fd6..cd9e632e484 100644 --- a/hive-agent/pom.xml +++ b/hive-agent/pom.xml @@ -17,7 +17,6 @@ --> 4.0.0 - security_plugins.ranger-hive-plugin ranger-hive-plugin Hive Security Plugin Hive Security Plugins @@ -113,12 +112,12 @@ ${hadoop.version} - security_plugins.ranger-plugins-common + org.apache.ranger ranger-plugins-common ${project.version} - security_plugins.ranger-plugins-audit + org.apache.ranger ranger-plugins-audit ${project.version} diff --git a/jisql/pom.xml b/jisql/pom.xml index 9b7e056691d..1aeed037a92 100644 --- a/jisql/pom.xml +++ b/jisql/pom.xml @@ -18,7 +18,6 @@ 4.0.0 jisql - 0.1.0 Jdbc SQL Connector Jdbc SQL Connector to execute sql statement in any db jar diff --git a/kms/pom.xml b/kms/pom.xml index b89837dcae9..95195761a6b 100644 --- a/kms/pom.xml +++ b/kms/pom.xml @@ -25,6 +25,7 @@ org.apache.ranger ranger 0.5.0 + .. diff --git a/knox-agent/pom.xml b/knox-agent/pom.xml index 9e85527e261..9cfcb74a9a3 100644 
--- a/knox-agent/pom.xml +++ b/knox-agent/pom.xml @@ -17,7 +17,6 @@ --> 4.0.0 - security_plugins.ranger-knox-plugin ranger-knox-plugin Knox Security Plugin Knox Security Plugins @@ -74,7 +73,7 @@ ${codehaus.jackson.version} - security_plugins.ranger-plugins-common + org.apache.ranger ranger-plugins-common ${project.version} - security_plugins.ranger-plugins-audit + org.apache.ranger ranger-plugins-audit ${project.version} 4.0.0 - security_plugins.ranger-kms-plugin ranger-kms-plugin KMS Security Plugin KMS Security Plugin @@ -33,12 +32,12 @@ - security_plugins.ranger-plugins-common + org.apache.ranger ranger-plugins-common ${project.version} - security_plugins.ranger-plugins-audit + org.apache.ranger ranger-plugins-audit ${project.version} diff --git a/plugin-solr/pom.xml b/plugin-solr/pom.xml index 922aa47e077..22a06974f71 100644 --- a/plugin-solr/pom.xml +++ b/plugin-solr/pom.xml @@ -12,7 +12,6 @@ 4.0.0 - security_plugins.ranger-solr-plugin ranger-solr-plugin SOLR Security Plugin SOLR Security Plugin @@ -28,12 +27,12 @@ - security_plugins.ranger-plugins-common + org.apache.ranger ranger-plugins-common ${project.version} - security_plugins.ranger-plugins-audit + org.apache.ranger ranger-plugins-audit ${project.version} diff --git a/plugin-yarn/pom.xml b/plugin-yarn/pom.xml index b6fb37989c7..85cccd0e82e 100644 --- a/plugin-yarn/pom.xml +++ b/plugin-yarn/pom.xml @@ -17,7 +17,6 @@ --> 4.0.0 - security_plugins.ranger-yarn-plugin ranger-yarn-plugin YARN Security Plugin YARN Security Plugin @@ -33,12 +32,12 @@ - security_plugins.ranger-plugins-common + org.apache.ranger ranger-plugins-common ${project.version} - security_plugins.ranger-plugins-audit + org.apache.ranger ranger-plugins-audit ${project.version} diff --git a/ranger-examples/pom.xml b/ranger-examples/pom.xml index 8090170d3e8..53c3ae11095 100644 --- a/ranger-examples/pom.xml +++ b/ranger-examples/pom.xml @@ -22,6 +22,7 @@ ranger org.apache.ranger 0.5.0 + .. 4.0.0 
@@ -37,7 +38,7 @@ mockito-core - security_plugins.ranger-plugins-common + org.apache.ranger ranger-plugins-common ${project.version} diff --git a/ranger-hbase-plugin-shim/pom.xml b/ranger-hbase-plugin-shim/pom.xml index 39fa139aae8..db96907480a 100644 --- a/ranger-hbase-plugin-shim/pom.xml +++ b/ranger-hbase-plugin-shim/pom.xml @@ -17,7 +17,6 @@ --> 4.0.0 - security_plugins.ranger-hbase-plugin-shim ranger-hbase-plugin-shim HBase Security Plugin Shim HBase Security Plugins Shim @@ -43,17 +42,17 @@ ${hadoop.version} - security_plugins.ranger-plugins-common + org.apache.ranger ranger-plugins-common ${project.version} - security_plugins.ranger-plugins-audit + org.apache.ranger ranger-plugins-audit ${project.version} - security_plugins.ranger-plugin-classloader + org.apache.ranger ranger-plugin-classloader ${project.version} diff --git a/ranger-hdfs-plugin-shim/pom.xml b/ranger-hdfs-plugin-shim/pom.xml index a44abb3595f..794cbaecf89 100644 --- a/ranger-hdfs-plugin-shim/pom.xml +++ b/ranger-hdfs-plugin-shim/pom.xml @@ -17,7 +17,6 @@ --> 4.0.0 - security_plugins.ranger-hdfs-plugin-shim ranger-hdfs-plugin-shim Hdfs Security Plugin Shim Hdfs Security Plugins Shim @@ -56,17 +55,17 @@ mockito-core - security_plugins.ranger-plugins-audit + org.apache.ranger ranger-plugins-audit ${project.version} - security_plugins.ranger-plugins-common + org.apache.ranger ranger-plugins-common ${project.version} - security_plugins.ranger-plugin-classloader + org.apache.ranger ranger-plugin-classloader ${project.version} diff --git a/ranger-hive-plugin-shim/pom.xml b/ranger-hive-plugin-shim/pom.xml index 1ff8349a559..3ce0684e4ca 100644 --- a/ranger-hive-plugin-shim/pom.xml +++ b/ranger-hive-plugin-shim/pom.xml @@ -17,7 +17,6 @@ --> 4.0.0 - security_plugins.ranger-hive-plugin-shim ranger-hive-plugin-shim Hive Security Plugin Shim Hive Security Plugins Shim 
@@ -79,17 +78,17 @@ standalone - security_plugins.ranger-plugins-audit + org.apache.ranger ranger-plugins-audit ${project.version} - security_plugins.ranger-plugins-common + org.apache.ranger ranger-plugins-common ${project.version} - security_plugins.ranger-plugin-classloader + org.apache.ranger ranger-plugin-classloader ${project.version} diff --git a/ranger-kafka-plugin-shim/pom.xml b/ranger-kafka-plugin-shim/pom.xml index 2d298687132..fb948ba0384 100644 --- a/ranger-kafka-plugin-shim/pom.xml +++ b/ranger-kafka-plugin-shim/pom.xml @@ -12,7 +12,6 @@ 4.0.0 - security_plugins.ranger-kafka-plugin-shim ranger-kafka-plugin-shim KAFKA Security Plugin Shim KAFKA Security Plugin shim @@ -28,17 +27,17 @@ - security_plugins.ranger-plugins-common + org.apache.ranger ranger-plugins-common ${project.version} - security_plugins.ranger-plugins-audit + org.apache.ranger ranger-plugins-audit ${project.version} - security_plugins.ranger-plugin-classloader + org.apache.ranger ranger-plugin-classloader ${project.version} diff --git a/ranger-knox-plugin-shim/pom.xml b/ranger-knox-plugin-shim/pom.xml index eef7913c7f9..66da19f771d 100644 --- a/ranger-knox-plugin-shim/pom.xml +++ b/ranger-knox-plugin-shim/pom.xml @@ -17,7 +17,6 @@ --> 4.0.0 - security_plugins.ranger-knox-plugin-shim ranger-knox-plugin-shim Knox Security Plugin Shim Knox Security Plugins Shim @@ -73,17 +72,17 @@ ${codehaus.jackson.version} - security_plugins.ranger-plugins-common + org.apache.ranger ranger-plugins-common ${project.version} - security_plugins.ranger-plugin-classloader + org.apache.ranger ranger-plugin-classloader ${project.version} - security_plugins.ranger-plugins-audit + org.apache.ranger ranger-plugins-audit ${project.version} diff --git a/ranger-plugin-classloader/pom.xml b/ranger-plugin-classloader/pom.xml index d8504e6950a..a1238dbe9af 100644 --- a/ranger-plugin-classloader/pom.xml +++ b/ranger-plugin-classloader/pom.xml 
@@ -18,7 +18,6 @@ 4.0.0 - security_plugins.ranger-plugin-classloader ranger-plugin-classloader 0.5.0 ranger-plugin-classloader diff --git a/ranger-storm-plugin-shim/pom.xml b/ranger-storm-plugin-shim/pom.xml index 397bb2fc9da..8b59796449b 100644 --- a/ranger-storm-plugin-shim/pom.xml +++ b/ranger-storm-plugin-shim/pom.xml @@ -17,7 +17,6 @@ --> 4.0.0 - security_plugins.ranger-storm-plugin-shim ranger-storm-plugin-shim Storm Security Plugin shim Storm Security Plugins shim @@ -38,12 +37,12 @@ ${storm.version} - security_plugins.ranger-plugins-common + org.apache.ranger ranger-plugins-common ${project.version} - security_plugins.ranger-plugins-audit + org.apache.ranger ranger-plugins-audit ${project.version} @@ -68,7 +67,7 @@ ${htrace-core.version} - security_plugins.ranger-plugin-classloader + org.apache.ranger ranger-plugin-classloader ${project.version} diff --git a/ranger-yarn-plugin-shim/pom.xml b/ranger-yarn-plugin-shim/pom.xml index d461ca580be..479628dfdd8 100644 --- a/ranger-yarn-plugin-shim/pom.xml +++ b/ranger-yarn-plugin-shim/pom.xml @@ -17,7 +17,6 @@ --> 4.0.0 - security_plugins.ranger-yarn-plugin-shim ranger-yarn-plugin-shim YARN Security Plugin Shim YARN Security Plugin Shim @@ -33,12 +32,12 @@ - security_plugins.ranger-plugins-common + org.apache.ranger ranger-plugins-common ${project.version} - security_plugins.ranger-plugins-audit + org.apache.ranger ranger-plugins-audit ${project.version} @@ -58,7 +57,7 @@ ${hadoop.version} - security_plugins.ranger-plugin-classloader + org.apache.ranger ranger-plugin-classloader ${project.version} diff --git a/ranger_solrj/pom.xml b/ranger_solrj/pom.xml index c1b5985306e..d031fb446d2 100644 --- a/ranger_solrj/pom.xml +++ b/ranger_solrj/pom.xml @@ -23,9 +23,9 @@ org.apache.ranger ranger 0.5.0 + .. ranger_solrj - 0.5.0 ranger_solrj http://maven.apache.org diff --git a/security-admin/pom.xml b/security-admin/pom.xml index 3c26837efde..4b7c10dcd28 100644 --- a/security-admin/pom.xml +++ b/security-admin/pom.xml 
@@ -398,7 +398,7 @@ ${project.version} - security_plugins.ranger-plugins-common + org.apache.ranger ranger-plugins-common ${project.version} diff --git a/src/main/assembly/admin-web.xml b/src/main/assembly/admin-web.xml index 7a8dca024e3..41ebdddef88 100644 --- a/src/main/assembly/admin-web.xml +++ b/src/main/assembly/admin-web.xml @@ -56,7 +56,7 @@ 644 - security_plugins.ranger-hdfs-plugin:ranger-hdfs-plugin + org.apache.ranger:ranger-hdfs-plugin @@ -81,7 +81,7 @@ - security_plugins.ranger-hive-plugin:ranger-hive-plugin + org.apache.ranger:ranger-hive-plugin @@ -106,7 +106,7 @@ - security_plugins.ranger-hbase-plugin:ranger-hbase-plugin + org.apache.ranger:ranger-hbase-plugin @@ -129,7 +129,7 @@ - security_plugins.ranger-knox-plugin:ranger-knox-plugin + org.apache.ranger:ranger-knox-plugin @@ -149,7 +149,7 @@ - security_plugins.ranger-storm-plugin:ranger-storm-plugin + org.apache.ranger:ranger-storm-plugin @@ -170,7 +170,7 @@ - security_plugins.ranger-yarn-plugin:ranger-yarn-plugin + org.apache.ranger:ranger-yarn-plugin @@ -183,7 +183,7 @@ 644 - security_plugins.ranger-kms-plugin:ranger-kms-plugin + org.apache.ranger:ranger-kms-plugin @@ -276,7 +276,7 @@ 644 - security_plugins.ranger-kafka-plugin:ranger-kafka-plugin + org.apache.ranger:ranger-kafka-plugin @@ -289,7 +289,7 @@ 644 - security_plugins.ranger-solr-plugin:ranger-solr-plugin + org.apache.ranger:ranger-solr-plugin @@ -308,7 +308,7 @@ 644 - security_plugins.ranger-kafka-plugin:ranger-kafka-plugin + org.apache.ranger:ranger-kafka-plugin @@ -325,7 +325,7 @@ 644 - security_plugins.ranger-solr-plugin:ranger-solr-plugin + org.apache.ranger:ranger-solr-plugin diff --git a/src/main/assembly/hbase-agent.xml b/src/main/assembly/hbase-agent.xml index 97d4e958ce8..9e69ff2ae07 100644 --- a/src/main/assembly/hbase-agent.xml +++ b/src/main/assembly/hbase-agent.xml 
@@ -33,8 +33,8 @@ /lib - security_plugins.ranger-hbase-plugin-shim:ranger-hbase-plugin-shim - security_plugins.ranger-plugin-classloader:ranger-plugin-classloader + org.apache.ranger:ranger-hbase-plugin-shim + org.apache.ranger:ranger-plugin-classloader @@ -62,11 +62,10 @@ org.apache.ranger:ranger_solrj - security_plugins.ranger-plugins-audit:ranger-plugins-audit - security_plugins.ranger-plugins-cred:ranger-plugins-cred - security_plugins.ranger-plugins-impl:ranger-plugins-impl - security_plugins.ranger-plugins-common:ranger-plugins-common - security_plugins.ranger-hbase-plugin:ranger-hbase-plugin + org.apache.ranger:ranger-plugins-audit + org.apache.ranger:ranger-plugins-cred + org.apache.ranger:ranger-plugins-common + org.apache.ranger:ranger-hbase-plugin @@ -96,7 +95,7 @@ false - security_plugins.ranger-plugins-installer:ranger-plugins-installer + org.apache.ranger:ranger-plugins-installer org.apache.ranger:credentialbuilder diff --git a/src/main/assembly/hdfs-agent.xml b/src/main/assembly/hdfs-agent.xml index deec461f52b..c71bd67fc97 100644 --- a/src/main/assembly/hdfs-agent.xml +++ b/src/main/assembly/hdfs-agent.xml @@ -34,8 +34,8 @@ /lib - security_plugins.ranger-hdfs-plugin-shim:ranger-hdfs-plugin-shim - security_plugins.ranger-plugin-classloader:ranger-plugin-classloader + org.apache.ranger:ranger-hdfs-plugin-shim + org.apache.ranger:ranger-plugin-classloader @@ -66,7 +66,7 @@ false - security_plugins.ranger-plugins-installer:ranger-plugins-installer + org.apache.ranger:ranger-plugins-installer org.apache.ranger:credentialbuilder 
@@ -94,11 +94,10 @@ org.apache.ranger:ranger_solrj - security_plugins.ranger-plugins-audit:ranger-plugins-audit - security_plugins.ranger-plugins-cred:ranger-plugins-cred - security_plugins.ranger-plugins-impl:ranger-plugins-impl - security_plugins.ranger-plugins-common:ranger-plugins-common - security_plugins.ranger-hdfs-plugin:ranger-hdfs-plugin + org.apache.ranger:ranger-plugins-audit + org.apache.ranger:ranger-plugins-cred + org.apache.ranger:ranger-plugins-common + org.apache.ranger:ranger-hdfs-plugin diff --git a/src/main/assembly/hive-agent.xml b/src/main/assembly/hive-agent.xml index 91225472c52..8d91bacc2d2 100644 --- a/src/main/assembly/hive-agent.xml +++ b/src/main/assembly/hive-agent.xml @@ -33,8 +33,8 @@ /lib - security_plugins.ranger-hive-plugin-shim:ranger-hive-plugin-shim - security_plugins.ranger-plugin-classloader:ranger-plugin-classloader + org.apache.ranger:ranger-hive-plugin-shim + org.apache.ranger:ranger-plugin-classloader @@ -60,11 +60,10 @@ org.apache.ranger:ranger_solrj - security_plugins.ranger-plugins-audit:ranger-plugins-audit - security_plugins.ranger-plugins-cred:ranger-plugins-cred - security_plugins.ranger-plugins-impl:ranger-plugins-impl - security_plugins.ranger-plugins-common:ranger-plugins-common - security_plugins.ranger-hive-plugin:ranger-hive-plugin + org.apache.ranger:ranger-plugins-audit + org.apache.ranger:ranger-plugins-cred + org.apache.ranger:ranger-plugins-common + org.apache.ranger:ranger-hive-plugin @@ -94,7 +93,7 @@ false - security_plugins.ranger-plugins-installer:ranger-plugins-installer + org.apache.ranger:ranger-plugins-installer org.apache.ranger:credentialbuilder diff --git a/src/main/assembly/kms.xml b/src/main/assembly/kms.xml index 5c9e11be217..e2676871377 100755 --- a/src/main/assembly/kms.xml +++ b/src/main/assembly/kms.xml 
@@ -216,7 +216,7 @@ org.slf4j:slf4j-api:jar:${slf4j-api.version} org.apache.hadoop:hadoop-common:jar:${hadoop-common.version} org.apache.hadoop:hadoop-auth:jar:${hadoop-common.version} - security_plugins.ranger-plugins-cred:ranger-plugins-cred + org.apache.ranger:ranger-plugins-cred org.apache.ranger:credentialbuilder @@ -225,11 +225,10 @@ org.apache.ranger:ranger_solrj - security_plugins.ranger-plugins-audit:ranger-plugins-audit - security_plugins.ranger-plugins-cred:ranger-plugins-cred - security_plugins.ranger-plugins-impl:ranger-plugins-impl - security_plugins.ranger-plugins-common:ranger-plugins-common - security_plugins.ranger-kms-plugin:ranger-kms-plugin + org.apache.ranger:ranger-plugins-audit + org.apache.ranger:ranger-plugins-cred + org.apache.ranger:ranger-plugins-common + org.apache.ranger:ranger-kms-plugin org.apache.ranger:credentialbuilder @@ -240,7 +239,7 @@ false - security_plugins.ranger-plugins-installer:ranger-plugins-installer + org.apache.ranger:ranger-plugins-installer org.apache.ranger:credentialbuilder diff --git a/src/main/assembly/knox-agent.xml b/src/main/assembly/knox-agent.xml index 8975c1deb85..aeae77953a7 100644 --- a/src/main/assembly/knox-agent.xml +++ b/src/main/assembly/knox-agent.xml @@ -34,8 +34,8 @@ /lib - security_plugins.ranger-knox-plugin-shim:ranger-knox-plugin-shim - security_plugins.ranger-plugin-classloader:ranger-plugin-classloader + org.apache.ranger:ranger-knox-plugin-shim + org.apache.ranger:ranger-plugin-classloader 
@@ -65,11 +65,10 @@ org.apache.ranger:ranger_solrj - security_plugins.ranger-plugins-audit:ranger-plugins-audit - security_plugins.ranger-plugins-cred:ranger-plugins-cred - security_plugins.ranger-plugins-impl:ranger-plugins-impl - security_plugins.ranger-plugins-common:ranger-plugins-common - security_plugins.ranger-knox-plugin:ranger-knox-plugin + org.apache.ranger:ranger-plugins-audit + org.apache.ranger:ranger-plugins-cred + org.apache.ranger:ranger-plugins-common + org.apache.ranger:ranger-knox-plugin @@ -99,7 +98,7 @@ - security_plugins.ranger-plugins-installer:ranger-plugins-installer + org.apache.ranger:ranger-plugins-installer org.apache.ranger:credentialbuilder diff --git a/src/main/assembly/plugin-kafka.xml b/src/main/assembly/plugin-kafka.xml index 31498e5f377..26d810098b7 100644 --- a/src/main/assembly/plugin-kafka.xml +++ b/src/main/assembly/plugin-kafka.xml @@ -28,8 +28,8 @@ /lib - security_plugins.ranger-kafka-plugin-shim:ranger-kafka-plugin-shim - security_plugins.ranger-plugin-classloader:ranger-plugin-classloader + org.apache.ranger:ranger-kafka-plugin-shim + org.apache.ranger:ranger-plugin-classloader @@ -99,7 +99,7 @@ org.apache.hadoop:hadoop-auth:jar:${hadoop-common.version} - security_plugins.ranger-plugins-cred:ranger-plugins-cred + org.apache.ranger:ranger-plugins-cred org.apache.ranger:credentialbuilder @@ -108,11 +108,11 @@ lib/ranger-kafka-plugin-impl - security_plugins.ranger-kafka-plugin:ranger-kafka-plugin + org.apache.ranger:ranger-kafka-plugin org.apache.ranger:ranger_solrj - security_plugins.ranger-plugins-audit:ranger-plugins-audit - security_plugins.ranger-plugins-cred:ranger-plugins-cred - security_plugins.ranger-plugins-common:ranger-plugins-common + org.apache.ranger:ranger-plugins-audit + org.apache.ranger:ranger-plugins-cred + org.apache.ranger:ranger-plugins-common 
@@ -122,7 +122,7 @@ false - security_plugins.ranger-plugins-installer:ranger-plugins-installer + org.apache.ranger:ranger-plugins-installer org.apache.ranger:credentialbuilder diff --git a/src/main/assembly/plugin-kms.xml b/src/main/assembly/plugin-kms.xml index fc2670b63f4..d3e79b6b00b 100755 --- a/src/main/assembly/plugin-kms.xml +++ b/src/main/assembly/plugin-kms.xml @@ -68,7 +68,7 @@ org.slf4j:slf4j-api:jar:${slf4j-api.version} org.apache.hadoop:hadoop-common:jar:${hadoop-common.version} org.apache.hadoop:hadoop-auth:jar:${hadoop-common.version} - security_plugins.ranger-plugins-cred:ranger-plugins-cred + org.apache.ranger:ranger-plugins-cred org.apache.ranger:credentialbuilder @@ -77,11 +77,10 @@ org.apache.ranger:ranger_solrj - security_plugins.ranger-plugins-audit:ranger-plugins-audit - security_plugins.ranger-plugins-cred:ranger-plugins-cred - security_plugins.ranger-plugins-impl:ranger-plugins-impl - security_plugins.ranger-plugins-common:ranger-plugins-common - security_plugins.ranger-kms-plugin:ranger-kms-plugin + org.apache.ranger:ranger-plugins-audit + org.apache.ranger:ranger-plugins-cred + org.apache.ranger:ranger-plugins-common + org.apache.ranger:ranger-kms-plugin @@ -91,7 +90,7 @@ false - security_plugins.ranger-plugins-installer:ranger-plugins-installer + org.apache.ranger:ranger-plugins-installer org.apache.ranger:credentialbuilder diff --git a/src/main/assembly/plugin-solr.xml b/src/main/assembly/plugin-solr.xml index 5276cc4d76b..31ebd6b11bd 100644 --- a/src/main/assembly/plugin-solr.xml +++ b/src/main/assembly/plugin-solr.xml @@ -65,10 +65,10 @@ org.apache.hadoop:hadoop-auth:jar:${hadoop-common.version} - security_plugins.ranger-plugins-cred:ranger-plugins-cred + org.apache.ranger:ranger-plugins-cred org.apache.ranger:credentialbuilder - security_plugins.ranger-solr-plugin:ranger-solr-plugin + org.apache.ranger:ranger-solr-plugin 
@@ -77,15 +77,13 @@ /lib - security_plugins.ranger-plugins-audit:ranger-plugins-audit + org.apache.ranger:ranger-plugins-audit - security_plugins.ranger-plugins-cred:ranger-plugins-cred + org.apache.ranger:ranger-plugins-cred - security_plugins.ranger-plugins-impl:ranger-plugins-impl + org.apache.ranger:ranger-plugins-common - security_plugins.ranger-plugins-common:ranger-plugins-common - - security_plugins.ranger-solr-plugin:ranger-solr-plugin + org.apache.ranger:ranger-solr-plugin @@ -96,7 +94,7 @@ false - security_plugins.ranger-plugins-installer:ranger-plugins-installer + org.apache.ranger:ranger-plugins-installer org.apache.ranger:credentialbuilder diff --git a/src/main/assembly/plugin-yarn.xml b/src/main/assembly/plugin-yarn.xml index 35508818ba4..57a75baf900 100644 --- a/src/main/assembly/plugin-yarn.xml +++ b/src/main/assembly/plugin-yarn.xml @@ -33,8 +33,8 @@ /lib - security_plugins.ranger-yarn-plugin-shim:ranger-yarn-plugin-shim - security_plugins.ranger-plugin-classloader:ranger-plugin-classloader + org.apache.ranger:ranger-yarn-plugin-shim + org.apache.ranger:ranger-plugin-classloader @@ -73,7 +73,7 @@ org.slf4j:slf4j-api:jar:${slf4j-api.version} org.apache.hadoop:hadoop-common:jar:${hadoop-common.version} org.apache.hadoop:hadoop-auth:jar:${hadoop-common.version} - security_plugins.ranger-plugins-cred:ranger-plugins-cred + org.apache.ranger:ranger-plugins-cred org.apache.ranger:credentialbuilder @@ -82,11 +82,10 @@ org.apache.ranger:ranger_solrj - security_plugins.ranger-plugins-audit:ranger-plugins-audit - security_plugins.ranger-plugins-cred:ranger-plugins-cred - security_plugins.ranger-plugins-impl:ranger-plugins-impl - security_plugins.ranger-plugins-common:ranger-plugins-common - security_plugins.ranger-yarn-plugin:ranger-yarn-plugin + org.apache.ranger:ranger-plugins-audit + org.apache.ranger:ranger-plugins-cred + org.apache.ranger:ranger-plugins-common + org.apache.ranger:ranger-yarn-plugin 
@@ -96,7 +95,7 @@ false - security_plugins.ranger-plugins-installer:ranger-plugins-installer + org.apache.ranger:ranger-plugins-installer org.apache.ranger:credentialbuilder diff --git a/src/main/assembly/storm-agent.xml b/src/main/assembly/storm-agent.xml index a5f4b2c817b..99a847b8c9b 100644 --- a/src/main/assembly/storm-agent.xml +++ b/src/main/assembly/storm-agent.xml @@ -33,8 +33,8 @@ /lib - security_plugins.ranger-storm-plugin-shim:ranger-storm-plugin-shim - security_plugins.ranger-plugin-classloader:ranger-plugin-classloader + org.apache.ranger:ranger-storm-plugin-shim + org.apache.ranger:ranger-plugin-classloader @@ -91,7 +91,7 @@ org.slf4j:slf4j-api:jar:${slf4j-api.version} org.apache.hadoop:hadoop-common:jar:${hadoop-common.version} org.apache.hadoop:hadoop-auth:jar:${hadoop-common.version} - security_plugins.ranger-plugins-cred:ranger-plugins-cred + org.apache.ranger:ranger-plugins-cred org.apache.ranger:credentialbuilder @@ -100,11 +100,10 @@ org.apache.ranger:ranger_solrj - security_plugins.ranger-plugins-audit:ranger-plugins-audit - security_plugins.ranger-plugins-cred:ranger-plugins-cred - security_plugins.ranger-plugins-impl:ranger-plugins-impl - security_plugins.ranger-plugins-common:ranger-plugins-common - security_plugins.ranger-storm-plugin:ranger-storm-plugin + org.apache.ranger:ranger-plugins-audit + org.apache.ranger:ranger-plugins-cred + org.apache.ranger:ranger-plugins-common + org.apache.ranger:ranger-storm-plugin @@ -114,7 +113,7 @@ false - security_plugins.ranger-plugins-installer:ranger-plugins-installer + org.apache.ranger:ranger-plugins-installer org.apache.ranger:credentialbuilder diff --git a/src/main/assembly/usersync.xml b/src/main/assembly/usersync.xml index cbbc2cf7f58..b032a1d8f2d 100644 --- a/src/main/assembly/usersync.xml +++ b/src/main/assembly/usersync.xml @@ -71,7 +71,7 @@ false - security_plugins.ranger-plugins-installer:ranger-plugins-installer + org.apache.ranger:ranger-plugins-installer 
diff --git a/storm-agent/pom.xml b/storm-agent/pom.xml index 5fd0aa35133..f99350bd5fa 100644 --- a/storm-agent/pom.xml +++ b/storm-agent/pom.xml @@ -17,7 +17,6 @@ --> 4.0.0 - security_plugins.ranger-storm-plugin ranger-storm-plugin Storm Security Plugin Storm Security Plugins @@ -38,12 +37,12 @@ ${storm.version} - security_plugins.ranger-plugins-common + org.apache.ranger ranger-plugins-common ${project.version} - security_plugins.ranger-plugins-audit + org.apache.ranger ranger-plugins-audit ${project.version} From 04daba455c9ca091feeab342771539780ec10c3a Mon Sep 17 00:00:00 2001 From: Gautam Borad Date: Mon, 1 Feb 2016 18:03:49 +0530 Subject: [PATCH 146/202] RANGER-798 : Handle different timezone issue while saving audit logs to Solr --- .../audit/entity/AuthzAuditEventDbObj.java | 9 ++++++-- .../ranger/audit/provider/MiscUtil.java | 22 +++++++++++++++++++ .../policyengine/RangerAccessRequestImpl.java | 2 +- .../hadoop/RangerHdfsAuthorizer.java | 3 ++- .../authorizer/RangerHiveAccessRequest.java | 3 ++- .../authorizer/RangerHiveAuditHandler.java | 3 ++- .../authorizer/RangerKafkaAuthorizer.java | 2 +- .../kms/authorizer/RangerKmsAuthorizer.java | 3 ++- .../solr/authorizer/RangerSolrAuthorizer.java | 2 +- .../yarn/authorizer/RangerYarnAuthorizer.java | 3 ++- 10 files changed, 42 insertions(+), 10 deletions(-) diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/entity/AuthzAuditEventDbObj.java b/agents-audit/src/main/java/org/apache/ranger/audit/entity/AuthzAuditEventDbObj.java index d52a60ae1e2..0bef9eaeed7 100644 --- a/agents-audit/src/main/java/org/apache/ranger/audit/entity/AuthzAuditEventDbObj.java +++ b/agents-audit/src/main/java/org/apache/ranger/audit/entity/AuthzAuditEventDbObj.java 
@@ -145,11 +145,16 @@ public AuthzAuditEventDbObj() { public AuthzAuditEventDbObj(AuthzAuditEvent event) { super(); - + Date utcDate=null; + if(event.getEventTime()!=null){ + utcDate=MiscUtil.getUTCDateForLocalDate(event.getEventTime()); + }else{ + utcDate=MiscUtil.getUTCDate(); + } this.repositoryType = event.getRepositoryType(); this.repositoryName = event.getRepositoryName(); this.user = event.getUser(); - this.timeStamp = event.getEventTime(); + this.timeStamp = utcDate; this.accessType = event.getAccessType(); this.resourcePath = event.getResourcePath(); this.resourceType = event.getResourceType(); diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java b/agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java index 9586f732947..7399a48c73d 100644 --- a/agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java +++ b/agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java @@ -23,6 +23,9 @@ import java.security.Principal; import java.text.SimpleDateFormat; import java.util.ArrayList; +import java.util.Calendar; +import java.util.Date; +import java.util.GregorianCalendar; import java.util.HashMap; import java.util.Hashtable; import java.util.List; @@ -30,6 +33,7 @@ import java.util.Properties; import java.util.Set; import java.util.StringTokenizer; +import java.util.TimeZone; import java.util.UUID; import java.util.regex.Pattern; 
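Review bot: `java.util.Date` carries only epoch milliseconds and no zone, so `utcDate = MiscUtil.getUTCDateForLocalDate(event.getEventTime())` does not convert the event time to UTC; it yields a different instant, shifted by the JVM's current offset, and that shifted value is what `this.timeStamp` now stores. Any consumer that reads the stored value as an instant, or a node running under a different default zone, would see audit events placed at the wrong time, which matters when these records are lined up against other logs during an investigation. The zone belongs where the value is rendered — on the formatter or the persistence mapping — rather than in the stored instant; the helpers themselves are introduced in the MiscUtil hunk below. Separately, the two branches collapse to `Date eventTime = event.getEventTime();` followed by `this.timeStamp = eventTime != null ? MiscUtil.getUTCDateForLocalDate(eventTime) : MiscUtil.getUTCDate();`, which also drops the `null`-initialised local.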
@@ -761,4 +765,22 @@ public AppConfigurationEntry[] getAppConfigurationEntry(String name) { } } + public static Date getUTCDateForLocalDate(Date date) { + TimeZone gmtTimeZone = TimeZone.getTimeZone("GMT+0"); + Calendar local = Calendar.getInstance(); + int offset = local.getTimeZone().getOffset(local.getTimeInMillis()); + GregorianCalendar utc = new GregorianCalendar(gmtTimeZone); + utc.setTimeInMillis(date.getTime()); + utc.add(Calendar.MILLISECOND, -offset); + return utc.getTime(); + } + public static Date getUTCDate() { + TimeZone gmtTimeZone = TimeZone.getTimeZone("GMT+0"); + Calendar local = Calendar.getInstance(); + int offset = local.getTimeZone().getOffset(local.getTimeInMillis()); + GregorianCalendar utc = new GregorianCalendar(gmtTimeZone); + utc.setTimeInMillis(local.getTimeInMillis()); + utc.add(Calendar.MILLISECOND, -offset); + return utc.getTime(); + } } diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java index fe50ca6de2b..22c6dacf678 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java @@ -159,7 +159,7 @@ public void setUserGroups(Set userGroups) { } public void setAccessTime(Date accessTime) { - this.accessTime = (accessTime == null) ? StringUtil.getUTCDate() : accessTime; + this.accessTime = (accessTime == null) ? new Date(): accessTime; } public void setClientIPAddress(String clientIPAddress) { diff --git a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java index 5125af7367a..225f9fd91c6 100644 --- a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java 
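Review bot: In `getUTCDateForLocalDate` the offset is taken at the current time (`local.getTimeZone().getOffset(local.getTimeInMillis())`) rather than at `date.getTime()`, so a `date` on the other side of a DST transition from now is shifted by the wrong amount; if the shift is kept, compute it for the date's own instant, `int offset = TimeZone.getDefault().getOffset(date.getTime());`. The `GregorianCalendar` in the GMT zone contributes nothing, because `utc.getTime()` returns epoch milliseconds regardless of the calendar's zone, so each body reduces to `return new Date(date.getTime() - offset);`. `getUTCDate()` repeats the other method line for line and can be `return getUTCDateForLocalDate(new Date());`. Neither method has Javadoc; one sentence stating that the result is the local wall-clock reading re-labelled as if it were UTC, not a zone conversion, would keep callers from mistaking it for one.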
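Review bot: `this.accessTime = (accessTime == null) ? new Date(): accessTime;` is one of eight identical substitutions of `StringUtil.getUTCDate()` with `new Date()` (the HDFS, Hive request, Hive audit handler, Kafka, KMS, Solr and YARN hunks make the same change), so this note covers all of them. The diffstat lists no change to `StringUtil`, so `getUTCDate()` apparently remains available; if it applied the same offset shift that `MiscUtil` now performs at persistence time, any remaining caller would have its timestamp shifted twice, so it should be deprecated with a pointer to `new Date()` or removed. A spacing nit: the Kafka line reads `Date eventTime =new Date();` and should be `Date eventTime = new Date();`.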
+++ b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java @@ -24,6 +24,7 @@ import static org.apache.ranger.authorization.hadoop.constants.RangerHadoopConstants.WRITE_ACCCESS_TYPE; import java.net.InetAddress; +import java.util.Date; import java.util.HashMap; import java.util.HashSet; import java.util.Map; @@ -452,7 +453,7 @@ public RangerHdfsAccessRequest(String path, String pathOwner, FsAction access, S super.setAccessType(accessType); super.setUser(user); super.setUserGroups(groups); - super.setAccessTime(StringUtil.getUTCDate()); + super.setAccessTime(new Date()); super.setClientIPAddress(getRemoteIp()); super.setAction(access.toString()); } diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java index 2ae41490735..11328c46aea 100644 --- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java +++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java @@ -19,6 +19,7 @@ package org.apache.ranger.authorization.hive.authorizer; +import java.util.Date; import java.util.Set; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext; @@ -46,7 +47,7 @@ public RangerHiveAccessRequest(RangerHiveResource resource, this.setResource(resource); this.setUser(user); this.setUserGroups(userGroups); - this.setAccessTime(StringUtil.getUTCDate()); + this.setAccessTime(new Date()); this.setAction(hiveOpTypeName); if(context != null) { diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java index 0f13577b0f9..c22e9d83707 100644 
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java +++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java @@ -21,6 +21,7 @@ import java.util.ArrayList; import java.util.Collection; +import java.util.Date; import java.util.HashMap; import java.util.Iterator; import java.util.List; @@ -159,7 +160,7 @@ public void logAuditEventForDfs(String userName, String dfsCommand, boolean acce auditEvent.setAction("DFS"); auditEvent.setUser(userName); auditEvent.setAccessResult((short)(accessGranted ? 1 : 0)); - auditEvent.setEventTime(StringUtil.getUTCDate()); + auditEvent.setEventTime(new Date()); auditEvent.setRepositoryType(repositoryType); auditEvent.setRepositoryName(repositoryName) ; auditEvent.setRequestData(dfsCommand); diff --git a/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java b/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java index bb6a33776a5..47bd24e0d43 100644 --- a/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java +++ b/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java @@ -148,7 +148,7 @@ public boolean authorize(Session session, Operation operation, ip = ip.substring(1); } - Date eventTime = StringUtil.getUTCDate(); + Date eventTime =new Date(); String accessType = mapToRangerAccessType(operation); boolean validationFailed = false; String validationStr = ""; diff --git a/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java b/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java index 04b8b916251..2324f8dece1 100755 --- a/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java 
+++ b/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java @@ -21,6 +21,7 @@ import java.net.InetAddress; import java.net.UnknownHostException; +import java.util.Date; import java.util.HashMap; import java.util.Map; import java.util.concurrent.Executors; @@ -377,7 +378,7 @@ public RangerKMSAccessRequest(String keyName, String accessType, UserGroupInform super.setAccessType(accessType); super.setUser(ugi.getShortUserName()); super.setUserGroups(Sets.newHashSet(ugi.getGroupNames())); - super.setAccessTime(StringUtil.getUTCDate()); + super.setAccessTime(new Date()); super.setClientIPAddress(clientIp); super.setAction(accessType); } diff --git a/plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.java b/plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.java index a8ecf15bf13..e52493a5de7 100644 --- a/plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.java +++ b/plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.java @@ -167,7 +167,7 @@ public AuthorizationResponse authorize(AuthorizationContext context) { String userName = getUserName(context); Set userGroups = getGroupsForUser(userName); String ip = null; - Date eventTime = StringUtil.getUTCDate(); + Date eventTime = new Date(); // // Set the IP if (useProxyIP) { diff --git a/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java b/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java index ab9b7a93091..a48e1a25876 100644 --- a/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java +++ b/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java 
@@ -21,6 +21,7 @@ package org.apache.ranger.authorization.yarn.authorizer; import java.net.InetAddress; +import java.util.Date; import java.util.HashMap; import java.util.Map; @@ -279,7 +280,7 @@ public RangerYarnAccessRequest(PrivilegedEntity entity, String accessType, Strin super.setAccessType(accessType); super.setUser(ugi.getShortUserName()); super.setUserGroups(Sets.newHashSet(ugi.getGroupNames())); - super.setAccessTime(StringUtil.getUTCDate()); + super.setAccessTime(new Date()); super.setClientIPAddress(getRemoteIp()); super.setAction(accessType); } From 0b09a8717b4db832da720d30193781eaa327b6ca Mon Sep 17 00:00:00 2001 From: Gautam Borad Date: Mon, 18 Jan 2016 16:54:41 +0530 Subject: [PATCH 147/202] RANGER-789 : Fix incorrect policy list paging for non-admin users --- .../plugin/store/AbstractPredicateUtil.java | 150 +++++++++++++++++- .../ranger/plugin/util/SearchFilter.java | 2 +- .../org/apache/ranger/biz/ServiceDBStore.java | 23 +-- .../ranger/common/RangerSearchUtil.java | 2 +- .../org/apache/ranger/rest/ServiceREST.java | 143 +++++++++++++---- .../apache/ranger/rest/TestServiceREST.java | 19 +-- 6 files changed, 285 insertions(+), 54 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractPredicateUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractPredicateUtil.java index 772c2d76c8e..b63c1d72749 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractPredicateUtil.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractPredicateUtil.java 
@@ -79,6 +79,7 @@ public Predicate getPredicate(SearchFilter filter) { } public void addPredicates(SearchFilter filter, List predicates) { + addPredicateForServiceType(filter.getParam(SearchFilter.SERVICE_TYPE), predicates); addPredicateForServiceTypeId(filter.getParam(SearchFilter.SERVICE_TYPE_ID), predicates); addPredicateForServiceName(filter.getParam(SearchFilter.SERVICE_NAME), predicates); addPredicateForPolicyName(filter.getParam(SearchFilter.POLICY_NAME), predicates); @@ -89,6 +90,10 @@ public void addPredicates(SearchFilter filter, List predicates) { addPredicateForGroupName(filter.getParam(SearchFilter.GROUP), predicates); addPredicateForResourceSignature(filter.getParam(SearchFilter.RESOURCE_SIGNATURE), predicates); addPredicateForResources(filter.getParamsWithPrefix(SearchFilter.RESOURCE_PREFIX, true), predicates); + addPredicateForPolicyResource(filter.getParam(SearchFilter.POL_RESOURCE), predicates); + addPredicateForPartialPolicyName(filter.getParam(SearchFilter.POLICY_NAME_PARTIAL), predicates); + addPredicateForResourceSignature(filter.getParam(SearchFilter.RESOURCE_SIGNATURE), predicates); + addPredicateForPolicyType(filter.getParam(SearchFilter.POLICY_TYPE), predicates); } public Comparator getSorter(SearchFilter filter) { 
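Review bot: `addPredicateForResourceSignature(filter.getParam(SearchFilter.RESOURCE_SIGNATURE), predicates);` is now called twice in `addPredicates` — once on the existing context line and again in the added block — so the same predicate is built and evaluated twice for every object; the added call should be dropped. Since this method is the single place that maps `SearchFilter` keys to in-memory predicates, a short comment noting that an absent or empty param adds no predicate (each helper returns early on `StringUtils.isEmpty`) would help readers follow the growing list.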
@@ -216,6 +221,38 @@ public int compare(RangerResourceDef o1, RangerResourceDef o2) { sorterMap.put(SearchFilter.UPDATE_TIME, updateTimeComparator); } + private Predicate addPredicateForServiceType(final String serviceType, List predicates) { + if (StringUtils.isEmpty(serviceType)) { + return null; + } + + Predicate ret = new Predicate() { + @Override + public boolean evaluate(Object object) { + if (object == null) { + return false; + } + + boolean ret = false; + + if (object instanceof RangerServiceDef) { + RangerServiceDef serviceDef = (RangerServiceDef) object; + String svcType = serviceDef.getName(); + + ret = StringUtils.equals(svcType, serviceType); + } else { + ret = true; + } + + return ret; + } + }; + if(predicates != null) { + predicates.add(ret); + } + return ret; + } + private Predicate addPredicateForServiceTypeId(final String serviceTypeId, List predicates) { if(StringUtils.isEmpty(serviceTypeId)) { return null; @@ -248,7 +285,7 @@ public boolean evaluate(Object object) { if(predicates != null) { predicates.add(ret); } - + return ret; } @@ -322,6 +359,32 @@ public boolean evaluate(Object object) { return ret; } + private Predicate addPredicateForPartialPolicyName(final String policyName, List predicates) { + if(StringUtils.isEmpty(policyName)) { + return null; + } + Predicate ret = new Predicate() { + @Override + public boolean evaluate(Object object) { + if(object == null) { + return false; + } + boolean ret = false; + if(object instanceof RangerPolicy) { + RangerPolicy policy = (RangerPolicy)object; + ret = StringUtils.containsIgnoreCase(policy.getName(), policyName); + } else { + ret = true; + } + return ret; + } + }; + if(predicates != null) { + predicates.add(ret); + } + return ret; + } + private Predicate addPredicateForPolicyId(final String policyId, List predicates) { if(StringUtils.isEmpty(policyId)) { return null; 
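Review bot: In `addPredicateForServiceType` the `else { ret = true; }` branch lets any object that is not a `RangerServiceDef` pass unfiltered, so a `SERVICE_TYPE` filter applied to a policy list is a no-op; if policies are meant to be filtered by service type this needs a `RangerPolicy` branch, otherwise a comment such as `// only service-defs are filtered by type; other object types pass through` should make the pass-through explicit. `addPredicateForPartialPolicyName` follows the same pass-through pattern and would benefit from the same comment. In both anonymous classes the local `boolean ret` shadows the enclosing method's `Predicate ret`; renaming the inner one (e.g. `matches`) avoids the confusion. Neither method has Javadoc; one line each stating the match semantics (exact name equality; case-insensitive substring) is enough.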
@@ -535,6 +598,57 @@ public boolean evaluate(Object object) { return ret; } + private Predicate addPredicateForPolicyResource(final String resourceValue, List predicates) { + if (StringUtils.isEmpty(resourceValue)) { + return null; + } + Predicate ret = new Predicate() { + @Override + public boolean evaluate(Object object) { + if (object == null) { + return false; + } + + boolean ret = false; + + if (object instanceof RangerPolicy) { + RangerPolicy policy = (RangerPolicy) object; + Map policyResources = policy.getResources(); + + if (MapUtils.isNotEmpty(policyResources)) { + for (String resourceName : policyResources.keySet()) { + RangerPolicyResource policyResource = policyResources.get(resourceName); + + if (policyResource != null && CollectionUtils.isNotEmpty(policyResource.getValues())) { + for (String policyResourceVal : policyResource.getValues()) { + if (StringUtils.containsIgnoreCase(policyResourceVal, resourceValue)) { + ret = true; + + break; + } + } + } + + if (ret) { + break; + } + } + } + } else { + ret = true; + } + + return ret; + } + }; + + if (predicates != null) { + predicates.add(ret); + } + + return ret; + } + private Predicate addPredicateForIsRecursive(final String isRecursiveStr, List predicates) { if(StringUtils.isEmpty(isRecursiveStr)) { return null; @@ -592,7 +706,39 @@ private Predicate addPredicateForResourceSignature(String signature, List predicates) { + if (StringUtils.isEmpty(policyType)) { + return null; + } + + Predicate ret = new Predicate() { + @Override + public boolean evaluate(Object object) { + if (object == null) { + return false; + } + + boolean ret = true; + + if (object instanceof RangerPolicy) { + RangerPolicy policy = (RangerPolicy) object; + + if (policy.getPolicyType() != null) { + ret = StringUtils.equalsIgnoreCase(policyType, policy.getPolicyType().toString()); + } + } + + return ret; + } + }; + + if (predicates != null) { + predicates.add(ret); + } + + return ret; + } /** * @param policySignature * @return 
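Review bot: `addPredicateForPolicyResource` iterates `policyResources.keySet()` only to call `policyResources.get(resourceName)`, and `resourceName` is used for nothing else; iterating `policyResources.values()` removes a lookup per entry and the unused variable. The nested `break`s driven by the `ret` flag can be replaced by returning from `evaluate` as soon as a match is found, which also lets the inner `boolean ret` (shadowing the method-level `Predicate ret`) go away, as in the rewrite below. A one-line Javadoc stating that the match is a case-insensitive substring match over every resource value of the policy would document the intent.
```java
public boolean evaluate(Object object) {
    if (object == null) {
        return false;
    }
    if (!(object instanceof RangerPolicy)) {
        return true; // non-policy objects pass through unfiltered
    }
    Map<String, RangerPolicyResource> policyResources = ((RangerPolicy) object).getResources();
    if (MapUtils.isEmpty(policyResources)) {
        return false;
    }
    for (RangerPolicyResource policyResource : policyResources.values()) {
        if (policyResource == null || CollectionUtils.isEmpty(policyResource.getValues())) {
            continue;
        }
        for (String policyResourceVal : policyResource.getValues()) {
            if (StringUtils.containsIgnoreCase(policyResourceVal, resourceValue)) {
                return true;
            }
        }
    }
    return false;
}
```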
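Review bot: In `addPredicateForPolicyType`, `ret` starts as `true` and is only replaced when `policy.getPolicyType() != null`, so a policy with a null type matches every `POLICY_TYPE` value requested, unlike the other predicates in this file, which default to `false` for a non-matching policy. If a null type is meant to denote the default policy type, compare against that default instead of passing the policy through; if not, the default should be `false`. Whichever is intended, a comment on the `boolean ret = true;` line should state it.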
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java index 17738be2182..7171cb1afc3 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java @@ -47,7 +47,7 @@ public class SearchFilter { public static final String PAGE_SIZE = "pageSize"; public static final String SORT_BY = "sortBy"; public static final String RESOURCE_SIGNATURE = "resourceSignature:"; // search - + public static final String POLICY_TYPE = "policyType"; private Map params = null; private int startIndex = 0; private int maxRows = Integer.MAX_VALUE; diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java index 278ebc004c9..199d041b587 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java @@ -1553,9 +1553,11 @@ public List getServicePolicies(Long serviceId, SearchFilter filter if (service == null) { throw new Exception("service does not exist - id='" + serviceId); } - - List ret = getServicePolicies(service.getName(), filter); - + RangerPolicyRetriever policyRetriever = new RangerPolicyRetriever(daoMgr); + List ret = policyRetriever.getServicePolicies(service); + if(filter != null) { + predicateUtil.applyFilter(ret, filter); + } return ret; } 
@@ -1600,14 +1602,15 @@ public List getServicePolicies(String serviceName, SearchFilter fi if(LOG.isDebugEnabled()) { LOG.debug("==> ServiceDBStore.getServicePolicies(" + serviceName + ")"); } - - if(filter == null) { - filter = new SearchFilter(); + XXService service = daoMgr.getXXService().findByName(serviceName); + if (service == null) { + throw new Exception("service does not exist - name='" + serviceName); + } + RangerPolicyRetriever policyRetriever = new RangerPolicyRetriever(daoMgr); + List ret = policyRetriever.getServicePolicies(service); + if(filter != null) { + predicateUtil.applyFilter(ret, filter); } - - filter.setParam(SearchFilter.SERVICE_NAME, serviceName); - - List ret = getPolicies(filter); if(LOG.isDebugEnabled()) { LOG.debug("<== ServiceDBStore.getServicePolicies(" + serviceName + "): count=" + ((ret == null) ? 0 : ret.size())); diff --git a/security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java b/security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java index 897ed5dc98e..8469d65786c 100644 --- a/security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java +++ b/security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java @@ -158,7 +158,7 @@ public SearchFilter extractCommonCriteriasForFilter(HttpServletRequest request, int pageSize = restErrorUtil.parseInt(request.getParameter(SearchFilter.PAGE_SIZE), configUtil.getDefaultMaxRows(), "Invalid value for parameter pageSize", MessageEnums.INVALID_INPUT_DATA, null, SearchFilter.PAGE_SIZE); - ret.setMaxRows(pageSize); + ret.setMaxRows(validatePageSize(pageSize)); ret.setGetCount(restErrorUtil.parseBoolean(request.getParameter("getCount"), true)); String sortBy = restErrorUtil.validateString(request.getParameter(SearchFilter.SORT_BY), diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java index 7718078b548..8129124e757 100644 
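Review bot: The new `throw new Exception("service does not exist - name='" + serviceName);` opens a quote it never closes, so the message reads `name='foo`; use `throw new Exception("service does not exist - name='" + serviceName + "'");`. The id-based overload above has the same unbalanced quote in existing code, so fixing both together keeps the two messages parallel. Like its sibling, this method now materializes every policy of the service before `predicateUtil.applyFilter` runs, which is worth a one-line comment since the previous implementation pushed the filter down through `getPolicies`.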
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java @@ -39,6 +39,7 @@ import javax.ws.rs.core.Context; import org.apache.commons.collections.CollectionUtils; +import org.apache.commons.collections.MapUtils; import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; @@ -1245,19 +1246,39 @@ public RangerPolicyList getPolicies(@Context HttpServletRequest request) { LOG.debug("==> ServiceREST.getPolicies()"); } - RangerPolicyList ret = null; + RangerPolicyList ret = new RangerPolicyList(); RangerPerfTracer perf = null; + SearchFilter filter = searchUtil.getSearchFilter(request, policyService.sortFields); + try { if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getPolicies()"); } + if(isAdminUserWithNoFilterParams(filter)) { + ret = svcStore.getPaginatedPolicies(filter); + } + else { + // get all policies from the store; pick the page to return after applying filter + int savedStartIndex = filter == null ? 0 : filter.getStartIndex(); + int savedMaxRows = filter == null ? Integer.MAX_VALUE : filter.getMaxRows(); - SearchFilter filter = searchUtil.getSearchFilter(request, policyService.sortFields); + if(filter != null) { + filter.setStartIndex(0); + filter.setMaxRows(Integer.MAX_VALUE); + } - try { - ret = svcStore.getPaginatedPolicies(filter); + List policies = svcStore.getPolicies(filter); + + if(filter != null) { + filter.setStartIndex(savedStartIndex); + filter.setMaxRows(savedMaxRows); + } + + applyAdminAccessFilter(policies); + + ret = toRangerPolicyList(policies, filter); + } - applyAdminAccessFilter(ret); } catch(WebApplicationException excp) { throw excp; } catch (Throwable excp) { 
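Review bot: When `isAdminUserWithNoFilterParams(filter)` is true, `getPolicies` returns `svcStore.getPaginatedPolicies(filter)` and `applyAdminAccessFilter` is never applied; that helper (added later in this patch) is true for `bizUtil.isKeyAdmin()` as well as `bizUtil.isAdmin()`. If `applyAdminAccessFilter` is meant to scope a key admin to a subset of services (its body is outside this hunk; only `boolean isAdmin = bizUtil.isAdmin();` is visible), the fast path lets a key admin list every policy simply by sending no filter parameters — restrict the shortcut to `bizUtil.isAdmin()` or run the access filter on that branch too. The filtered branch sets `filter.setMaxRows(Integer.MAX_VALUE)` before `svcStore.getPolicies(filter)`, so the `validatePageSize` cap added in RangerSearchUtil bounds only the response page, not the store fetch; a comment such as `// full fetch is required so access filtering precedes paging` would record why the cap is bypassed here. The restore of `startIndex`/`maxRows` is not in a `finally`, which is harmless only if `filter` never outlives this request.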
@@ -1354,19 +1375,38 @@ public RangerPolicyList getServicePolicies(@PathParam("id") Long serviceId, LOG.debug("==> ServiceREST.getServicePolicies(" + serviceId + ")"); } - RangerPolicyList ret = null; + RangerPolicyList ret = new RangerPolicyList(); RangerPerfTracer perf = null; - - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { - perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServicePolicies(serviceId=" + serviceId + ")"); - } - SearchFilter filter = searchUtil.getSearchFilter(request, policyService.sortFields); try { - ret = svcStore.getPaginatedServicePolicies(serviceId, filter); + if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServicePolicies(serviceId=" + serviceId + ")"); + } + if(isAdminUserWithNoFilterParams(filter)) { + ret = svcStore.getPaginatedServicePolicies(serviceId, filter); + } else { + // get all policies from the store; pick the page to return after applying filter + int savedStartIndex = filter == null ? 0 : filter.getStartIndex(); + int savedMaxRows = filter == null ? Integer.MAX_VALUE : filter.getMaxRows(); + + if(filter != null) { + filter.setStartIndex(0); + filter.setMaxRows(Integer.MAX_VALUE); + } + + List servicePolicies = svcStore.getServicePolicies(serviceId, filter); + + if(filter != null) { + filter.setStartIndex(savedStartIndex); + filter.setMaxRows(savedMaxRows); + } + + applyAdminAccessFilter(servicePolicies); + + ret = toRangerPolicyList(servicePolicies, filter); + } - applyAdminAccessFilter(ret); } catch(WebApplicationException excp) { throw excp; } catch (Throwable excp) { @@ -1377,10 +1417,6 @@ public RangerPolicyList getServicePolicies(@PathParam("id") Long serviceId, RangerPerfTracer.log(perf); } - if (ret == null) { - LOG.info("No Policies found for given service id: " + serviceId); - } - if (LOG.isDebugEnabled()) { LOG.debug("<== ServiceREST.getServicePolicies(" + serviceId + "): count=" + ret.getListSize()); 
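Review bot: The save-filter / fetch-all / restore-filter / `applyAdminAccessFilter` / `toRangerPolicyList` sequence in `getServicePolicies(Long)` is the third verbatim copy in this patch (also in `getPolicies` and `getServicePoliciesByName`), and a future fix to one copy is unlikely to reach the others. Extract at least the tail into `private RangerPolicyList pageAfterAccessFilter(List<RangerPolicy> policies, SearchFilter filter) { applyAdminAccessFilter(policies); return toRangerPolicyList(policies, filter); }`, and put the `filter.setStartIndex(savedStartIndex); filter.setMaxRows(savedMaxRows);` restore in a `finally` around the store call so an exception from `svcStore` cannot leave the filter mutated. Removing the `if (ret == null)` log in the second hunk is correct now that `ret` is always initialized.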
@@ -1397,19 +1433,41 @@ public RangerPolicyList getServicePoliciesByName(@PathParam("name") String servi LOG.debug("==> ServiceREST.getServicePolicies(" + serviceName + ")"); } - RangerPolicyList ret = null; + RangerPolicyList ret = new RangerPolicyList();; RangerPerfTracer perf = null; + SearchFilter filter = searchUtil.getSearchFilter(request, policyService.sortFields); + + try { + if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServicePolicies(serviceName=" + serviceName + ")"); } - SearchFilter filter = searchUtil.getSearchFilter(request, policyService.sortFields); - - try { + if(isAdminUserWithNoFilterParams(filter)) { ret = svcStore.getPaginatedServicePolicies(serviceName, filter); + } else { + // get all policies from the store; pick the page to return after applying filter + int savedStartIndex = filter == null ? 0 : filter.getStartIndex(); + int savedMaxRows = filter == null ? Integer.MAX_VALUE : filter.getMaxRows(); + + if(filter != null) { + filter.setStartIndex(0); + filter.setMaxRows(Integer.MAX_VALUE); + } + + List servicePolicies = svcStore.getServicePolicies(serviceName, filter); + + if(filter != null) { + filter.setStartIndex(savedStartIndex); + filter.setMaxRows(savedMaxRows); + } + + applyAdminAccessFilter(servicePolicies); + + ret = toRangerPolicyList(servicePolicies, filter); + } - applyAdminAccessFilter(ret); } catch(WebApplicationException excp) { throw excp; } catch (Throwable excp) { @@ -1714,11 +1772,6 @@ public RangerPolicy getPolicyForVersionNumber(@PathParam("policyId") Long policy return svcStore.getPolicyForVersionNumber(policyId, versionNo); } - private void applyAdminAccessFilter(RangerPolicyList policies) { - if(policies != null && !CollectionUtils.isEmpty(policies.getList())) { - applyAdminAccessFilter(policies.getPolicies()); - } - } private void applyAdminAccessFilter(List policies) { boolean isAdmin = bizUtil.isAdmin(); 
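Review bot: `RangerPolicyList ret = new RangerPolicyList();;` carries a stray second semicolon; `RangerPolicyList ret = new RangerPolicyList();`. The perf tracer creation moved inside the `try`, which is consistent with the other two endpoints in this patch, but the same copy-pasted fetch/restore/filter/page sequence appears here and should share a helper with them. The `applyAdminAccessFilter(RangerPolicyList)` overload removed in the second hunk had callers in this file only as far as this diff shows; confirm nothing outside the diff still uses it.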
@@ -1845,4 +1898,38 @@ private RangerPolicyEngine getPolicyEngine(String serviceName) { return ret; } -} + boolean isAdminUserWithNoFilterParams(SearchFilter filter) { + return (filter == null || MapUtils.isEmpty(filter.getParams())) && + (bizUtil.isAdmin() || bizUtil.isKeyAdmin()); + } + + private RangerPolicyList toRangerPolicyList(List policyList, SearchFilter filter) { + RangerPolicyList ret = new RangerPolicyList(); + + if(CollectionUtils.isNotEmpty(policyList)) { + int totalCount = policyList.size(); + int startIndex = filter == null ? 0 : filter.getStartIndex(); + int pageSize = filter == null ? totalCount : filter.getMaxRows(); + int toIndex = Math.min(startIndex + pageSize, totalCount); + String sortType = filter == null ? null : filter.getSortType(); + String sortBy = filter == null ? null : filter.getSortBy(); + + List retList = new ArrayList(); + for(int i = startIndex; i < toIndex; i++) { + retList.add(policyList.get(i)); + } + + ret.setPolicies(retList); + ret.setPageSize(pageSize); + ret.setResultSize(retList.size()); + ret.setStartIndex(startIndex); + ret.setTotalCount(totalCount); + ret.setSortBy(sortBy); + ret.setSortType(sortType); + } + + return ret; + } + + +} \ No newline at end of file diff --git a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java index 8b3e34815dc..6f4f702941e 100644 --- a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java +++ b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java 
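Review bot: In `toRangerPolicyList`, `int toIndex = Math.min(startIndex + pageSize, totalCount);` overflows when `pageSize` is `Integer.MAX_VALUE` (SearchFilter's default `maxRows`) and `startIndex > 0`, yielding a negative `toIndex` and a silently empty page; a negative `startIndex` reaches `policyList.get(i)` and throws IndexOutOfBoundsException, which the callers' generic catch turns into a 500. Clamp in long arithmetic and use a sublist: `int from = Math.max(0, Math.min(startIndex, totalCount)); int to = (int) Math.min((long) from + Math.max(0, pageSize), totalCount); List<RangerPolicy> retList = new ArrayList<RangerPolicy>(policyList.subList(from, to));`. Whether `startIndex` is already validated non-negative in RangerSearchUtil is outside this diff. `isAdminUserWithNoFilterParams` is package-private while the neighbouring helpers are `private`; if that is for tests, a `// package-private for TestServiceREST` comment makes the intent explicit.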
@@ -860,7 +860,8 @@ public void test20getPolicies() throws Exception { searchUtil.getSearchFilter(request, policyService.sortFields)) .thenReturn(filter); RangerPolicyList dbRangerPolicy = serviceREST.getPolicies(request); - Assert.assertNull(dbRangerPolicy); + Assert.assertNotNull(dbRangerPolicy); + Assert.assertEquals(dbRangerPolicy.getListSize(), 0); Mockito.verify(searchUtil).getSearchFilter(request, policyService.sortFields); } @@ -874,15 +875,12 @@ public void test21countPolicies() throws Exception { filter.setParam(SearchFilter.SERVICE_NAME, "serviceName"); Mockito.when( searchUtil.getSearchFilter(request, policyService.sortFields)) - .thenReturn(filter); - - Mockito.when(svcStore.getPaginatedPolicies(filter)).thenReturn(ret); + .thenReturn(filter); Long data = serviceREST.countPolicies(request); Assert.assertNotNull(data); Mockito.verify(searchUtil).getSearchFilter(request, - policyService.sortFields); - Mockito.verify(svcStore).getPaginatedPolicies(filter); + policyService.sortFields); } @Test 
@@ -898,22 +896,19 @@ public void test22getServicePoliciesById() throws Exception { searchUtil.getSearchFilter(request, policyService.sortFields)) .thenReturn(filter); - Mockito.when(svcStore.getPaginatedServicePolicies(Id, filter)) - .thenReturn(ret); - RangerPolicyList dbRangerPolicy = serviceREST.getServicePolicies( rangerPolicy.getId(), request); Assert.assertNotNull(dbRangerPolicy); Mockito.verify(searchUtil).getSearchFilter(request, policyService.sortFields); - Mockito.verify(svcStore).getPaginatedServicePolicies(Id, filter); } @Test public void test23getServicePoliciesByName() throws Exception { HttpServletRequest request = Mockito.mock(HttpServletRequest.class); RangerPolicy rangerPolicy = rangerPolicy(); - RangerPolicyList ret = Mockito.mock(RangerPolicyList.class); + List ret = new ArrayList(); + ret.add(rangerPolicy); SearchFilter filter = new SearchFilter(); filter.setParam(SearchFilter.POLICY_NAME, "policyName"); filter.setParam(SearchFilter.SERVICE_NAME, "serviceName"); @@ -922,7 +917,7 @@ public void test23getServicePoliciesByName() throws Exception { .thenReturn(filter); Mockito.when( - svcStore.getPaginatedServicePolicies(rangerPolicy.getName(), + svcStore.getServicePolicies(rangerPolicy.getName(), filter)).thenReturn(ret); RangerPolicyList dbRangerPolicy = serviceREST.getServicePoliciesByName( From 24406a046f4140425a1193d86d55ef06845725ed Mon Sep 17 00:00:00 2001 From: Gautam Borad Date: Thu, 28 Jan 2016 17:11:42 +0530 Subject: [PATCH 148/202] RANGER-771 : Fix 4+ Log entries upon login in in X_AUTH_SESS --- .../org/apache/ranger/biz/SessionMgr.java | 13 +++++++++-- .../org/apache/ranger/rest/ServiceREST.java | 22 +++++++++++++++++- .../RangerSecurityContextFormationFilter.java | 2 +- .../apache/ranger/rest/TestServiceREST.java | 23 ++++++++++++++++--- 4 files changed, 53 insertions(+), 7 deletions(-) 
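Review bot: `test22getServicePoliciesById` no longer stubs or verifies any `svcStore` call, so the mocked store returns null, `toRangerPolicyList` produces an empty list, and the only assertion left (`Assert.assertNotNull(dbRangerPolicy)`) passes no matter what the endpoint does. Stub `svcStore.getServicePolicies(Id, filter)` with a one-element list as `test23getServicePoliciesByName` now does and assert `dbRangerPolicy.getListSize()`, otherwise the access-filter-before-paging behaviour this patch introduces has no test. Exercising a non-admin user (`bizUtil.isAdmin()` returning false) in at least one of these tests would cover the branch the patch actually changed.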
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java index adae1d643d7..c9750b16c29 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java @@ -142,8 +142,17 @@ public UserSessionBase processSuccessLogin(int authType, String userAgent, gjAuthSession.setRequestUserAgent(userAgent); } gjAuthSession.setDeviceType(httpUtil.getDeviceType(userAgent)); - gjAuthSession = storeAuthSession(gjAuthSession); - + HttpSession session = httpRequest.getSession(); + if (session != null) { + if (session.getAttribute("auditLoginId") == null) { + synchronized (session) { + if (session.getAttribute("auditLoginId") == null) { + gjAuthSession = storeAuthSession(gjAuthSession); + session.setAttribute("auditLoginId", gjAuthSession.getId()); + } + } + } + } userSession = new UserSessionBase(); userSession.setXXPortalUser(gjUser); userSession.setXXAuthSession(gjAuthSession); diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java index 8129124e757..f744684c5aa 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 
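Review bot: `processSuccessLogin` now persists an `XXAuthSession` only when the HTTP session has no `auditLoginId`, and nothing compares the stored id with `gjUser`; if a servlet session survives a change of authenticated principal (the caller appears to be the security filter's `doFilter`, invoked per request), the second user gets no login audit record and the returned `UserSessionBase` carries an unsaved `XXAuthSession` without an id. Store the user id alongside the audit id and re-store when it differs, or invalidate the servlet session on authentication. `httpRequest.getSession()` creates a session when none exists, which makes `session != null` dead code and means every request reaching this path — including stateless API clients — now allocates a server-side session; `getSession(false)` with the old unconditional `storeAuthSession` as the fallback avoids that. Synchronizing on the `HttpSession` object assumes the container returns the same instance to concurrent requests, which the Servlet specification does not promise; a lock keyed by `session.getId()` is more reliable. The enclosing method starts outside this hunk.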
@@ -1747,7 +1747,27 @@ public RangerPolicy getPolicyFromEventTime(@Context HttpServletRequest request) Long policyId = Long.parseLong(policyIdStr); - RangerPolicy policy = svcStore.getPolicyFromEventTime(eventTimeStr, policyId); + RangerPolicy policy=null; + try { + policy = svcStore.getPolicyFromEventTime(eventTimeStr, policyId); + if(policy != null) { + ensureAdminAccess(policy.getService(), policy.getResources()); + } + } catch(WebApplicationException excp) { + throw excp; + } catch(Throwable excp) { + LOG.error("getPolicy(" + policyId + ") failed", excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } + + if(policy == null) { + throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "Not found", true); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== ServiceREST.getPolicy(" + policyId + "): " + policy); + } if (LOG.isDebugEnabled()) { LOG.debug("<== ServiceREST.getPolicyFromEventTime()"); diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java index d92fcbb4206..8ed1f9545c6 100644 --- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java +++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java @@ -126,7 +126,7 @@ public void doFilter(ServletRequest request, ServletResponse response, RangerContextHolder.setSecurityContext(context); UserSessionBase userSession = sessionMgr.processSuccessLogin( - XXAuthSession.AUTH_TYPE_PASSWORD, userAgent); + XXAuthSession.AUTH_TYPE_PASSWORD, userAgent, httpRequest); if(userSession!=null && userSession.getClientTimeOffsetInMinute()==0){ userSession.setClientTimeOffsetInMinute(clientTimeOffset); 
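Review bot: The new log lines in `getPolicyFromEventTime` are labelled `getPolicy(`, and the method now emits two `<==` exit messages in a row (`ServiceREST.getPolicy(...)` followed by `ServiceREST.getPolicyFromEventTime()`), which will mislead anyone correlating an incident from the logs; use `LOG.error("getPolicyFromEventTime(" + policyId + ") failed", excp);` and drop the first debug block. `throw restErrorUtil.createRESTException(excp.getMessage())` forwards internal exception text (potentially persistence-layer detail from `svcStore`) to the caller; the rest of this file does the same, but a fixed message with the cause logged server-side is the safer pattern. The added `ensureAdminAccess(policy.getService(), policy.getResources())` appears to close a gap where any authenticated user could read any policy's historical version — a one-line comment, `// non-admins may only read policies they are delegated admin for`, would keep it from being removed as redundant. The enclosing method starts outside this hunk.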
diff --git a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java index 6f4f702941e..dff37534b74 100644 --- a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java +++ b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java @@ -169,7 +169,7 @@ public class TestServiceREST { @Mock StringUtils stringUtils; - + @Rule public ExpectedException thrown = ExpectedException.none(); @@ -968,10 +968,27 @@ public void test26getServices() throws Exception { public void test30getPolicyFromEventTime() throws Exception { HttpServletRequest request = Mockito.mock(HttpServletRequest.class); - Mockito.when(request.getParameter("eventTime")).thenReturn( - new Date().toString()); + String strdt = new Date().toString(); + String userName="Admin"; + Set userGroupsList = new HashSet(); + userGroupsList.add("group1"); + userGroupsList.add("group2"); + Mockito.when(request.getParameter("eventTime")).thenReturn(strdt); Mockito.when(request.getParameter("policyId")).thenReturn("1"); + RangerPolicy policy=new RangerPolicy(); + Map resources=new HashMap(); + policy.setService("services"); + policy.setResources(resources); + Mockito.when(svcStore.getPolicyFromEventTime(strdt, 1l)).thenReturn(policy); + Mockito.when(bizUtil.isAdmin()).thenReturn(false); + Mockito.when(bizUtil.getCurrentUserLoginId()).thenReturn(userName); + Mockito.when(userMgr.getGroupsForUser(userName)).thenReturn( + userGroupsList); + Mockito.when(restErrorUtil.createRESTException((String)null)) + .thenThrow(new WebApplicationException()); + thrown.expect(WebApplicationException.class); + RangerPolicy dbRangerPolicy = serviceREST .getPolicyFromEventTime(request); Assert.assertNull(dbRangerPolicy); From 0c9418cf8465e5757440eef9c8a706c4b0584538 Mon Sep 17 00:00:00 2001 
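Review bot: `test30getPolicyFromEventTime` stubs `restErrorUtil.createRESTException((String) null)`, so it passes only if `ensureAdminAccess` throws something whose `getMessage()` is null — the test is coupled to an incidental property of the thrown type rather than to the authorization failure it should prove. Stub with `Mockito.any(String.class)` or, if `ensureAdminAccess` builds its error through another `createRESTException` overload (its body is outside this diff), stub that overload instead. `Assert.assertNull(dbRangerPolicy)` after `thrown.expect(WebApplicationException.class)` is never reached on a passing run and should be removed so the test's intent is unambiguous.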
From: Gautam Borad Date: Fri, 15 Jan 2016 14:23:17 -0800 Subject: [PATCH 149/202] RANGER-831: policy version incremented twice when resources are updated --- .../service/RangerBaseModelService.java | 112 +++++++----------- 1 file changed, 42 insertions(+), 70 deletions(-) diff --git a/security-admin/src/main/java/org/apache/ranger/service/RangerBaseModelService.java b/security-admin/src/main/java/org/apache/ranger/service/RangerBaseModelService.java index 4a1f27cbe25..26fe4396071 100644 --- a/security-admin/src/main/java/org/apache/ranger/service/RangerBaseModelService.java +++ b/security-admin/src/main/java/org/apache/ranger/service/RangerBaseModelService.java 
@@ -160,80 +160,49 @@ protected V populateViewBean(T entityObj) { return mapEntityToViewBean(vObj, entityObj); } - protected T populateEntityBean(V vObj, int operationContext) { - T entityObj; - - Date createTime = null; - Date updTime = null; - Long createdById = null; - Long updById = null; - - if (operationContext == OPERATION_CREATE_CONTEXT) { - entityObj = createEntityObject(); - - if(!populateExistingBaseFields) { - createTime = DateUtil.getUTCDate(); - updTime = DateUtil.getUTCDate(); - createdById = ContextUtil.getCurrentUserId(); - updById = ContextUtil.getCurrentUserId(); - } else if(populateExistingBaseFields) { - createTime = vObj.getCreateTime() != null ? vObj.getCreateTime() : DateUtil.getUTCDate(); - updTime = vObj.getUpdateTime() != null ? vObj.getUpdateTime() : DateUtil.getUTCDate(); - - // If this is the case then vObj.createdBy and vObj.updatedBy must be loginId of user. - XXPortalUser createdByUser = daoMgr.getXXPortalUser().findByLoginId(vObj.getCreatedBy()); - XXPortalUser updByUser = daoMgr.getXXPortalUser().findByLoginId(vObj.getUpdatedBy()); - - if(createdByUser != null) { - createdById = createdByUser.getId(); - } else { - createdById = ContextUtil.getCurrentUserId(); - } + protected T populateEntityBeanForCreate(T entityObj, V vObj) { + if(!populateExistingBaseFields) { + entityObj.setCreateTime(DateUtil.getUTCDate()); + entityObj.setUpdateTime(entityObj.getCreateTime()); + entityObj.setAddedByUserId(ContextUtil.getCurrentUserId()); + entityObj.setUpdatedByUserId(entityObj.getAddedByUserId()); + } else if(populateExistingBaseFields) { + XXPortalUser createdByUser = daoMgr.getXXPortalUser().findByLoginId(vObj.getCreatedBy()); + XXPortalUser updByUser = daoMgr.getXXPortalUser().findByLoginId(vObj.getUpdatedBy()); + + entityObj.setId(vObj.getId()); + entityObj.setCreateTime(vObj.getCreateTime() != null ? vObj.getCreateTime() : DateUtil.getUTCDate()); + entityObj.setUpdateTime(vObj.getUpdateTime() != null ? 
vObj.getUpdateTime() : DateUtil.getUTCDate()); + entityObj.setAddedByUserId(createdByUser != null ? createdByUser.getId() : ContextUtil.getCurrentUserId()); + entityObj.setUpdatedByUserId(updByUser != null ? updByUser.getId() : ContextUtil.getCurrentUserId()); + } - if(updByUser != null) { - updById = updByUser.getId(); - } else { - updById = ContextUtil.getCurrentUserId(); - } - entityObj.setId(vObj.getId()); - } - } else if (operationContext == OPERATION_UPDATE_CONTEXT) { - entityObj = getDao().getById(vObj.getId()); + return mapViewToEntityBean(vObj, entityObj, OPERATION_CREATE_CONTEXT); + } - if (entityObj == null) { - throw restErrorUtil.createRESTException( - "No Object found to update.", - MessageEnums.DATA_NOT_FOUND); - } + protected T populateEntityBeanForUpdate(T entityObj, V vObj) { + if (entityObj == null) { + throw restErrorUtil.createRESTException( + "No Object found to update.", + MessageEnums.DATA_NOT_FOUND); + } - createTime = entityObj.getCreateTime(); - if (createTime == null) { - createTime = DateUtil.getUTCDate(); - } + T ret = mapViewToEntityBean(vObj, entityObj, OPERATION_UPDATE_CONTEXT); - createdById = entityObj.getAddedByUserId(); - if (createdById == null) { - createdById = ContextUtil.getCurrentUserId(); - } - - if(populateExistingBaseFields) { - updTime = entityObj.getUpdateTime(); - updById = entityObj.getUpdatedByUserId(); - } else { - updTime = DateUtil.getUTCDate(); - updById = ContextUtil.getCurrentUserId(); - } - } else { - throw restErrorUtil.createRESTException( - "Error while populating EntityBean", - MessageEnums.INVALID_INPUT_DATA); + if (ret.getCreateTime() == null) { + ret.setCreateTime(DateUtil.getUTCDate()); + } + + if (ret.getAddedByUserId() == null) { + ret.setAddedByUserId(ContextUtil.getCurrentUserId()); } - entityObj.setAddedByUserId(createdById); - entityObj.setUpdatedByUserId(updById); - entityObj.setCreateTime(createTime); - entityObj.setUpdateTime(updTime); - return mapViewToEntityBean(vObj, entityObj, 
operationContext); + if(!populateExistingBaseFields) { + ret.setUpdateTime(DateUtil.getUTCDate()); + ret.setUpdatedByUserId(ContextUtil.getCurrentUserId()); + } + + return ret; } protected abstract void validateForCreate(V vObj); @@ -242,7 +211,10 @@ protected T populateEntityBean(V vObj, int operationContext) { public T preCreate(V vObj) { validateForCreate(vObj); - return populateEntityBean(vObj, OPERATION_CREATE_CONTEXT); + + T entityObj = createEntityObject(); + + return populateEntityBeanForCreate(entityObj, vObj); } public V postCreate(T xObj) { @@ -286,7 +258,7 @@ public T preUpdate(V viewBaseBean) { viewBaseBean.getId(), null, "preUpdate: id not found."); } validateForUpdate(viewBaseBean, resource); - return populateEntityBean(viewBaseBean, OPERATION_UPDATE_CONTEXT); + return populateEntityBeanForUpdate(resource, viewBaseBean); } public boolean delete(V vObj) { From 56d1a03357dcc77ca94f2c6895ef06a6e5c7601b Mon Sep 17 00:00:00 2001 From: Gautam Borad Date: Thu, 28 Jan 2016 09:13:58 +0530 Subject: [PATCH 150/202] RANGER-833 : Add support for usernames containing a plus + symbol --- security-admin/src/main/webapp/scripts/views/users/UserForm.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security-admin/src/main/webapp/scripts/views/users/UserForm.js b/security-admin/src/main/webapp/scripts/views/users/UserForm.js index 52a278d2fae..04f7cc64315 100644 --- a/security-admin/src/main/webapp/scripts/views/users/UserForm.js +++ b/security-admin/src/main/webapp/scripts/views/users/UserForm.js 
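Review bot: In `populateEntityBeanForCreate`, `} else if(populateExistingBaseFields) {` follows `if(!populateExistingBaseFields)` and can only be true, so it should be a plain `} else {` — as written it implies a third case that does not exist. In that branch `entityObj.setId(vObj.getId())` and the `createdBy`/`updatedBy` lookups take audit identity from the incoming view object; that is presumably the import/replication path the flag exists for, and a comment such as `// import path: caller-supplied id and audit fields are trusted; callers must gate this on admin privilege` would make the trust boundary visible to whoever enables it next. In `populateEntityBeanForUpdate`, `mapViewToEntityBean` runs before the `createTime`/`addedByUserId` null-repair, so a subclass mapping that clears them is silently fixed up; the ordering is load-bearing and deserves a one-line comment. The enclosing class header is outside this hunk.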
@@ -63,7 +63,7 @@ define(function(require){ name : { type : 'Text', title : localization.tt("lbl.userName") +' *', - validators : ['required',{type:'regexp',regexp:/^[a-z0-9][a-z0-9,._'-]+$/i,message :"Name should start with alpha/numeric letters and can have special characters ,._'-"}], + validators : ['required',{type:'regexp',regexp:/^[a-z0-9][a-z0-9,._'-+]+$/i,message :"Name should start with alpha/numeric letters and can have special characters ,.+_'-"}], editorAttrs :{'maxlength': 32} }, password : { From c829f26bd8b0ad31cbd97a4641c232e34c3ce738 Mon Sep 17 00:00:00 2001 From: Gautam Borad Date: Tue, 2 Feb 2016 12:31:10 +0530 Subject: [PATCH 151/202] RANGER-218 : LDAP Groups incorrectly labelled internal --- .../ranger/service/XGroupServiceBase.java | 2 ++ .../ranger/unixusersync/model/XGroupInfo.java | 8 ++++++- .../process/PolicyMgrUserGroupBuilder.java | 22 ++++++++++++++++--- 3 files changed, 28 insertions(+), 4 deletions(-) diff --git a/security-admin/src/main/java/org/apache/ranger/service/XGroupServiceBase.java b/security-admin/src/main/java/org/apache/ranger/service/XGroupServiceBase.java index 68df9198d0e..8ac97cecde2 100644 --- a/security-admin/src/main/java/org/apache/ranger/service/XGroupServiceBase.java +++ b/security-admin/src/main/java/org/apache/ranger/service/XGroupServiceBase.java @@ -47,6 +47,7 @@ protected XXGroup mapViewToEntityBean(VXGroup vObj, XXGroup mObj, int OPERATION_ mObj.setDescription( vObj.getDescription()); mObj.setGroupType( vObj.getGroupType()); mObj.setCredStoreId( vObj.getCredStoreId()); + mObj.setGroupSource(vObj.getGroupSource()); return mObj; } @@ -58,6 +59,7 @@ protected VXGroup mapEntityToViewBean(VXGroup vObj, XXGroup mObj) { vObj.setDescription( mObj.getDescription()); vObj.setGroupType( mObj.getGroupType()); vObj.setCredStoreId( mObj.getCredStoreId()); + vObj.setGroupSource(mObj.getGroupSource()); return vObj; } 
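Review bot: The new character class `[a-z0-9,._'-+]` places `-` between `'` and `+`, which JavaScript parses as the range U+0027..U+002B: the hyphen itself is no longer accepted, and `(`, `)` and `*` now are — existing usernames containing `-` will fail validation while characters the message does not list pass it. Keep the hyphen literal by moving it to the end or escaping it: `regexp:/^[a-z0-9][a-z0-9,._'+-]+$/i`. The message text `,.+_'-` would then match the set actually allowed.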
diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/model/XGroupInfo.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/model/XGroupInfo.java index 1b8b0b87c4e..a351d357059 100644 --- a/ugsync/src/main/java/org/apache/ranger/unixusersync/model/XGroupInfo.java +++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/model/XGroupInfo.java @@ -25,7 +25,7 @@ public class XGroupInfo { private String name ; private String description ; private String groupType ; - + private String groupSource; public String getId() { return id; } @@ -51,6 +51,12 @@ public String getGroupType() { public void setGroupType(String groupType) { this.groupType = groupType; } + public String getGroupSource() { + return groupSource; + } + public void setGroupSource(String groupSource) { + this.groupSource = groupSource; + } } diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java index 3e4deaec7e2..67379d5bdc1 100644 --- a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java +++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java @@ -83,7 +83,7 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { private static final String PM_DEL_USER_GROUP_LINK_URI = "/service/xusers/group/${groupName}/user/${userName}" ; // DELETE private static final String PM_ADD_LOGIN_USER_URI = "/service/users/default" ; // POST - + private static final String GROUP_SOURCE_EXTERNAL ="1"; private static String LOCAL_HOSTNAME = "unknown" ; private String recordsToPullPerCall = "1000" ; private boolean isMockRun = false ; 
@@ -293,10 +293,16 @@ public void addOrUpdateUser(String userName, List groups) { List oldGroups = user.getGroups() ; List addGroups = new ArrayList() ; List delGroups = new ArrayList() ; - + List updateGroups = new ArrayList() ; + XGroupInfo tempXGroupInfo=null; for(String group : groups) { if (! oldGroups.contains(group)) { addGroups.add(group) ; + }else{ + tempXGroupInfo=groupName2XGroupInfoMap.get(group); + if(tempXGroupInfo!=null && ! GROUP_SOURCE_EXTERNAL.equals(tempXGroupInfo.getGroupSource())){ + updateGroups.add(group); + } } } @@ -325,7 +331,13 @@ public void addOrUpdateUser(String userName, List groups) { if (! isMockRun ) { delXUserGroupInfo(user, delGroups) ; } - + if (! isMockRun) { + if (!updateGroups.isEmpty()){ + ugInfo.setXuserInfo(addXUserInfo(userName)); + ugInfo.setXgroupInfo(getXGroupInfoList(updateGroups)); + addUserGroupInfo(ugInfo); + } + } } } @@ -543,6 +555,8 @@ private XGroupInfo addXGroupInfo(String aGroupName) { addGroup.setGroupType("1") ; + addGroup.setGroupSource(GROUP_SOURCE_EXTERNAL); + return addGroup ; } @@ -570,6 +584,8 @@ private List getXGroupInfoList(List aGroupList) { XGroupInfo group = groupName2XGroupInfoMap.get(groupName) ; if (group == null) { group = addXGroupInfo(groupName) ; + }else if(!GROUP_SOURCE_EXTERNAL.equals(group.getGroupSource())){ + group.setGroupSource(GROUP_SOURCE_EXTERNAL); } xGroupInfoList.add(group); } From 18f216d0201eab93daea0b57035f7e6e3280bcfd Mon Sep 17 00:00:00 2001 
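Review bot: In `addOrUpdateUser`, `if (! isMockRun) { if (!updateGroups.isEmpty()) { … } }` is two nested guards that read as one condition; `if (!isMockRun && !updateGroups.isEmpty())` is clearer and matches the preceding `delXUserGroupInfo` guard. The block reuses `ugInfo` (declared outside the hunk) after it was already populated and posted for `addGroups` above, overwriting its user and group lists in place; a fresh object, or a comment noting the reuse is deliberate, avoids the question of whether the earlier contents matter. `tempXGroupInfo` is declared outside the loop but only used inside it — declare it at the point of use.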
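Review bot: `getXGroupInfoList` now flips `groupSource` to `GROUP_SOURCE_EXTERNAL` for any existing group whose source is not `"1"`, and `addOrUpdateUser` re-posts those groups, so an admin-created internal group that merely shares a name with a synced group is relabelled external on the Ranger side without any record of the change. If that is the intended RANGER-218 behaviour, log it so it is auditable, e.g. `LOG.info("Marking existing group [" + groupName + "] as external");`; if not, skip or warn instead of overwriting. `GROUP_SOURCE_EXTERNAL = "1"` sits next to `setGroupType("1")` — two unrelated "1" strings in the same method; a comment on the constant stating what source value 1 denotes (or a shared enum with the admin module) would prevent them from being confused.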
From: Alok Lal Date: Sun, 31 Jan 2016 17:39:14 -0800 Subject: [PATCH 152/202] RANGER-834 Correct the excludes flag's treatment when resource value denotes everything --- .../RangerAbstractResourceMatcher.java | 28 +++++++++ .../RangerDefaultResourceMatcher.java | 7 +-- .../RangerPathResourceMatcher.java | 7 +-- .../RangerAbstractResourceMatcherTest.java | 32 ++++++++++ .../RangerDefaultResourceMatcherTest.java | 58 +++++++++++++++++++ 5 files changed, 124 insertions(+), 8 deletions(-) create mode 100644 agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcherTest.java create mode 100644 agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcherTest.java diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java index 9e547f1682a..213d3082a41 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java 
@@ -222,4 +222,32 @@ public StringBuilder toString(StringBuilder sb) { return sb; } + + /** + * Is resource asking to authorize all possible values at this level? + * @param resource + * @return + */ + boolean isAllValuesRequested(String resource) { + boolean result = StringUtils.isEmpty(resource) || WILDCARD_ASTERISK.equals(resource); + if (LOG.isDebugEnabled()) { + LOG.debug("isAllValuesRequested(" + resource + "): " + result); + } + return result; + } + + /** + * The only case where excludes flag does NOT change the result is the following: + * - Resource denotes all possible values (i.e. resource in (null, "", "*") + * - where as policy does not allow all possible values (i.e. policy.values().contains("*") + * + * @param allValuesRequested + * @param resultWithoutExcludes + * @return + */ + public boolean applyExcludes(boolean allValuesRequested, boolean resultWithoutExcludes) { + if (!policyIsExcludes) return resultWithoutExcludes; // not an excludes policy! + if (allValuesRequested && !isMatchAny) return resultWithoutExcludes; // one case where excludes has no effect + return !resultWithoutExcludes; // all other cases flip it + } } diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java index 79c388540f6..8efadbe0d80 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java @@ -37,8 +37,9 @@ public boolean isMatch(String resource) { } boolean ret = false; + boolean allValuesRequested = isAllValuesRequested(resource); - if(resource == null || isMatchAny) { + if(allValuesRequested || isMatchAny) { ret = isMatchAny; } else { for(String policyValue : policyValues) { 
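Review bot: The Javadoc on `applyExcludes` says the exclude flag has no effect when the policy "does not allow all possible values (i.e. policy.values().contains("*"))", but the code condition is `allValuesRequested && !isMatchAny`, i.e. the policy does NOT contain `*`; the parenthetical should read `i.e. !policy.values().contains("*")` so the comment agrees with the authorization rule this patch exists to fix. The two single-line `if (...) return ...;` statements omit braces, unlike the surrounding file; `if (!policyIsExcludes) { return resultWithoutExcludes; }` keeps the style uniform. `isAllValuesRequested` is package-private while `applyExcludes` is `public`; as far as this diff shows both are used only by subclasses and the new tests, so giving both the same (`protected` or package) visibility would avoid widening the matcher API by accident.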
@@ -56,9 +57,7 @@ public boolean isMatch(String resource) { } } - if(policyIsExcludes) { - ret = !ret; - } + ret = applyExcludes(allValuesRequested, ret); if(LOG.isDebugEnabled()) { LOG.debug("<== RangerDefaultResourceMatcher.isMatch(" + resource + "): " + ret); diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java index 79ab394ec11..5c555eb9e46 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java @@ -78,8 +78,9 @@ public boolean isMatch(String resource) { } boolean ret = false; + boolean allValuesRequested = isAllValuesRequested(resource); - if(resource == null || isMatchAny) { + if(allValuesRequested || isMatchAny) { ret = isMatchAny; } else { IOCase caseSensitivity = optIgnoreCase ? IOCase.INSENSITIVE : IOCase.SENSITIVE; @@ -103,9 +104,7 @@ public boolean isMatch(String resource) { } } - if(policyIsExcludes) { - ret = !ret; - } + ret = applyExcludes(allValuesRequested, ret); if(LOG.isDebugEnabled()) { LOG.debug("<== RangerPathResourceMatcher.isMatch(" + resource + "): " + ret); diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcherTest.java b/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcherTest.java new file mode 100644 index 00000000000..7f0915fff90 --- /dev/null +++ b/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcherTest.java 
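Review bot: The `boolean allValuesRequested = isAllValuesRequested(resource); if(allValuesRequested || isMatchAny) { ret = isMatchAny; } else { … }` prologue and the `ret = applyExcludes(allValuesRequested, ret);` epilogue are now identical in `RangerPathResourceMatcher.isMatch` and `RangerDefaultResourceMatcher.isMatch`, with only the per-value comparison differing. Hoisting that frame into the abstract class (a template `isMatch` calling an abstract `isMatchValue(String resource, String policyValue)`) would ensure the excludes rule cannot diverge between matchers again. For paths, note that only `null`, `""` and `"*"` count as all-values — a request for `/` or `/*` goes through normal wildcard matching — which is worth a comment here since readers of a path matcher may expect otherwise.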
@@ -0,0 +1,32 @@ +package org.apache.ranger.plugin.resourcematcher; + +import org.junit.Test; + +import static org.junit.Assert.*; + +/** + * Created by alal on 1/29/16. + */ +public class RangerAbstractResourceMatcherTest { + + @Test + public void test_isAllPossibleValues() { + RangerAbstractResourceMatcher matcher = new AbstractMatcherWrapper(); + for (String resource : new String[] { null, "", "*"}) { + assertTrue(matcher.isAllValuesRequested(resource)); + } + + for (String resource : new String[] { " ", "\t", "\n", "foo"}) { + assertFalse(matcher.isAllValuesRequested(resource)); + } + } + + static class AbstractMatcherWrapper extends RangerAbstractResourceMatcher { + + @Override + public boolean isMatch(String resource) { + fail("This method is not expected to be used by test!"); + return false; + } + } +} \ No newline at end of file diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcherTest.java b/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcherTest.java new file mode 100644 index 00000000000..94b7b82804f --- /dev/null +++ b/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcherTest.java 
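Review bot: The new test covers only `isAllValuesRequested`; `applyExcludes`, the method that decides whether an excludes policy inverts the match, has no direct truth-table test here and is exercised only indirectly through `RangerDefaultResourceMatcherTest`. `AbstractMatcherWrapper` already gives the test a concrete subclass, and the `policyIsExcludes`/`isMatchAny` fields are assigned the same way by `MatcherWrapper` in the sibling test, so the six combinations can be pinned in one method. A test along the lines below would catch a regression in the "all values requested, policy not `*`" special case on its own.
```java
@Test
public void test_applyExcludes() {
    AbstractMatcherWrapper matcher = new AbstractMatcherWrapper();

    // not an excludes policy: result passes through unchanged
    matcher.policyIsExcludes = false;
    assertTrue(matcher.applyExcludes(true, true));
    assertFalse(matcher.applyExcludes(false, false));

    // excludes policy with specific values: an all-values request is not flipped
    matcher.policyIsExcludes = true;
    matcher.isMatchAny = false;
    assertFalse(matcher.applyExcludes(true, false));
    assertTrue(matcher.applyExcludes(false, false));

    // excludes policy on "*": flipped even for an all-values request
    matcher.isMatchAny = true;
    assertFalse(matcher.applyExcludes(true, true));
}
```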
@@ -0,0 +1,58 @@ +package org.apache.ranger.plugin.resourcematcher; + +import com.google.common.collect.Lists; +import org.junit.Test; + +import static org.junit.Assert.*; + +/** + * Created by alal on 2/1/16. + */ +public class RangerDefaultResourceMatcherTest { + + Object[][] data = { + // { resource, policy, excludes, result + { "*", "*", false, true }, // resource is all values + { "*", "*", true, false }, + { "*", "a*", false, false }, // but, policy is not match any + { "*", "a*", true, false }, // ==> compare with above: exclude flag has no effect here + { "a*", "a", false, false }, // resource has regex marker! + { "a*", "a", true, true }, + { "a", "a", false, true }, // exact match + { "a", "a", true, false }, + { "a1", "a*", false, true }, // trivial regex match + { "a1", "a*", true, false }, + }; + + @Test + public void testIsMatch() throws Exception { + for (Object[] row : data) { + String resource = (String)row[0]; + String policyValue = (String)row[1]; + boolean excludes = (boolean)row[2]; + boolean result = (boolean)row[3]; + + MatcherWrapper matcher = new MatcherWrapper(policyValue, excludes); + assertEquals(getMessage(row), result, matcher.isMatch(resource)); + } + } + + String getMessage(Object[] row) { + return String.format("Resource=%s, Policy=%s, excludes=%s, result=%s", + (String)row[0], (String)row[1], (boolean)row[2], (boolean)row[3]); + } + + static class MatcherWrapper extends RangerDefaultResourceMatcher { + MatcherWrapper(String policyValue, boolean exclude) { + this.policyValues = Lists.newArrayList(policyValue); + if (WILDCARD_ASTERISK.equals(policyValue)) { + this.isMatchAny = true; + } + if (policyValue.contains(WILDCARD_ASTERISK)) { + this.optWildCard = true; + } + this.policyIsExcludes = exclude; + } + } + +} \ No newline at end of file From 4290d588925a612785d859eb717f2ed391f9396c Mon Sep 17 00:00:00 2001 
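Review bot: The `data` table only ever uses `"*"` for the "resource is all values" case, although `isAllValuesRequested` treats `null` and `""` identically, and those are the forms an authorization request is more likely to carry; rows such as `{ null, "a*", true, false }, // null resource: excludes has no effect either` and `{ "", "*", false, true }, // empty resource matches a "*" policy` would pin that behaviour. The header comment `// { resource, policy, excludes, result` is missing its closing brace. The table would also benefit from one row per branch of `applyExcludes` being named in a comment, since the `"*"`/`"a*"`/`true` row is the one the whole patch exists for.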
From: sneethiraj Date: Thu, 4 Feb 2016 04:22:59 -0500 Subject: [PATCH 153/202] RANGER-834: fixed apache2 copyright headers for the java source code Signed-off-by: sneethiraj --- .../RangerAbstractResourceMatcherTest.java | 22 ++++++++++++++++--- .../RangerDefaultResourceMatcherTest.java | 22 ++++++++++++++++--- 2 files changed, 38 insertions(+), 6 deletions(-) diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcherTest.java b/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcherTest.java index 7f0915fff90..48bc6ee2af4 100644 --- a/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcherTest.java +++ b/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcherTest.java @@ -1,12 +1,28 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + package org.apache.ranger.plugin.resourcematcher; import org.junit.Test; import static org.junit.Assert.*; -/** - * Created by alal on 1/29/16. - */ public class RangerAbstractResourceMatcherTest { @Test 
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcherTest.java b/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcherTest.java index 94b7b82804f..5576a098f25 100644 --- a/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcherTest.java +++ b/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcherTest.java @@ -1,3 +1,22 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + package org.apache.ranger.plugin.resourcematcher; import com.google.common.collect.Lists; @@ -5,9 +24,6 @@ import static org.junit.Assert.*; -/** - * Created by alal on 2/1/16. - */ public class RangerDefaultResourceMatcherTest { Object[][] data = { From 3c11aee929ebc6953f6ded74a457f67d373af262 Mon Sep 17 00:00:00 2001 
From: Gautam Borad Date: Wed, 10 Feb 2016 16:27:46 +0530 Subject: [PATCH 154/202] RANGER-204: Not able to delete user or group if user/group has any policy defined --- .../java/org/apache/ranger/biz/XUserMgr.java | 387 +++++++++++++++--- .../org/apache/ranger/common/db/BaseDao.java | 14 + .../apache/ranger/db/XXAuthSessionDao.java | 12 + .../org/apache/ranger/db/XXGroupGroupDao.java | 18 + .../org/apache/ranger/db/XXPolicyDao.java | 25 +- .../org/apache/ranger/rest/XUserREST.java | 56 +-- .../ranger/service/XAuditMapService.java | 4 + .../ranger/service/XPortalUserService.java | 75 ++++ .../resources/META-INF/jpa_named_queries.xml | 16 + .../org/apache/ranger/biz/TestXUserMgr.java | 208 ++++++++-- unixauthservice/scripts/setup.py | 4 +- 11 files changed, 712 insertions(+), 107 deletions(-) diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java index 3784439ca6b..2e287076463 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java @@ -33,6 +33,9 @@ import org.apache.ranger.entity.XXGroupPermission; import org.apache.ranger.entity.XXModuleDef; import org.apache.ranger.entity.XXUserPermission; +import org.apache.ranger.plugin.model.RangerPolicy; +import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem; +import org.apache.ranger.service.RangerPolicyService; import org.apache.ranger.service.XGroupPermissionService; import org.apache.ranger.service.XModuleDefService; import org.apache.ranger.service.XPortalUserService; @@ -42,6 +45,7 @@ import org.apache.ranger.view.VXModuleDef; import org.apache.ranger.view.VXUserPermission; import org.apache.log4j.Logger; +import org.apache.ranger.authorization.utils.StringUtil; import org.apache.ranger.common.AppConstants; import org.apache.ranger.common.MessageEnums; import org.apache.ranger.common.PropertiesUtil; 
@@ -49,11 +53,25 @@ import org.apache.ranger.common.SearchCriteria; import org.apache.ranger.common.UserSessionBase; import org.apache.ranger.db.RangerDaoManager; +import org.apache.ranger.db.XXAuditMapDao; +import org.apache.ranger.db.XXAuthSessionDao; +import org.apache.ranger.db.XXGroupDao; +import org.apache.ranger.db.XXGroupGroupDao; import org.apache.ranger.db.XXGroupUserDao; +import org.apache.ranger.db.XXPermMapDao; +import org.apache.ranger.db.XXPolicyDao; +import org.apache.ranger.db.XXPortalUserDao; +import org.apache.ranger.db.XXPortalUserRoleDao; +import org.apache.ranger.db.XXResourceDao; +import org.apache.ranger.db.XXUserDao; +import org.apache.ranger.db.XXUserPermissionDao; import org.apache.ranger.entity.XXAuditMap; +import org.apache.ranger.entity.XXAuthSession; import org.apache.ranger.entity.XXGroup; +import org.apache.ranger.entity.XXGroupGroup; import org.apache.ranger.entity.XXGroupUser; import org.apache.ranger.entity.XXPermMap; +import org.apache.ranger.entity.XXPolicy; import org.apache.ranger.entity.XXPortalUser; import org.apache.ranger.entity.XXResource; import org.apache.ranger.entity.XXTrxLog; @@ -81,7 +99,6 @@ import org.apache.ranger.view.VXResponse; import org.apache.ranger.entity.XXPortalUserRole; -import javax.servlet.http.HttpServletResponse; import org.apache.ranger.view.VXString; import org.apache.ranger.view.VXStringList; @Component 
@@ -123,56 +140,15 @@ public class XUserMgr extends XUserMgrBase { @Autowired SessionMgr sessionMgr; - static final Logger logger = Logger.getLogger(XUserMgr.class); + @Autowired + RangerPolicyService policyService; - public void deleteXGroup(Long id, boolean force) { - checkAdminAccess(); - if (force) { - SearchCriteria searchCriteria = new SearchCriteria(); - searchCriteria.addParam("xGroupId", id); - VXGroupUserList vxGroupUserList = searchXGroupUsers(searchCriteria); - for (VXGroupUser groupUser : vxGroupUserList.getList()) { - daoManager.getXXGroupUser().remove(groupUser.getId()); - } - XXGroup xGroup = daoManager.getXXGroup().getById(id); - daoManager.getXXGroup().remove(id); - List trxLogList = xGroupService.getTransactionLog( - xGroupService.populateViewBean(xGroup), "delete"); - xaBizUtil.createTrxLog(trxLogList); - } else { - throw restErrorUtil.createRESTException( - "serverMsg.modelMgrBaseDeleteModel", - MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY); - } - } + @Autowired + ServiceDBStore svcStore; + + static final Logger logger = Logger.getLogger(XUserMgr.class); - public void deleteXUser(Long id, boolean force) { - checkAdminAccess(); - if (force) { - SearchCriteria searchCriteria = new SearchCriteria(); - searchCriteria.addParam("xUserId", id); - VXGroupUserList vxGroupUserList = searchXGroupUsers(searchCriteria); - XXGroupUserDao xGroupUserDao = daoManager.getXXGroupUser(); - for (VXGroupUser groupUser : vxGroupUserList.getList()) { - xGroupUserDao.remove(groupUser.getId()); - } - // TODO : Need to discuss, why we were not removing user from the - // system. 
- - // XXUser xUser = daoManager.getXXUser().getById(id); - daoManager.getXXUser().remove(id); - // applicationCache.removeUserID(id); - // Not Supported So Far - // List trxLogList = xUserService.getTransactionLog( - // xUserService.populateViewBean(xUser), "delete"); - // xaBizUtil.createTrxLog(trxLogList); - } else { - throw restErrorUtil.createRESTException( - "serverMsg.modelMgrBaseDeleteModel", - MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY); - } - } public VXUser getXUserByUserName(String userName) { VXUser vXUser=null; 
@@ -1446,4 +1422,319 @@ public boolean hasAccessToModule(String moduleName){ } return false; } + + public void deleteXGroup(Long id, boolean force) { + checkAdminAccess(); + XXGroupDao xXGroupDao = daoManager.getXXGroup(); + XXGroup xXGroup = xXGroupDao.getById(id); + VXGroup vXGroup = xGroupService.populateViewBean(xXGroup); + if (vXGroup == null || StringUtil.isEmpty(vXGroup.getName())) { + throw restErrorUtil.createRESTException("Group ID doesn't exist.", MessageEnums.INVALID_INPUT_DATA); + } + if(logger.isDebugEnabled()){ + logger.info("Force delete status="+force+" for group="+vXGroup.getName()); + } + + SearchCriteria searchCriteria = new SearchCriteria(); + searchCriteria.addParam("xGroupId", id); + VXGroupUserList vxGroupUserList = searchXGroupUsers(searchCriteria); + + searchCriteria = new SearchCriteria(); + searchCriteria.addParam("groupId", id); + VXPermMapList vXPermMapList = searchXPermMaps(searchCriteria); + + searchCriteria = new SearchCriteria(); + searchCriteria.addParam("groupId", id); + VXAuditMapList vXAuditMapList = searchXAuditMaps(searchCriteria); + + XXGroupGroupDao xXGroupGroupDao = daoManager.getXXGroupGroup(); + List xXGroupGroups = xXGroupGroupDao.findByGroupId(id); + + XXPolicyDao xXPolicyDao = daoManager.getXXPolicy(); + List xXPolicyList = xXPolicyDao.findByGroupId(id); + logger.warn("Deleting GROUP : "+vXGroup.getName()); + if (force) { + //delete XXGroupUser records of matching group + XXGroupUserDao xGroupUserDao = daoManager.getXXGroupUser(); + XXUserDao xXUserDao = daoManager.getXXUser(); + XXUser xXUser =null; + for (VXGroupUser groupUser : vxGroupUserList.getList()) { + if(groupUser!=null){ + xXUser=xXUserDao.getById(groupUser.getUserId()); + if(xXUser!=null){ + logger.warn("Removing user '" + xXUser.getName() + "' from group '" + groupUser.getName() + "'"); + } + xGroupUserDao.remove(groupUser.getId()); + } + } + //delete XXPermMap records of matching group + XXPermMapDao xXPermMapDao = daoManager.getXXPermMap(); + 
XXResourceDao xXResourceDao = daoManager.getXXResource(); + XXResource xXResource =null; + for (VXPermMap vXPermMap : vXPermMapList.getList()) { + if(vXPermMap!=null){ + xXResource=xXResourceDao.getById(vXPermMap.getResourceId()); + if(xXResource!=null){ + logger.warn("Deleting '" + AppConstants.getLabelFor_XAPermType(vXPermMap.getPermType()) + "' permission from policy ID='" + vXPermMap.getResourceId() + "' for group '" + vXPermMap.getGroupName() + "'"); + } + xXPermMapDao.remove(vXPermMap.getId()); + } + } + //delete XXAuditMap records of matching group + XXAuditMapDao xXAuditMapDao = daoManager.getXXAuditMap(); + for (VXAuditMap vXAuditMap : vXAuditMapList.getList()) { + if(vXAuditMap!=null){ + xXResource=xXResourceDao.getById(vXAuditMap.getResourceId()); + xXAuditMapDao.remove(vXAuditMap.getId()); + } + } + //delete XXGroupGroupDao records of group-group mapping + for (XXGroupGroup xXGroupGroup : xXGroupGroups) { + if(xXGroupGroup!=null){ + XXGroup xXGroupParent=xXGroupDao.getById(xXGroupGroup.getParentGroupId()); + XXGroup xXGroupChild=xXGroupDao.getById(xXGroupGroup.getGroupId()); + if(xXGroupParent!=null && xXGroupChild!=null){ + logger.warn("Removing group '" + xXGroupChild.getName() + "' from group '" + xXGroupParent.getName() + "'"); + } + xXGroupGroupDao.remove(xXGroupGroup.getId()); + } + } + //delete XXPolicyItemGroupPerm records of group + for (XXPolicy xXPolicy : xXPolicyList) { + RangerPolicy rangerPolicy = policyService.getPopulatedViewObject(xXPolicy); + List policyItems = rangerPolicy.getPolicyItems(); + removeUserGroupReferences(policyItems,null,vXGroup.getName()); + rangerPolicy.setPolicyItems(policyItems); + try { + svcStore.updatePolicy(rangerPolicy); + } catch (Throwable excp) { + logger.error("updatePolicy(" + rangerPolicy + ") failed", excp); + restErrorUtil.createRESTException(excp.getMessage()); + } + } + //delete XXGroup + xXGroupDao.remove(id); + //Create XXTrxLog + List xXTrxLogsXXGroup = 
xGroupService.getTransactionLog(xGroupService.populateViewBean(xXGroup), + "delete"); + xaBizUtil.createTrxLog(xXTrxLogsXXGroup); + } else { + boolean hasReferences=false; + + if(vxGroupUserList!=null && vxGroupUserList.getListSize()>0){ + hasReferences=true; + } + if(hasReferences==false && xXPolicyList!=null && xXPolicyList.size()>0){ + hasReferences=true; + } + if(hasReferences==false && vXPermMapList!=null && vXPermMapList.getListSize()>0){ + hasReferences=true; + } + if(hasReferences==false && vXAuditMapList!=null && vXAuditMapList.getListSize()>0){ + hasReferences=true; + } + if(hasReferences==false && xXGroupGroups!=null && xXGroupGroups.size()>0){ + hasReferences=true; + } + + if(hasReferences){ //change visibility to Hidden + if(vXGroup.getIsVisible()==RangerCommonEnums.IS_VISIBLE){ + vXGroup.setIsVisible(RangerCommonEnums.IS_HIDDEN); + xGroupService.updateResource(vXGroup); + } + }else{ + //delete XXGroup + xXGroupDao.remove(id); + //Create XXTrxLog + List xXTrxLogsXXGroup = xGroupService.getTransactionLog(xGroupService.populateViewBean(xXGroup), + "delete"); + xaBizUtil.createTrxLog(xXTrxLogsXXGroup); + } + } + } + + public void deleteXUser(Long id, boolean force) { + checkAdminAccess(); + XXUserDao xXUserDao = daoManager.getXXUser(); + XXUser xXUser = xXUserDao.getById(id); + VXUser vXUser = xUserService.populateViewBean(xXUser); + if(vXUser==null ||StringUtil.isEmpty(vXUser.getName())){ + throw restErrorUtil.createRESTException("No user found with id=" + id); + } + XXPortalUserDao xXPortalUserDao=daoManager.getXXPortalUser(); + XXPortalUser xXPortalUser=xXPortalUserDao.findByLoginId(vXUser.getName().trim()); + VXPortalUser vXPortalUser=xPortalUserService.populateViewBean(xXPortalUser); + if(vXPortalUser==null ||StringUtil.isEmpty(vXPortalUser.getLoginId())){ + throw restErrorUtil.createRESTException("No user found with id=" + id); + } + if (logger.isDebugEnabled()) { + logger.debug("Force delete status="+force+" for user="+vXUser.getName()); + } + + 
SearchCriteria searchCriteria = new SearchCriteria(); + searchCriteria.addParam("xUserId", id); + VXGroupUserList vxGroupUserList = searchXGroupUsers(searchCriteria); + + searchCriteria = new SearchCriteria(); + searchCriteria.addParam("userId", id); + VXPermMapList vXPermMapList = searchXPermMaps(searchCriteria); + + searchCriteria = new SearchCriteria(); + searchCriteria.addParam("userId", id); + VXAuditMapList vXAuditMapList = searchXAuditMaps(searchCriteria); + + long xXPortalUserId=0; + xXPortalUserId=vXPortalUser.getId(); + XXAuthSessionDao xXAuthSessionDao=daoManager.getXXAuthSession(); + XXUserPermissionDao xXUserPermissionDao=daoManager.getXXUserPermission(); + XXPortalUserRoleDao xXPortalUserRoleDao=daoManager.getXXPortalUserRole(); + List xXAuthSessions=xXAuthSessionDao.getAuthSessionByUserId(xXPortalUserId); + List xXUserPermissions=xXUserPermissionDao.findByUserPermissionId(xXPortalUserId); + List xXPortalUserRoles=xXPortalUserRoleDao.findByUserId(xXPortalUserId); + + XXPolicyDao xXPolicyDao = daoManager.getXXPolicy(); + List xXPolicyList=xXPolicyDao.findByUserId(id); + logger.warn("Deleting User : "+vXUser.getName()); + if (force) { + //delete XXGroupUser mapping + XXGroupUserDao xGroupUserDao = daoManager.getXXGroupUser(); + for (VXGroupUser groupUser : vxGroupUserList.getList()) { + if(groupUser!=null){ + logger.warn("Removing user '" + vXUser.getName() + "' from group '" + groupUser.getName() + "'"); + xGroupUserDao.remove(groupUser.getId()); + } + } + //delete XXPermMap records of user + XXPermMapDao xXPermMapDao = daoManager.getXXPermMap(); + for (VXPermMap vXPermMap : vXPermMapList.getList()) { + if(vXPermMap!=null){ + logger.warn("Deleting '" + AppConstants.getLabelFor_XAPermType(vXPermMap.getPermType()) + "' permission from policy ID='" + vXPermMap.getResourceId() + "' for user '" + vXPermMap.getUserName() + "'"); + xXPermMapDao.remove(vXPermMap.getId()); + } + } + //delete XXAuditMap records of user + XXAuditMapDao xXAuditMapDao = 
daoManager.getXXAuditMap(); + for (VXAuditMap vXAuditMap : vXAuditMapList.getList()) { + if(vXAuditMap!=null){ + xXAuditMapDao.remove(vXAuditMap.getId()); + } + } + //delete XXPortalUser references + if(vXPortalUser!=null){ + xPortalUserService.updateXXPortalUserReferences(xXPortalUserId); + if(xXAuthSessions!=null && xXAuthSessions.size()>0){ + logger.warn("Deleting " + xXAuthSessions.size() + " login session records for user '" + vXPortalUser.getLoginId() + "'"); + } + for (XXAuthSession xXAuthSession : xXAuthSessions) { + xXAuthSessionDao.remove(xXAuthSession.getId()); + } + for (XXUserPermission xXUserPermission : xXUserPermissions) { + if(xXUserPermission!=null){ + XXModuleDef xXModuleDef=daoManager.getXXModuleDef().findByModuleId(xXUserPermission.getModuleId()); + if(xXModuleDef!=null){ + logger.warn("Deleting '" + xXModuleDef.getModule() + "' module permission for user '" + vXPortalUser.getLoginId() + "'"); + } + xXUserPermissionDao.remove(xXUserPermission.getId()); + } + } + for (XXPortalUserRole xXPortalUserRole : xXPortalUserRoles) { + if(xXPortalUserRole!=null){ + logger.warn("Deleting '" + xXPortalUserRole.getUserRole() + "' role for user '" + vXPortalUser.getLoginId() + "'"); + xXPortalUserRoleDao.remove(xXPortalUserRole.getId()); + } + } + } + //delete XXPolicyItemUserPerm records of user + for(XXPolicy xXPolicy:xXPolicyList){ + RangerPolicy rangerPolicy = policyService.getPopulatedViewObject(xXPolicy); + List policyItems = rangerPolicy.getPolicyItems(); + removeUserGroupReferences(policyItems,vXUser.getName(),null); + rangerPolicy.setPolicyItems(policyItems); + try{ + svcStore.updatePolicy(rangerPolicy); + }catch(Throwable excp) { + logger.error("updatePolicy(" + rangerPolicy + ") failed", excp); + throw restErrorUtil.createRESTException(excp.getMessage()); + } + } + //delete XXUser entry of user + xXUserDao.remove(id); + //delete XXPortal entry of user + logger.warn("Deleting Portal User : "+vXPortalUser.getLoginId()); + 
xXPortalUserDao.remove(xXPortalUserId); + List trxLogList =xUserService.getTransactionLog(xUserService.populateViewBean(xXUser), "delete"); + xaBizUtil.createTrxLog(trxLogList); + if (xXPortalUser != null) { + trxLogList=xPortalUserService + .getTransactionLog(xPortalUserService.populateViewBean(xXPortalUser), "delete"); + xaBizUtil.createTrxLog(trxLogList); + } + } else { + boolean hasReferences=false; + + if(vxGroupUserList!=null && vxGroupUserList.getListSize()>0){ + hasReferences=true; + } + if(hasReferences==false && xXPolicyList!=null && xXPolicyList.size()>0){ + hasReferences=true; + } + if(hasReferences==false && vXPermMapList!=null && vXPermMapList.getListSize()>0){ + hasReferences=true; + } + if(hasReferences==false && vXAuditMapList!=null && vXAuditMapList.getListSize()>0){ + hasReferences=true; + } + if(hasReferences==false && xXAuthSessions!=null && xXAuthSessions.size()>0){ + hasReferences=true; + } + if(hasReferences==false && xXUserPermissions!=null && xXUserPermissions.size()>0){ + hasReferences=true; + } + if(hasReferences==false && xXPortalUserRoles!=null && xXPortalUserRoles.size()>0){ + hasReferences=true; + } + if(hasReferences){ + if(vXUser.getIsVisible()!=RangerCommonEnums.IS_HIDDEN){ + logger.info("Updating visibility of user '"+vXUser.getName()+"' to Hidden!"); + vXUser.setIsVisible(RangerCommonEnums.IS_HIDDEN); + xUserService.updateResource(vXUser); + } + }else{ + xPortalUserService.updateXXPortalUserReferences(xXPortalUserId); + //delete XXUser entry of user + xXUserDao.remove(id); + //delete XXPortal entry of user + logger.warn("Deleting Portal User : "+vXPortalUser.getLoginId()); + xXPortalUserDao.remove(xXPortalUserId); + List trxLogList =xUserService.getTransactionLog(xUserService.populateViewBean(xXUser), "delete"); + xaBizUtil.createTrxLog(trxLogList); + if (xXPortalUser != null) { + trxLogList=xPortalUserService + .getTransactionLog(xPortalUserService.populateViewBean(xXPortalUser), "delete"); + xaBizUtil.createTrxLog(trxLogList); 
+ } + } + } + } + + private void removeUserGroupReferences(List policyItems, String user, String group) { + List itemsToRemove = null; + for(RangerPolicyItem policyItem : policyItems) { + if(!StringUtil.isEmpty(user)) { + policyItem.getUsers().remove(user); + } + if(!StringUtil.isEmpty(group)) { + policyItem.getGroups().remove(group); + } + if(policyItem.getUsers().isEmpty() && policyItem.getGroups().isEmpty()) { + if(itemsToRemove == null) { + itemsToRemove = new ArrayList(); + } + itemsToRemove.add(policyItem); + } + } + if(CollectionUtils.isNotEmpty(itemsToRemove)) { + policyItems.removeAll(itemsToRemove); + } + } } diff --git a/security-admin/src/main/java/org/apache/ranger/common/db/BaseDao.java b/security-admin/src/main/java/org/apache/ranger/common/db/BaseDao.java index aaa4fa59e31..514a63e03dc 100644 --- a/security-admin/src/main/java/org/apache/ranger/common/db/BaseDao.java +++ b/security-admin/src/main/java/org/apache/ranger/common/db/BaseDao.java @@ -265,4 +265,18 @@ public void setIdentityInsert(boolean identityInsert) { } } + public void updateUserIDReference(String paramName,long oldID) { + Table table = tClass.getAnnotation(Table.class); + if(table == null) { + logger.warn("Required annotation `Table` not found"); + } + String tableName = table.name(); + String query = "update " + tableName + " set " + tableName + "."+paramName+"=null" + + " where " + tableName + "."+paramName+"=" + oldID; + int count=getEntityManager().createNativeQuery(query).executeUpdate(); + if(count>0){ + logger.warn(count + " records updated in table '" + tableName + "' with: set " + paramName + "=null where " + paramName + "=" + oldID); + } + } + } diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXAuthSessionDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXAuthSessionDao.java index 4c9bdc511ed..c05546fadff 100644 --- a/security-admin/src/main/java/org/apache/ranger/db/XXAuthSessionDao.java 
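Review bot: In `deleteXGroup`'s policy-update loop the `catch (Throwable excp)` builds a REST exception but never throws it, so when `svcStore.updatePolicy(rangerPolicy)` fails the error is logged and the group is still removed by the following `xXGroupDao.remove(id)`, leaving policy items that still grant to the deleted group's name; `deleteXUser`'s equivalent block does `throw restErrorUtil.createRESTException(excp.getMessage());` and the group branch should match it. Catching `Throwable` also swallows errors such as OutOfMemoryError in both methods, so `catch (Exception excp)` is the narrower choice. Near the top of `deleteXGroup` the guard `if(logger.isDebugEnabled()){ logger.info(...) }` mixes levels; `deleteXUser` uses `logger.debug` there and the group method should do the same. The force path of `deleteXUser` calls `updateXXPortalUserReferences`, which per the XPortalUserService hunk nulls `added_by_id`/`upd_by_id` across many tables, so attribution of the deleted user's earlier changes is lost and the transaction log written afterwards becomes the only record; that is worth a sentence in the method's Javadoc.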
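Review bot: `updateUserIDReference` warns when the `@Table` annotation is missing and then dereferences `table.name()` on the very next line, so the warning is immediately followed by a NullPointerException; use `throw new IllegalStateException("Required annotation Table not found on " + tClass.getName());` instead. The update is assembled as a native SQL string from `paramName` and `oldID`; the callers on this page pass only literal column names and a `long`, so it is not injectable as used, but binding the id keeps this base-DAO helper safe for future callers: `String query = "update " + tableName + " set " + paramName + " = null where " + paramName + " = ?1";` with `.setParameter(1, oldID)` before `executeUpdate()`. The method also deserves a Javadoc line stating that `paramName` must be a trusted column name, never request input, since it is still concatenated into the statement.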
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXAuthSessionDao.java @@ -49,5 +49,17 @@ public XXAuthSession getAuthSessionBySessionId(String sessionId){ return null; } } + + @SuppressWarnings("unchecked") + public List getAuthSessionByUserId(Long userId){ + try{ + return getEntityManager() + .createNamedQuery("XXAuthSession.getAuthSessionByUserId") + .setParameter("userId", userId) + .getResultList(); + } catch(NoResultException ignoreNoResultFound) { + return null; + } + } } diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXGroupGroupDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXGroupGroupDao.java index df2796cd70a..0e0783d1edd 100644 --- a/security-admin/src/main/java/org/apache/ranger/db/XXGroupGroupDao.java +++ b/security-admin/src/main/java/org/apache/ranger/db/XXGroupGroupDao.java @@ -19,6 +19,11 @@ package org.apache.ranger.db; +import java.util.ArrayList; +import java.util.List; + +import javax.persistence.NoResultException; + import org.apache.ranger.common.db.BaseDao; import org.apache.ranger.entity.XXGroupGroup; @@ -27,5 +32,18 @@ public class XXGroupGroupDao extends BaseDao { public XXGroupGroupDao( RangerDaoManagerBase daoManager ) { super(daoManager); } + public List findByGroupId(Long groupId) { + if (groupId == null) { + return new ArrayList(); + } + try { + return getEntityManager().createNamedQuery("XXGroupGroup.findByGroupId", tClass) + .setParameter("groupId", groupId) + .setParameter("parentGroupId", groupId) + .getResultList(); + } catch (NoResultException e) { + return new ArrayList(); + } + } } diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java index 006964cbbb9..e25540b55d2 100644 --- a/security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java +++ b/security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java 
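Review bot: `getAuthSessionByUserId` returns `null` from its `catch(NoResultException ...)` branch, while the sibling `findByGroupId` in XXGroupGroupDao and the two new XXPolicyDao finders return an empty list; the caller in `XUserMgr.deleteXUser` iterates `xXAuthSessions` in the force branch with no null check, so the null return would surface as a NullPointerException there. Return `new ArrayList<XXAuthSession>();` in that branch to match the other DAOs. As far as the JPA API goes, `getResultList()` does not throw `NoResultException` (only `getSingleResult()` does), so the catch in all three new finder methods is unreachable; it can be dropped, or kept as a defensive guard with a one-line comment saying so.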
@@ -122,5 +122,28 @@ public void updateSequence() { updateSequence("X_POLICY_SEQ", maxId + 1); } - + public List findByUserId(Long userId) { + if(userId == null || userId.equals(0)) { + return new ArrayList(); + } + try { + return getEntityManager() + .createNamedQuery("XXPolicy.findByUserId", tClass) + .setParameter("userId", userId).getResultList(); + } catch (NoResultException e) { + return new ArrayList(); + } + } + public List findByGroupId(Long groupId) { + if(groupId == null || groupId.equals(0)) { + return new ArrayList(); + } + try { + return getEntityManager() + .createNamedQuery("XXPolicy.findByGroupId", tClass) + .setParameter("groupId", groupId).getResultList(); + } catch (NoResultException e) { + return new ArrayList(); + } + } } \ No newline at end of file diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java index 448a60a2afe..0f5a4625c49 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java @@ -20,7 +20,6 @@ package org.apache.ranger.rest; import java.util.HashMap; -import java.util.List; import javax.servlet.http.HttpServletRequest; import javax.ws.rs.DELETE; @@ -32,6 +31,7 @@ import javax.ws.rs.Produces; import javax.ws.rs.core.Context; +import org.apache.commons.lang.StringUtils; import org.apache.log4j.Logger; import org.apache.ranger.biz.RangerBizUtil; import org.apache.ranger.biz.SessionMgr; 
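Review bot: `userId.equals(0)` in `findByUserId` compares a `Long` with an autoboxed `Integer`, which is always false, so the intended short-circuit on id 0 never fires and the named query runs with `userId = 0`; write `if(userId == null || userId.longValue() == 0L) {` and the same for `groupId` in `findByGroupId`. Both methods would benefit from a Javadoc line stating that they return the policies whose policy items reference the given user or group id, and an empty list (never null) when there are none.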
@@ -45,8 +45,6 @@ import org.apache.ranger.common.annotation.RangerAnnotationJSMgrName; import org.apache.ranger.db.RangerDaoManager; import org.apache.ranger.security.context.RangerAPIList; -import org.apache.ranger.security.context.RangerAPIMapping; -import org.apache.ranger.security.context.RangerPreAuthSecurityHandler; import org.apache.ranger.service.AuthSessionService; import org.apache.ranger.service.XAuditMapService; import org.apache.ranger.service.XGroupGroupService; @@ -75,8 +73,6 @@ import org.apache.ranger.view.VXModuleDefList; import org.apache.ranger.view.VXPermMap; import org.apache.ranger.view.VXPermMapList; -import org.apache.ranger.view.VXPortalUser; -import org.apache.ranger.view.VXResponse; import org.apache.ranger.view.VXStringList; import org.apache.ranger.view.VXUser; import org.apache.ranger.view.VXUserGroupInfo; @@ -211,8 +207,12 @@ public void modifyGroupsVisibility(HashMap groupVisibilityMap){ @RangerAnnotationClassName(class_name = VXGroup.class) public void deleteXGroup(@PathParam("id") Long id, @Context HttpServletRequest request) { - boolean force = true; - xUserMgr.deleteXGroup(id, force); + String forceDeleteStr = request.getParameter("forceDelete"); + boolean forceDelete = false; + if(!StringUtils.isEmpty(forceDeleteStr) && "true".equalsIgnoreCase(forceDeleteStr.trim())) { + forceDelete = true; + } + xUserMgr.deleteXGroup(id, forceDelete); } /** @@ -318,8 +318,12 @@ public void modifyUserVisibility(HashMap visibilityMap){ @RangerAnnotationClassName(class_name = VXUser.class) public void deleteXUser(@PathParam("id") Long id, @Context HttpServletRequest request) { - boolean force = true; - xUserMgr.deleteXUser(id, force); + String forceDeleteStr = request.getParameter("forceDelete"); + boolean forceDelete = false; + if(!StringUtils.isEmpty(forceDeleteStr) && forceDeleteStr.equalsIgnoreCase("true")) { + forceDelete = true; + } + xUserMgr.deleteXUser(id, forceDelete); } /** 
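Review bot: The four new `forceDelete` parsers differ in detail: `deleteXGroup` trims the value before `"true".equalsIgnoreCase(...)`, while `deleteXUser` here and `deleteXUserByUserName`/`deleteXGroupByGroupName` in the next hunk compare untrimmed, so a value with surrounding whitespace forces a delete on one endpoint and only hides the entity on the others. A single private helper keeps the four consistent, e.g. `private static boolean isForceDelete(HttpServletRequest request) { return Boolean.parseBoolean(StringUtils.trim(request.getParameter("forceDelete"))); }`, since `Boolean.parseBoolean` matches "true" case-insensitively and returns false for null. Defaulting to a non-forced delete is the safe default; the helper is worth a one-line comment saying that only an explicit `forceDelete=true` removes a referenced user or group instead of hiding it.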
@@ -671,33 +675,33 @@ public VXGroup getXGroupByGroupName(@Context HttpServletRequest request, @DELETE @Path("/users/userName/{userName}") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public void deleteXUserByUserName(@PathParam("userName") String userName, @Context HttpServletRequest request) { - boolean force = true; + String forceDeleteStr = request.getParameter("forceDelete"); + boolean forceDelete = false; + if(!StringUtils.isEmpty(forceDeleteStr) && forceDeleteStr.equalsIgnoreCase("true")) { + forceDelete = true; + } VXUser vxUser = xUserService.getXUserByUserName(userName); - xUserMgr.deleteXUser(vxUser.getId(), force); + xUserMgr.deleteXUser(vxUser.getId(), forceDelete); } @DELETE @Path("/groups/groupName/{groupName}") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public void deleteXGroupByGroupName( @PathParam("groupName") String groupName, @Context HttpServletRequest request) { - boolean force = true; + String forceDeleteStr = request.getParameter("forceDelete"); + boolean forceDelete = false; + if(!StringUtils.isEmpty(forceDeleteStr) && forceDeleteStr.equalsIgnoreCase("true")) { + forceDelete = true; + } VXGroup vxGroup = xGroupService.getGroupByGroupName(groupName); - xUserMgr.deleteXGroup(vxGroup.getId(), force); - } - - // @POST - // @Path("/group/{groupName}/user/{userName}") - // @Produces({ "application/xml", "application/json" }) - // public void createXGroupAndXUser(@PathParam("groupName") String - // groupName, - // @PathParam("userName") String userName, - // @Context HttpServletRequest request) { - // xUserMgr.createXGroupAndXUser(groupName, userName); - // } - // + xUserMgr.deleteXGroup(vxGroup.getId(), forceDelete); + } + @DELETE @Path("/group/{groupName}/user/{userName}") @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") 
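Review bot: `vxUser.getId()` and `vxGroup.getId()` on the context lines are dereferenced without a null check, so an unknown `userName`/`groupName` on these `@DELETE` endpoints would surface as a NullPointerException rather than a 4xx; this is hedged, since what `getXUserByUserName`/`getGroupByGroupName` return for a missing name is outside the hunk. A null check that raises a REST error, in the style `XUserMgr.deleteXUser` uses with `restErrorUtil.createRESTException("No user found with id=" + id)`, would belong before each `xUserMgr.delete...` call if `restErrorUtil` is available in this class. The added `@PreAuthorize("hasRole('ROLE_SYS_ADMIN')")` on both name-based delete endpoints is the right place for the check, with `checkAdminAccess()` in `XUserMgr.deleteXUser`/`deleteXGroup` remaining as the second layer.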
@@ -731,7 +735,7 @@ public VXUserList getXGroupUsers(@Context HttpServletRequest request, @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_AUTH_SESSIONS + "\")") public VXAuthSessionList getAuthSessions(@Context HttpServletRequest request){ SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( - request, authSessionService.AUTH_SESSION_SORT_FLDS); + request, AuthSessionService.AUTH_SESSION_SORT_FLDS); searchUtil.extractLong(request, searchCriteria, "id", "Auth Session Id"); searchUtil.extractLong(request, searchCriteria, "userId", "User Id"); searchUtil.extractInt(request, searchCriteria, "authStatus", "Auth Status"); diff --git a/security-admin/src/main/java/org/apache/ranger/service/XAuditMapService.java b/security-admin/src/main/java/org/apache/ranger/service/XAuditMapService.java index 462b81acc17..a6ba2e27d72 100644 --- a/security-admin/src/main/java/org/apache/ranger/service/XAuditMapService.java +++ b/security-admin/src/main/java/org/apache/ranger/service/XAuditMapService.java @@ -72,6 +72,10 @@ public class XAuditMapService extends public XAuditMapService() { searchFields.add(new SearchField("resourceId", "obj.resourceId", SearchField.DATA_TYPE.INTEGER, SearchField.SEARCH_TYPE.FULL)); + searchFields.add(new SearchField("userId", "obj.userId", + SearchField.DATA_TYPE.INTEGER, SearchField.SEARCH_TYPE.FULL)); + searchFields.add(new SearchField("groupId", "obj.groupId", + SearchField.DATA_TYPE.INTEGER, SearchField.SEARCH_TYPE.FULL)); } @Override diff --git a/security-admin/src/main/java/org/apache/ranger/service/XPortalUserService.java b/security-admin/src/main/java/org/apache/ranger/service/XPortalUserService.java index 41c455273a3..18dcdbaf4e8 100644 --- a/security-admin/src/main/java/org/apache/ranger/service/XPortalUserService.java +++ b/security-admin/src/main/java/org/apache/ranger/service/XPortalUserService.java 
@@ -192,4 +192,79 @@ public List getTransactionLog(VXPortalUser vObj, return trxLogList; } + public void updateXXPortalUserReferences(long xXPortalUserId){ + daoManager.getXXAsset().updateUserIDReference("added_by_id", xXPortalUserId); + daoManager.getXXAsset().updateUserIDReference("upd_by_id", xXPortalUserId); + daoManager.getXXAuditMap().updateUserIDReference("added_by_id", xXPortalUserId); + daoManager.getXXAuditMap().updateUserIDReference("upd_by_id", xXPortalUserId); + daoManager.getXXAuthSession().updateUserIDReference("added_by_id", xXPortalUserId); + daoManager.getXXAuthSession().updateUserIDReference("upd_by_id", xXPortalUserId); + daoManager.getXXCredentialStore().updateUserIDReference("added_by_id", xXPortalUserId); + daoManager.getXXCredentialStore().updateUserIDReference("upd_by_id", xXPortalUserId); + daoManager.getXXGroup().updateUserIDReference("added_by_id", xXPortalUserId); + daoManager.getXXGroup().updateUserIDReference("upd_by_id", xXPortalUserId); + daoManager.getXXGroupGroup().updateUserIDReference("added_by_id", xXPortalUserId); + daoManager.getXXGroupGroup().updateUserIDReference("upd_by_id", xXPortalUserId); + daoManager.getXXGroupUser().updateUserIDReference("added_by_id", xXPortalUserId); + daoManager.getXXGroupUser().updateUserIDReference("upd_by_id", xXPortalUserId); + daoManager.getXXPermMap().updateUserIDReference("added_by_id", xXPortalUserId); + daoManager.getXXPermMap().updateUserIDReference("upd_by_id", xXPortalUserId); + daoManager.getXXPolicyExportAudit().updateUserIDReference("added_by_id", xXPortalUserId); + daoManager.getXXPolicyExportAudit().updateUserIDReference("upd_by_id", xXPortalUserId); + daoManager.getXXPortalUser().updateUserIDReference("added_by_id", xXPortalUserId); + daoManager.getXXPortalUser().updateUserIDReference("upd_by_id", xXPortalUserId); + daoManager.getXXPortalUserRole().updateUserIDReference("added_by_id", xXPortalUserId); + daoManager.getXXPortalUserRole().updateUserIDReference("upd_by_id", 
xXPortalUserId); + daoManager.getXXResource().updateUserIDReference("added_by_id", xXPortalUserId); + daoManager.getXXResource().updateUserIDReference("upd_by_id", xXPortalUserId); + daoManager.getXXTrxLog().updateUserIDReference("added_by_id", xXPortalUserId); + daoManager.getXXTrxLog().updateUserIDReference("upd_by_id", xXPortalUserId); + daoManager.getXXUser().updateUserIDReference("added_by_id", xXPortalUserId); + daoManager.getXXUser().updateUserIDReference("upd_by_id", xXPortalUserId); + //0.5 + daoManager.getXXServiceDef().updateUserIDReference("added_by_id", xXPortalUserId); + daoManager.getXXServiceDef().updateUserIDReference("upd_by_id", xXPortalUserId); + daoManager.getXXService().updateUserIDReference("added_by_id", xXPortalUserId); + daoManager.getXXService().updateUserIDReference("upd_by_id", xXPortalUserId); + daoManager.getXXPolicy().updateUserIDReference("added_by_id", xXPortalUserId); + daoManager.getXXPolicy().updateUserIDReference("upd_by_id", xXPortalUserId); + daoManager.getXXServiceConfigDef().updateUserIDReference("added_by_id", xXPortalUserId); + daoManager.getXXServiceConfigDef().updateUserIDReference("upd_by_id", xXPortalUserId); + daoManager.getXXResourceDef().updateUserIDReference("added_by_id", xXPortalUserId); + daoManager.getXXResourceDef().updateUserIDReference("upd_by_id", xXPortalUserId); + daoManager.getXXAccessTypeDef().updateUserIDReference("added_by_id", xXPortalUserId); + daoManager.getXXAccessTypeDef().updateUserIDReference("upd_by_id", xXPortalUserId); + daoManager.getXXAccessTypeDefGrants().updateUserIDReference("added_by_id", xXPortalUserId); + daoManager.getXXAccessTypeDefGrants().updateUserIDReference("upd_by_id", xXPortalUserId); + daoManager.getXXPolicyConditionDef().updateUserIDReference("added_by_id", xXPortalUserId); + daoManager.getXXPolicyConditionDef().updateUserIDReference("upd_by_id", xXPortalUserId); + daoManager.getXXContextEnricherDef().updateUserIDReference("added_by_id", xXPortalUserId); + 
daoManager.getXXContextEnricherDef().updateUserIDReference("upd_by_id", xXPortalUserId); + daoManager.getXXEnumDef().updateUserIDReference("added_by_id", xXPortalUserId); + daoManager.getXXEnumDef().updateUserIDReference("upd_by_id", xXPortalUserId); + daoManager.getXXEnumElementDef().updateUserIDReference("added_by_id", xXPortalUserId); + daoManager.getXXEnumElementDef().updateUserIDReference("upd_by_id", xXPortalUserId); + daoManager.getXXServiceConfigMap().updateUserIDReference("added_by_id", xXPortalUserId); + daoManager.getXXServiceConfigMap().updateUserIDReference("upd_by_id", xXPortalUserId); + daoManager.getXXPolicyResource().updateUserIDReference("added_by_id", xXPortalUserId); + daoManager.getXXPolicyResource().updateUserIDReference("upd_by_id", xXPortalUserId); + daoManager.getXXPolicyResourceMap().updateUserIDReference("added_by_id", xXPortalUserId); + daoManager.getXXPolicyResourceMap().updateUserIDReference("upd_by_id", xXPortalUserId); + daoManager.getXXPolicyItem().updateUserIDReference("added_by_id", xXPortalUserId); + daoManager.getXXPolicyItem().updateUserIDReference("upd_by_id", xXPortalUserId); + daoManager.getXXPolicyItemAccess().updateUserIDReference("added_by_id", xXPortalUserId); + daoManager.getXXPolicyItemAccess().updateUserIDReference("upd_by_id", xXPortalUserId); + daoManager.getXXPolicyItemCondition().updateUserIDReference("added_by_id", xXPortalUserId); + daoManager.getXXPolicyItemCondition().updateUserIDReference("upd_by_id", xXPortalUserId); + daoManager.getXXPolicyItemUserPerm().updateUserIDReference("added_by_id", xXPortalUserId); + daoManager.getXXPolicyItemUserPerm().updateUserIDReference("upd_by_id", xXPortalUserId); + daoManager.getXXPolicyItemGroupPerm().updateUserIDReference("added_by_id", xXPortalUserId); + daoManager.getXXPolicyItemGroupPerm().updateUserIDReference("upd_by_id", xXPortalUserId); + daoManager.getXXModuleDef().updateUserIDReference("added_by_id", xXPortalUserId); + 
daoManager.getXXModuleDef().updateUserIDReference("upd_by_id", xXPortalUserId); + daoManager.getXXUserPermission().updateUserIDReference("added_by_id", xXPortalUserId); + daoManager.getXXUserPermission().updateUserIDReference("upd_by_id", xXPortalUserId); + daoManager.getXXGroupPermission().updateUserIDReference("added_by_id", xXPortalUserId); + daoManager.getXXGroupPermission().updateUserIDReference("upd_by_id", xXPortalUserId); + } } diff --git a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml index 55c4f1c8bc6..f55923b2dea 100644 --- a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml +++ b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml @@ -667,4 +667,20 @@ AND obj.attributeName = :attrName + + SELECT obj FROM XXAuthSession obj WHERE obj.userId = :userId + + + + SELECT obj FROM XXGroupGroup obj WHERE obj.groupId = :groupId or obj.parentGroupId = :parentGroupId + + + + select obj from XXPolicy obj, XXPolicyItem polItem,XXPolicyItemUserPerm polItemUserPerm where + obj.id = polItem.policyId and polItem.id = polItemUserPerm.policyItemId and polItemUserPerm.userId = :userId + + + select obj from XXPolicy obj, XXPolicyItem polItem,XXPolicyItemGroupPerm polItemGroupPerm where + obj.id = polItem.policyId and polItem.id = polItemGroupPerm.policyItemId and polItemGroupPerm.groupId = :groupId + diff --git a/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java b/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java index 8ace44b4d1c..a7b6bb9b6e1 100644 --- a/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java +++ b/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java @@ -22,6 +22,7 @@ import java.util.HashMap; import java.util.HashSet; import java.util.List; +import java.util.Map; import java.util.Set; import org.apache.ranger.common.ContextUtil; 
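Review bot: updateXXPortalUserReferences has no Javadoc and issues roughly a hundred independent DAO updates with no transaction boundary visible in the hunk, so a failure partway leaves the `added_by_id`/`upd_by_id` references rewritten for some tables and not others; unless the class or its callers are already `@Transactional`, the method should be, and its Javadoc should say which user id the references are re-pointed to and that callers must remove the portal user only after it returns. The column name is passed to `updateUserIDReference` as a string; if that DAO method interpolates the name into its query, the two literals used here are fine, but the contract should be documented so no caller ever passes request-derived input. The call pairs could be collapsed by a private helper that takes the DAO and applies both columns, halving the list and making an omitted table easy to spot; the bare `//0.5` marker presumably means tables added in Ranger 0.5 and would read better spelled out, e.g. `// tables introduced with the 0.5 schema`.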
@@ -30,36 +31,57 @@ import org.apache.ranger.common.StringUtil; import org.apache.ranger.common.UserSessionBase; import org.apache.ranger.db.RangerDaoManager; +import org.apache.ranger.db.XXAuditMapDao; +import org.apache.ranger.db.XXAuthSessionDao; import org.apache.ranger.db.XXGroupDao; +import org.apache.ranger.db.XXGroupGroupDao; import org.apache.ranger.db.XXGroupPermissionDao; import org.apache.ranger.db.XXGroupUserDao; import org.apache.ranger.db.XXModuleDefDao; +import org.apache.ranger.db.XXPermMapDao; +import org.apache.ranger.db.XXPolicyDao; import org.apache.ranger.db.XXPortalUserDao; import org.apache.ranger.db.XXPortalUserRoleDao; import org.apache.ranger.db.XXUserDao; import org.apache.ranger.db.XXUserPermissionDao; +import org.apache.ranger.entity.XXAuthSession; import org.apache.ranger.entity.XXGroup; +import org.apache.ranger.entity.XXGroupGroup; import org.apache.ranger.entity.XXGroupPermission; import org.apache.ranger.entity.XXModuleDef; +import org.apache.ranger.entity.XXPolicy; import org.apache.ranger.entity.XXPortalUser; import org.apache.ranger.entity.XXPortalUserRole; +import org.apache.ranger.entity.XXTrxLog; import org.apache.ranger.entity.XXUser; import org.apache.ranger.entity.XXUserPermission; +import org.apache.ranger.plugin.model.RangerPolicy; +import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem; +import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess; +import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition; +import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource; import org.apache.ranger.security.context.RangerContextHolder; import org.apache.ranger.security.context.RangerSecurityContext; +import org.apache.ranger.service.RangerPolicyService; +import org.apache.ranger.service.XAuditMapService; import org.apache.ranger.service.XGroupPermissionService; import org.apache.ranger.service.XGroupService; import org.apache.ranger.service.XGroupUserService; import 
org.apache.ranger.service.XModuleDefService; +import org.apache.ranger.service.XPermMapService; import org.apache.ranger.service.XPortalUserService; import org.apache.ranger.service.XUserPermissionService; import org.apache.ranger.service.XUserService; +import org.apache.ranger.view.VXAuditMap; +import org.apache.ranger.view.VXAuditMapList; import org.apache.ranger.view.VXGroup; import org.apache.ranger.view.VXGroupList; import org.apache.ranger.view.VXGroupPermission; import org.apache.ranger.view.VXGroupUser; import org.apache.ranger.view.VXGroupUserList; import org.apache.ranger.view.VXModuleDef; +import org.apache.ranger.view.VXPermMap; +import org.apache.ranger.view.VXPermMapList; import org.apache.ranger.view.VXPortalUser; import org.apache.ranger.view.VXStringList; import org.apache.ranger.view.VXUser; @@ -136,6 +158,17 @@ public class TestXUserMgr { @Mock SessionMgr sessionMgr; + @Mock + XPermMapService xPermMapService; + + @Mock + XAuditMapService xAuditMapService; + + @Mock + RangerPolicyService policyService; + + @Mock + ServiceDBStore svcStore; @Rule public ExpectedException thrown = ExpectedException.none(); 
@@ -226,6 +259,43 @@ private VXPortalUser userProfile() { return userProfile; } + private RangerPolicy rangerPolicy() { + List accesses = new ArrayList(); + List users = new ArrayList(); + List groups = new ArrayList(); + List conditions = new ArrayList(); + List policyItems = new ArrayList(); + RangerPolicyItem rangerPolicyItem = new RangerPolicyItem(); + rangerPolicyItem.setAccesses(accesses); + rangerPolicyItem.setConditions(conditions); + rangerPolicyItem.setGroups(groups); + rangerPolicyItem.setUsers(users); + rangerPolicyItem.setDelegateAdmin(false); + + policyItems.add(rangerPolicyItem); + + Map policyResource = new HashMap(); + RangerPolicyResource rangerPolicyResource = new RangerPolicyResource(); + rangerPolicyResource.setIsExcludes(true); + rangerPolicyResource.setIsRecursive(true); + rangerPolicyResource.setValue("1"); + rangerPolicyResource.setValues(users); + RangerPolicy policy = new RangerPolicy(); + policy.setId(userId); + policy.setCreateTime(new Date()); + policy.setDescription("policy"); + policy.setGuid("policyguid"); + policy.setIsEnabled(true); + policy.setName("HDFS_1-1-20150316062453"); + policy.setUpdatedBy("Admin"); + policy.setUpdateTime(new Date()); + policy.setService("HDFS_1-1-20150316062453"); + policy.setIsAuditEnabled(true); + policy.setPolicyItems(policyItems); + policy.setResources(policyResource); + + return policy; + } @Test public void test11CreateXUser() { setup(); 
@@ -615,43 +685,121 @@ public void test26CreateXGroupWithoutLogin() { @Test public void test27DeleteXGroup() { setup(); - XXGroupDao xxGroupDao = Mockito.mock(XXGroupDao.class); - - VXGroupUserList vxGroupUserList = new VXGroupUserList(); - XXGroup xxGroup = new XXGroup(); boolean force = true; - Mockito.when( - xGroupUserService.searchXGroupUsers((SearchCriteria) Mockito - .anyObject())).thenReturn(vxGroupUserList); - - Mockito.when(daoManager.getXXGroup()).thenReturn(xxGroupDao); - Mockito.when(xxGroupDao.getById(userId)).thenReturn(xxGroup); - - xUserMgr.deleteXGroup(userId, force); - Mockito.verify(xGroupUserService).searchXGroupUsers( - (SearchCriteria) Mockito.anyObject()); + VXGroup vXGroup = new VXGroup(); + vXGroup.setId(userId); + vXGroup.setDescription("group test"); + vXGroup.setName("grouptest"); + // XXGroup + XXGroupDao xXGroupDao = Mockito.mock(XXGroupDao.class); + XXGroup xXGroup = new XXGroup(); + Mockito.when(daoManager.getXXGroup()).thenReturn(xXGroupDao); + Mockito.when(xXGroupDao.getById(vXGroup.getId())).thenReturn(xXGroup); + Mockito.when(xGroupService.populateViewBean(xXGroup)).thenReturn(vXGroup); + // VXGroupUser + VXGroupUserList vxGroupUserList = new VXGroupUserList(); + XXGroupUserDao xGroupUserDao = Mockito.mock(XXGroupUserDao.class); + VXGroupUser vxGroupUser = new VXGroupUser(); + vxGroupUser.setId(userId); + vxGroupUser.setName("group user test"); + vxGroupUser.setOwner("Admin"); + vxGroupUser.setUserId(userId); + vxGroupUser.setUpdatedBy("User"); + Mockito.when(xGroupUserService.searchXGroupUsers((SearchCriteria) Mockito.anyObject())) + .thenReturn(vxGroupUserList); + Mockito.when(daoManager.getXXGroupUser()).thenReturn(xGroupUserDao); + // VXPermMap + VXPermMapList vXPermMapList = new VXPermMapList(); + XXPermMapDao xXPermMapDao = Mockito.mock(XXPermMapDao.class); + Mockito.when(xPermMapService.searchXPermMaps((SearchCriteria) Mockito.anyObject())).thenReturn(vXPermMapList); + 
Mockito.when(daoManager.getXXPermMap()).thenReturn(xXPermMapDao); + // VXAuditMap + VXAuditMapList vXAuditMapList = new VXAuditMapList(); + XXAuditMapDao xXAuditMapDao = Mockito.mock(XXAuditMapDao.class); + Mockito.when(xAuditMapService.searchXAuditMaps((SearchCriteria) Mockito.anyObject())) + .thenReturn(vXAuditMapList); + Mockito.when(daoManager.getXXAuditMap()).thenReturn(xXAuditMapDao); + //XXGroupGroup + XXGroupGroupDao xXGroupGroupDao = Mockito.mock(XXGroupGroupDao.class); + List xXGroupGroups = new ArrayList(); + Mockito.when(daoManager.getXXGroupGroup()).thenReturn(xXGroupGroupDao); + Mockito.when(xXGroupGroupDao.findByGroupId(userId)).thenReturn(xXGroupGroups); + //update XXPolicyItemUserPerm + XXPolicyDao xXPolicyDao = Mockito.mock(XXPolicyDao.class); + List xXPolicyList = new ArrayList(); + XXPolicy xXPolicy = Mockito.mock(XXPolicy.class); + RangerPolicy rangerPolicy = rangerPolicy(); + Mockito.when(daoManager.getXXPolicy()).thenReturn(xXPolicyDao); + Mockito.when(xXPolicyDao.findByGroupId(userId)).thenReturn(xXPolicyList); + Mockito.when(policyService.getPopulatedViewObject(xXPolicy)).thenReturn(rangerPolicy); + xUserMgr.deleteXGroup(vXGroup.getId(), force); + Mockito.verify(xGroupUserService).searchXGroupUsers((SearchCriteria) Mockito.anyObject()); } @Test public void test28DeleteXUser() { setup(); - XXGroupUserDao xxGroupDao = Mockito.mock(XXGroupUserDao.class); - XXUserDao xxUserDao = Mockito.mock(XXUserDao.class); - VXGroupUserList vxGroupUserList = new VXGroupUserList(); boolean force = true; - - Mockito.when( - xGroupUserService.searchXGroupUsers((SearchCriteria) Mockito - .anyObject())).thenReturn(vxGroupUserList); - Mockito.when(daoManager.getXXGroupUser()).thenReturn(xxGroupDao); - Mockito.when(daoManager.getXXUser()).thenReturn(xxUserDao); - Mockito.when(xxUserDao.remove(userId)).thenReturn(true); - - xUserMgr.deleteXUser(userId, force); - Mockito.verify(xGroupUserService).searchXGroupUsers( - (SearchCriteria) Mockito.anyObject()); - 
Mockito.verify(daoManager).getXXGroupUser(); - Mockito.verify(daoManager).getXXUser(); + VXUser vXUser = vxUser(); + // XXUser + XXUser xXUser = new XXUser(); + XXUserDao xXUserDao = Mockito.mock(XXUserDao.class); + Mockito.when(daoManager.getXXUser()).thenReturn(xXUserDao); + Mockito.when(xXUserDao.getById(vXUser.getId())).thenReturn(xXUser); + Mockito.when(xUserService.populateViewBean(xXUser)).thenReturn(vXUser); + // VXGroupUser + VXGroupUserList vxGroupUserList = new VXGroupUserList(); + XXGroupUserDao xGroupUserDao = Mockito.mock(XXGroupUserDao.class); + VXGroupUser vxGroupUser = new VXGroupUser(); + vxGroupUser.setId(userId); + vxGroupUser.setName("group user test"); + vxGroupUser.setOwner("Admin"); + vxGroupUser.setUserId(vXUser.getId()); + vxGroupUser.setUpdatedBy("User"); + Mockito.when(xGroupUserService.searchXGroupUsers((SearchCriteria) Mockito.anyObject())) + .thenReturn(vxGroupUserList); + Mockito.when(daoManager.getXXGroupUser()).thenReturn(xGroupUserDao); + // VXPermMap + VXPermMapList vXPermMapList = new VXPermMapList(); + XXPermMapDao xXPermMapDao = Mockito.mock(XXPermMapDao.class); + Mockito.when(xPermMapService.searchXPermMaps((SearchCriteria) Mockito.anyObject())).thenReturn(vXPermMapList); + Mockito.when(daoManager.getXXPermMap()).thenReturn(xXPermMapDao); + // VXAuditMap + VXAuditMapList vXAuditMapList = new VXAuditMapList(); + XXAuditMapDao xXAuditMapDao = Mockito.mock(XXAuditMapDao.class); + Mockito.when(xAuditMapService.searchXAuditMaps((SearchCriteria) Mockito.anyObject())) + .thenReturn(vXAuditMapList); + Mockito.when(daoManager.getXXAuditMap()).thenReturn(xXAuditMapDao); + //XXPortalUser + VXPortalUser vXPortalUser = userProfile(); + XXPortalUser xXPortalUser = new XXPortalUser(); + XXPortalUserDao xXPortalUserDao = Mockito.mock(XXPortalUserDao.class); + Mockito.when(daoManager.getXXPortalUser()).thenReturn(xXPortalUserDao); + Mockito.when(xXPortalUserDao.findByLoginId(vXUser.getName().trim())).thenReturn(xXPortalUser); + 
Mockito.when(xPortalUserService.populateViewBean(xXPortalUser)).thenReturn(vXPortalUser); + + XXAuthSessionDao xXAuthSessionDao= Mockito.mock(XXAuthSessionDao.class); + XXUserPermissionDao xXUserPermissionDao= Mockito.mock(XXUserPermissionDao.class); + XXPortalUserRoleDao xXPortalUserRoleDao= Mockito.mock(XXPortalUserRoleDao.class); + Mockito.when(daoManager.getXXAuthSession()).thenReturn(xXAuthSessionDao); + Mockito.when(daoManager.getXXUserPermission()).thenReturn(xXUserPermissionDao); + Mockito.when(daoManager.getXXPortalUserRole()).thenReturn(xXPortalUserRoleDao); + List xXAuthSessions=new ArrayList(); + List xXUserPermissions=new ArrayList(); + List xXPortalUserRoles=new ArrayList(); + Mockito.when(xXAuthSessionDao.getAuthSessionByUserId(vXPortalUser.getId())).thenReturn(xXAuthSessions); + Mockito.when(xXUserPermissionDao.findByUserPermissionId(vXPortalUser.getId())).thenReturn(xXUserPermissions); + Mockito.when(xXPortalUserRoleDao.findByUserId(vXPortalUser.getId())).thenReturn(xXPortalUserRoles); + //update XXPolicyItemUserPerm + XXPolicyDao xXPolicyDao = Mockito.mock(XXPolicyDao.class); + List xXPolicyList = new ArrayList(); + XXPolicy xXPolicy = Mockito.mock(XXPolicy.class); + RangerPolicy rangerPolicy = rangerPolicy(); + Mockito.when(daoManager.getXXPolicy()).thenReturn(xXPolicyDao); + Mockito.when(xXPolicyDao.findByUserId(vXUser.getId())).thenReturn(xXPolicyList); + Mockito.when(policyService.getPopulatedViewObject(xXPolicy)).thenReturn(rangerPolicy); + xUserMgr.deleteXUser(vXUser.getId(), force); + Mockito.verify(xGroupUserService).searchXGroupUsers((SearchCriteria) Mockito.anyObject()); } @Test diff --git a/unixauthservice/scripts/setup.py b/unixauthservice/scripts/setup.py index b35a2617215..fface2558d2 100755 --- a/unixauthservice/scripts/setup.py +++ b/unixauthservice/scripts/setup.py 
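Review bot: In test27DeleteXGroup and test28DeleteXUser the stub `Mockito.when(policyService.getPopulatedViewObject(xXPolicy)).thenReturn(rangerPolicy)` is never reached, because `xXPolicyList` stays empty and the `findByGroupId`/`findByUserId` stubs return that empty list, so the policy-reference cleanup this change introduces is not exercised; add `xXPolicyList.add(xXPolicy);` after the list is created and verify the resulting policy update. Both tests also run only with `force = true`, while the REST layer now defaults to `false`; a non-forced case (for instance with a non-empty `vxGroupUserList`) would pin what the non-forced path refuses to delete. The sole assertion, `Mockito.verify(xGroupUserService).searchXGroupUsers(...)`, passed before this change as well — verifying the DAO `remove` calls (the old test stubbed `xxUserDao.remove(userId)`) would tie the tests to the behavior under change.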
@@ -267,13 +267,13 @@ def initializeInitD(ownerName): for prefix in initPrefixList: scriptFn = prefix + initdProgramName scriptName = join(rcDir, scriptFn) - if isfile(scriptName): + if isfile(scriptName) or os.path.islink(scriptName): os.remove(scriptName) os.symlink(initdFn,scriptName) userSyncScriptName = "ranger-usersync-services.sh" localScriptName = os.path.abspath(join(installPropDirName,userSyncScriptName)) ubinScriptName = join("/usr/bin",initdProgramName) - if isfile(ubinScriptName): + if isfile(ubinScriptName) or os.path.islink(ubinScriptName): os.remove(ubinScriptName) os.symlink(localScriptName,ubinScriptName) From 4b6b641008feca7834d5f2a97cd954aa31065298 Mon Sep 17 00:00:00 2001 From: Colm O hEigeartaigh Date: Thu, 11 Feb 2016 10:53:31 -0800 Subject: [PATCH 155/202] RANGER-841 Remove deprecated junit.framework dependencies Signed-off-by: Alok Lal --- .../plugin/errors/TestValidationErrorCode.java | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/errors/TestValidationErrorCode.java b/agents-common/src/test/java/org/apache/ranger/plugin/errors/TestValidationErrorCode.java index 46b19660924..9336377d545 100644 --- a/agents-common/src/test/java/org/apache/ranger/plugin/errors/TestValidationErrorCode.java +++ b/agents-common/src/test/java/org/apache/ranger/plugin/errors/TestValidationErrorCode.java @@ -20,8 +20,9 @@ package org.apache.ranger.plugin.errors; import com.google.common.collect.ImmutableSet; -import junit.framework.TestCase; import org.apache.ranger.plugin.model.validation.ValidationFailureDetails; +import org.junit.Assert; +import org.junit.Test; import java.util.HashSet; import java.util.Set; 
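Review bot: `isfile(scriptName) or os.path.islink(scriptName)` can be expressed with the stdlib helper meant for exactly this case, `if os.path.lexists(scriptName):`, which is true for regular files and for symlinks whether or not their target exists; the same applies to the `ubinScriptName` check below. The enclosing function initializeInitD starts before this hunk. A path that exists as a directory still raises from `os.remove`, which is probably the right failure for an installer, but a comment such as `# replace any stale file or dangling symlink before re-linking` would make the intent of the widened check clear.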
@@ -29,14 +30,14 @@ /** * Created by alal on 7/30/15. */ -public class TestValidationErrorCode extends TestCase { - +public class TestValidationErrorCode { + @Test public void testUserMessage() throws Exception { ValidationErrorCode errorCode = ValidationErrorCode.SERVICE_VALIDATION_ERR_UNSUPPORTED_ACTION; String aParameter = "FOO"; String expected = errorCode._template.replace("{0}", aParameter); - assertEquals(expected, errorCode.getMessage(aParameter)); + Assert.assertEquals(expected, errorCode.getMessage(aParameter)); } /** @@ -46,6 +47,7 @@ public void testUserMessage() throws Exception { * This check is far from perfect. It may give false alarms if the message itself contains strings of the form {1} * which have been escaped using single quotes. If that happens we would have to make this test smarter. */ + @Test public void testTemplates() { // we check up to 5 substitution variables. If there are more than 5 then you probably have a different set of problems @@ -65,7 +67,7 @@ public void testTemplates() { } // check for incorrectly numbers substition variable placeholders for (ValidationErrorCode anEnum : mustNot) { - assertFalse(anEnum.toString() + ": contains " + token + ". Check for wongly numberd substition variable placeholders.", + Assert.assertFalse(anEnum.toString() + ": contains " + token + ". Check for wongly numberd substition variable placeholders.", anEnum._template.contains(token)); } } 
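Review bot: The message carried into the new `Assert.assertFalse` in testTemplates keeps three typos from the old line — `wongly numberd substition`; since the line is being rewritten anyway it should read `. Check for wrongly numbered substitution variable placeholders.`. The rest of the hunk is the junit.framework-to-org.junit migration and needs no change.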
@@ -74,12 +76,13 @@ public void testTemplates() { /** * Test if the values assigned to the validation error code are unique or not. */ + @Test public void testValidationErrorCodesUnique() { Set errorCodes = new HashSet<>(); for (ValidationErrorCode anEnum : ValidationErrorCode.values()) { int errorCode = anEnum.getErrorCode(); // errorCode that we see must not have been seen so far. - assertFalse("ValidationErrorCode: error code [" + errorCode + "] used multiple times!", errorCodes.contains(errorCode)); + Assert.assertFalse("ValidationErrorCode: error code [" + errorCode + "] used multiple times!", errorCodes.contains(errorCode)); errorCodes.add(errorCode); } } From 082d0f282885eee9fa3c2f13f1e763e77d425f2e Mon Sep 17 00:00:00 2001 
From: Gautam Borad Date: Fri, 12 Feb 2016 15:55:30 +0530 Subject: [PATCH 156/202] RANGER-799 : Ranger UI fixes - partial search not working on Policy listing page --- .../apache/ranger/util/RangerRestUtil.java | 14 - .../src/main/webapp/ajax_failure.jsp | 31 -- .../src/main/webapp/ajax_success.html | 26 -- .../src/main/webapp/images/data-grey.png | Bin 1468 -> 0 bytes .../main/webapp/images/database_table_32.png | Bin 1329 -> 0 bytes .../src/main/webapp/images/folder.png | Bin 920 -> 0 bytes .../src/main/webapp/images/folder2.png | Bin 946 -> 0 bytes .../src/main/webapp/images/hbase.jpg | Bin 4575 -> 0 bytes .../src/main/webapp/images/hdfs.jpg | Bin 5232 -> 0 bytes .../src/main/webapp/images/hive.png | Bin 20483 -> 0 bytes .../src/main/webapp/images/hline.png | Bin 99 -> 0 bytes .../src/main/webapp/images/knox.gif | Bin 2347 -> 0 bytes .../src/main/webapp/images/knox1.png | Bin 34126 -> 0 bytes .../src/main/webapp/images/router-grey.png | Bin 1533 -> 0 bytes .../src/main/webapp/images/storm.png | Bin 6174 -> 0 bytes .../src/main/webapp/images/storm1.png | Bin 19620 -> 0 bytes .../src/main/webapp/images/task-grey.png | Bin 1187 -> 0 bytes security-admin/src/main/webapp/index.html | 5 - security-admin/src/main/webapp/login.jsp | 17 - .../collection_bases/VXAuditRecordListBase.js | 60 --- .../scripts/collections/VXAuditRecordList.js | 36 -- .../webapp/scripts/controllers/Controller.js | 38 +- .../main/webapp/scripts/mgrs/SessionMgr.js | 3 +- .../scripts/model_bases/VXAuditRecordBase.js | 106 ----- .../webapp/scripts/models/VXAuditRecord.js | 80 ---- .../src/main/webapp/scripts/models/VXGroup.js | 13 +- .../webapp/scripts/models/VXPortalUser.js | 4 +- .../main/webapp/scripts/modules/XALinks.js | 8 +- .../scripts/modules/globalize/message/en.js | 11 +- .../src/main/webapp/scripts/utils/XAUtils.js | 5 +- .../scripts/views/accounts/AccountCreate.js | 133 ------ .../views/accounts/AccountDetailLayout.js | 90 ---- .../scripts/views/accounts/AccountForm.js | 86 ---- 
.../views/accounts/AccountTableLayout.js | 194 -------- .../webapp/scripts/views/common/AddGroup.js | 80 ++-- .../scripts/views/common/BreadCrumbs.js | 2 +- .../scripts/views/common/FormInputItemList.js | 426 ------------------ .../webapp/scripts/views/common/TopNav.js | 2 +- .../views/common/UserPermissionList.js | 124 ++--- .../webapp/scripts/views/common/XABackgrid.js | 20 +- .../scripts/views/common/XATableLayout.js | 10 +- .../scripts/views/folders/FolderInfo.js | 173 ------- .../scripts/views/kms/KMSTableLayout.js | 44 +- .../webapp/scripts/views/kms/KmsKeyCreate.js | 13 +- .../permissions/ModulePermissionCreate.js | 93 ++-- .../views/permissions/ModulePermissionForm.js | 51 ++- .../permissions/ModulePermsTableLayout.js | 50 +- .../scripts/views/policies/PermissionList.js | 15 +- .../views/policies/RangerPolicyTableLayout.js | 11 +- .../views/policymanager/ServiceLayout.js | 7 +- .../scripts/views/reports/AuditLayout.js | 244 +++++----- .../views/reports/LoginSessionDetail.js | 3 - .../views/reports/OperationDiffDetail.js | 67 +-- .../reports/PlugableServiceDiffDetail.js | 4 - .../scripts/views/reports/UserAccessLayout.js | 43 +- .../views/service/ConfigurationList.js | 8 +- .../scripts/views/service/ServiceCreate.js | 23 +- .../scripts/views/service/ServiceForm.js | 26 +- .../views/service/ServiceTableLayout.js | 164 ------- .../webapp/scripts/views/user/UserProfile.js | 24 +- .../scripts/views/user/UserProfileForm.js | 21 +- .../webapp/scripts/views/users/GroupCreate.js | 20 +- .../webapp/scripts/views/users/UserCreate.js | 38 +- .../webapp/scripts/views/users/UserForm.js | 23 +- .../scripts/views/users/UserTableLayout.js | 24 +- .../accounts/AccountCreate_tmpl.html | 28 -- .../accounts/AccountDetailLayout_tmpl.html | 88 ---- .../templates/accounts/AccountForm_tmpl.html | 23 - .../accounts/AccountTableLayout_tmpl.html | 31 -- .../templates/asset/AssetCreate_tmpl.html | 36 -- .../templates/asset/AssetForm_tmpl.html | 69 --- 
.../asset/AssetTableLayout_tmpl.html | 29 -- .../webapp/templates/common/Footer_tmpl.html | 14 - .../common/PolicyManagerLayout_tmpl.html | 274 ----------- .../templates/common/ProfileBar_tmpl.html | 37 -- .../webapp/templates/common/TopNav_tmpl.html | 1 - .../templates/common/UserPermissionList.html | 1 - .../webapp/templates/common/breadcrumbs.html | 16 - .../templates/common/formInputItem.html | 54 --- .../templates/common/formInputItemList.html | 42 -- .../templates/folders/FolderInfo_tmpl.html | 134 ------ .../hbase/HbasePolicyCreate_tmpl.html | 48 -- .../templates/hbase/HbasePolicyForm_tmpl.html | 56 --- .../hbase/HbaseTableLayout_tmpl.html | 41 -- .../templates/hdfs/HDFSTableLayout_tmpl.html | 41 -- .../templates/hdfs/PolicyCreate_tmpl.html | 48 -- .../templates/hdfs/PolicyForm_tmpl.html | 61 --- .../webapp/templates/helpers/XAHelpers.js | 58 ++- .../templates/hive/HivePolicyCreate_tmpl.html | 49 -- .../templates/hive/HivePolicyForm_tmpl.html | 67 --- .../templates/hive/HiveTableLayout_tmpl.html | 41 -- .../templates/kms/KmsKeyCreate_tmpl.html | 1 - .../templates/kms/KmsTableLayout_tmpl.html | 9 - .../webapp/templates/knox/KnoxInfo_tmpl.html | 106 ----- .../templates/knox/KnoxPolicyCreate_tmpl.html | 49 -- .../templates/knox/KnoxPolicyForm_tmpl.html | 55 --- .../templates/knox/KnoxTableLayout_tmpl.html | 41 -- .../templates/license/LicenseCreate_tmpl.html | 47 -- .../templates/license/LicenseInfo_tmpl.html | 59 --- .../ModulePermissionForm_tmpl.html | 2 - .../templates/policies/PermissionList.html | 1 - .../reports/AssetOperationDiff_tmpl.html | 7 +- .../templates/reports/AuditLayout_tmpl.html | 2 - .../KnoxPolicyDeleteOperationDiff_tmpl.html | 1 - .../reports/KnoxPolicyOperationDiff_tmpl.html | 1 - .../KnoxPolicyUpdateOperationDiff_tmpl.html | 2 - .../reports/LoginSessionDetail_tmpl.html | 1 - .../PlugableServicePolicyDeleteDiff_tmpl.html | 1 - .../PlugableServicePolicyUpdateDiff_tmpl.html | 1 - .../PolicyDeleteOperationDiff_tmpl.html | 1 - 
.../reports/PolicyOperationDiff_tmpl.html | 1 - .../PolicyUpdateOperationDiff_tmpl.html | 3 - .../reports/UserAccessLayout_tmpl.html | 23 +- .../reports/UserUpdateOperationDiff_tmpl.html | 2 - .../service/ConfigurationList_tmpl.html | 3 - .../templates/service/ServiceCreate_tmpl.html | 2 +- .../storm/StormPolicyCreate_tmpl.html | 49 -- .../templates/storm/StormPolicyForm_tmpl.html | 55 --- .../storm/StormTableLayout_tmpl.html | 41 -- .../templates/user/UserProfileForm_tmpl.html | 12 - .../webapp/themejs/1.3.0/bootstrap.min.js | 1 - 121 files changed, 508 insertions(+), 4271 deletions(-) delete mode 100644 security-admin/src/main/webapp/ajax_failure.jsp delete mode 100644 security-admin/src/main/webapp/ajax_success.html delete mode 100644 security-admin/src/main/webapp/images/data-grey.png delete mode 100644 security-admin/src/main/webapp/images/database_table_32.png delete mode 100644 security-admin/src/main/webapp/images/folder.png delete mode 100644 security-admin/src/main/webapp/images/folder2.png delete mode 100644 security-admin/src/main/webapp/images/hbase.jpg delete mode 100644 security-admin/src/main/webapp/images/hdfs.jpg delete mode 100644 security-admin/src/main/webapp/images/hive.png delete mode 100644 security-admin/src/main/webapp/images/hline.png delete mode 100644 security-admin/src/main/webapp/images/knox.gif delete mode 100644 security-admin/src/main/webapp/images/knox1.png delete mode 100644 security-admin/src/main/webapp/images/router-grey.png delete mode 100644 security-admin/src/main/webapp/images/storm.png delete mode 100644 security-admin/src/main/webapp/images/storm1.png delete mode 100644 security-admin/src/main/webapp/images/task-grey.png delete mode 100644 security-admin/src/main/webapp/scripts/collection_bases/VXAuditRecordListBase.js delete mode 100644 security-admin/src/main/webapp/scripts/collections/VXAuditRecordList.js delete mode 100644 security-admin/src/main/webapp/scripts/model_bases/VXAuditRecordBase.js delete mode 100644 
security-admin/src/main/webapp/scripts/models/VXAuditRecord.js delete mode 100644 security-admin/src/main/webapp/scripts/views/accounts/AccountCreate.js delete mode 100644 security-admin/src/main/webapp/scripts/views/accounts/AccountDetailLayout.js delete mode 100644 security-admin/src/main/webapp/scripts/views/accounts/AccountForm.js delete mode 100644 security-admin/src/main/webapp/scripts/views/accounts/AccountTableLayout.js delete mode 100644 security-admin/src/main/webapp/scripts/views/common/FormInputItemList.js delete mode 100644 security-admin/src/main/webapp/scripts/views/folders/FolderInfo.js delete mode 100644 security-admin/src/main/webapp/scripts/views/service/ServiceTableLayout.js delete mode 100644 security-admin/src/main/webapp/templates/accounts/AccountCreate_tmpl.html delete mode 100644 security-admin/src/main/webapp/templates/accounts/AccountDetailLayout_tmpl.html delete mode 100644 security-admin/src/main/webapp/templates/accounts/AccountForm_tmpl.html delete mode 100644 security-admin/src/main/webapp/templates/accounts/AccountTableLayout_tmpl.html delete mode 100644 security-admin/src/main/webapp/templates/asset/AssetCreate_tmpl.html delete mode 100644 security-admin/src/main/webapp/templates/asset/AssetForm_tmpl.html delete mode 100644 security-admin/src/main/webapp/templates/asset/AssetTableLayout_tmpl.html delete mode 100644 security-admin/src/main/webapp/templates/common/PolicyManagerLayout_tmpl.html delete mode 100644 security-admin/src/main/webapp/templates/common/formInputItem.html delete mode 100644 security-admin/src/main/webapp/templates/common/formInputItemList.html delete mode 100644 security-admin/src/main/webapp/templates/folders/FolderInfo_tmpl.html delete mode 100644 security-admin/src/main/webapp/templates/hbase/HbasePolicyCreate_tmpl.html delete mode 100644 security-admin/src/main/webapp/templates/hbase/HbasePolicyForm_tmpl.html delete mode 100644 security-admin/src/main/webapp/templates/hbase/HbaseTableLayout_tmpl.html delete 
mode 100644 security-admin/src/main/webapp/templates/hdfs/HDFSTableLayout_tmpl.html delete mode 100644 security-admin/src/main/webapp/templates/hdfs/PolicyCreate_tmpl.html delete mode 100644 security-admin/src/main/webapp/templates/hdfs/PolicyForm_tmpl.html delete mode 100644 security-admin/src/main/webapp/templates/hive/HivePolicyCreate_tmpl.html delete mode 100644 security-admin/src/main/webapp/templates/hive/HivePolicyForm_tmpl.html delete mode 100644 security-admin/src/main/webapp/templates/hive/HiveTableLayout_tmpl.html delete mode 100644 security-admin/src/main/webapp/templates/knox/KnoxInfo_tmpl.html delete mode 100644 security-admin/src/main/webapp/templates/knox/KnoxPolicyCreate_tmpl.html delete mode 100644 security-admin/src/main/webapp/templates/knox/KnoxPolicyForm_tmpl.html delete mode 100644 security-admin/src/main/webapp/templates/knox/KnoxTableLayout_tmpl.html delete mode 100644 security-admin/src/main/webapp/templates/license/LicenseCreate_tmpl.html delete mode 100644 security-admin/src/main/webapp/templates/license/LicenseInfo_tmpl.html delete mode 100644 security-admin/src/main/webapp/templates/storm/StormPolicyCreate_tmpl.html delete mode 100644 security-admin/src/main/webapp/templates/storm/StormPolicyForm_tmpl.html delete mode 100644 security-admin/src/main/webapp/templates/storm/StormTableLayout_tmpl.html delete mode 100644 security-admin/src/main/webapp/themejs/1.3.0/bootstrap.min.js diff --git a/security-admin/src/main/java/org/apache/ranger/util/RangerRestUtil.java b/security-admin/src/main/java/org/apache/ranger/util/RangerRestUtil.java index eb34b4267b5..6672c5a1dc2 100644 --- a/security-admin/src/main/java/org/apache/ranger/util/RangerRestUtil.java +++ b/security-admin/src/main/java/org/apache/ranger/util/RangerRestUtil.java 
@@ -101,26 +101,12 @@ public void validateVUserProfileForUpdate(XXPortalUser gjUser, userProfile.getFirstName(), gjUser.getFirstName(), StringUtil.VALIDATION_NAME, "Invalid first name", MessageEnums.INVALID_INPUT_DATA, null, "firstName")); - - userProfile.setLastName(restErrorUtil.validateStringForUpdate( - userProfile.getLastName(), gjUser.getLastName(), - StringUtil.VALIDATION_NAME, "Invalid last name", - MessageEnums.INVALID_INPUT_DATA, null, "lastName")); - // firstName if (!stringUtil.isValidName(userProfile.getFirstName())) { logger.info("Invalid first name." + userProfile); messageList.add(MessageEnums.INVALID_INPUT_DATA.getMessage(null, "firstName")); } - - // lastName - if (!stringUtil.isValidName(userProfile.getLastName())) { - logger.info("Invalid last name." + userProfile); - messageList.add(MessageEnums.INVALID_INPUT_DATA.getMessage(null, - "lastName")); - } - // create the public screen name userProfile.setPublicScreenName(userProfile.getFirstName() + " " + userProfile.getLastName()); diff --git a/security-admin/src/main/webapp/ajax_failure.jsp b/security-admin/src/main/webapp/ajax_failure.jsp deleted file mode 100644 index b48064cced6..00000000000 --- a/security-admin/src/main/webapp/ajax_failure.jsp +++ /dev/null @@ -1,31 +0,0 @@ - - -<% - int ajaxReturnCode = 401; - //PropertiesUtil.getIntProperty("ranger.ajax.auth.required.code", 401); - response.sendError(ajaxReturnCode); -%> - - - -Insert title here - - -Failure - - \ No newline at end of file diff --git a/security-admin/src/main/webapp/ajax_success.html b/security-admin/src/main/webapp/ajax_success.html deleted file mode 100644 index 52023cacffd..00000000000 --- a/security-admin/src/main/webapp/ajax_success.html +++ /dev/null @@ -1,26 +0,0 @@ - - - - - -Insert title here - - -Success - - \ No newline at end of file 
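Review bot: Removing both the `validateStringForUpdate` call and the `isValidName` check leaves the last name completely unvalidated, yet the final context line still concatenates it into the public screen name via `userProfile.setPublicScreenName(userProfile.getFirstName() + " " + userProfile.getLastName())`, so a client-supplied value that the name validator would have rejected (length or character set) now reaches a field that other users see, while firstName on the same path is still checked. If the intent is only to make the last name optional, keep the check and skip it for an empty value, e.g. `if (userProfile.getLastName() != null && !userProfile.getLastName().isEmpty() && !stringUtil.isValidName(userProfile.getLastName())) {` followed by the original `messageList.add(MessageEnums.INVALID_INPUT_DATA.getMessage(null, "lastName"));`. If `validateStringForUpdate` previously fell back to `gjUser.getLastName()` for a blank input, the screen name may now be built from a null last name; worth confirming against the caller. `validateVUserProfileForUpdate` begins and ends outside this hunk.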
diff --git a/security-admin/src/main/webapp/images/data-grey.png b/security-admin/src/main/webapp/images/data-grey.png deleted file mode 100644 index dabec13279c0d37095b141411848788cb315a800..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1468 zcmeAS@N?(olHy`uVBq!ia0vp^B0wz8!3HF`W%CyUDajJoh?3y^w370~qErUQl>DSr z1<%~X^wgl##FWaylc_cg49rTIArU1JzCKpT`MG+DAT@dwxdlMo3=B5*6$OdO*{LN8 zNvY|XdA3ULckfqH$V{%1*XSQL?vFu&J;D8jzb> zlBiITo0C^;Rbi_HHrEQs1_|pcDS(xfWZNo192Makpx~Tel&WB=XRMoSU}&gdW~OIo zVrph)sH0$HU}&Uo07PcGh9*{~W>!Y#3Q(W~w5=#5%__*n4QdyVXRDM^Qc_^0uU}qX zu2*iXmtT~wZ)j<02{OaTNEfI=x41H|B(Xv_uUHvof=g;~a#3bMNoIbY0?5R~r2Ntn zTP2`NAzsKWfE$}v3=Jk=fazBx7U&!58GyV5Q|Rl9UukYGTy=3tP%6T`SPd=?sVqp< z4@xc0FD*(2MqHXQ$f^P>=c3falKi5O{QMkPCT6mkoIHoK%2WtOF;xE1B+DuBIgm5JLeCOFN5 z>P^Az7E_#h^?{Dj2SqGWM8kxDsRzV_CtDx~p72xifT_I*n5T}(Jb1Z4uwJQ}clfk|$2Y+lRZ4f3xZ^s;RhyV9Gi)^bFwOJe2^cfHM0FPgR&9Q4=i zIl|?8@%ER)zP=I6=5rpHSup-iFxD`aPME9yuPOiBSM>_c!=D;r{;5tk725Oq&fVa} zvjwi+lUP-2`uyw{?H#jM(;l0-=I&rMJ5=TWk8|^fi*MC}H*xf4 zPO!Pg9z12e^||{IIjpM}o_hW>LR%|Lv83aE@u}29t1URE$M);r(R_T*=be-ns?hzui81=*1-4QE7iS>CSpHdowX3X keD1q)%d)0llNgv8&L3aEwCC;ir=arG)78&qol`;+0F1RNX#fBK 
diff --git a/security-admin/src/main/webapp/images/database_table_32.png b/security-admin/src/main/webapp/images/database_table_32.png deleted file mode 100644 index 14bb068c3c60331c021e5c68b78effcd92b49941..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1329 zcmV-11tP9FRdW9Lz`Jk|UB2fDi|6L?-4VA-LJb zG0A}gBJqcy*w{qtwKv}HbW_zc<6X~gocI%HZSCy5ovE&>_o{nFAQ)zX5@u#+P+rY_`tl2>PSaohb^~z8QjY8PJ#gP4n^V3}#A?1+A1Q^J_L^{ruKWGB z^L+%pMwZ)d0Fun(Y!4o2M{DaYNGYf+n(Mu0d@d=1)|O^;ceWE|tK;ni1zZ71ykm6Y zJbJpj(B8I>GWDn!#?rvy@TXWPA-lYS@rg-PC@%DWyOIRhn?xd+gh$qtPFqR}g#wD@BFd#Ad@YdoCCuQ7ZDrmvFw$%3 z4ORN=a*y&b2m>N(7iz(2j$OuTg>vjK4w>6rsB^-dubiAMfj@-)@+@smGZ* zP5L_eIm+7J=y3r0pT&jmmNLsH+S>NpF1UlbfCI2*g5&j-95PEwxcc`3j&x*#T3QJO z3QZ>z5z4(Ps|3VxW2(dioCpq}LL%^AeEt+JO-*BNZUKMJ&cbmLP!45H8CNPLs)9mS zX9pgC>=?fMehfcmp5b-DdQqf>U8;Z&GVj5siP$-JO&r(shxRLYw?-9~f<1fpJ~?sW zq7`9xcPCOTLQ=nVWD}Gq6pP4aS1|eOMR@r+9DVc{ISZBnMb-Fe{1T2I?jensY5*~u zDb;K1OEmz8XYt9|)btf36A3HAWWozXSR?_m2uXmYa)~B2_Flfx=QgDi#WdMt(6&+c z#Bo8mtm%zv8-{#2EVht)KC+|eJi;gh+oIe`Qi`<-NXeM669g3yb-1o+&f0ZAUt5?z z>$&P_kN}l(;BhxN%JR-ZaChXjMlQFE#cPW=c=!Eu4L1RcE9jskP2xF{N?q;!IL^LI zgT0`c>;PHE8$)M*c(7F?yPB`t3j_t`rgp>GeHXOb1iw-Vt`V@SBv0m3ke1_6>~Wkm z%WS-Q{9dHr`3CvH-u+yGJlPfQhBH&t=YvmRuC&%B>-GX-2qUAHaq@6Ct%lW!9LjQJ z><>Kk&^;UCMpyks{+)0~<4q;&L@WjMstbT6MQXLek~L!EwSv==W@DVy!&RYF)@dNN zc5~$RzIAe88XPtm99g=N*en(raATZ(1_7XP0MSS}vR*791qu4{XjS!f&4RNTyuof* zSAuh+m+Gz*VY?+LIM#t(aJGQ+*K-f|)JH<&POpF1M8l7n4)L$YF59EtA|4H%i|3TJ z5!}i{o-jLun~gMp>OR--(JZ1wYy)pNkGO>jC@FRX7aNIiczkM2$#G}AvW-kkTTyKm zk9_vhLUvOT-e{crWok$8EsL-=!|mXvkp`r|e>S4I)&<}ydD9y$e>;G?N>t(^^qrZ> z!IlBMUG_B^RZgJ#z-zXM+xG%W)S12T5%0jYMNgB_YY*DUlDC-we)pRvyDH+ZX}lM$ n+b?g=@Wbbj0{-vuuK)u86psd$cJ1%!00000NkvXXu0mjfS5$dl 
diff --git a/security-admin/src/main/webapp/images/folder.png b/security-admin/src/main/webapp/images/folder.png deleted file mode 100644 index 0613c6bf05befc4ce6700dce0838100fcb95bdb7..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 920 zcmV;J184k+P)4nSjKVq$187pP13^z=QGK`IOyZu9sMUP6Q@)Z)Ha3SDXMVQqC1d5KE;|ZJV z%)j#tNCUh4O;R*5s_6Fiwva2Bo}R9OSEs0}%w~{f&myqCzMd1voHUb}7E_Bk(ab5# zRk3ysQe4Jho@_b?F2|#zBli_JoCP32W8xGJm%*y+YF!@A8gMy&ly3YrF!vsc?PrK$ zDYlh?$H&K*^mfoUNO$=)xuVt_PWT}NTEeu7aBXdE|K#MPD#PmPs%ga#@%26GAh2o0 z;77s&KR!M_{_>W9UO_^YH&0Jbf68%jaj~MO0}=Dbhzj>nONI?$B<#`4Y3WH{TwJuZ zVP$1y8;mAP9|HC>gjN0w1%Ok;yvOEWtp9m%h%JKF08lITGa#~I6M$V#Aal|TiH=Uf zGDbSoin%}5&QU6r0t{uuWR9R(_YJaa6Ifneb`t2@S&-uF?Cjl*sGyMjFxE4Ccz6gY zxJJKQ@fv3zplV|b9q#Ny`v5f+>V@c7)-#-)o!!5=xv9!9KR;iGOrbx?$ZmLfc^L_R zW@aY7zP`5m0KZx&cJmjniP7|dsi`T`2iOy&;=|r&J#eHL2@X1?=>vCnccu?;$Zd2@ zVeo6qegz_c(F{(n&J{85-QVAj)CVRfC$~6#jiCBH;HM$R`UsGgoIvK3&ZZAQCNn&cF}?y9dFd$% z!Fq;LP$WB_(FZ8*T_*vf^t=T~)M44+4~s9|sDtb#V1{5uT=n38&E5v0k}K${NRW!p uEEzTujFMI=F+oiq;M*E~S72E`;o~>?Qa&bQ$QT*`0000tY=i>smIZd5Lqt8ky}eDYuCD&N`>ZDjq`+N5t-kFunpLJ~Tyr%d61zk)0(*OV zO%h9>hhGKk5>1KpNZ9l9^HcT>f&KmcjuIIpF(1h3hjjoQ zbY(ZS4uA!w`uk@nsUZfh#UP@V98YT&1Vq#)B#lp+V$}0&G6jP9qky4ORR*_OZTIHl*Qc_Y1 z$M56K|1s%f&tW^j#t2*kHfcd@01X?6mJM{+3Gf{iNDDeP;2)!-X8_aCf*6mY+N=PG zh87Gy!N^EY`v-A!1i)-`^z1@sWYGx>99(Cw7}p+M^AIiFV6;mXlZEa!F1ri363;7Vr1hmLea6G;S|cX z^^6~pm9wi{kXN|UA*}gm^NEVi?Fv`t@x}%Zwj)ZygJW}6)yqSIbaamJ$Jf3y>jQ@ z(9p*d)@d|t5)K$xU05W+9)yOPA%j>My2f0Ft(t`CoqY$&@9RJS5Wk&(7EaWZA%3k+z0I0&Ae zq7mC|DO}`7ozM&B5D_WU;QQuFa>Z8{1eAFzcGf&578U|A_0lM({5P#(u33wRq%Agwbly0N<=OuxZ zIIiu=*`V z*ZJM^`w<(g;B#RLx2culJR=&Xy!*syV@IkmNm&W{j^3!JNMRQLm0`hC^neDZ z2kR^RJoPmB7E_`8K9gG~nhCohw~L_KOEG^rb)%cMrdLN zc4UsdYd6sEX^{zXHGoT5dhjvu|N#IdyeP*d_UCJt-Ic76B!{Kf+ zn$#qcf{uX|^j=gpfnz4L>#g&HrdmhqN_#ae%#EG9BW)ShjiJ8XX+;RGp3vlH@ZEu{ zaHBiJk!B}R!SOj6J%_;6Xq_kzJxhw$DspM*l2=xU>+DvzY@@`tc>R(~vA&C{U{d2J zW_vHAo`Uhr?*9P9DX60_&~Yb}+|ZS3cgck^-MP%oJh_p+)9-Z_ 
zUjiV70=YthuTCO_@V@l3Q?I1%DoE}PUJrd8Dx*VoE zvYs*3AFNsjxSDt*$>oN z-XYJ{^<$?C!!Oq%DYgtZLESu*$YkB}9kpO<8f`&deY+mLA< z)B3~xKt!o%>Ef^Wee{m8?uWe9LUrEkmbZjEV_K(Of3M8%tlbpuNE2kLJp`IrFm5ly zCqp^lcmnuWLWbi!>i~OCik6m>sZ#RllITW?NCjuly@4PSpHD$peRw33fJ^P*Wi6Vn z`bM>3vQ&wkVmZ1hxpotwfVgaDBln>9z>ZItYGcsM6}ESI=c;0j{)S8!w@yE9sz#=m z8tdwuI%^YsAu4UD(%HsnfNyd{rlF17_N?rX-SDdd&7CP0iygXDbQqt|6+}6sYJ_Pq z5#rKqVQ>*sIDYljcxB1W&z_xAk^$Pu7gA9PxZli))=iG9Q6s7-UJ7oaW&lI6yMNB( z5I7_JG}+g~wyvWz4wjbmV6+-)w3n7MZgz1xQz6bxwzMr&bMFs(Q$uy=&HmUxt}wol z0eANO(r`8$-&biScwPoswBC$amz+p=%Ly%l4g+9gylA{z_@bjd);!kBda*PEUjD+y^MR}y8&1A)4RdxJ_uoZC&2{Vz z`S#1}bn{v#DPI@F-+Eio7PlM4s#!TZKvrBQ=;j%rNMG*Q3%1%AX8m56e{Zj5lX-tI zBXRdHO19m|?M)lGed&v-Q=m>d07by#hdb8`O!Q}mQr)_FC-4)?-hWTALT%x!e79

-R%lAs>Q|4dGyF9=Vrv+*a6@}gUCY<%^cy0G`Y4RbW)n((1@H z4B-$+qE>(X>+^xE4V&0)f?Kct{Y=vA!Q$d^+Mz#bEfBe?X0u+~ljP^KPK)8f*Sn?i zhqFpI-~q1gNDuk#H*8||DJW+{lW#)hk~%-?y%SkD%ZBZ5j5FBj=1vJK!*AB3#&1-K zZFHp={z|VJnC|bh`u5Bbf$?vOed=Ol>ZsL{Hf)+_i@qLfk?;z$iyQ5G7_NKCmds~* z+iFdv#+B&}#te#TqsmXMlY}#Mv~QYc3cRL94Q@`Gyt*v>UcUVeMW6U`$={7I&(GTB z&!XM5&*B%}TfVix>=b+ys?5M7Vw~oElSWl)$E;+<3E5@FUUMb}%N7k?)evpPzM)$c zzMY99Obui1k=cSaOh;|klOuuIuj(-*by@(=ZY$rwbT<~dO~aB z!Q*Jmm+ee-*2KB@6NO;v%u2aFjLldP7n^ z5Fb_++`~M^pAf(%h1XrrzP@NC$^Ln1BM9zyJU7Md?pf{htbjiy{p0#G%Hyi3k2)0F zlrK6p^bv6M5vMfiWbKKYj}A)qbO>0!{V&`zb}8b1D(C9b`p4|S`+G5JN#H!lQHqk0<6nLg-t@r_SZW;~`aMYIzA1~5F&{;%- z$K)r$W+gG@E>Iz26_lEB6%yN;xUa@{GDyy8TYW=h;Cz2kYvWJpo!`+vez|^8=O(x- ze^>G?E3FSxWLL}~9s*hwnOiTSAGa@>2IW2cx_iKXkm%c#ubR6RPT^-5R2%)-s!sb( z*_EJ07U1@{@hU+(n#&Ksz>#}Z>2 z`2H8n9G28e@+;RaPT-Y1u|{{oh`%bxQ^D1r4^?I-HXLdEqxKj2g}LuTp7c~Fu5-e# zJyA8iwMEEcLf02K>r`=S*qQv=HRtEULCgCxU!(lh&z#No@jW(Z z*Y7}}?PIG zWhluKugA{qK`_eUcb>Gjz(46UQAwX#8i$wbmybu(V48O%B?I5}8cmiV5UPt1QxPxC zjZ(XDBr!(WqUDL#53zNhYk^vy`27SoA)nS|O2;-Y|3^96xSCf)!w$=~Q6)()pM;MK zYuLgVM{WF%3C@XY;l7{OqOuejS;?0r-ZZ6F zhFzXm5s7~`*@lepOYk6}BWlzY?#(`KkN8ti`?djj_376L>d|ojU81b-h{Ma;7dog8 zq%r%A7VQt^a_95dTRkE76_!V9Q4^|cw_6j{+267!X@jCSlWmde*o$>(LC)eDok`

@8g@0gK(v642vF_S88xgMW)9dyO%rRG#h2G2rjg8{#_&< z8v8qYR8@(AxOr7Yt`@xUn{Pm~Cc;C%UsS@I{Y3^Kj*~SNe;=oVR+e=6;B$#gdQl!jR*2QmV59|F zlwE>wiTLX^9eP>bA!p+09705-w^VPovJ7Ta(RX&56?Ld}W!|~g(#)WpB-QwKh8q~n zVZ!T>YE32ieqD}s_x(xKCmIX?-B;H`x*zA1{pvuXb6CZ&WYG^Tb%Wq|5!wS1YL z@3p%_}Uhlq(j3Pl_OhX3(kk1*MN(R&uTc3h}>F^nmie4J1h z-Y4J4a&nuS9OMj_bat!0^z=iU&`~HX@3AYrXB48K=}nJ@W(O+q3Q8_==g%WxVU1~HCqzVWG3tcH9AWc+|Dkvbm7b&6R0W|bplp-V`UFk(Z z0t5)X7wOWaJkGm!-FMD?|Gal+)?RDR%y-S2&z?1V_QmMM3_z!;s-X&iKp^1BWd|85x+2lpG8OQ&5moLYSx_R8$Zs10yXH7dsC(7ds~>uK+@rmrsPBlM{C1s>pS5 zDJdx)VL3%v2?d0tl*FH#fG8*^AXE@GYHBu#E1Xv({@?B53qVf}xC4X4AU=SI9z;wJ zx@ZG<002aKdD=e@{Lcm=A|@dv1CvuwQe6tLbN~^En3#x!n3R-+t5_a2>-o0nfu zSX5k6S%tw?*L<$6YiVt3@96C6?!gTX4dX{f#|X1?^9zeh%PXsEJG;O3_74t^j!*vN z0s+MT!1@>2zj4uDauJb`5R-ua03illULG+$fCLUtU^#)5f3xp` z05m@@iybie+w{N7{yNSRpebYmFrhQ9W+_n(7KpdbWKp@MQIp>5j7)+R@xopLihuZH z`{GE1a({0ztfded2VHt>Y_lz%tMFR>ME`O=F5@6d!Fo4Exy*w_S`Msux&@o|&(CJj^Q7w%T{%diHEe9v?tQ<-FrA`V6q zv%(Z9|MwO;&h1{-NpoEKbK1ou-$axL4DU*eS2-qX+)|#o-V>OW#=TUBWU|$#ih9Xl z8)P{mHJu^zv~4w-ZJO&AlzXi7liV<;(luGH^^*gJf(a*YKjwZU$dDAHY0l&yMXflDN&Y?be~sxseN9*vQSGF?-8vRoWA;7fS`W^&P_MHuqN5OURU~TAEiL1kfoIDqk_VUmc!9Sj8tq%)Jp0 zytyy@t6WL1wIevq>MZ|Y^%=IYj&n0JTj%+Q{*P+x<6Zf*2}IXEw9O+p0G20S-Fr$6 z?pDMJL+rA9Ifcwo$wHbBCTYY!wI4n3c?mf+9m1p}s?U#z;^#;v6sjbgCOc%GH7xUI z_jz`H9ErDcatnw(_-@afjoUlEx2eo87KGvMTmnZsqxVnFbVOW}X;O1NnO|WOWM} zwBjC25U*TY4kypJ0NQKX&Uf$Y-syj?{sVTVvwZ9&S8(MTGjB%2M;z6|&Q%j{<8C=! 
zVy~F-B7ua{wXzR>h>&76|C#EPS9d)GTo;;E0EC?}}G-OmrM3WdQV1cI$-nNS8p zd%Pn{@onXf-}THDp<|9xoUxU>ub=d^^2UZGYOugE41X8p$C7z6_a51M;L6Jt6eU@- zg!P=-7LG+EGE?A3wBESkQ?0_4crDSjN%A?fdcpeZ#A~GT@2-|i^--nPpnZrEu{|a= zai`Kb;!(OoiSR&>%&c*mmDMX!ql%&ZW=;*)m)R<3NtPrT2JQPZ)G%2veFv=>ol6^y z&tAFW&YlwUPI77CTEfprTSGB~r&SQ%=5dLE`$EQq+gxM7Y;}TQY?O0RPt{#QT8>ps z(yIa05`JZ`g(Th1f*Y1tzcQnQS%w&mufN9;dNGp;tyTRKq4w`gYE+8x4i(ivUQA%poS2|Ti*duCcN9Nlqb1EY5M*H z;M0S+^AjeJATtl)%4J3vxB#Yar{OxnY1RsVr0EhD6`c>z{zK!J!*l$T=WGu~qzNOT zBbNhzzDx{vv{V42j5WANq}2&>97xHcV2YqG28^A+8ZnC$Ib)7VfEELj9ZU%242ph|H8?xQ-rDh=bN^kF7?fWg25Lf*2UFJ8u>%_FDj{a~N zhc^1R`jD_`@WDH~CvWYGdjc3vvld(lh1*<%Iy1eda!(z6(q+`DGA7UWRCIs~;EVcF z9UthYMW(eU;hk?wPGX(?cP}no)GJk)pmGz3tpMqmFK7bvf%FTyTcZ>t+_$|!^Uo&pn1!NaSL_RUwM8>EU;P+N;3Vigs07BgCe6OJ;rZf)HiS|T@`#A_5 zmb=m77eKOAwB;wH$-xg75SVw5uYqMy57!yGvG=p34u7&tPVHv1avuvgl zd`g<@;7?UG+@J+H97(yk$*oZ)u%gi!puJDqCI<1`nq$KA*jEgSNYRlt10ZA3QKuw~R~w6e!uj%4_83HNz9;?K^dU-OwF3e^aR8x$OQ|`)^0o1%8<= zBZMdf`{weq%mdwkNNJqsOKqHVx>|>l!0@_gIdAa7c*_WVIAwg{_Zp?V%$}Ub(;V*~ z=2BKh^CnMr<~>PO^~-FX4kJY8i#);9xOXRlCeJ`)EeALKI9hACVcXT2Zu3#ASTA#>9~E79^=`8{ zw~%&sx(*66E3fcSB%qQ9zJf{oK3)Jj217^n_nMow9XFG5OZ*BRB{M;O17?9Cs&rP#YpXqN@*9u6A?V#&1UTCN z`lIYYQK>~%4aRYk`Ce}0;|gVHAGOZ~5ViMv!?eXaBeS5Asy?CtGc~SC0flaKIGFY2 zo6%Ob-mW^FoJd`P3BtQ`W0h!+bY&&%YWtC^8<#((p?mXe^BcSp_Yk7g|Eu6P!_B96 zo2&(Qc4wTH(Gwx}@w_#$^xM-d>-@@D*q+2!;%|5H<>A_q9%V7KkGEA*^X=oH=!rZ# z5&fc{*uXVKcr$hQ8_h`l4ow|ww`2ZC?dcZx#7CY;6->&R70dOGY283}xVbU_`k`l` z`Aqb(UI69g=ShK<&SgYr8l4r4U&IK$`KjhmOvviCR#3Zk0bt~PLe?DI`wm9*FtM9G zv%)p;&#msn2YmT$h-^=d6Y9Lhs@a${^K7%5sfA*{DFJVykN%ZQ4xos~a6>&u-k;DBrpx z-SF!kgJ_o3a+8_@O$$arbdF>P5rz)VQ9ZY8=i}crc>YXQvD3R{=lR^DqwrP&X3f9X zvY7XM;3D%-7V=(2d3sMp!pTYNoTY!<5Z>j`DS9isdT`qF?c*VA>hR~`^-cEfCyTzJ z;ABc2RoM*!=G3d?UY$sCax}x-=EKUM-!BuYm$#v1Rc#pnPC?B@n$!++W}wy`U_H)x z;}Ef!%g1OvPA;D#eA2Lg3fKCZV0nsRa8Ux8O{ z69+u?g`JPonQ2J5uIbwpPiVyrGVdPUV`yJu{`u^R=XzPpBI1!ioYH_2uV=yG+@oy_ zZgqrS<<-u8h3m`^I<7X?&U*&sv4oVd27bFIrD658-P|Q1$Zx3GbNV%cd12JPqJ!zs zm1_6MYN<|+^l@RHcW)a1>O&JK;%n5 
zUKj7SP#$V&g-aedt?wbhrsZKutYZovYPu>Nib4Cl&HEoY8coJqFMz6s+>LmyJG!A& zd|gz@>ARj_g{#P<*OH!{Ul~U^D6sVuq9)>us^4DqMnAzrdC2?qvd;~Aljm*T6dUH7 zJaBS4;VWboNPLbAVz;@(@bK>qYp88WlrMnI$i0>~*D&=R*K9-fvL} zr^p@1-SLJySw#ew>8DTQ0vdIX*w@C}0_gV7+;IjOeK-OKhgV9{i^XZ4Sa|79y@V%i z8%=1Kx%^D9e8?i!``B7PJd7n1TaZ@j;a1F8G?D&(!GnhkbA+rC!^E)?j2&3MNc~EI zB&ySR1l9Aenv1r0*7bClM*7;!zGq<@8%=dmCss@?_3~&L^<_Pa@ zN_5EDCQJ2`-YlPs(H`Cq8iuk=5p9~H?J9Z;#Wtic88dF=WvY>T;J zOLy;F03hnPo_h3Esf-yfm73573LeYk9C&62)}>3zHCe4$fd@d?YKR! zH@uZyx8shfaaQ5|!|uTO_*E5+>aM>v@%DMr%F%v)+4JDmlCsL+B|pt2_lm%0$tZYH ze35V!w(gpf=-eOWI^x8Zzlv9~C@sd=pUR#0U8aC$_&KvpcU1STFJ`xTV=PvDHBK`T z1>~P46!08}n*>ZJT>zBHa4K1byC@tv?pFB2XrOf(|4~nwsrl1h{|We?669Y8^_QhN zs-+KdEEBJmNHNC7b+yW_`Ub;$p~{-XJHr`*0_Oq-B`_kGsN=@N(gymLyoHD#FyZZD zauPb#TkCeVS(Iw(gS6)IgXgE^M|x**1pz<);TsTOL?6AMha$M)99GT)$$}*QN%klh Mkn^7#@x|DG0qukBU;qFB 
diff --git a/security-admin/src/main/webapp/images/hive.png b/security-admin/src/main/webapp/images/hive.png deleted file mode 100644 index b7939b13efde8d89db305291c69da5c9492957f3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 20483 zcmXV11yCDp*9}@6ic8VrF2&u8yF10*DekVtrFet8yA*edySux~zwbAHW;UD2WHxy= z&pr3vbIy%Wl$S(Cz()XqK*&mi|HvpQ zDSm{97l->BLMVL}Q-#K~jMPL!tMP~Xp1AI144Q8)-z9ML;o?h*Aq7oU9o z>E?id!$$KPSo~(_T#vx@WL^<-@6VsH;9wmp1uEM$x60olnkiX)9@o4V?FIiVE{Qv= zh={(_B)NBaJ)FyD@zBuFVm;hvcIf-G$W$x`#Ea1mgWyOF;c;PWz1dmbw!u0$OoivG z$<;p=LSDUhI{G>6R-5(O+?YCUm2dXP%i7pJdiD57jA_bwT#r>}3gwcMVDEz5?Yt%j z2h|dG5kim$>kQKiK4IXzH9OxO7d*jGMuB&C$5vLnrvFFJK7G zxei1n7Fg}{@e)P@wclH%w$$ZNL8I{hM*Hg&{m-z)_w7E#*4*5?hLnP$NQ@{(LZ!?1 zZL2q|>;3uUF-~VLjFu|p+6wgx*Hoje4h7gCrGJzak$fcvZAgs`8_Vo>?Y%0W5 zNj@-i}9BvSXnNU<1EX4{V7fd6<1A$UfR;w*f^0=E?VNG-Rt50f!Gpb z@3sg{gsWoT&1!xDvFWYhesNfZGt$grsdjI7IFZ=vl;xF^OMqIHv?fX8@Z=;jIT`$i zUVG|nFVz4|JnxvO=ru7JOniU+K){KEVYt4&ZoN=xyHKfz)$kyQ38Nyur!4L4?0hm; zX8uD>_lMo#2Oo4z=}%o%l&9xb+eNPT=RKxEIiHb*1v#m)i3z)nPMbknC!--VMA08+vuW_2xY zPTx6}@7Szvd7!C<{kZ>?bxDdm+$ zTOS{vm3m8HZxE!I&RI1`6g)k|OiWN=gOik(TbvKp+T2&rQEiZ|mSh=5SxN2uAyh&C z0*fIC!+F!-s_%M&A+d#=Jil_svf$Fw`3iEqCKE>%eu9BPCggGX8w^iGMD#Gp01ozh ze=?sh*Mf(K=d@ohzr@ax$3gq=!R-BbnX2zOe1u#j!Ih(#K#q+6&0?-ptue`itwS=# z0f)hKRfvWJ0zI5yk<#!-&(DBnC`J38`^t>%jI6Ucv{!~l2Yz6tMh3dXP!tVGWpyC#rf>I258=;Z?(aj%; zmd7!i9Qx?!DY2;X{e3V?e8!b$4cIw@al{vgGHTbTxXgxk$8*x=9FbdsImc_IEz7-G z)$~dkV2hx;5GVcY*Kt&soXLp-q3_iif0rgTK3rXni>%QxW*~w?Le2n)aXVW^8byG@G@^x4{f=t|yxBtUvAkaq0{zys|S*!fg%``*~mW;}BcfajO`!TTbuZ z9<|ZEI(}UP7U*iA_v2+zSU9lz0i^RO{x|!0QBubEc6Dmk$B#K9oqYAOwI+K5UESaO z7wl|oDmCcN&J;LtAV15Zml~3Q0`*56UWAs5V@I@IK@a%Ns-0lJ`mQhk8a{nQL z*G0#}rBfN7ak7P)R!lp9rpI$-RB{<6GxVUxN2p2E^&9k33*v->Z$j z<{XyQS?jBDE8@lXJO-XXHwxrJ8YOvZ$R{XCdt}SWjK*BtYZ)82((AmKjHR*U_&%3J zMIlDg8N!ne4-Xp|8G(2j)$H{Nhia?s(Je!*NSe76;rE$H2tfXaxgLnYYR6q>Yga|E z<0|Kmr*)I-J`ZbQzjREc%l`|Hx7!&`JIob=e@8BXB-GdlU^4pPwN{R5eM}}ewGEsR 
zrvwWj@19_PFKAh25`XFBTpVzcQ8@WOpBJVMuGh9d1nNg82M3%Eo82Ba`=5=^=tPD} z)yiN|iELQY^?m-GoiO>BgauP#<@v(e{Fw4i+lQi5L>M4A{znq5JW}@5^&#-@;fg8w z6qTk)8ePV+JC=~Q)#Yg0Ld#aC?BNXq8bQf(Q^!damfrBS+Z9@cpbs$^!eY+^x5)L) zZYwmd@XeHMRH;N&CYAAQsji4zN~K6Xi_ILxUth1`#1}Q*bWlfnd`cejpY(pg7d=s$ zPqaafA)fTz0cf#5Qt8*&Tprz}?~w^OZja|qdRzQx&~~WkZh%sP$}hOhPhv$~2CJs*0sA9I&~H8Eai97@lGoC<1sAqxQd<*yP(jP-X7}{V(=##)f5D&D z*MIUE8lkNXeqtE9QHiqktT}f+fsy_&Hb{#ShR6Q!Ah9qBDbsBjk%4Hv#_gt{^mLd; z8U5_BySlt{JK3eMXj*!`+~o(4Eb|Xv0~Z^gyO>`@xge~b*-%foZbkov5`B-Smy6B~ z_*|f@0cxzW)80}D3X1=t4hTo7l}Q+b$LKHT>go?l(ljCTL1@4Eek@(aIlh_o)+D+o zFCzsFz8vmPUcw`plsPaOpx7WFZbL8<=^}R&8HtbOZGGuuW3?sxp>ug~TmbTXIPdU%d;YW* zkSxw(e01lDii-L)q3iN2sgE(>xyXiGlvGP^#O420B+vUbX>U<#G@!STVI}6M$rLo6 zS*lNTe19xsR|`7okzt}n!VuE!nT65$q^lwX19zVoJySZFBk$=qP3%{}ZzqFP)gR+M zZ2Ou?lmHq8vj#jLqH}i3HG}Xz0&l1>|S18bZj$+ z)aPS8Xx%7lvM_p*c%jvNcI#*lgsgEN%r9oOvyBa&OJrTku3SB;F{{dM&8E!0Bt4rt z{w3y<ZXE#YW_9U9) zsXl{(!}gKUG$?igf+7gpydgK2%yWPO#AEy*Wo{}CjTIoI&Z>rn)iSWc%Y zHF;n`kmf?tchM1p!1bcuW6_ha5Slf{;_!RM~g1!dNBJBBU9p`wHo=PVymWqxn zBg5+Vs@Az^nBbBRaiiULUqaCP1rOY8tmQdvXY zsYUYi6uFaQMKlM)%bNgk&J8BYdpb%RD zMN|k!ChIo~>+jwRllR2UHZsI)e{Cmh4DzO8TR6amy}7+WXtM2bwq#Z}xio|)NI7{Uso!gFM!Bqv$Ii87ka=n3nVGMA=|6m);~ zVR8Lu(Duj~2b=F*m1lJMY8yVlg)n7Lz;~U_mk54yPbppePZq-dh43A8yy^4UOhrLK z5CQ^1C@Qi34=osR$@IJaY%8QAQ<@4pYxXT_!hRx~qo zV*DctB#$>`RG;tpv$f)9L*Ki)=D(;YJ2~ySW=02PyZp1Dtt5xgRO_v;UnOi~WVg?^ zLN9B5`8D$`9>n~fq>Q5>XJs`}v$Ft43be$P=}=@X-cL?8Hs!-6kcK00O)@STUyG5_ zdK#b>K1T~$a0ElePX^%&VZ~6CII&2GGeZD7%{Lm%>5N5V(sr>XJ27~AlOC$m)Y{kq{s*|Zk%se z!Du4*?8q1B8=!6=QxaVgRAY=~^Lr(I{OxUislN89CP5+*oe1=Rk7gsu0*O_-=6NEt zPUd-Fl)i5o3kQO56cLNzXn7N@fM`IyW= z0n<8DoWb8li#Ttk5?*AOfpCKmj#GZ{01x$7xmeQ`abib&!WsL7C)?TM*9`waNv4xG z+~Cz0I*0PHn(DXD#vh?b0lyJP5ppr}U`RThgJ4-mrAPK{CG<^G$+E+#yuJA{`$KYg z?HScEL_o0DYGCi!A18Cjkj&2eWB);dFET|Bp`aZ*FRD(o}#zV5DuxHe=h6> zh7Eo9XOa7Jg~i&va_#X38?6=N&lC}#$o!W{ps#Je!^bBksVvk+AM$uRFqff)Kz>0) zaQLEh_2)KB+MIMC(E8^^i>(wIXO$n-Hz#_3Ih~j~wP0=9=~Q$`$0mAyp7)BuP^2tU 
zDeBIw5fOO^0vLa^=~A^b*AoR$8lQ)g+)RIBczF29LKTz+UJ*|_Q(yY0#?sI8&e-RM zU#S;j_pG3{D|D7Do1C1TkU8zmvUqcTr=>Z*noN&pYVD=&9*dYnP8l|OsN9_}wKbg- ze@50OomN`>y8u)7 zM{#*d8UaW4vEU{h$n|)Z+wZ+ydM|fPUM=wE;XxzZbvJl#D@9XW7_J)vHvAy`r!uAf z=F0O6$K?Yeq!L8Z4sJCPF7~F~T6@Ds_udVTvO-p;jxs0} zyoiC);kEFWk} z(N`C27AT#>T1zgIAWKuPot#sp^RwB$qcxx^?y%MBj!X3YA(4uIYu{{*I*DfAH&Jje zQ8$Hwb({+64|F(HKmx{7^|Ejb!2)EpW!b-VjPT$97a9)AuUC<(6ODg?Dr!WKAK*3| z`yyjv)XL^Y;xLLBP*0Ype9^GQplC(-U`D0WaQ@zMj|m1Pd9wtg38R_T<+>^ZF`MCZ4g(DhC*FC!sD*gjxJ>jrSw!|S_Hq^rDvRsf<4sKK_HA) zMP(`>9&_}xI3|}lxyZWK{EGtTA1Se*X^Uq^vp^Ped>si9P3xQ}+&?QdWMdI}NM(B| z@e(ZoXkmN~av|z{GI`i5)ps^L1|aUB6eqf7>+?b(E|1HqJiWZ2K>f9*FsEJC&-z5g za8{5;JsiQ;cGUmnX}_W3#pZ_?37HCQfxT7RZ_|PcSSiMhOyyxon%@G@u3w#PAKcms=f9>nAi0OHR*qnW>pPYxhe0Ye9h$yk#M&Ll4=62qXCgjBy3VMER5hYC) z+|;=-YOr1Kx9H)3B|xM^LIXu8x0g zM&r2+W;}zmXIX2`rtVEi29atz|0G;|_}f*}Q(j6`bV87l!ti zIheUm(PI8Y?qH(G5Eq9iJ~LcT*DGqK|cX|Ll`*M2(wHXF}_T#`m z&G{ifP7*&uViS0!l4jQZ4RJuh=oNauzuG3$<#YXJ?1@K`{X0oyLQ~U8NdYmPAVyW> zf_-i9sx#sisSUu?Oq--jh{F`mmF`f{H9pW0CI!M5#B*iqwLDY%v-}vy-IrUbsA#&% zQqBO#V|rcDpryXVJR}uSy0dSK6QXo}eaL-?veaoL%snKeB)VGfgt(!r&A+hLEZY0Y z?vC}XdpB%o*r;fO;Dh(s!O$X8#YbLuC;RX3iGHR$Day>9(dTD%2UXuJ?;!>qQyKLl z0sSQXqIj`%abe-1F9HLUpaT9t?i#nYZWliC`RhiMQ7rV$ACv)c#6|Ddd&>}g(fdlb zD|^C+)K8vHKU2+ofi)@tx%fC4W1ZSA?a>t+@Ec{z-#Dt5dCZ?mn^K=eWBxQI5ZV0a z_5Mm12o41$HafaIy&SSzKAm;XuAc@O32AJ2nA_!WDkLf}QuKu*Bg3-HprN`{L2Jko z4OK`0CIe|3d0_IG{8iqa-3s4`1>WmH51m3SjuCu^K^o5(WD6@HLt{I`W3|d_&5n=0 zp+(1iDwh}tKQe|w$nORZb^%CaK*lLM&!%ldlySvc0!TKX*o5S2q-(bPk^Dn|<0Cm2 zv)Ug%`fZ#}bvDkMtAq2xsjf>5Ej@Em^N_k1}^8S`{*P z!L@_87k1pNkJx3Lv-ppv8qFBmg#*4f;NLL0NtFg&>!YKHLMMzRZTA^g`>i_xA}m2E zY=-)v(W>0YHGVkK?Ce&#ll4|#{vR{3-(wSHx->Y1R$>0iP+lzw+k(d4dAd9XXCXU~ zB>(z5TAd#l+(U&&MTyE~HPTU=VvEB$y1OgL$jltMM4B67~jE%wU->D@9i?*!zlAcT>ycv`BECTcY_8vXXI zC6qnb^lW)FWle@hQ~k4*-8y~#lu%U`s!Rti$2LWi+uDrT#PE(QmR~bc@0dZg=n^U% zJbcNyesOUl*qx9RlwVK~M=UtO9IdaA=`JhROg?M)@5L~Wo+{*xxeAc3#L868R`1s{ z?vhOVSncyX(B9o1uFjt=3S@BPd^=BHtGr7DYTcllEDL(FFYaH!^P(8Z&em@vNJAnprAFI 
z-yWJIqu8SGjd;d2WXqiuDo8nRe7pRvN$hl-{h^_hp7mx%u8V9YKqV;#4b}|mf zsQ71Z?^#NLfYYijE-}*yzitD!eFKggyZo=YyORYCGId}fVcAV~=EEP2KF2Q*MkHXN z$4{HxuCQZ!=CS3bCBdjI?>;Ugg3@Rw$9B#h4x43pNfMHhA2*YNAb?_|v{iAsIcwZ} z{{V@QoQE{y$TFuDU(1o>vnz62B~z%}`i=24JYV*r+QxENQ+^>yA!}-NJ>jsPrw65L zIfW5fu70QxJh2LK!DW&dKs|ha!lN@vCLgUA_d*`*nG5lLy&6<0lr0%vb^3`ePvdh^ z(Uk3ZOanS#LOApKvn2>4rli>2j%h=P*5Hgt8Qe`G_@2gCSwq{M^LAJe=L;k*{LzXL z)hOkRtgN#WYvj^K>mP;y)c6fbG%zHE8g|CL>CpyQLuVk;%pIM>q`sAIH1}_w54={( zq8b7UPaNO%kWcEdx2lA#5Zu+()l$umuxsbb%av%+wp(`i5%+#Hv_O#{Z(bDv?=ilU zGCqB0Vg@q$K19P~?1magZ2W;s*OSXQw_2XXGeD0N7Vde&(xNE-BM_;)44{!j3_e72 zI@w!uGi76icQrj1!k=iL&Mcq8YQ{J6*rl-bh0hqFdT#{xJ_@cQ13IX zlt`-lydwu28_?0D7kkwGdcn^Fu3wclJjkv@xQrc)Z#UHAZ$yglT?#8v1so(PyW*b7 z@%p2k^I)DGB5T>2(C=>$h;(T97sYy++glxMkZTwfC+9+MZ$WFBdVBW6@U410m#E72>Ku!|NQfO*8nA&DYfWY3ZsJ_K(4&;`iHIt> z&gHo9m3afpQZ$U&rjt#r8mEX;js-txFVtIABl5j{(&&mrT-6-n`_zYPpI6^2F~s&a z!JB(B_V1T^2?+@~IT!o;`?owA`0`VM^ah>YmzzDH{mENj*R&U(lzr;*Jl(aluU^qn ze)AWrKUy86nsXq7AeVL#jnwk^^OCNuuHUu;3B6>SSjnTbw$*G@ldKa5mIv-aI2dM8 zd=kATLY%&|x-Z$Y4ugO#UuY9Ki^e5v{8=P0C}?JSdbvUA;*IKiH6ItEpGbTv6ETmK z?^eS~lRa-3;^&5D>jRM}j}vEDK)V!uMv~oVo*SzDW5=JmRV7hxeS)`X8-6>QV!9}2 zDoryyZ_T)RYpP|l;`vg5%0!D3ODwn!03beV_(oN?Mh1)JG&$%6CF3qRhV)DmjOW0( zyZKq=qG;xXQ{ntg)l*6R>3LP7K)bJ`lq?>Sba#>FrqEWx-TnNfU+#b@`sA&cr%_#- z;euZ2&pqPz#O|!lb3cyZIOXD5*;L85_KpgHaY}`3U1!Xz38nhm(TI zGIMq$sL-Bd>+Jy1LWQoeHiw$U_=ReLjgpT2EEXaG0a?Yh%#cv&dwaDs8%1dk9JAxw z)m)PC_7J&1sP9?bNW`24vhd(oeudtsnysc7Y{shi4;P7nJ!{nhQwWG|;I=aAx8o8L zp1s0yp%i^?2L$Vvhl_`M<7o`*H9t#nqb%{O#fH(_^WEPn<_sL7(l7-Eu9?j9Gb>R_ zC2(M7+}%Y(NL%k7^j|g36?2__UrjJ2 z7z~~B?yxy@E14GV?d>H4n6g`{fgrE*La*D5=HIE<=_KcXt;LPSh4LvjZ6iI2Q2)d1 z^+yv55&MefT(jeuM_oRG{anTi*xp}o^hV61yo_#!x$qkCqIg*?FQ%YKUOLLx24AHt z*Uo`sbSQbAVj}{#{IzFI{B-KuMF(nyGA$LA`P22De3cKy<~QU1fr0rFl|kd4n#7cs zTh)T!SK}io>ltYkh_c7CC-bQ{H(2nPXlUKF^!^HhzR$BYoCbv2#oKuQRJWNq*S$Ng zqh?CAP|>9br*atsI}pVp0@w(TF*IV1_6{@+3{IN98U2Mm;Outfa%L+t=<=-t5>6Mj zAe{`Wj>XIXtyG}A3|TKXf?}k0g9qkXWy;|i19xm%-5<6CdN0%r_j8sknQC(VhFA%{ 
z$%m5#`>9-E!1n-1pwXo}H4Z&f5;aDFz6>-B=v?5#WtD?-iEBiwzHceYLrJ)@-chZV z!HPw-(lj}b&DihNf22MJV?p1gq|yOPz~R4wvZlESU9tan*4!VU!W;Xv6~Z)&R}|P<%>?dX>J*1sIM05)(p{tq)v4c*G1PUwL?QC#$&ip431=)ne;#M+rGtRT1=QG5<&sjRyG_{$ zEMnq~Ci{)x;Na0zrj2r@wbiQf~3woh74 zPVW163&3NO%r_>$m8h9C4G6=uA4Pxu?C$RaF9oOB2Pr>HAvx+yJk{I5HLSu4|U;96cLuT(jtRR4-5481meKwd`<<5bEXtBW^fHB_vzTI8F3 za#%1^2go^WL= zwZ#`ik)glD*HBg)xUbUt4dg6T8tU)0wR^pT^zAxm2m2=nqF?m1RQv-L^9thBt>4yt z-|iMltwITl|50VYlTu($HnAa+!^cl7{g9a`8)Ad{A`t1jEvpu?kZ9WaY#$`4IemDw zglBqcLrHl|@C_aTPO(RrKpip-CIxM_!rJy4;H66c;N9m*V9=40ZXM+KF=ixW|55;B z(iSZ_w^2{`1nCm`6qENH@lJs%DIzv1HaX6m3Hdp!b`M!mhpOJ_7&sRa3KmpVi5QqI zwXzRpH)l6>BV@Vix>=E~S_-Cs9l~(3-`?I1Sa2rNSawE|>E^e8S728D>pNa+d+3Px zbkDeTibx?2=TROv@vrwVPzVuOUOhos+FH_~3K_ewy}-BJK0Z$|GS;rys5kV-U~Gf^ zM(5A0JSMcgNDee^6uJ*=-rHfX6R4SBRHx;7nRGr;W;_b%k|mo8?-DmZ4-XF@tS@hG zy?0_bDP_~pu(0OZJ#J1N z?**4F{%C2{MiFLDoqi$>R#rq)z^S9}?G0M1HMQ2%B=O%HO&#p(!$lgg!a)*k_fgfB zGlCgMXW3*KnB#qIDTg)q0_qz)m5%%qkNk&{DXr5Gw`l? zk5V6Hp-L7o+tBvW6Z8qgqt9 znYFT*Vce+#8Ay`!qsPb7&q21nV`VI9ngyd4=Y6vqg1sUX^G~pbco*8#sHHwPY}1DC z)k^2taXK3n0f*DkYJZm&A`=r67K~8dK0W^W_MVlJb767#bZQv=S9?J$BJ@kkx92m6 z*$N#_7M2>Z>~uEsZ&sKuGYW!$zlVXXE^X}njH-)B?_2QZ=#vMrkKI}hpltR78pZF1 z{Hi=rqbE{PPFwb61$vR8#f4QuvXp;fI)WLkK6<%jbUS_gmeLR+s!sE>G$kR=Y?CM` z+KVj(sbwKQ=&k1SRdB3S^UDTAX!0-tvt?SX2=ea!a2TrD{i*Qv&CS}{+Re>{o&FWy zFH`L{w@u!QXeP(hGP)z|sx0<#Hj>4&ecOd#v2R{|6;eAVMe+oou^hpVbn|RS^&i&x zedy4nJUq_;{F#~_u8Y?>s^z{_{hs-i?PF)VZdU&Q3-Z?v=~FQZcrU;C7L#O@)*{0$ zx805h8;~9HE1*TXg#&}GjaVF+^8V@9bAvUj)m*9T&Oi)$sw>ZS{?{h93ZL2X2&?T( zA|J0Kp`m`09PdQCm-!Vs-%ighiwabML8=*ah;P>OK&JUIVL_<~6(LR|Cof;A(^R>n zyB@&MTj7xHzG-UE#yD%AzFqvNbcM?@_Lhj+p}RKZvwTg*fl^fYk`C<}uAv{U05Lh7 z^!MG?5->P^&L^GcHSzz-$vBha$Mou(zO{^HjoH5`JEyK8wkZpUr0r*cT< z^A4Md&p$e+6f1@6d#@@PAoqPUFR&AC*R~;p{!yyZ-q4_nIN#!HnQ4ntguNWpAc2#( z`e;Rl=CcN3vs5xU6fD1_0+za?8?yr|we7>Li~=t*b6?9fege)Be%9YNcg#=o(vP=v za~b2pybqpLx)*|WwNq^$dyIsr^l8rQWMU)o2teLufIK<3JCi(UeXMjuNBmC}^Zj^x zxV|Y?{mw(MfAZtvIUaDBS)M+bc!I6>cEJO3tp_>ZBlc_2gtjN2 
zFWpxa*zo*8jk3!zmCCQ7E$sHCWPnCj1@=0m$Z3|~1x4ernN9rWPCm~;FOEojNT$}Qry zTn?f1#SDwo$8K@s6fJ!0Z)FhVq%q5FpoR0;>wsF46atUH;szMMf> zgN}ir(_nRYaN=`xU2*N)+LqYf{+(2&_Cp+qhf}udYmqW)xSk?nPdVI!E!D*C>0g;t zs2+Fs7c#HxRw6We9@me~c-Hd-(z9X8-p_dpeNFs*yo0Hj%CxD9Vk)J&NhY;|q&9mO z!v>RWu!ev)P_Na+Q9a9g^^5gJ=bNJ(nV;6Zb_n;)&Cvyowis)>0 z-?+i-r~RO>(#7h07w}uNhp@r|UGk;h$h~LWg>H%JVkm?vYiCX`cX?kFp_z@rxz`Nk zHS==V_WLf!>lBkhd%2s_2oij=*zB`f;4&r@^aTKQU|eU;<0=FN%S^vj#P91;0Er+E zVY=YxAkCfkg&eAq!5*vvQqXT*4ZCC z!90PU@8*YVJJ`6SBYMVk#%g;=AP<)t%ABqB>%u9drYml5_Z>eck?~MICa2N~WYoA8 zS-#`6xYf?c%#Dn=8s{)ZKxqC+3@ayL zSblWnA(HO46zSR4h|&g38FEmEC(;otwm9V`neBboamRhIr`hNJWyEs7W&_%oxVpM) zc(6q$sS_Gx-d)u?(U0Fw{})lL)t8^dVT%qM&S9=`bAVEE$(R_yVUrBmrj{CPxTpLf ztx+rNGZ(~3Wv<0~u@aa*(;k&AnU_@fC$jB6-P3)c^R_+Hurc){cxu)Lry*mhod(Lk zsHg~CapAvfLn^AGqlvV-MiJh4HX&R{OC`c~d1q=Yv6DoSo#9tm&i_dmyzCV@Yg~3j zrv`5@(cpfBhP4r>-1Z?{OtkZGM44Wm#Q7%iiFS{O=D? z)^-fi?xFX-+uM|g5us~;c$f=q+8Et`ifj>wBMp|tztC!tZf#>l)ztkgqVF**SHYOx zd^;G3{DJ%MjBMAM0>o(8GmpybO(?RFY&8uiq)?E?gQrd*8H6}1 zn~o#11bRe}$>%$AlVD+=-#S?5vnvTcj3#y!oKNvE`bAo|KMAfojt8BQ8?w8F(-$oG z>%b3+kXbvT$Ujm;u--J}Hvjx*g?0rvJb5}2P$6pINb^Y^yj9t5x!We3eE7cF?>5tW z$&V}`?6eN>o=)Ly&aG$hzZ=%~^-eVq*9MuHn)- zd6bu+3<-LXaMjjSV(EyFxG3+i_en;zaZW)@mlMAz6^*H#r0qD0_tq5Q<^GzWHX`dwaF1 zt^-sSUtlGb{%1|>JuZ1oZLe)st@!+gjf*bO`WI6Fkz+u{ei{rkNiSlAJQc7tG27ZyVdBwb@FXIQrH z#$a@fXi*@k-1$3auw?YLnIb|!aA@aE%Ev(VRqFP_)qNodUoP3kbDka` zpXzzW`-AJf3bio%CQ}CIl9!rkbKTv&4%YnaS?BH3+n?=4OSBoa3Q2ob!%#{a%qGSS zn${I#H}jItSFNAj9D7bZY6|pG@pyzz(Novke0-Y~Lgj6pX0@(;0+ltPIT%*NE67wR zDHi2rCev67BC|E?!uxA&G%YR#btYNII*>MnAIZ3fGq50t+kafR)hsZX{F) z*Ao|qCM!FXd$Y_*CZzA0%&haPLzM$&GcOMhwSTmK%swLu6-Xd=eK;<}37#=}C?+~k zpF1Wg^W6DVT@a>we%zbqnJ>opH4@0&Qj!KA45dSn#vbQnx_E|BwCixM;07T=5qwobQ2~j68Hs;gFpMbpXbooUy+u><7nmM{2$nU zX9pG`JIh7-tz=2LQS>td$V(|PnAY-E--fB=bwIaxNi`4gPQD)ycT}Xa^wq;!c1S@% zpK6o!%wak_?@D=wwRXbQ+T3jSa{6WNkqF+is7I=4V&{Qw>--8PCQD|tull&JvX2Cx?S&$@_tJOx*Z~AqKwJO-CA>c+6W)6aPdBeD} zi86dBwE9_519g%_64HKX0J3{X$n@+mj%}&{zyy>|MXjF&WVoe4_EV7{6NLU2c#oi0 
z@(-{ivN-bnfoZndOylOaJ)dliVlmJ*V9oJ?XQ7i%6Tr6NDd;u98S9}NYuin{f#Gy9 zlGJn+`azG@kBn+ zU2HnzE~K%;UaQbx{HDQAD|d6uV{0}&L0g4FQ|2YxGG#k^_4=m2GtNM}T9X_Gmg6uR@eGmi`;KcIwj zVBR(G`6=~eUT~wS6}lqc3Hre_AL2?^?Cs(V$t@R>ulS&_um-kyvXomyYsrgd6DC}p zlul>qeGY6ISjb|Ie3-@JaYvD(!41`yx{)4tQ|p}9Uqelko0n=sw=XKS#j*yLK2@PZ zlj5W2CI4Zw&piQdN5DBNaV%J4t6F$|gi^3)YFqw!SiHphIzUzDga`XYh8hg`x~E&J z#hp*}T=m-+&zH4rI$Df^^61qeaxv=!y7)}Q?)y~@gq<=(8Nu;UH0#6Zc7Uq*d^#g( zTfXh_4v=ugo*|MkfDgT1txO%P|7BdHi@v^o ziN@F77A(Q%2CGVJajy{W!2(5vrZW!T7g3;UcjIO|UR39|Pf_ULY3Cp*v3Ld=4qy~0 zJuA!S`PQ;-$s2eMH5xMmya$=dNc+(ap%h=j;si#sSoxb?i>m2=kt1|(7`*MRE=sWI zhHJz&m9fX>6|jc*XTaRMByFVkE0Yuawkyp9u zng68lV3)Ms-=@q1tZU=h9?(#zZ~Th zs6@H{He2dtLLgx?@H!7A9#s?9n`2OBFmEoG#oojcjCmx|-5{qJkz`i}NTAC%D>DSF!(}w!H zR!uE4l@3Qb4M=Tirz$SaYMry@{Cw5F=;GW@Aq$uQI*20_WYGJL%#(qe_Uq&?YyE2r z4wxi2VeEJ3c~1Q4Xicqg>CG}-QDm*vY_XE{e0dMls!VAF&`=%|fr2larH{{GVITj<~qEeq)Ggn_m~3 zJ$61h&36xGJKa>eu{o?OBD*x3T-W^?G20m)ukSj?uiP3J3>7NvlPXZ6_?&kpaCfeB zmyT>!Kc&W_zR=C^LPq-|pj$KFXu&LJHm$+uAwgwRNyhEUrzgc{`7DI=wq10-01kEj z&9Bz%Nt)F!D`e0t|6VJRh4r(e3*=~)7xKTu{IXlIe7-seyvvLMKfgysMe%w+GLNR5 zw_5zm7q9AkF1`LZD>Lfsw0Ya7!C^u)@IA)D{gcJa{jiS=HJ;zw_y_9o23(dl490E6`bRl z$^}1X&CjcCK%-14HKGa@6BnncA!_GKKRbcU94I+p9MXAficqp_bGeJVIJN#Jt*_s{ zL_hh==XjT+9@op_7%&K^NZa(E-kVRQA1ZLb^TKv9%U3l9$tgktr`PT-`?n+mY#mH0iuL~08zdIVyg4kJ{vD7i5oIA*^ZM@A%BaeWu92HYU&RLPe z`F)q&e?*o*>7A6*($WHqY66I~TyL4kpa8r8R5(p_c+ZaivO*WI(}1})Cf#Pm+v%x1 zQ7YLq#U?wwl#1>k?|)@aPfx(_^6Xf*;W)W_PNY&;{yP_$zX+DWNtVXK#VwxW@s_QP zRCJC2yOc>33=gMOxi0AOrM_N=6W^b9xCokhdazC+Ie6s9F_v-=Yh?x@T@hgrNYh*l zd;ZiLWvad(`}I{)yWRrAu-hL37$hxXFt5;Vcn5C$;^Ja0t^JF~*>c0p!6YD-cLDB1 z`6FyE^fJ6TI%c{)V0u{4`@@lz9t$aI{F&Iz)^Bor4!%fQl@=Pdn%Hl%L;<$CpA zH>fPl9ZSL2W^$F?;*3KqxcB>K@~C`aIxkLFWs-tar+E(2R36!91?O`I&UHfU zQ0LQ(zbAtz14@fjju5{3d}23{CWU6cVvYDQB#_jw#E5`?)^Al&W`i*F%&B=N7e7sD znnOja;`prl%Atm5CP5wnj`yI%jGijL^8`SbQP~&Z=F3%=2(YWOOOp2 zd=K?enRIOKTWfQj0I2C#F|qp@8*k@}M`1H)n=s=-3ma-R0#X8CsRQ!#t6q=U(aYZ{ zLL5c}3iljpNT{VQ_5P7-L`jr(!F#>l4&*%6w?lrthxHsbt`>lXo$MMjJ?C~XW0_$p 
z@@ld#c(U~9d62mUKT!#N2((7nbN*p$gEImtvh*a(_-sy<-$pBQ$ojOWZKOVrviiI( zMJr=5?seM~Uc@>R+;*k2`%wQ$!p6kBJ)23G-b?vQ4AX0TVz8yl%_%z+xp?Kisq*HE z!rqCl*0ue z64GsOV_1m(d#WueG6zDAjEu~NXE>@&U@Dk)H$jq%gc~Nz;a{)m zZUh&Q4!VEp;usr0a{VqZFW_>h7^CB{79#t90U-|F@wnJ}F=aYd&CZbxS^1y^%G8g+ zjdEtFPxRG+Z3`;kKJX9_i&Co9YG;47`1pzI#r(9eEx~x%BK(OWTy!M1q3Y{-zH&~) zl7+tAI%`5hoFl_1rK3lWw#9r$wYo7Xqlz;4&~khf9y(?sH1&=kP1=8`%=l^@+PhFv z7r3ujE)M~*loNj)JI0S5yPnnX)}Emhuz(*_blGAxx-!a=jOU(qUH?bGg(IQ2uhx41 zZ4X!1`xQ3Fjvb4MiP7nF6DLl*bm>x2C$qLZ)yg&rG`4N)GKsZgw;AFc>j@@#%Z}15 zY5n~eaIPR;4zCA`qb5fGx);h@+_-7W^MjvQ`omCBlC6=4m|!qrkdulon{BV05Ta2- zqbAd)cuo7n`)Y!4@QC@?N%PtBmb2%D)LRaJk%Axyf-rsh^y$;5ySceFYu2oBHvNmnn zRF~Y6NkqLmWxmj>*F}qdpGw*CF(jv?mHu5dZ=#YV?fnmA4->HnA)PyS+OT2ch>?rt z&VEs)Q3+;&5Eb|Vu>5If2>@gYDpH1!uAQ{qx@f0PCSak@mi2l$D_hRXmkkCP1O(*g z-}OH&*Ow^a^y$+%IXM=K<@W8{7K_Ep%S)rt)U8`LEG!Jwy1PQyXqJ`Bipgj&(gMA~ z+ou2!uU*Y5tC0G2DY(b(ry7cl$w|IDB^-rg=U*OW?! ziIfClf524&K#~C&5GVkRnrPH)(U7f_(zqt7Uw+qHgklv~vSi6;pM6#qd#ZEg$kt|A zIV^-Ll~_g-Ei|xR(g^}}S{cXd83wh&DERgjJ}SP0COnk6*UnZDXiPm0^kE~GGLirN z_uuN&IXZgWvdJH>ezbGU!mnTS_I*{%{|0jE{Xe4Uv%EdYhLr(b`xlFyIe-5A>C>lI zqhuSSl@|5$azCt&2zq2KN~+{hxZ91l2ebtZ_kb4P8z-o-Tg zg@uJPXU?o?tWv;mEjzX?^K8(y8MIP@nXC}8ddld6;DI~R6PrtFYf&# zy3Yw4^6(K$0n4)I&!6}4vF>s#S+=)pukV8DUYqi1E&zK1pV$K>s@u|qC9U=*PMlc2 z>2S4y?;P8(%=y5!oo28%iF_jAQt1aCdv?=-#=>3{TUVCo@Q0FE%7Ca+sjgqY9vK;_ zB+4?)FOWZ)p3D1O?=vuc*{_93H$~2kRLZ=$SbuqVFzbFRrqq@sY2(I?_umkPCE$z< zJ)~0IZ){F$&+zdb+m&hScjA;8OfrEfE4vJ0b=88jsPHK{xf16_i1a+ffe;76@|0|t zQ9^`2l*GcF0nydf_3G8D0RaIeuCCu~d}&l>RMX@}jg$XaU1%~`lT5NjFPZVmiyq3e;aq|+ zaOiD@L4*2ybX`8ay{1K+IwqR;2;m@7&=TUjw7y{pSY%ugKAr5fb?03dQ_7Lr`1ts) zUAs1K-n^(H-l6H&TkkvIYsn5UkOCj=sQs&WjC&jMQY8;B=2}uI%?=D;Wtk8r1a=@b zRZ6|H_RPzdDJ>}`A8ukPuTZDc?b)-ZRIgeJWEp4A3un&@tJd7@?&!L_RzsS{sY*3H zU`GUZybWJ&-2{Ra#fVCP*IFAD%po~gVUs#b$3 z9}a39_i98$kiWmbx3@Q{+x(mmBBOqjMt_%;;rUlG%i1=LZNLG3ggD2z?O~l`m4L#n zC!c(B_wL=Hp%q8XbP7Zf1A6?{^U=f6^|T7Bl$to#ZLQ+x$N{i%ULLYeTRMAgWk@9) zN!ZY!J`1kmnY*3%H%Kf6ik#@sp+iDK!qA~ZSFT)H)lU>e#P`MOpWkiKdJ04z%629E 
zli)jocoxsd$o54z3=4&y4;s~nuMb)_hrcfxH-wvu9&jK+B4O*fy2|eEjKS#GE_-YP z!thRui23g!mJKd0E`R*-$C4#WCQO)+o}PaH1>TD`E!78)m;ofGqGcB}s&DGuBc)Zd zB|&~mV(P=w1H>}`GziokpkU5@K1E2+fJTEl5qAqA1a)d#T^(s%K?U5(Kzatey-};K z^;E)+9S92K>e;PYqLdOg%-!A1%{A|qgH3M{$3xY@SzYumB$k2~UU=b!7hWiF67c@f zy19D6mp)BnRc;|kMx%9*I-7vA2_-V7*R7Kt=zn)qY}^nUHRgX;WSk^8eGWzStUbEm zt4~oY6or|XF$Z6M4SgYgUZkxTYwwIj5!;-mQ?n+&U%ujiTXLR{B~wPVMQx88c|#EBDiqXI4`IxN6~0@(WX_?FGokF-)ZZ>kE5;AIPyWz3r9{rX#3 z<=lAr3NGI@IK|$BrDt<@!%NSjZx3{S6qnB9yQSE=3n$OqU(4B+ZCd{I+n;th#Z>TQ zUl&MGm78*#&GgE}b-LHL2G`4GV=tsQ^);gb>kW%{_9I`>~VeAD8JXQ!&891I?S_ zlMm3kGhiS)c5vRILQbv|T1^4Mb?VboJ8oj0{de{0sfAq2&deG$`EY`#hr3ny`gk!c zSMn6`znNGzP)c7KHtfkKo>;qf-K?1(%>3-BQDX;COE*YYiTD?&-qsIP@mWl)Mnyu7 zRMZ}|XqiHRJa>lA&ON59*Buyf2*K!=@zV2X+z_|Yv2Zcdx?Qw{b{27UPHvX{<&^gb zN+~>}8oB`v#GdHzh)PC7J6-B_>7<$XrYCgMKow<;Oxcbl^88EG4dp}WEKg6*7hV{0 z=Io6PTgZ^Xi+AiyG>K8rOcux!q7*EOtSCs5NF^DPWVItLr+W5g^N~813~yivWL?=VdU?^#A_)4VnpR0!Z;MPzGcWZ^DM|*=7c=m3WGeH{#pl@m_eM4_pFULrxp?Oxo|O z@9UVJgU#e+8rmr4w4M0_{1}zWjj#cB<~JB9rvt>nr5_O!Au}WXe-Xy4fa;SXSeJ_rPttOdY$VQk0^C zmPB;zte*N&=>Jnnu*MT-_EPoBuh$=$nm-<$H3*Ebpq=$)V!+94Pa=Yj6+)=KtAHSQcyo%*)HOPoLg>`&y5wY~8x`pMSP|z389h zn<-|q*<>Z7`7l2&MOV+Veg^DP{N;fdODS zq8t?|AMGDeF?>g7RhnV&@ExXj04Qo%)wOHau3fv%nDIFPqtTd`m#4S}@$&Mr#Z;tJ zO|&eOx1txm{>X0HyAv+_RaE;y+@Qi4tpXtyWvAhtFcU zs+&^9z_e)7@ex;V!4Dko+{*tyQaAj+18Mr~Q!W+e>f1{P(Z}f`=09TnJ3%R> zq;AV*6+2OG*IFgXwFz-D6aFLCzY~NI5Pugp-q)wRSFGaUf9?IuyAt}YB} zasYvU4P?WohTMg+T-v*5sLr(w<2uih^@!PAx+SqnC8@mELe4Vh3=xD<#192DYEI>I zfG{OpMarh%%=zyKma@0f8Mt`9%IMy^_mY_Rm_dKG67i{74qC72{|B2vRXqaf!AbxC N002ovPDHLkV1jVSeq#Ut diff --git a/security-admin/src/main/webapp/images/hline.png b/security-admin/src/main/webapp/images/hline.png deleted file mode 100644 index b488b952d632f5bb078287fb67a09e1312850941..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 99 zcmeAS@N?(olHy`uVBq!ia0vp^Yk-)UgAGXXRX=$Qq_jL;978;KlmGnxZ+}=rg12#@ y5L1ssd*8Af3x%Q=ze`Dw(M@y@J{Z8o$S~;`+uxa2HG+Y<7(8A5T-G@yGywqrh8@NL 
diff --git a/security-admin/src/main/webapp/images/knox.gif b/security-admin/src/main/webapp/images/knox.gif deleted file mode 100644 index 3edc8fda8c245e400ac9c7a0ca12be0342937fbe..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2347 zcmbVMdpMM78-HnNFgX)KuPKF?voS{0Fa~9;Ok1>V88dH;%y}@Tvg9zPgR=^$$>tE% zW=m>)m18JM8_`Cq+DO_GmCp0c)au(mx^}PYd#?9--{-lX-|zn2_x;?@8xTYzc`_>j z3~<^A7=C)K{eDgTU|vDnw>_ivuij0UbTX@Ylb+6uUKlD3`gk-Ly)j zQaPv$!s($Pl__DWzspxh1x(gfNCHMd(Hx#P@>%00B**?vK@qxp+sS$4CB%XvRb>oQ_&3d3hVwQ*_kZ|}s zP~(vq#gCVGBh`_9PJt_+)4w?8iBX>tLb3QxBSJC3N zNdgER28sFcA{L~EFPbH*YxmDW8lXBF@;4%m`cRm0R6Z-73-KgDRBxnu2gT;F$rv0- zT}2N9#sh~TlCW43hJ^Pe(R^`gJJpwlpY`!oE`>lP5oi>DjSH+l&XYhTl5lvcAD)WA z_~HF#xj{U!gvnz;v$`CO?q{y&KXS=_B8VyBi`Me_akCu|8pD_H#W8#V=*J*}PIM-V z!_yd?H3#%LUn(TxBtUGMh|dK-RhZ2AS_J=^`DZTs|EU^U9SmC29)D|>S(Ca4HPbK6 zuU>q)J`hiRXGH4Dp{4rx;r+X}Z(h&5dii2{>iOier++?~cs%}SZ1mwD5ANR^`Tg$j z(4F6I4-VYw@4NZyjo$0mdb+P(>FVsb+}_sO(%f|E;)VY-{&N0Y!`b>Xr+=Bz8AtHSJx^LGq!q$X-6G9JOy(%a$ zfaXv2^QEj@;p4sBi|k4AAi5LqI4lN@a&ukg;_S3^iR0o$NC$ACy`Aj>8*8iimKNq_ zrY6QlhVu{x`g-uWx;n5q+FAhM@CK%S8v(9>dT9Pq08BO66;ykHG||(jige0ma}LGS zoQ#{eC~#%?o7pM~Z7GcI>J(O>tBqVse?)2vxWIM9Z_mK1vTf&{aFY zWGmb;#AsJX+r;h818;i;*tQ=a$)?DFxp3PE4xqY%UV2aux_z! 
zrfzsAyJcsOwpYNqEUUqepR!jVr$~LZ;*On!cu3W0z2=t4pIW%a^w*%DjxR*uL*D<~n8affuPs(v@E1P-*EHuk=RIVOszFBZ%>rz1__-FSR9^@+6?}4UG zjY6d5k@MG@$A1%w`1a)yJBioj6QSED_v;Bw@;apBs1jZdQkL0o7!0sW9vhdZ%7lnq-!Mds#pcu* zXHj5=A>xs_*&AkaUvfN~;2ZqnAhTSzQ!vvM#n_W|H6_-uFA`<5QkuDY^RR_pc2U<- z$|i)!e^Hu6p$80VDU$jIH`+Cq1Y3oKK42JyCo~sJ$)¥=6ck%0>H@-hJ7$E#`F)rFw@GvMS#&-Kvzdn|#}) z>O#$6bxHMG^7T@Kpau%CpYk|HRn7<=8MjWq_SRKLYVY8DJatKgTr}T&bU!k_<=*33 zS+L$f{jXaxDJhLhw$Wn5;Pa*$2DriGRPz;o<;8;Jom%pX1Ir$TvGhxn?E`?i$Al*qNyQZZVhaIc3+30XjcYaQ^ zu=%dGC&r{CX=7mP`-D}8kFTil(rRV|#*P&KVrmkuTVMBT%6L7LYtv9tInZ4(?S4Tk zFJPo_(){5o*>s&Sd2(nW{@DSo!{>Pd&@3bo*Upl(x)z!+MmMJ4u7&%wSrrR*v}F;t zOF5NE6T>h}H)aiLPRP8K^n{0hTtRj%{%|td7>LfUC>*rQ@?GWFSb_E6xlH8EjO}Lc zZpZJ)G1q@=XWlzww_bl_tQCj%^{Nxzyj^;_&B~mP`uU?G5e|pISzYa76FU%r0Q@a*He$quyY{fhzqB|Q@W@cJ*8IJHCo 
diff --git a/security-admin/src/main/webapp/images/knox1.png b/security-admin/src/main/webapp/images/knox1.png deleted file mode 100644 index 56265c73431c6dd3cdcb068d6ab599309f384566..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 34126 zcmZVm2{@E**glRw_AN_VNgcrRT%Zwx`q z;J?feCp-9O*}H8Mf}ROqI)Cg(ui+LpCfymy(pgyhI@DTNgv8Cw^!A{(K;aK% z0%9&kT|R5J-AiO%lOM)~LM8U6&-a-y8GcZA8_r8^t*NQeR*Xfxi`r~Kjy!=hxak2B z@AfB+Lnk;UN`eF|3!I)Di`GxDYp`&)KNVts?A2=v$ve}Nw;T=HOU|x#-4BPa+Ie&E zInG<&p7g;B40l7tQ~lxGav3<9tBcE^LvZl9H2hqm#K5!8lt*gl6d7LHd%ojZ3@~6yUl(%vc_3O?=?iY1 zLMD^p($dnOkKW!>-^5`dazRh9FAXXVHOc1|xBNQ(G4SWFt?ydOJB#rs&z0X0)1GI7 zo7BjJx5D< zX=e=FAkQEYOgvY&krgZTe zURzt(B+F~0Hv$nxGLXjnI$6Qkk7^4RY}C{ORIE^s^um@!kSxn(wI0J72}QX-_e1YYFxe zc*1#_Y~IOa%C6;;Urxr!Vj(+dQksJvcgsMuQ zsI|GCA~e0<5aSI#+h7uJpe}?dPCRbyI}x>AqNL zs7-li`v-iRvX=Y_CLHKY-0rb)J$~|WrX=jXoon`9bU%__Z#nWiPFY57)GNh@?K-=? zd5ituU+JQJjKdqyUBRrf(#;#6NA)P{<0-qytcwK}U%%=>y7h>xH~Rl=bpS`6(t2m) zm)JxmtTru^z$Gg_!)F2~4n^%43I^$zY6@fHnF`LcHnpJ75FyWs2sYr6j0vqH?F$opafh#2F+LZ78_erNnj zhe63&wgux18hC<(2X>Lh#tis3grR|bAv50vL(;uYIna-$N;SD*o@iPg<)bw=o))FD zachu99py}_9RlQT>|A&Jz@I;p1J;Y{twH7PdB0-ppLc8)MlB}XxdWe<*vHkIIY96& zO-@ce7jwj!!;TFtw_8pUXr4 z0U1WW9B&-*UsFQ!(HOS*eCahTG4ya`t|c3}3CD_t1axNpAPGkjw6>^1GKP1$>ZlHt zEZ`GfADbhS>I4N0j0| z6gxhg{H+&3aIJIaW@YBr^z)@j_cm&JbY>At-s90>-Z3_}pJE^m`b#2x7E_k|q5BoZ zK67w?NYH5VIgY`<9$>S$H!{6>Ef?6(V%qNm8ABJelv`g3nl1-H;^Ywr35wzlJ`P zDCLBR%e1a{GlFHEPssVjuer9d2d}g8|A~g5AL%#!?H@3=IAogbh7bFr$ zN~w9x8zlPO%qr!&xJ-4Yd%dgfzp8~ESsz~fe00n7#LZfl_JktDABT_Rx#$rPo}SyD&-V7o z(;oEH)ZE1LwD05C>j#K;gQE&h@8PCiP}m9RqOd_MRvvO#{eaW@g)!HU2m+ zb=r4zW-+*Bvw}AE$3$+S|Ela`*wh$Dp3GkCY4^X@TLI{a5sd%)SgOO)!$^34|I@c= z%*bnmloZpN_tH?xMgez()3@!>qD!qGO<6p1r=87~Xl^6r+|=(o1&6D=RE@Dbn52d} z(JQ>m{dDir!*`o}TftfoDcxc%d*DWPnhJJ$^WL$|;Jpf^TWO4FNfgj`!w!^4paTgRSVlN_yJ@>2`n zGR^xmMkIgf*fcX9jyKD9+;Uq8jqXc-y(;+PyiOt;d7XW=>AHPeq_O3h6DKyzl2nMW zjRM+H$g_&8d}3-VsN|(5=J9_9VUv5>1H^b2&ZmUsDJBJezBDzbp2t)yJP=`L;-B{U 
zGwq(+!taW_UlmL<4_)cab5>t)T8csIUyaudjz(_|4mVAmo*4`Yrko<89!f>{+VX4$ zpQrVR-f^ung1C>loTI&oySc9SZ?(cGuK}M<7Thni&k81=E!am}OE%(S8@00hdfHzv z1x2inqjV%yytnay-6E~MUZtW$sNB}c4E@*HO9L%95J=ZM%%*~Xj0zzQ!Y{% zfR$TJ+Dr>*;Mu{jfc0p-N?D#}gX0 zj>Oh$={Znio%#@hSb^d27~%D<^74*w`etW=eC#c}D-J>Bq1B~kWszc6=MMPXZuzJi zNQXcO6fXA=w~}06D~{={A>4fN@7Rv5%3s!O%jhOD4Dm_!`e~*t>kBE#X^E$EAEQ*` zHzss<(V!$;vA2!Q2EMhmwcvu(Iiso`)1LZ^hnKnb?x!q;>&4_=2o>X{^?p~y9)li^ z^RGE!`j41ot!oW&i>vvPt$@FHwZ`Xjf{Qgc)A;55Go9ou5vBbSd~kWeeVcfj+c1`# z?7%I(T5+aInL`oHnM35}l^V-gx*TLA`2+2NGDdm{i>UMmtN#+R}q~JFp*fAZRVy zq)BVObT*c6mt(@Y5h}|q_)H>Oj(|IUL+$E%KxI##EOdD;8t&XTK@0?LPPtb|$E)++ zA0ED9OF189jH2Yh$ywN?CVnE!_@$+)+`3uK8qYykQzskRYK0P_v7YTpX86b7tCcrs zJ!y*}uC5c3W#}1|!PfqMxQouxR`ru2@3}H|?L+9-nC&oRnpl$N_wtZN5wp75^wPPGo=AQb};HQ*T*WE%knW zkIIuqIp{!Wm<`^!uq+9ArC3}bl$BBYB3WBfebcM&iyV!`reO(U! zsv!r`&vP^t$N!c)kjqq>;r-Ny_!N#ty{jE-qlQadq19%zzoMD6PGih)I}yahH_l)V z4n2T`0$EVB)#Ha!i_b({?E4FX1pN!hk#Rd7NjNPoF7Ak26%Py3<#^$p?_>P>BMya_ z;gJn9Fc1TxG&C4d9^0$oO)hU@eo87ajWy=yo7w2CkSq5mf4^Tl=#6{dkI=jV8BFZB zV`mp{^+o6UA6nW7^_+3{`NF6vrs~&6;CR|TJAXRFaNJY>J!yS-^FgnP%Yyys+H$K3 z2?g-*=2t`5s?tfDq)q#BJ6fiWuE$OkDi95qvD_UJbP8kYeS&wF>P*Cr!BhC9~yxEs}ffx7?VI7jJ6az5m}bGdu*XEOPFK$LJkhzYO84G;Vn^U%lm%6e7OXu;Xp!Z^pB} z6LsuL8H?bd`MJVrgi+R{oJRx)o0NZpXb4L)xja%*Q|ijmtFO4!YtkveMHA_$b_eI5 zNnlTMeO(T}PQLKZr=*>iS~htPl}AojNk>Yxn%f zi7S`??+cQZ@eSKA)UeTKZ;3YvWAc`Qw^YmL1dlaU+k0nR4GD{!-Pz?MrTnkLs|&jF zsT7Lw)Xp~S=B6=yD`RV|{luKJKQ!#2E&TTKvx6OfpYLQ|$)yny6TJ%cz6dJgRKm^4 zUMTKzV>dDfw-Dy%1@s(=P)%iLMZ4^U$DGtI|;UGn_4z%$(pTvA&l(a0L)r+sQj(DO&Ge=Q9*Y^3ze9Vh5V8_R#(XqooOy-J z*UaYfUt$09iX(41L2j=Qzd7H0bVOINb0L#R$2YuNANwRMakX;{VM-8h&@Qll0ykN-(%&`@1Cle&iky=s05zpH#uMCn8loM#lql=M}C zNtTtK02RN_bDMg$T`_w##wQ~D)<6M46CD4gO<>I~E)|CAYho|Jh*XDyv`;s@65qYs zRJJ;g5~(4qm@?%YlVI9=$1m}C`wnJ-YXbvN4?BJ%C5q_K27Zhx=uA|^8T?gys=dmW zsg@uCgIT(D;Fteg4otsce^7vPCfXSGM=TiX<0&7LHQ?J->v9NtL!ZWjN!#0uJ+hdV z(+Hm}nAwf_S=S4(@@QD86#h5Yf?xGxkKha5!?wu#Z?tnBrmDeqdHQ9PluVoT7PxFV 
zxwsgKdBhB+##)GJ`cu~NCB@7}H}v6R8;5Gb=3rxsm)BNm@k3;PuHxC-QV6+Lwrch_ z$9x!fAJH*zL|bmB7FJmM{P}bCiVvB7=-{B1=6>33BO@=j+wFJ!d-I)Iz~9sCq%cqv z7yNE$xD!`vjZJ9iiEYmfgeDhRFmvXL>rxO*9;urSH-qx6RMuHGs_7XXpiXYwz5I0N zauV_8ifeoB5kKD^faQsVcjwx!Sspl(M-Oh`rp+x*Pfq4n3^lK<&i0~;1opOzA(rd~ z6$mO=<5eM3lRt*ypW3hr5Q{5*UCG3IE&Oq&JhaSkFGt?)m~y^%YiqUA4gEX%3SFlr z8XOcX-d+5ph$jWG49?6C{>k5bQGH!aCNiDFP65kl^;IO&Y9o3%?^pB8Oo)Sa23!L~ z#cFr9gR_(&E#~Gs_r_k%3uWcFrJUIgBNpEaN}sHrc}e{2Z-iD8sIhosAU&vd#+R)* zZnGIAZSMX3^`drRO(rKNqb+Te;v2Ns^LmyHWB=cJoq~Vb$cAPvmjX80b>Ah$C*P?z zm>)*9gm!03Xe)Z#1PRdhhszA|XkY&t?y63?CAlmEIVxBfexum0{LsH^bTs2nESJ>n)sR<;NPU`bD5g~Wi53MUbRFD9devsuJfUDlt zj-pu>#h~2AllR8Pt9ZDRCB~}kuluPlm=|?=@vW5v(v8!jr~A}5c4{5d8M){!jqO>b zLOzMsCpQjYoc#_9hFF@#_$f)ca(rK0n&Fa6yqeMeYxA9wXw!wE(8jxHu7h`;yiVd0 zml@n~a4$7A1i7l1g7EJu13F8M3#FpwbSrjW?RTjNB=jMB-*ie^O)Z2{qXB^8dX9N*TL!?M_yy0 zzQ61iCzV4<`a6lR>kEgB;B^Gk@2}zA-6I?#A~9vm6He^x=$8Yxp~U=er0MGF>a_kr zcSEKLfCkp@j4^?Y+SFH)#*>l~?eCE}FbNu72j(UxH>=GXR~=7>Sol3|>t!Vs2vJTZB2{~N(th)0eH1vh$wcEg#NEXp{ia$~0RbW7>f? 
zy5T`g^v_}k?5D~NDC>*$AFErKi5u!^$TCNYde6tqJ&YSa`g@p<=8bv=}b8_Cc1fOo7}e`z(S-Nz+@5z1>A&;DYF#HeAke z^j;f@y7PHj1`8IJORN~3`;1hcGM}L3XJ1_#nKt+_s`z=c)uk?>dG*H=<;ScpQhiqd zaL*IeJnx~DW(IrU4SlwM554-ED3l}4D#n<>xTTA)?`lA5s&XRq_}w4yvf1R^+-dcb zf-T3B{HFo#@0u;Jd5Z{X7i+yDf4H%tiIiL~89X`~|EmgIn-(%K$yf3U2^#=fHJY6E z=c7U3j>qCU58T@tFs2};Dik=W=)`somBTnR)7!g=x{a7&oJ3eZy z=hyMDXC{h@L}U#<@Oi3D7TriaH68d>#%4pA>YydZO1JpNPs?rF*;jt01VfbXhM^nd z#Xr-N-OB{9q48t0eLe#&O!C(=`CnpfZcqDfIN&!a$JW}CdT|C!>ia^&dr04%6J_n%n*|`zE%d`;94o5@J2SM~GR^N}H807Z0X>6yzxZ%Xj*rFWHOu02AlCi}Uw^2{DS>P3jW22&NuoIGsS)8ge!|zRo7WE zgfQ)yM{Q?bzocq|7mB zg3^g9{Freb4BlsPX8IEJW&8<3n{a|bPyF?TGKp{B$^_w3-(SG{PcOA~=zq4HD!60O zUceM{`P9y7>hUM3-7;Rx>kyWK+NKLEjPzS9=adocE+wVF%iP#`2*ICp8ax!#tWoc$ zi}x2_$kVNT;#I6=u%c-M$*Qn33KUBTZLge9qYo97KzCWdBpslJukV)r<4NpuCAqS~ob zd0YbH(pq^_6`K5CK$UaG_Zi#09qSL~Xoktl`Rb2lK@*(}lmAJD9y6Vqt~i|i=JkyP za8>Ar0uI|lZ(s$CjbZZXzB(lPsg+&>BL{Qd=1l(Un&T_w#xK2Y05m3m?)mRVZde!@ zHA&Y69&s`<$N%_olJzI!4bBCDo|UtM?g0dWVRG};iR(5p0B=)c<-^!*`>Wq;0mQ7L z_S8J~%PghDqN3}jA_`KbgoefE!71o{oVQ{HvVo_(<%e)J;hgUF^TT()6~gF{=c{`h zSZhvgZz9aX%d7LTzg#Bq&mNF8XnxLlVNF%7=V4`TI+d*T#n-s*<2m}`^FWR@nmP#f z(*W>GG3A8(NZX+v*9EdNk~$_Oiv4n=W@=lYVZs?di5DF%%B2AFtkCZcH@l->pe5^T zjO7`7C^xpmx4&zx<-4!Ncu@|=o2 z3{WKs3>fCSyUW{M>U8BZz89Kt9&A<-+xcVXz4<19A-7^^)yOMgp7Hnw<6&M1dp*>~ z7!~*ay>EU;m(wjjs60EbgMK~qNRYstJ47wX$|Bex(jmHbG$t==7T0tkMj`dX?A+Y# z{d*^<9%%aNNKNN6UaNHV^@`fFLmvsyqVU8&uH%aR_O0f1@%Hu(H!d=RX3`&sNqjRK zlS_5=0l=cok@`=oC)K=8`fe^y!l2^nyv=5$=7~51|E%}z!<(+mXp!=C7$WW{oF?SA>prIy;_dSHLzDIGB=c$moM$E1QbTT6aCBk zf7w-kCuBF;w0j2w>X}M4PPc?Mhakh4%|1P1@y!9aqsCUFG3@FWOC^h=DjQES+o@N+ z@n^bO+uI+#R%?IX??&nKY;WcyrceFjoML_IwL4B_Sums)#(DS7XBB^w(hu6MDpe@M z!zY)$s(55Uv<4&jC4!XQ=yOM~z{lZix@t$YBhF#{0~h9X)vq7hehhDjTJWaWos9E^ zl3@I#rl5cfN$mQK!#~EEpoY!N(E|woVNzY)VlaT7zfu|&)0b9~%Pi+2RXg?C4MOdY zoyu{06c!3Xn{rcpd^{Ze@S)G1W>l0hOPoQYF6~8X=ivaNl~K!~YsolW)%ZJZC>@d{ z^8RI&oF(FC$M>Q-7JjsiEn5&u4!AhajW$oVrqMNG>v?@}AI>Lf{i&~?OmKI151r$e zT`ee!Uo-dZrGs5J7MRnvHhmL|0sm{p9a_^-{rh*{hHay~zakjP 
z7mSpwmG?_6vbOC|U%f^@wm$W1HjDGvuk8w6)>r36lj%u0*7zxjd_@HXv|{vo|AU;J z)opFREkB&jT|d$qh=4egJK^nbbx?{WgoHkI1}-IWt?A|Y=Wj7xvowr;PI`ZZzG9jM z_Tu3Ip71n7?8_f$l;<7!xudH&R7%%hO2e%86SH2|IupO!z^hP^Cp^uML@C2Xcj z*{H=u*)DJLBRIy_OMU<5uK|3CJuSMwZc`oQd3WjieIYuw;q%~hB#A$>>WVZQy1W8} zot@J8{Uq02zpQl^ed1>cBTn66I{@VVA~C z&uzY2LhR{v=epkUnA_^{GB;28+ykfoC|)LkA=e32NmnMKRqLBH6@SGbesvnb-H5(;J>>jR?t^-Ta1FpHx6qGXt*8^hBwXoJU-`KW6R5fTARjUowCJ&aon(RGJ_TN_BST7 z&aTQcEgwWne&H=w)BuEaDX(@;4vR_P|CB*}1MA)tn|vok;>DbY!CoCdDwTqA{EL3P zExPbxCb7Wr^gKDUVBo#n3eHu%)KuT^qQidX|5v1XO|?<7B4v!I@&H_6+yNEu_MwEMn{@xEqIb=D8<{bA z0*lzn#6ml!E@o45IJm{rbIjYUc#j6Ftj)GQCEIBr--+cqaMC;=E8ERyvEtqPlIFBb z;@75^V@L?7Gn5X}C3$n6gnu#Q;*K5l%w38@DPW9)%a2L-05nM#Z*{zo-j==rzYr>m zv;9B(w;oh{`J4HI-%nvxXU83M@Yt%f^n=$--ie}-zT|t^Zbl9>2%p8aFd4(&y4u0>BfgWTB6@ zw`;a&#+BLbkZ}eYSUC6}8u%a1HkViW!CxsUtv*hgU1|0G-wV;)Pn1A~X#c&Z3p-w4 z<-Vo@iEX&E?qqzc<`12nov-OHEE^~8lK?QQZwyBVwigkqIL``b6gS#JO?V?~+T)`EjmP-k=CohnSn zlihzX$YWexd;;99n^DidL6?ZVU=?4r^WFNi2ayo3ar;T=!I0INjXfBygh=4$?*nA7 zuWtdRC@=4K!C{Z{nv}3(*P$t{r?m=Zn=pd=xR2i1PjJ+G=w0*aZ4Zkab0gbkpWu%~ zj(lBM2+=4-HaIuA&fnHh+a_gg-+B#K&ZI6a*_JUM{9vgM2iSGnWqXAz1L??M2OM%Y zMNcpL4M?qZmt2H<`oD$6H}7oh{`ty~>#-lS;B?{46K^f;4Z!+7n=TzrVw=5vkUjvr z>A`%JlcvG+Smoi!C;-Safl7p9?WnLfCkEvZ#-d}zZ!)N4ak9PTbSp+H6{pTd`XW$x z&S5vpaZe%}$B*dMrgJ7t?<`?6H`lm{^m=59>+V=L0AjzzVq=UgRZg5(8GmFF8h}~=fadR7*)FJt5Q=W?3{cT4b0XlnKZ6Gl$5`Fv_{Oeg zSeBdHX|9yecnjc(zNu}zUxtLg&b8Gw$_1@^czLZ&pG$@hCL{f4JUZ$*=&hC=NKuJN zdtb0OU(^l-`Q2PNoOFRm`2Tl7iwOz%zrK-?k!W0D;W8hzh4>DWe=W6Z+u6 zgBW|9!8iWZQXg;`9CE#!1)Bp_9sk!0frQkZHU7KSdegPZ4>K*m84Mel-M&QN-r%{S znYQX>=q7$pBI4rV*Ee!^hDkF_DD(EGwZ%sNc~9_~BFwI{!8buIm6*jnJgL4m@J z^#vi(Jqiw|)?KQ5{>gU2ndcP0KdM^eGVNmEWESrD`_;cJV+_+0N7^45+iIkBDI9T@ z*tf4ZsVz;qg99~C+L|WHm!Ro0r3_X*{UJC3WED>yIL}${30n(KxYdi;gBiQkVurrZ zA{tObw|D=Kbj+vJm=z$>Vz5&!8&vLtGWJn9o z{A@OZg_@#KejHvL^i<o+NPQP{V zP)uaog`q}cjqT7g-#Iv+20yDnVUZa(lhMCpL&xX3pXt)}GXeXxUwpm)wC_F)VRecr zPa{oWGqcMj864NeT zXMT!|!l-c^rH8AG%Y?%|XlwUa;O}pkHa|8$iYk(jy60nQ7Ki4}^DqN30zlUe8q~_+z 
zu-`TC%P|d&)xUx`E9c?lFW0|XZE+tfuqZ8A$)7%FIg2g)*!JhaGQW}OURBh{%)WW} z&(KRL%07#u>DSW~mA`-q3@4n<%{v`?nQ)j8^!GFaNtGS_` zS*3Wr2ZkEZl*`O^87!kF50SC)Ous3Val)<1xq-)cfz94MtJ#J|zkmOpc|@~&KqqT5 z9Zv_2<&4pEUls0s<(Wu5qqYx5<%pGOQ>EBkn4<}pp9rX^gRjK5&Z86~x@5G_<(?%w@w z36Bdrpi(56GK8&&RZ%w~3Wu3dlLAuLqg#?EFi z>&8Q+c4?*?OBs8d#Ty7+Y3W2X$artJvLY;bA*`k+BHh^F_+-BOYGk-yS7i zOXpwxiYnR<&h>FIRrt@{)XHeap9iwG?u5@@5^bpKdm|>G(?>M zTfc_zCX-wOh?uSD6_tWmGv}fsW>4-OBvP_20l6yrr8GNwba3++=4je>TyiuAn@E+= zCMc`4rdYscGFLv`zz%-X{X{)r!fpE5INf^TCj;c224WQYO6gMmpoRcvDUx#mrB6-a z8n^__|8VlVtBEb1YEE7vsHhh@h`w*O;Dc#>0I6p6NO5t1no!+*@g6{Hxvb6gqZN^D z7wK;x-%zjPS8c|a_Vxgi&E|L`u8Ewwmd(G~finL3$tf28E?05)L-dhAw3|N%dp=fd zZ`URa(()Otxzmg5Kr02Ub3hTQGnN^pbbzks0^r~5(F%&#n-A1?wnm1ZweIz99@QVY zJizlw&1KF9#Za`MVNh86b-m(I1`$WSg$gSF0t|6W6Vpd(F%I_yX44}MOO)VnHC2!f zTTOGBovQ24HYO_}9a-L;_LN_#wtloI3~HLAK{!j!1^LVc1t{+CyydiJ=E`>w4*FTh z#MJb-P{{d2N!GG+Hc#Zdi!(B|E|hrko|(l(P>{D^O&;>9pF6HV+~b^^40cpZ2uDnb zmRQ-e%Kjk}L~~Y&ytt*|)kyG8j-~t>Sx8y%UQDUAo*L@@cAx{Pxx1VL_e%+qS1Ux@ zL_VZ8{IK?|kI6)jtlT|oXn$ejcFfAqMe7NTXBWcQ=}Z9RyQqd-N7{p6=RFUlH)3?d7VJ4Joq4Zd9Rat5cgi_!_rh&U8@&T^J7iAN4Eat3EoM zXRUJ_L-p_szZ(DHLn%vnwZ5Nj3e^WOV`;lFL?Zg-MqC`#m8*I(yJf1Sl1m8^5Oi`@ z8gt$)AB$Y7N04cFR7!TnSP^@)u_R%xWQ`G69St;itU+YG6)(&&1Mf(&~TsrNF>nMp*wf(_)Tb|+y;R<04Of#dZ)xZ z6*nC`{e>~9!zBJaAYTck^%2nwYICgg=PvvkJ6?$f0>76yf}=ujV03hJ|3L{pE3TwJ zw4T*^bV8a+Ce6e97F)-)9zD+ZYRNEeTJ#t$P2^~*bl8DM|gR8XC0R6pUt-?bPs=UQE<76Lyz%iu##e-@_c>lGCd5AKjn zj{=n|2)9Dp+9IG~HqD4_c+dpU7HcHA6Bz++`PAC;=g<9-f!uf!Xz6%SYkUMn0Z#R%(Rn*6 zd#Q6_oVcyaeeeJ7q1_LewfS)KcNY)OyY$-M(wBp@9ilI#wGtx#&=Anbfj)$hg{IcN zP~G4xrb;g$#C{|VTOE8yoi!yCAK@V3Dk@NAU!tBIz!08J-%A#hJFtr#p?3T@Ibyb# z<3p(8rMB#GE@%C9)0`J~H_MGYZo(d`rH=P=wPK2eNM@vUGoXZazUd(mk ziMVK|%SpK*w~%O7;EbQ_FmqAZx+liH5mqgO7U6y-A$O#V%_?%sU2CR^>U8hkR1-u~ z1qrs)5s3^H3HFH`fqQy)skbv%?#hj+dCu%zuU(zh_}p8B#z`9qK~q3YkCf0xk?rz< zGZ0&O9vr+TYeQfyS7z$xpFq~TTy@Yi;iPswd$y4dwD#Dsv1N`2wzi$-kM-mTAn2n3 zOIQ)qJjj~UecQqawVT;X_DI&>3L0(N1^jdk^5-YD?^(-6e%%n;7NW#(G)ri{pS_kH 
zu3LIp34dyDND%Exdfy#PnIw!dtw?|)rwf*sS?9Tf*C_XuSF>-}KaVw#uFexdr>f9) zwNZlz;<2&HYXF9zhP^dCZgT~+On^F5Dt_OpozMTAVP$Wwt&#PE2b-65NLp3(;!23` zW}FKPcBdZC#wZN$tAW|id;9mx#Tg9Xyyk17jfeg8C#%1`zqzEL#5y1nZd8_;GaEBw zc}x?t72gDZN@+pgT;bG~Twlsoirp{;JSSuD9VZJgi@Ao*kA2gKEqDRZ)vlwveiXid!$1-h^niG%5^ zcOHSFxCrK;B={*RP8WVmaG&p9Od6-8F0R8&zW!+6&(TlAzrF&|o@k!QV60$bNVSZM z&a+yGNXc*eZ!3Zy5(zcp%mSh3rA(y-Lk{7PQFTq{`AM|D?oG@&Y*{4Of2z48e%dbD zQ&;unnTv-X%N#7@d!gqLrhrp1=?6KAcxIKFR7CRuz}N4~^0WIz%e>qM$E=cC96`Eq zYM7UQzNj>iIJj|$`3pVdywsM%ciHH~bPJ#;az!s?+Df7iqZ|HTKyGl|HaS=)8Kozc zY!*}=4EhL2UmAb;YI9OsuF5V?Up)NiHp7%Z&N1Z$dTj5Y9oe*Q(=a%Y5NZFO_3BYX zBwVtPu+iq8HFWItIJb7sMui`1Qb}c<@Su$O-H{vIdgrB*O)rHcG8gJCaD=G>-Fhr$ z^Y$q*-zxl^hg>uzze-4lvyNEI$RzA4fpeNm!_6!!p}oGUb0yvIr!7n@t4Ri#6VPq- z;UC7!P)1C*UJK(_OhrJm8V;8R{f^&HsTgu~QQuEHicu@~Al?@ecev_M3IMb@@%s8> zRpGp;9edwTu>}&Z+yHC9?}YO&ouRttOdS-;=Kbg35t}bYWx85IUy2$ZMbNz;Z;C^Y zJv>&3UltF|%R!f`h%i|Lh+C9e6i5%KCDO~Evh-tUAA!nut_gXf@L`w(5SAm})moR> zcM~3k=x^Ly;#OYP`KSV%N+fdWeYp8fBqYDtt+j7EQ3-!RjK)=c5#Vb0b?EXaDs);oGy}@U# zmiBgPPOl3g(EdJo<-hPxUaW@=LbIg#Pk?yO2NzfcGQ?r_-Q!3A{ zf6|imM)EWXw?3!EJe3^N>xyT{9Z$2l&Xtu*JD1K932A9ty%>MYRxTf}bK_xBM6LCs zq7N5RDW$%E4f$qTe@U7({+^M;g)%Msg_i;J_aW(bSH9oBdv}Nj{7D%Z5lZK_JQgS0 z&T+s9#^G9kZ1BvBeS8Mh_F?hR^v%pYAlB_)%)UD!etKPFQcT;=%hfd}yDj)eUABag z!|cYz-OUS|U+T?nsoPN8k3SKlFxho^I_oLMQvDAL7L|yG8v8XbE?Z|lDCr69I5XM4 zXyljIl(DH=ZsJ_JZ{RghH7qYb_6xQmb3mMu5_@+c2R)6LzeHJX|(}o$PA_nH=<{W9c6N3`Nd!4o-TuUD`}^`l_#3Pn z{a4;zp8L+lT9`(ETffsEeV@EI3%E7teaXH3t(gu7xWicBwcY^%5{P99mC0?p=mA_=9;;wb|>O~ zl@kdk!j1jTrzB5<$Q?)ke3>?<`8&h4Cw2G_V8hqicvE9Mll=Ml`Q|n*Du`q*DmSqJ zF*cYyI6arv&vV&4PwT<-_rCh-gB;NUgdfZxt+oGP+g|l`wZGeQfAXwjoq2J7RXtWV z)^Y^vZJ@s2|J#yi>gI9c<-?!-nMvYR^=GaUkPZurpcYP@I`FWquIW^^Rh{-qI|gX9 zpPj+R5sAdItgP~aykEj|O?JGx(eTve==8R>V9<@S`~pFp%zv%M&PNOLiJAiPuRC%< zG?87UO@wPkoYY1j=9}eFRDZ)3v3a~U*U1kbwO2^Tydz|@9Z67)GoS)U!hU1lDA)h0 zRbL}`;9_CU(^K3u&f^;E8WyVY_^IW|XY(_CMeezxp}r%`zrXP#Sm}0;Cx(oNOS&*X zMEB8nxagoU?6VI5Vr>rcbOR4d};-8s4s!57y@Hgzwhr`(W9#xY=NrnV5L-6E>LAYIkf7_97PM 
zW+a7HYcArJV^Cz8&6Q!D(Q%=Q#a|dgR^6{_8)|bQ!Cjtzf7wSuI$@WCKo=UPq~c>V zDSY!*;*ahu2U$e*U2pZr(Z=i2s&h(oDI>jb7{cxL-QB6g&b`^$F0I35eus>JjMVpu zqAk5PW9-vWMrmgo{gVcYau$o#Y`YV+i-)EzjVf_kEUlxj-5v9Xh(Gz%HCmnqzYC(V zlt=c}H|%{?>b+SK)4nnRG8N%9nFMEZMzc0Elbb>k?30Qv)AwGy;dniOl(;c;Ch`@z z%y|jTLM0aFg#Mg@O@4YsvPNcsQ zqCEXLz|fNj0I1`hOaNMazl5L;>_SVR!EcFIrD;|<(|XCxbGDDYywZ3=-}e+6Vn6i4 z)zs*mnJcZ(%!0kK5`x*n#NmmNKDEXB$)YqgK2X@*rE=n2Cp0__x@lX4bS#C!jegmG z-?i^|_x+}fadkto<%^;LinuHTe0MR1V)~Au`n>z&cIzO-#nsox6Zd|h`96BIIa1=q zuZ1rt7?*$FRtPlMb48^eXw{CYTLNtxCuN1|!ZD(Im^&XTWQCsB@p_m!7;k8c@T)x{ znu!TSi%T30e2>k(+iV5MFbjCvb=fFRTKUwFg%{a!@&;My({$5p5mRr`H6!ons1USP`M4zqI$K*;HbFP)xSGoVB@VeWV{jA8_XM+El;M^aG zd0)6teA0b+Vx1qS=s%Oa5O^&Y|2B;U2n(W(rwZ7ZpQ1M93F5Vv9m4p%yv7Hj3_0lf zoPLMY*E>h3p#AX9kcHhkW4tSCQ^nk+x5br45(a?4KvdrGi{&*na}jo@mWAaO z&hgQHq55@57vc;^oE-G$rSbhdK#L26m=Cl62AAdC8%c%VQLmhhCw`g40;N3?eMpR# z-j}~p4=o$_AXddzJNkd>I?^wq^oK&L(AN(<>As)ciXG?Do>o5e1GCs*)pj)dIM?3P zV!-EgO3tTMh2Q_Ix&EWtA`Nbo2K7Yl!%w6TUjVY#Aw?$0KYoec#$mbIHT{Xh`yG^b zOu5@J|8H!1ApkbFpGi!^(Ex_AaRoyo)k~lfmbpKFo7|&4boQ)M?W>N$J8f<*%>N$E zh-Df@uq%ZqC(6Kc|e5R{bsJmlMP{6YTIbwa@4RKt- z=Mr}_8-06Vy#E#BH+gva4sTJZX0S5bCPTKKKqb_S$Dc@O6PgIP4_ZDocZ$q#fjk9e zotkh{<%c_8E78o{-6|G7%n&aK!+EAhih!P~!;J+eU>Vh- z6kron3&0X~^oc>BN8zcqkm^9*?;xFX_mREf>^U>-EH!-249nT59A`}4-zC52Aw_$L zFh0lQIQ%Q#LVaYU_6E?#UDSSZV53*qLH|658e^NEY@cG7&rOYlFZntw;x4y`&P$!^ zY&*ks@Jt~?XE7$kI01)1(-kL7W}i3Sf}w@dMhM} zZ2EtOc3Rd39jSyS`>YwNoMss6wJUzd!Gh@uE-7*V&#$WB8>h_WhIvL&K2u5pD* zk_s7dX&_`}rR+!&QbzVp_TJaMzw^3!zw7<^ef{e-p7;5Bp7T7rS&$FlWM%xEbfYy-j>z*pvNt*bb0$D+#?P^FGE{LiJM{mlx0$cq|L z$s>D#@-Zy|Gj8;ziWsMW!eLsx>&sW%(g935--2wZ+x*s=DNLfjH_$itG|k;jParlB z4xvtaclJZ&$ABFFQwkA(^rdmSqV#hp^4xDPer&nAA2rnR#TY0u_ZQGSyh(Nv!2J3b z2@qAT4o8Sx{>5DB{~c?c+y53K+S|7h+`mJbrEj`Aj!Wl118JDr^54=z8MdrjeR^p? 
zXTRnJZpIBy82=h|!&Ho0ddH}|8Ui(l)G- zwm@~@)HkxsL!DE%R%^GZHwQtDR`&de%laD{^_d*0^d~D1l=>_A{S|je(p4^1e)fI+j*&kHJ)gz%0V0-(kkH$SD@QG-&>cv2 z+?_YuV`)wIkMv_;0e<E&d=YaKXFX|BQ0=O0?}M0VCb@)_Fw-kp0g{;HqiCwmv7STd2wMlySeo*VYyMkPi_(fZvhr`OS}g7f?Fs7bt_iV79C~W-}XlXut5mJ z4H2$2ev)L=l?aD+ow=GG`?szpjMs9eCY_|8@^RA$hjRq!rJPW~4z)a?H5uKndUwCc zraYCGK7=jP&7wRfeBlaW9ZpCMJkbG6yuovdIMaBr< zXCnZ6(^Lu?OAqJ}09#GIX&r0#JiHX$*GgE44fD++61%z`y9$SO+VfarF08#SUg^wt zeEB}Zan>^G%S=(W@eQ0xr;dHmQx$KSXqmX`fpTt~=OrHcVDuaBu0KGkp^-hekBIt! z5|W{`>Xe~|U}&}C_dIzeqpMpS=}KFWwG%ZXJn~Lv11!?DL-Cm{%1|)EMe3!*mJ5S!64nG--1~faLw@! zLz~Ie2osAeg zu(&K@*vwvyWJgW+i8s5xQ5W6UR8%x)g9_~_$FLr@QYHM&;X?p7JtN?`(T%AzB8SUS zTPV~=gd86_ZV4cEOivopwRscUS{i#_I5IIIy)i6~O<_k2kyw1i#^zVcK{M(Xcc)6{ z!0C*-YpZkDRa88>iiAv!U=mr1`DUNwHVZJ*&&!AKJ&ktqIrXaONA_TSQSs|V)r;FpGDo5%;s8q?4^UjtT1+Ws%?#(AjJIYM zB$})|9SrsL1M1BS)n96RLX$_eSjlK@a}!@1WmXY?6K84Myo$VJO=r_EJs43#eqmVS zzfjJPPsHCijl8l-G{ABMDj=nIxxarc%WopG_OL$LS}4LFN3uEs%!D_#`jel5 zo&vduY@dN9=f^rD`J%*THx7jz4u_MAz`m*>u15yHG){=>l#oyJd!GNrM>pWb34HS- zh6@oIiFpwh-`^xjz!5~$-|f)MVncI`r(VhFxw$TI^xnBfiFw=r-fx&a41y0)CWXM9 zgp7tvZuC#K;{DUbJ6LW~&h2`%bYpJ~!}y7+{^~_!#+x8(5HuXR;_xmh_ib_Xpdb2^ zKDrU^Kyvm=X&k$Fz2U?~ zf}4$0XsMZc?Rm`HWgrFINj0WFOnz5{Vt68<^A--aJ;nlKHYnG_6wqarG7kN^W&mPV!=F z>+2#l`}v1Wl^=l(R)kUU#BuXWAMmgEtdV$sXl=XY_&gy!9ohBhnXL+msnj)>3#TI# z8k!*9Hy))(K`Uzpkh%T!xac|X%2BjwOlmK?*RxwVy<|sKDQ6z-duwTjq?V^)kq7ulE+Q5AobatHu zi4NiMfTBJ}8xjjUwipQE6b8RGNqq6FIA}Kj@tLXT9V>7H@E2Q@dNPMH`eZH2W@SGA3wtT7@2DEr$u_LYdL2f-zH%e|fF<~9#6 zd?9B1yE{-vFK3rxmy*I z!@L1>*f{j$N!?XnL73g{e>bwR4%xl;irF`?myTTW!I(7&lnEFd=8;Q~%9CYg*`^@Z zYZ+cns|V6PV#XUrBm7Y{IZRJNZlsbecC2Zv*FbRKoLUIK{6y1?CdDjcoY?>4lX9IW z5XsNG$lRx*MD5Q7gs-ua4k;*H-w4?r{+1M6Wm$>0V@rBx2BMoqLMS=h3x#e4LCytV zS|Cd(?Vd$yRQ@pRt znw9SdpPYZA(W@>ZSM^id8^-3onDfyqVM|;})5vxB?lN6}#B54sfW979?uE%_2;ssr zv13&O)JS^iI1ST%;qN%vC&lKYLSWi%0MpMA2xQ#`*{^b}K^JJB=?7sZT;9VtmVtX% z_E&p@@84%Z3h+<^#O?DRGthA0P~DK*yf3smrojYH)M6C0Ff?qjTI75?GN03oW!>;P zHj#~g|C~|`B(Wie@#FPTqk1>sg}-A}sWASTy-;p?j7Z!>k3S%?sJh<{KGfx+VY{Sh 
z+5pOk(UsRfU5RKFmf3eSptLD3wn&6M^SJc+!tUT3LN$*;b8=|ee#+*ZjF|uYXJ-MP zjwSh@wRLsGz>{}OpXV+~Kq1O9Bu4nAb@nhXLVCK&d5`-1l;F0S*+aCTcIJ^bErD>y zo&PaiS7ExF$nIvTK=g1)u4i#1#V#B_%(IeaY3$RR1cUruxI8g2*!$s*&H-8GyZP1& zp1+#rLR`gFg8cb)?)}?qI z_?)$i2L$*ZY$|;SCPgU(;^d=8kBH&ngO0YrRqvE{cSQY|9SFp})Jx{9)O;mlz*$sQ z)`_bb96JI?reE-4lO8&}hX+4BYUt!?!Z%JtETYESnDPEQ<(*yBo9nkwP84OKHDupC z1g!f!Vh2vbz)hp|&ONS2j`d^9AH*UhdQ1TkV!E+MZqb=jjuS7%K)D=vyid3e*T|bX zY$~#4B__-*ojcS3CJNZeb}utOMZ$omp~$isv8&xou(@8JfSC4^Z&^k)z(noe=vzSqy1RDufSXSa5If?G z)E&uCx^)SYc1gq9Jj3oWg|;oYDWVIdH({pw_2L??V#m(RP)&4N9H9kgp6$e?QQ%Qh z!fxKVp)}9-u=fJbB1${4{_60$c)_1t*%|wy%k;;K{xkOVV~-Za5zqr$LiNBx5X2@e zgI;58rbYMjY`bgy-p{eNyFH$4jchNNEj-(>OCz{x5faHhK_N?ej@Yq=X^}kZg->|- zdpmXtkRni?soz8KD^n6-r*@Fm2Gs+1p9p#-WzdcHRatq^L`mv~m-e1N4^II{Qse`chGSSh%r^pmVcue|ifc05pIv>P8@{ z69Fdp;)C-So_9n^zZ3RXU|I=oY5}Q>Z88b)1&!8f*&QY#N2)LD?(PC^Wn7>P3|h}zs3goAE|esy z!-e0vt|WkdfIDAi3*d#b@<%MQBNy$qcPyy`tM~*u((y$tbV3(Wq|0xkdRd%!`y!Q{ znZGI}3a3No!oCG1f*rMuM*V%57HoPO$wtgMx?8Y{_A2-%~$$dDn@ zf_aJ>Z&Jj>gKdfpC%3k?zNvqX)jrFcDo}VqI}R}Y#en}0R~Lfm`Lci>C;cHY34ue?AScL##_q}EvY;y_)j{OUequr&b%(T2&&xibJGKh8w&*LmyCaFx-PV^51;4Y zcmOEtm*+#1q&{nx-{TAbA1SXW*)EAc=|Q7{5K@L236@dd*u=ucHPe`t=nos<+)YMP zIFWr|G&kLU!YaByyJ3cn!l~lTrF+Qu$?Cza^WcS-_bhCoSgKr}j}@+HlXDU_fy<>g zP_}OCfGLD@k_YnIozJOtPr~Zuk=Vc@4Rz5S&g5>w#}UIx-2%2(xiH2)5Yi%DVAZF8V!wJPg95mW74bZT@My-+v zgVOMbX!v`XUtj?45vCrt>|Y~jtzaHaeu}Di7e}ASMST>A@PMG#=q-=x_i#@FS4)`Z zwCuYE(-#5dBKJi#mFG zKe+NwQO(Frug^}hof*G>N&@t&aHxJ&tK>&{5WWa^Xyhn09%9=>=KY|rVLDkU@pd|N z`em5TL3HY`PmV)%-ZgCX>$=^eW{TQ<&ketcf$X|rypFv>L#}G8g;T$9e}bNV3(XIx z^t^`eEva}-(}z+@5wnhhy;$;NYTK&>_OchIGA1#krXw=Lc3jow8ri=;0XATW@cW`DLkw8er$=rSTJS zcFr*En{^n)fk~$cyg&`Ft7t%uBf9YR=oC&6;^c-t&dv27d-l~mLFrkW(djuWt3-i~ zW~C$;C~enky}lGEzohC3L^s0TA0doUv0wAT;%1D8I$oK^g}FV#3l4s?i;k$au#mP_ zZb1WdIl#z=&|+>FOGJ@QC)c00gOS#UA`felv6xTIGjz%~v=^ps(K6&M%KPX#LZ~4r zStXE|+cxw9URg^tVyD4s2nlD%-MnJ=Jj~Jr9WB3ZB%%e{4m3-Xc4DhZE^iD^0kM2? 
z76H$CSVuHKOK4Rg4nBJdJ}I}^k#&Q_P*s2O;;!z*=Dpw1z+r|dQK2Pz_oGjpn0b7d zyF#W8kn={rk0qY=;y$_SnBq?KhlA+!v3lag<%fVy@`nX6S_J6U5X5~qfj6{zzju13;#W)u5*>>k?;>m>h7%HczYBsaw; zCcQ!(_H4K?a(y?&8^PCZFr$#mEe?Xzt`Rr4!#| z6g)TaZuC=7xSovLJaV~B^8;+0m$)xD^{gJu^oD}AE<^}Nz2Df;X145@PRDv>Z%YmeQ%tS@;&e z=)6*c93XF zaeg8gT(ZAw(#OZ1E&l59;_RjvQln|1o9bQVt8I-w^tT(~6D(H%nfjieGMLAfboT2E zlmMe%uX0IANliFJ<7j=ylvE07zkUzDSsGS$x9HyRJfO>lCjxFulb^UHY45)`G0|h_ z&mQ4^D6r8{O`+zE`N5ay8WBc|cZv+hwiH`zE$*3X4A&Fm-Ydot*r8*;3N?XnWD_FG zcF_JH#D#A#Ycgo61G&uWld7;akj0CO-Dk3Lk3osUqO@a|b5l>xgSc(FkUOz{XHEMF zksT&Qx(Y9DP@y^Xo{h8d@yV07^RITc`RFpX_KSZvX$=ap{^@*V(r`09&68ZqnxA~C zpIic<48Ztl^i6ArykW#Qe(^vzG1Z=Tv-QeLyCa*H&JVYO#xp*L3p-`bkp}4&*>^sa zu4DAn`6;VGBKLEXd~;EuF+-gxnFJ?^s4I@U9u?B5D6f@04vQEaA16oH99{{3ZaFZL z&j-i&eoT8EiF+sic;z0`5{Kz4=Zp68>lBx#T7oMLDca=mJsfm>R!SecEYe9|>mOiB zN)?OD62F%1kgBFHARg%Md!^Z1O@Y|4J@~frhUfF`c9Xvv+~ORpOX%;46-LrGI-XZZ zs|*G}0{ED*8$VLp0#D>_<@q67U9K(^%4Te0LcR+gC~;G9?F<+~et!PqZDsPbbUo)u z&i0^wz9Y`+zWvc5GmTs&yySjcHAomz~T zRi`p+Q(Tg+)l8DaDgcl3>FOfe#Ef}VnbY!WJ5Q0@NBvxU=n0$hgaY8I2%o(@*-07W}kv=o!9cpL-l+L z4Qd*xsZDok0Z0FR5~U`{cBQ9%m*XAw6<$z`pWnTEx8ej_tc4x^h{ttRRBPh|<1}{4 zE#-?a$n{LJadL*1q*Y459$Q5WBqptA6CvFs^WtL_@2c69LxMGC$*{eS|G~*)Auc{P z=6GXcbq3VyNoKcx;ZyDDH9Z~I%lj zloZJTUBdEm(xt2ud-s!{3>b?Cdb-L?bzz@a_Q%fiV?txKRiHSuG z{d6wCqaq}4mE^{fDO!6HiMrL#4?<}KQj{BJKzx&$qAcN5F$|T~PILk&c|PXCsOdyp zS^f*iKQ9N9$)^Q=WL+ML-Pvp^5v4V?G~FNa*}}QL(d6Q(Op<4>Xh14tj3{B*B4}md zcdBwL^1g3_+4cEX@cT{C)ybTxn3r!{I^a|pHTh%ctUi^XECy=7%&@{Q{3tnjTRK2C;0-{&8i9h^E0@-~L2`vIXjSpW{} zSc1|{IkZ-UQ~bZwG2R4lZelCaVw{$y@f$oj>x_6m%O(3Z_c0U|6_qG@E;;eo6nfu5 z@orob8B*z6R4>r=JXa~@P!dxf>3ZF4E*qtF;JtFZ0{R9v#s5=g`;=Am$i?et+}c~S zn`LJ>iK-IbQ&J7t7%gNa-7HgnGow+}%PmR%>|z8Z{K6G0)lse9=?~AjRYLTfQ`z^4 z`0r>iiNkI<@Reui#gyHM(4+vKUqP^9v~POAzOyEIy{NYi`0$}K^4k6|`;7{DA*oNS z-{GuVoKrZp!bdpW-#<;sbXcWZPJrb5Z4WMjm#>OhTr*SaYnQgSKhEPn+-Bz?5So{{ zjYc>ov-ZT`l=0SK<@io!*6nDm6H9bqje|ng=(TTkauer!-d(KOLgFJaV2p-h^9S`2 z15XLGNP0(cdKdtUZ`=aasfC=1_Td>S+it8wXD?NZci|?TS=S_F?eea)-c;3Cw)COa 
z=g#PeC3G7WmgZ2`!LR?p;Fq6dBtH;Nm}f$)fkvK8tvQZwtoerhF!IBEfLfKBiE%5Q zxOriSk?;>q4w|j-mVUYD%BPL#^D{kdPAxZgK-yoChi_%7lDm69ccl~ukj+6!e=DU{e3(>$7C zdLUc`#o?%xWjm~~K@lmHDd;{gI*U#yaK!TrVxd^Fl6nO+al+=-r3Y_rA#O6-7j+P= z*Mja+Daa9quO+rfQ}H;La`zid_k6CV?0)2$@>5zPtDh3Op~;u`!xwsZ;o3 z$d+0OU$|99G^D5TnS@3%EVXsENcWtV;`-^p1D(j>BP{Qv9xwv|bQi z{*LL*KjQNgbzekW;Vn`7cZ^PlDF)9_w>V!ex)7!p85y~BUvDL24P9*fThZU%`F>F$ zzr-hKGj+VBoX`R5U%_kuq2xdt0rS!3{gjxRWI9Oyy;_I5>DW)-FDM9&)6>{~2z^~I zB;}xG%`0b6ECRQ7R`NTSd6ClrlCY=^2>Og1e{0aLCYOVPS7HX zobi>%F{SD7HGu6ZG7-bvtRVGx&@N`f(j`xbEx5qe|I6kD2n$s!EDjI!0@A_a%qml6 z#s6D?2MXzSjO5-3RG_SA0T1va?`=2$HdPW=Clu+-j&SkHFW$vd4g01votgJ#2A{Q` zCa0BIsmniHo5;C)nW!+DM!doFo>I2;%Ut>j zoHGPOsM?EEN({6jLUB?r#(|8r@e(lU>+kfUm)2^(LIuTX{D*An)jSu+R z<7QKFo#quwP>|%CNx3Pfqth`%m0?DK87%WTAMuZ?8;5Iu}$ydt+} z@S}s5Y{R=ke~FEDk?>&(%|nW;@aJ$09iM|;zfmDDAMw}+$5khfhYLt}Z_9u=-uk=v zIzolNbh~X8hRH|&agLazk2ZHg-z)ukaRNBkI+e_%gQkE`O9cZ%Wwd)yR1$9+{@NZ6 zkBHej0w2XtRqa0{L{#i%U3Jc6plJ2$Ge0bCFV(G%{V)1tT|9m0CAR=bXdm6CfWCzp zz+O6qrQgXWlsh2NcpZ8)HgnZmHzzIhj2x@zhq{*7RmuCSKKdXPua@inWN){kgak=K|KB?WDPLILPhkxwnzwI^7qItJhJY5G%F9rkVs|?O zC5;R?z?DJMtU?qUPd)RAzds-gveH*Ru6J^x0u_IxHt7?*PXV^h&qSP--UWPqpE26# zY$*dtw+9J@l9t?#lc37KMMD2O)+cTLsht$702K%K8AN!KKy^AlH`=n4irIxePk*3Z z;6(pXgPztV%}}@nrv#@ip+j_(3V74{g;&h@H`e^${!Bw%v4T*gJ5KIW0cf}8|W73Yjfjw*kmlk;_ z3KPW^SD-f%fV=nQI>+)lUYio|;8~w84-Os1J0FVbaJM&6f$x7=&9=>?-H)EBZ4^{u zLd~MewCUw4Mq$fA4|D+7e|I@lJ4NV9p=E$1fTS@ym4-}`t~{67hGH1U7haxaJA@*! 
z6|r5Y?v!u259ky;nSa;2kJr(%_tOP!PYuSoCUZR$LYkq3%@p@1{VC@%+0UxR*=oDw7^%(_$x}PpH>yaOdb?u^E9Ov~`H#F?ABp8G( z)FYGe4yhB*Pb8w4{+8<*)Rsfj9)&1-M3a$ZzdsR!-rp4c6YufPaohIo-V3EFlxxV{ z(-hC#y>7!gIFyeot zKI9;H4nI4#>hpkUZTF){lGz@K4Jw7*xxEIHagT`2`w$vxjMA1myij1^(2>f`6i}|W z%ha~yG%q@H$K^n^zXsAvlWcbuubc>8+r5L|1IlS$J>)Y$F}UbCXEUQ?nx-9sBCoaB zrkp@L*-D(*(5@CRpT+YMCZlX(0WIC*R~d$SvwZf1h6+F@0Ntw`DhEsWAm-7*=Zf4% zZxsh>)9>~{HxwjI`ilVue*=Z^4%FL%EY~z(?{B<)RA&lzikHOBX`j~Cu5-_N#fC1e z2F_2ECBuJ!5xQy;yCHJjt4-lm*p`)_r3hMtX;NJeH4?lrhm*3og)pj&)27HRU2pjb z+u&}GES7C3KOzVa*`paWDIIjwHWnOF4LlzvEQQ!krY(S%^)KzV4aVtql(3FjVm#>| zE}jz7Z;_H*k{6AN@l+;oGtfK{dWcgclCPyb`AsiDt6u`!U%#1A;gspR|K*A(`2(r! zRYDgpc)7?NF5euy@ z+De!^x-3-|D${Jf{a|Ev6_Fc~U&qMTUwjw6Ud=qhB(_M)$aS-{HSmFz5XZ(?74ltw z9r_nf+$Xj7=wXiruI{}9N?~?@ibx_^#ircu+=rHgXt3zov#uS z((A4qd5u49SJeY_266?T>y9I=Jr~pYGDMeOD#c56ovW2FquMu!h(97pm5?q6xKd8F ze5L{Yx``fTO+iUQo68>16>A|j1Vbx`)ePd7XE#&vj66FKhWU{gy0&0 zsTYv3RJZ+HWhe&R_Nl!~wA*4L?v|FIrPVOh* zK`jehXFk;O)Q74?h!5TOS_|aJGT*(&Gv#M*SKKDmjyKE(JdG9@US)rB2&h{!F!*)8 zN4yjXSR``ZcsaM}#X+|UNLL%kai|mkLDr&Ly7Owh9e4b{$X!*hdqvG3#bR)_@` zu0DmFl2S@Y3doJJ@;BHloiG`d;-+7DrG%KB{M_Ls45E$UD-TV)Ai@k)JgN=&E| z(m49!N6^XLaV+$-ln}jTRM>L^wVkg>_2u`d2-pch zkwjUdB+S6+$K5iYH0!HgjX&x3+)oK<16icyEGJnO!8tXRp+H|3jZ23C>l+r}m)IDmM_t!e8OYwFa~<7nsAIFY7aG5X=Dp)ALg_*Xac zooIk(FTUjZ;%o1|b)85pDM|an^z;K#hjUix3Sw4N2OXd2>>xcIwPihxHOl|?;-Ua` z9b6`OYVR}~-lW_WfpQ(1hSZTFkrAgqG>a|TAV7Y0*CS7wol28U13lfIAVc0f@2?Im z#H1#_K3nT%qJNL`b!pi^Ju4kkfCQWU<>K|Wtdk~DdR8g!H+?A0NjAZb&2~4Xf82Fl zI z6u=T|Qm6>zL=;WJm&SokkI}R!3yJw(<-8;N616EaI(r^t#jLk~eH-n4BgMT8w>zRn zlxeVK6Ey8w5lm==)B7IDx4CodlH|~M2 z!^igPx>rsM==GQu20}MBSb8>TmANMU+=E|uYOtwNN@A81&%uH{kiCnYI)f0!J3yZ9 zKjKwoY``!{4MnC|H<7O^5N>8(MOAl3=Al`PDmiS6asy+hGAR0 z(-WW5T(2V}d}N7x?{6IwGcaM#;aUUv;K>~r*>%dxJ16m)=)kH_8PG%7LdZuLo9#Rp zH_bwqQ)pt!TZGcyaYg^WAC6u`$D$O!C)DmSEt$~YDU>!Ipw{xaT#F34Ge>t%3<%14 z9%CH+W+72sRw8m{Q!}c$gZAgk&-#}e13t_liZ3O4?G4rMHu|K&f zc;{?iHPrkg?gG9Qf_6~9PU98+Ied2C{5b>{e0)~~W<}j(^o*brBjFYM4rc1{|aEB9ia{cJ+?f6zApgNm6jZf 
z>SF|FMSc2*f>wHi z6=a>zu6Y?t8f8qpNv5)6n`aPxKdNIwf580(V4>|`K(-KavLCGOD!uxemAu{{#bo>+ zIUn?kZ=W0&aYlPM1GBU)_6aN620r)2Q<}_Apebm8N5;)MQGFqFzKf@JFnp?-{f}p$ z_IhUBw_|}3l*s@Bh8R zaGHip)wzb;R7TT(j00QLYS%J#L=CCyWAlzx%DX^#w{+`fT3VoHoVP$!r74yJ(g}>6{m@nV3u+k)kL#Cptvgh%SVrdz5&S z->WfYz3FO$*4I++YO^X@v26Y?ScNTFlI5<1lBBte>x8o!29vkuka%5dbpG zfS>ZMvYvc;2G@^4T&UI_B(siraHwGK(U-mfl>KMgbp`&60HVXF49&Jhb3HaP6q7Ek zE{r>hm{@>#Ei4>ffV8a>#~{Hbw)ozlF8;PPa|FOT<(YiiPEafz{oGI?k`KL8n*LvL zX_YzRNu5Ku)6b;L+UFVIWB3y0(|vu($&gBWy7uNuT^3W=v*z})Qe5NV2LXHkt z3mEijZtdQ8*0MiAdv|6&rU-Bjf=GS3MLPZHu1wLg5_e+QE@_1wUgl-edFTpJ?8eg? zv67_;7sRFWXx^GKTwsKaf3-$Ah_vd@+bWwWH>*45Z~?`%V->tTJ+_tRCMZQXj~k0Z zOQ4j|b6fY%RZN1SsN#n=;=H%1{&xtk^R5s~&dKW;!?L>XYz+=$bhl~xO}s?XX7G;; zo32dOTX>WtN~MdNPHbvMqIpP9dpG*F=K}@%OI_?xZK?43hhfAr_h^B{XDr?GU(82A zf>V?AN{3e&(EMUGxuJ&GQeHmHhFP%%ePaT9>g<^`shnoZ65RgWPpb`piX|3au3B(k zdcAH4LxIn+Z~Z9F(^_R8K5E9EgyYI%Q65&s?d+47%v?A37iDd+JabP1*d18{Zg;)6 z)z6@RHiI@3|B>3_l8zDKKjeaZW4%(yo1V%FwVYdvmB-Czgoo!^W%dPBVKN!%eD?d3 z3;--sbLY;7su;`oa}XHAm%rgY(T=!)LP_)J?Te<+|2fjo1fIRsI#N}Kwj5v}uljH8oY@8Me@bDU+E z?Fwo^@(AfWbTeG32U(BB2)zr;JsfHC-lAEW_E(Z!@ms%f5P&nXp)?Mf+GdH5sxfT3 lZ_(pn$3DOQ(`NhDd}O&Mo}Rz3rh&kp`U&mh>8fV8{vWp03u*uW 
diff --git a/security-admin/src/main/webapp/images/router-grey.png b/security-admin/src/main/webapp/images/router-grey.png deleted file mode 100644 index 54241399f3fe67da181e0302388ebf8fd6c263cf..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1533 zcmeAS@N?(olHy`uVBq!ia0vp^5|6H_V+Po~;1Ffc1+hD4M^`1)8S=jZArg4F0$^BXQ!4Z zB&DWj=GiK}-@RW+Av48RDcsc8z_-9TH6zobswg$M$}c3jDm&RSMakYy!KT6rXh3di zNuokUZcbjYRfVk**jy_h8zii+qySb@l5ML5aa4qFfP!;=QL2Kep0RGSfuW&-nVFuU ziK&^Hp^k!)fuWJU0T7w#8k$&{npqi{D?ot~(6*wKG^-#NH>h1eo~=?wNlAf~zJ7Um zxn8-kUVc%!zM-Y1CCCgTBVC{h-Qvo;lEez#ykcdT2`;I{$wiq3C7Jno3Lp~`lk!VT zY?Xj6g?J&i0B&qvF*KNf0j6J(SfFpHX8`gNOrftYexnUy@&(kzb(T9Bihb5uTZsl3!k| z30CjxYvq|&T#}fVoa*Ufs{}MbFEca6%E`dU)WXTY#l+mj%+S!)#M0cr)zZx8 zsy79&#*K8%e7EnP;}f?%Ds))*{KKH(Q-~RjGtDQbp z+&L+z=yTj@N`ld`L<6H2Zt78m?B6GyeDZt_cdF`%!&*7VWOxdj9&^rnXntvhdf+L2 zN6o&(WuNOma%X>x(w}xDW{z`{OKe$ig!%e|if@kO*<1_z;i`Wv^P}pH-pF0sq*l5p z1-=Orc>G<;@1f1U*T*JCtYTmDN3&{SS;#9p?@ebvFS=LJIU{z(L5>_pVZVf#_bv(f z9jW^A($V@1(;N3Y>4n`ZZ-|CY-y!I@@rGRfQJzqttG1uN_LN=<)#1x%6P@$Yv(k(2+E zb-PK(y$!baTg=WLDa>7X)a~!~)_ISW@*e1{d%$G3i?eJ+yRp{paM`OJ(Ej&Yuk#NCSKVnolOeP^blKMX88QcQ zwiX232-|ld^2YW|xxNH}dr?jEy%GZ3TzB-pwph!5N8-uqTNCE}TvfZROg7bd>1N4i zb1S?H!rwmA-5T=dtun8 zE}uJatZd(kvw7t)hnQ?+8(Qy2XK${UJNaszX6Do2@F#vEWUq-y<7)WAbYy{xvXxqt88zBiVPj0>%;reYdky_FZ}YxyID zKrj`~pzQVufwg+Za{SKuf%6=MyP;Spuf z2Gu-y)IwB#KEFl1d)~sK=7OK6QUi5IyQQsG#sBSHChwG_qC~zrh>$={;?(clxg#hd zqDcyEU0GYx2@S=o*x6yLiG6)ud_2VVt#&puQu9khf;#i zPY*C(X&%$43dOr9NfEeu7Xrw8vb0yJ_@f< z<*rFOeowxnw(NNt?jIf+|2DIIT_L&el?0VF0~@mzc4&1O3V58!0tQl-mRJ!};1##n z((Y!XZXRqKY8cVYn?B}LSSzJj#a9ERO0t`DnQ`xgPe02kuKQw?GsQM71NoRn@-*b( z;Q=4?hx;||o(dnHk3J5?v{$FG_uMhTOiHs{?^){f(@vdc$a(v`Nc>tExdVD3w6;-u zsh=^W!RROGbKaWMC#kwxU3D=?!qig3eA4e0Q=YeQV^dQEBCL7sTN^Dg$cjD$@SY)w zqxTJae4kIY^dvUnHk*k(9bXJ48m5^Qks306+bAy44ZX#K_UmW$h@43k?3qTTBH`1A zU1pnPs8pFUNB`s(T6cR>dwX>XWeBdV6tY3@`;wR09X!jG`Nyg#ArEd!Lsq3~aH2KZ zk9y;;XY786t5w;cL(J^tw5H9})N37lgp^&g%!xLu%p8())JFW^v8Z*aXc+&@HkeaW 
z)F1#c!ibgEO!n-byu_SJv*>Rp4~!DHdl#NYND<>=0O$o4OE#$MdjW!cU<2{h5C-6P zzs7?Rin^$i=yu#z++QgV84Q!!Gan3db3FYf(Y+sQjj>R=+&YsyI=@(E;}29p{t5n@ z_w&=GN=_P|Ha=g-ggM;MyLEqq;1zw!!aqv&lS{&wp z9@WvyBZVu62EAnhtMiaXR9whK?P8;??QgLYSqW14abMQ)5v zJmjsd6CR)gd|KN99-`P}&qvN51~q>F*(SZ9*cP77MYe1?Pd;GyC>FV7L_I?8ods{r zzus~6{33{6TInqE92Kbz9n}ot&xJ)UH%hwyN%7y&^SY<2)K#81y#g$lNH+4mcii-N z_Okr=MX0(C$la>hI_Hf8BQrmolIqORd>qK191Cl`=0Y|I)cj$jc9;52yyo&*f$BkS zPP{7jW13!a*;FUsO$KIK>82rZ96R?HPCnTDXV;WGo6vc$jlAfg*o!!ZT+A^UWhlEB zESve9HnJ5g;yy3rr>BbuG-0RFpm5nW7`(Q|jV%@u?(FQ;IEgs_3aHw@=|gh^rDr@) z*maRBT(|YpblRya37W;Et#U1aQ#=iaqZ5#1{ZZQG`Al%kQUWj3w^F2VB(lQyk{O48 zRi4Y91Fazi035o>#%{sZE;{$1d+#f?R81ZasL9=kB1-q%cTubiR8H+slzPjj#!5vT zcBV&n4Y%LnYorAj85dLoHpz*--}vFP1FumE;`_2#h7T00WaGQ1SA~(Akc9p5* zV@fU#zCaJKO3FxoN{hR#`NV%%a{Ttm0(fpKoxIN7UoZ*VwetNkD&ya4aeyAaQSs*W zQ?=LdY7jQIg}TVy!{Y&@X>@EX$0BD>dzgP$8E)l9cO>DUdaUwf`t0`1k^25R~R1~!5iHD$oQCTyC#is>IY@;W)MbHxioUleiQ zhMk&JHj_`D2x$=q7I>fHb6B#!Kr@s7%HR$JBzm3AXT;<_ofY|h3mgs_3+l0%7xIzu z*MC(9|6Bp)r- z%nrFsp0i+yQtCpc`CW?Ims#*rWs?YhBCHVYw-SR(1WQldfE5BM1SvFk^Y=VOh=xcUqkCtWTlb;Kq;70s55v; zc1JM-EXP#EcHKE}F?xB3NF>ftG@ugI1qOJ|fVh*0*6ze}k5I$Vo^)2{xbERs{tk?J z6U_SNXzs~u2b#m9z#&=hPg?(!?|KgLRT%Q z`|$>a+A?WFX0Oueni+o!D31{br&ZyHP9)OSV91+BMUGxudAGUd$?lh!SKQwr9O?-V ze6^aZ+4vf>FhKvm;~x5mDVx2&e%`-NfC^D8(+xUWWi~3D8g(CrehVrlZRM+xoF6hB z9FSUD)bBjIjVmwHkpC$#9O?b4I7#jT#cxWIVW^Q>&lD69Zy|4L<1VDt8~R=H%zpHP z?ZcHiMUN%{@K^|s_}-M{NlIMZmWF&cLr+`WDrb(BydtvW@oQv78SVVHIIed?<%5?W zTzD1!jd!9-MMo#VFU7Cs*#;+aQ%hmx+3oaxud;@VE_40U&IQeyL#4f*-{%G)_s%j6 z0R9j6ZMvH!M06Q5*i&Y1_I^X@;JKiGVpf<*&j8~uO^_KGz5iIYHh70DF`lG`_y{Vs zvYZ(si7hfQ$k>!sLpZ!pjz8q4<+b6Q`G_ta@1l{r= zN3CoG_ip@pYp2&1A5_3p*uiIA_X1XVYzd-O0DTdOAZ&3Y_X#x01>zcB*=sUjv&+uO zTle?(4S!kz@A6@3d5X;(ex@#vE4PoN_MbLX_nt&vmDcHScr$L?j)==InkCn$*?xng zaHT>`c$S8=(EU2J-5=EEcpQu7eZW&QB}*G8K*t^{z;7umEF6(h3X&0F*;O3(+W1^k zW-ce`%a(kf{w8*P;kO+6>> z{MejoLdnCPGnc!XPM0dzZ13H0pqaXd-TGw`A!CLmke-cgwRh0Y&d#DNP3;INY^Rea 
z?`zjg_4nv2KXh9P+fN8j0TT?kewVJ@9X%vf*05oer;q`c5w;=$=)jsy$-!Yjrby9&8Tp zr~JY9bEl6Zwqr+2zfSXSjiH(C=8J0Lj%W;$NP|_yhqJG&X)_(V2HRZPUGLXjAPCmd zNo5FQET80qV@Yn)MFO>cXN4Tkq!~(Mgj1IMFZ8Knkkkl`eWRkH$KSRo<{rR72n&hm zhh?_$viJvN*wl2<9exbAl7@K5QLM(8qTTEXt8Y`smPH&?fFAl)kQo-6YmMQw-hJJ-B6v>Ue?mlz z$Nzpf2o{HJ$FO=g8mcZ!r&LgEyF~$AoPM|(ZIE&;d+67@mwu|VpO(?rAEG)!_v&H7 zkDVfs;;NW1r@o-Hq@kvjEL&{fBuET)c(+aT5n(yXmz`NzcF+H&1?J{`W$u>G;lvkb zox4Yu7_fxD2{NvQcQTN+OUdpvaR;-!j5wH~O}*QY;`<^J#jWQ**o%{J>hRY*$8yL8~9s#Cu`#0aIH*Z4DH% z*z1T9+uq+H%TjuH_RO$_+BL|ZTGZ!BAXOi_{yV7oG~sQq)qf|GQpZo&Nr`T7AH{zw ze3-ycxP6O9(~h_`(o|({^Ny}oTS%(4+PHhM;hJxAR00)2`Q?XVsV?&W<*O1NXbG4g#7BflkwkVBXEDsGki z6!>%fAoJbVE#Du()lo>~Q^?4>&GhcLL(!DpPtSY&*8H7+bU0n1AR+mz*yHTfv_S6; zR?c+`QKcXOka_hBwgEW(e&1BP>-UydQ{r@fZcw)OnY9-wdXn33Z|ls#g+RS4ZN0>IHXyz%e7uShNw;p_oj=nY9i-{3#_4)<8C%zj z?FS(61c}M*f@8~2T6qdG-G^o|C#09+_|F!|or~ASeOY<$)EzwuTr#M)J|^GwOicfD zGUZrp6oMSa)OimHd=UbIDm9LC-*1Y)amCUikUc8;D%2!uO?I%aS11-VrnO4bcbzal z`zj~foa)^hwg*-qA7JD3TX6>qYucOHlQb4wIunn~IgfL3Z3<08f+8$wy*TgXg{7E0 zR7;44qo?Bwo7or3vy#>8&S>|7YTv4`<=a*P_YzOr*`z+P+`*(36z5dBt(J-$mrzU< z^$kTE2iF}OwXSOVLt+if%P2zMtpsxRzLW^Z#IQi7*)YxrUS6aPXT;ik9DLo}K_AQv zb>!yKrdtn2CkO+k=$rCbp=+)Uz=ozo5Rnvp0A&Ve@H}jgDYucB5V;V%S(3;j`8)1s zOVKrSiDw3d*bUR{xAyl3C~S!%I^T~q*Li;GdDyDEcJ|0PcZ;3b#a?sI+lypt2r$3+M5HrUo^p%ZR*PSV zy_)$nk#m2;(1

ku4v89R}Fi|m4*;M@~33cE!Ej)Dt`ChXSO+Hw^$QK=e74Olp9r>{`` zEe0w)_qLjZ4sxYQ0xRbq8T_^MF%tP|{tG$!?NAQX4AqLaxcgQ}!@;@H)ZCQExP~nY@Le`hf5E`tZObM$ zE4*@Xbwi>Czhf@U=BKvGgB{1 z{h)|-o3?tikLuq@JJEr@Ox$~W3sVaR1R{egx1@csy)MISbE-MJkXs_^dHvBr#Z;r; zugE?#8ySkq%D%*9mVeLFQ7bc;Y4Q^h8QCkLz|+nxn%5?Vm1eWa;PIVF0-9>azjUK* z7z%0u)e9H{9U@QmWY#w?F=^SwxJwS#n+l|kRgf2teVULE`n~g?4aj+aP8vl^7t{z?cxxikh-<& zzZuu*K$`&weIBxA;XT*Li~d6aTc~fV(I}~`znr>4;fixoh9W?us7v*-{0ltM5aa$4ap?Pu4i-zZ8b8U#^@>4a5O~_sodWLoZJpi-q>M!+5 zz674t2Nz7bY)rrhQqh;R6Y_IwM<1Hnx}CIQFBWOegUQYkH02!b7EBG+x{!*CYR>6& z+e)UMCRlI-8<}?P^dtR?V=>(D$o67 z%);)VXWTQ&HaTyStV8#IHrV|mY~@K- z4TG&jaGY+wVud5yl#V;mc5 zknEw_?OU=|R87lURz^R$Jt*VopIQW7XJ-#4|1;Av#5}<$<6SnaVbmqTEu?SJ$VXC9 z)7ivT0bhO(i;j6ClWMSZdK}9)b35$z*`fTOR~n^s9pk&3I^p6?V(zx<(T6;pg+Gwc zr+V&(B{Sz7Cmwdc_aUdYS)t0Z_CtjFdNS6TT7{w4mqEC%~Cvt&8^CxzNR?>xpFp?MPAg(}I$8I67i5zS%!Sc`kkZ zZEk`Qp3gegsN=Uk>vdRoE|#!|Ix_Hy5*)xT>kl~)P%|jB_0CYxZMVMac8W?K{QV%` zr=>WnH&`)X6FW*x7xW^v#fwE9)k$zY(?l|(cCQxcQ7EJjUi@q&!9sp(v1RkYsX;mY zYc-Mn?&*8@aNDSGwzDfQx1hv+z|DwSULuo+j({8x$8f+fP4n9eUb&K~i&+o1CiXVu z_SZQloqqE^Xy}=`plXiUl232rK|lKc8lOLnL?9Crt+wjdKW)C`IZN2wU%5=y{ROB1 zmP=Ns+i*x>o8+4VUphKWIC<@NJw$tko|y@%7G?0Jgto#ozI9Qd_a}?ZZ@G0G4vRa+& zt!cgDo%j-QC_psIcCbqxVDA#0EmaQ9{Ci5M95@^HGfhmxnkF;m5i^zWds$hQRSWq= zy$ZR@x$<*ejNB`IEO;%sy)?OM1<6e9g^AX9VLO3sCop}}(9qc(F>9|tRcTqwhAM-q z0u}HCZ-_r~*ZOoK@qWUeIrC%kfOW5MuZNlZ!-aKY>f_5|LcR37mdpl?Q)ea1x*S|7 z)`h6M-0__x!tHAvE zhlbA1wf6})718~gTb>aIwIlC)Oe-8daN#1Tni5`Pgkq|P^x%tv%;PvKbMMam@ z)#P7})o$a}gn125*-$mp{`h^^uAsjBS@N&uq>Fc}y){las(G0ULZl1j(KR)o`1^koLM zm8tLR!1LY_A0)_~y94L&gisV?V&B)6DC*1jVpB79NGwlZ=(x4lXTOdshU?XK54yI~ z^NG<*qg@w)Ie4%aTw`9GO^c| zeJ3)ck2Zhf!zU3)r34`8Kd||KZYB_ z)deLF9yEWF_|PxGnmPFw*@s1g;F3)I-j6F2m#KxFm?h-3#Phsgc3ewXVrrUSAob9} zjEei7g@1f@?WU87Gft2xc7>1rZJK`!_a}=Em)uz$>CnZH_*7Y+*|Qf2a;r&p!!M&- zjBeCq#|52pueFmcAN*Ba8y&PSOV7Vsup*o@8<`f5D>(BVe^N9G;O3Sn0+C21MA ze~(Q69@5N+ z+S4~V_X-xN>&qbRTf1c8iJ%9Uw}Js*?TA5W`q0q5UO+`oE$T zmB$IO?VzSZ>Mx@khHfW+>0T8M4&LKcp8Uv~{meMASb^oqN&;uxA!C|urZPOWK8%+g 
zvG6%GNAjGap7X~K!ve@lc`LKahs_UyVp3-i4c38u8DtFHcW@fZpvHJ@HN@rg$=GJut&xV6{poYZ>Rlw=p8~o8-Sx-~o82e_Pk9J2K^KQ4<6|Kdvj2(f_GNg|s z{Y%gqRBsJ<+@=@nq-kC$JF@9*I)9^qfUbM)gzi=HqFD`|b0jaM$cfSu*!ykX_Sfpz zbTC(u;;av3)NTm5dc(`M*h6XCNBgDI<&>glfhzq;W6F7)Bfic;$7}6Vo_s~P0RNnI zZX0g&b@Bf&hm0JWR)7b^8mo+!8k{`faUY3fUDC;QTarHJQnx?6qRAnHo8UYXugq0_ z`98`*;^?aUCG!v9F0Z)UHu`hc3Qf&gloCES82JHQLT9T$hTBr6sVYf2dgRg<*j>o@ ztTJd#&|$Y~_Mi3`U#Dq!r{u=@JLqt-{eR-VnjAftG~n?ky|~sUgX6_7!^^Y`PeD_D z@siEoy57zFs|0soh0RnApW6)^LY|(km8iM(G)^3&?2EFZIGY;`+%{%e+0f#3OOo-W z@E7r0E8Y{WI;JvyFMTVCK+KJ#H)Dy|Be;&%P_d#?EFK&cG%U zrS44-B=&Iae}e#6i-T7c#}l#PtefjFPr%ROHgY-`CX7e!Z4#fX7!qabxmT+j&$|>D zzaFy$!Uk^YkC^=5(c7$q9U~_Dj^g86ykTqeQ z-Jd?P;$&{qDJS_MOv)Tds?@czgL#}3=TU|1zyzZNemmp+&{^25y1|#Q?z)DSnt}6m z+5xhc(`K4`=76@oJLN2wu}qpl$>HxbZzNp+`4e#)4plVxtZJTeeV(A~c_AE%aaIpT z7=1^)0W>qYhDG`AIrQSJ4zPj<7tx{QH#0KR?nOU9BlCh+OgV3-sWI+A6$Ebm|jz%rOop(n~!@JAht zOWW$sR6jVqA@Jcu&GgQ@_WazDn-X!Td*XzbhOG%hRByx4jmNTk<|pe_pNkFk;}ts^ zf-iFpRDR9%ojG%+ler}Ip@72~1exwrlH#0&AD(vN?|rbjZEkB`d$^H%`zHlGp-&5; zbGdeO!kQg^(UL=_Wp5-^!q&vGmZZKWJH2Y7ZnD2OhpvvE8ejJ2y?ghj7rRNk#fza#I6EIyn<8xw9rU@ z#hI4PzpQp6i=8J(Z3F`})z=LaY z=N@Pg1_!)zTeB&P`K>G3ldcc2caq}Rv6P21F{y=bQ$36%{@eB~i`SBMpSD?5p!{@Q}yk1kV|X*(}&fCgC2;#B{+d3I6@16k+ANO?TkdU1b=H1o>9vE_OuOzf$48l@r>!6Eye2gwMQIr4!EoUZMR4#L)alpn`gA#Tf3lIy zKKuOX?n_kdK>xa@!_6D7V)Gw+U{RC^9?oUbx)pW7e^C2ST}St-FCLToP`sdg1tBD_ zp4BOKTAJl$G}_I`Cd%KBb5?`g3%8YqlAAd;DHkQ;74Dct>!}LqdFS@U9nLpentj#o z6?o0kR+@E8>6nX(uKx4;w_h8?V67q7;iP_f^djtx^>>}#WefKRF;}6!}kQ!OlJMDD#QiBAGP74?x`sDE3mrZamp>`w1 zPL`x&W>(&bddD+C`FZxTuKV8jLdr(y6=M&YZv0y!3ip{OQec+QkSfDZX2Dd^xl zo=Ck(+}@;tGP)H#c4|3EeoYtC6U76~R9=rW9Yh_Y_Z?symLN0znzoG3Z7qT~QDh9? 
zc|$W-i76{9b4B@Kj%G_GV`k{7q|p7Z3*Y+I=1mI-He<$vp3*e&0OY)8Ck+qe`Q(AP z6wRIc2Ca2J*vKBkn4Fr2pT+99KU4J5TMc|6lU7{(dl1ULx8i8De;ONhnC75Z);)A# zGg^q*#R3@F1tWuLQ>uS1qS74!z$6GioOrL8l%HoYC<_G?U(S z09+y~%E@l~W*L>Z2QyIAvTPPuap`&5 zNB{sD=$b`+B^&9Zy8}_SR-D@H7$FXBmd!mFZ}s!;Zwisx`#W8opMY8aH~{5p1kXO% zxhk8jvT>KNwyb2RdgcsjT%Au)1v?rX`Yzo&MU_M6ciNXZ96Thj zgQ)bmATE76?zx(17&2ohCR5I5tU!_t=gS9ykEg;(J69-&Et*CV>U>-DT%ek((9JC@ z`sCNYMgi47EY`X238)@#ao~*18-Ay6&vf|!sNF5aEthcu>kS_74?yKUFXQ8J>avS> z>C>jIcZ-xp;+>1@hAAwx^!BxkWhX9Bo+ZaaS7t?bxs81Ghmh8WrMoXdsC)l@C=F7s zL|CIDO`&ly>~3e5BuE9Tt+JAs(&bknkp5Y=nV9H_bUSv5FezePSJ@3UApl+g`dGj2 zxvij0H9?Eibi-t>P|q;cV41?Bv>~Db?G3BAUrS<)VL z%o7+g!rE$G&wEx_Sai--oMLZ+lo=vg9A$^T-sMk)Z*}q!qUB}h*UmLS4wFB$3BDtq zL@{tO9vO0ndTHZFHeS88qoRM|sg@cZn&$4g}@8xXbCPpZW4M* z0=vx%4_^mE4?uh(9JQMiM_r-_*}lAY1}g#h2UNVgCQP;bkZ2)MG*MF}4VWqjJ&MNd ztkHXRoY=4~B0(Q{?sYw-}yU{lsYbdrB_I-y~v`KAL_w8~C7q2*f zRt{ajWsVWniG^l@(0_x_mL2gSUlIX=Gwz`&fLG}w+97mG`~=#_jFT3;O@vrEZ=>L! zcUP5eKn4;OR`szppYDMoYZk6`2BrkwZWSN{d&4;k=*evo6u~+fJJ@}j8I>E3-yv%t2ln;cSJ@0{VL*cpN^0$b!b$!D6HDose#%u~)&(%)YT{JxkT+fnFtZTiXq?d7IRE&4B!#Bg{9v9Z zMs6GC88>;}LG9|p7Cc3wODNut_*!hrsQTX^x@?qTikq@!N6w(Z&ZQyXG7t2i?V%ELf7W9YUryn2*F=pEtjM(cL1-?N$ z%z6yi##kh@PPsq2-(2?ErG~jFYX#*yj19gptI-8QXfzYau^q{whNE2J&$p~Sca^Dj zDsTO&l?3+fD~DU+hrKanX8GGv{#Q`of0g$lnYLwQ}r5;ZG$?*uV0EAPn_;%4%m%Xn(^But!UDifkzOEh`-$ zDn@DkqIRFa(hy#**L>SMbJlAI$0p9>;dzaB`Ra<|;A`J_@>vmIyW4=*Qc+s+kG!ml zb`TR}B??E`6Q#TE;}4(gq)kP-6@XroJb5b7{N)4ZFcc+6^CRY{>;X_Yl%pjXkhMo&Cew9` zDlG#YUh()3;Kg{ih89PIK0iFh@&vFb<|A73@WIB}HFAGF83KK7QLWyTEE&+@IKBJE zty|bn?#L=?m0Vu}A>>}QL}-q}s_KO`)qxf-cu;p1{Powb1#YZ$#Py-h0B02YepX&; ztPhx)YJaJ=>BGIy^9ndIYc0oI3k8+Kjb3^FoX?R>u!m%7KIrt-A+|6MlQp6JFL=j} zW#he;X*Z}$Tknfp1&Om6UK!i0GK^##9Q@h+VnLcH)2Vq%b>+u5J1t)HU%PhA-f8S_ z2gYu(4fpyc6Khh;S)d>tpq8$3L!TJFFkV9~NWndN!?p?82QLZA~~;-~&hQgmd}^ zfX=QroSU@7=fehz7X#jOLD_H-)Hz8DqF5r;-@9Lyt=jNgod1@i(Wt<+-xQcmPwq7l@V zD_*a^0vdG%JJH4f>gT}uJjfUQ)+gQlf1uNTTc)pSayTb$+Yxn*H21^)u!uxcDtCXf 
z+UxCZf_NjQ`aht8UCQ`|d}8tdfK>(-;=Dl(J6g=9`W`zrzO(6QoM1JOfgVuvDSftd zh06_w+eczQim@w}XcT&V5|3I5g*sJq!io5fsce>rOtsj!^+l+hU>z?iy7rio_L7HI ztWxWSz_Y0pfn=0@=33j)TB9^^BTwkY)Kl5uYm74f_{v%+;@EK+4tB!or$>^X%|eRz z@Zm!t?^%hd@KZs_G4ZBdU`vcIh%4;ngpBk+ZiM^gCuB)UXWl)`BllfOa!v{v%RW+5 z@=*Fh8Za!!^szmN#jNr?;Z~f zEb*HzZ?tZ9YjIcgg3waTA*~B8*{8^A=QA@i_upEwL^mn6*+wx$hL1lg3Nh8^m;`vP zM0HdNWOVk=2h;OH#za4DJhN^OGd}Z*5m?L*EJKEOu1!4~e7`hMr&dGW51*dl<-cRYiMZw%R5@)KQXc&>_u9qNHHjE+#WLeA!Z*X@AHFRx zIKKRwv@V@ULQMlKV575yI$dk;Gu@B7u#Lp{xM8r*YDpB!={=~(4@NoD*CjRo&(f$% znlC}5NKWB4?337L&%8fM)o$Gl{$;Kr;C646IDw5Tj$*&g$M#~k#5?#wk_s>#DNF|d+?cB($k1Wg3#AnQ0PMf1g0vri80!(cpT=o8i4Mi51&r5b5Q7?_!5Ge$_ z6uusp!ZnEfk67h!iWAJ}ht}T2_Sg1FYnh2 z2&SUQ1Mu`BzMdrfy!mZ-WupTiMw5fpv6B9cA!?WL=LIH4w-NJOb~0rdGu;rL?7 zL_Lf6^{9%sK~0-Xx$DagT$;^!z#!c_f{Rc}ItX9q%@T$L%sX+dXqB-RLcX54{idRE zq|kPDj$XjdzO|FbEZ{;US;7z7Tb*)xO`ua=&xx=L7oWBS%ZM$BKR8S1O`MS#5wk;d z8^A6b)$4O8}7f!R%bFvguGx+S;!h;md$O6f>u@~_LTrn(M zTaf(3F(mo+$V}PwNH+;R!LlRwz9{Senm`>SM22a~iMGG79BRm-o-?C&x;-q~5OOc- z%7@l1uU0`5u2_dmQ5ZSir=VW2nKgzzI6BTQ9LN<93}co7Gy*pTUuIL)gsY0z@~Y*+&i@z5Ge>O!tH)tg<^}>M9MP<$Y!O{Y%hTIqK->Jx-~c?-Hrh#)0$9*BJ~Zpm3|qXTip+Z|_Vj z=+pnp0K=Nml=K6*r;B3E=w)BuNj!RX#LP-LRR|1A_p>8RW0XEJiS2ii>CGd3&2ceO z9U|0Izu|wWX1V>=etm8zazjQmC4->jT>vz(S~f`c!ust$vwS$hSc*TVKEvtiFTQ)2 z;pR^gVb84JqAtb+?209*1v&`(ob;obM_xWAD;?Tr4F`q4{5_Kd>rXRWA48p4eW0*^ zu1Z%MoOt{{i6llDbZeQQKQFQ!wJJ+N^>l7(s+?@x3C2@VM>OE#5f9~1Jr+{>JAt0| zGMW2;JGp#lL0Dc`R!P9*BcdEIz0i4|?506!nE{H&+CUY1RcK>B#7(JFyXEk9LWt=1 z6RHf=f<^>A77c%k{S%ZPksMD#kl4ytE5NE3WO}1V3u%}so1-x{V(RQ5?qWfMc(s3g zhv7Kkl4v?(gb9&$1pb3G1&=jvL{Z2w zn{s|m(QC0PkWXa%eTI<^v;%SqD{q#t3@xgSwj3%&6Yxpuw5?DICPFD#(j+k(_ODfc zmP7FeLA`D5j)ClT_wI20i$KqP-$VrgEeD%SO>q!BO3}3o>=vnS+d2Z1n{U$wWMze8vW&YgO#NR?1NRZgb2zFbuX4#2r%CE(RtnisMw( z;bUR`3BV|H?gC$h^P;}9j4?rk(r}hXSc6$JL9!m|0m6j)j3Ky$jc18^@+KaACQP_b z-F{YhLBn|zBR5a7#@{B&_LhDgs+;@-ZIdCU68LS*d7K{LbwiTbT2UE3ZQ?KSKji4x z{aCtmf?3yfl2^aUmdiEx7<+_b^85C$_@bLsB0_ zh&xL?%!L%Bqv?csK7!(C?LM;~OZ&elkjhV$rP<58Eg&iPG>N-K 
zg!I7V?x0uUJ};nHY^|s%S3?%l{rdWz2e-#1$~B+Tzo5xp*z z**t9}zv(SB5^%K@bfu<~^`I1~d1A`KDUH1Xlinwk4yAFv@cwN`O^fv2DFmTEp_o>%{k;GY#aXEx?S#T>Hj*IiJ}qV+&4Msy&>?@^e5tvq$7UISC9!x&KK4Sb%_F8ZQI1g0i|Z0BuJ8iAWVkaMf9C!uJ*}*s(lbl>E;lG2PL&lB z@+L8+lGI1TOJ@mbShS-u9biT-P}o6Dd8@UV^xmA4i?Kmx#r7`0(L^)=d3u z@yYJW7&yZ)MQrRqYH@L~GI-NPQ_jz%ywO#bnhbVmfQhkEIvWR`YO@v+E>4~#+g^f6sV#Ri4o3w|fuqrkmUj&XqWm||*TLMy!^ z-JJ}3)ZhycI(=L0SGK~%oMBhmb3eY{`ma+WSSnH!F;VN217q!1He63mroXxJb+-R( zVnA|T*;60TTxz!QYD?c9y9m;Hpz<-~eP8}B7Hu1c*KJHE%MDLEuW zOEer0cV?%4^|3k{Qa0n3m*mWNFf|v7|8V^7Jp4rE4zZ9T}t6{Mn~g6L(SDAf;~NK*p?l2C`k)SaLE5ik5#rZ$#?v){@Bt#uMRSwr^-& z*zaZ5vxE=q9YCJsOYNSOsperC#7`=W{G#}cL*`>0>GASBvyGIg) zd{{F(S@Y^Kg39v(bW`fW5b;lR_bH=l2oj}hLOU2>jYHQJT}PC}^r!N9e=Bxu3`L~( zt`}a0w6TVp^xNEwfl=rUFwOqc*W&0sb_@9?0wTK39VBkNDGTA2qD!#sDFpDU{-Xbtv{D^wZ8sRDE#_AZiN9*_jg}%Xf5A2u2Q{Frm6jkh z-;imBzdAq^c^LDnBw`xiuf;Vryrcf3_v}Vq&C=O1vE2^hdmRLqk+|h=IWuRGes25| zGK19s$^f5ibQ)=vaMruZ;1N&%OglH#7Z_eDD||RY?CFr0;sbK=wnDKpkPXR zP}D#I;#+^&Yb-nqiq?u04Va?ui~!ib;%vs@HW^l(FCe9f)v~h(F580wQpW;-kY!7$ zI7!>mM9-FdYN$Q*mgzbijT)|`o^QMH>h_5zFNP*v?8%mTB1holio+423rJq#Nl*5O z`Q`5ZFD2KM;9|;1lUsg2V1ueC-T_aK_jCCklAM+g(iW8tSw{^J&5|P=7oBKp|9He1 zRYHLNT}3ze$fB9wa3@r0!Q;KOl^d__dW>o}0OzU^IECeZcOk=50jNVbRhogI{Y^7C zS-Sf5^e-q`jB`F>_M_dg1%TbY2%TW$&9~dNFuw{IdDNT8Ba8G=4hKUkrKF)Lz{KPJ zEomnqR%=E+YY{`h7y?&?S}Mzjvp=0~RoC@ArYu_i^&0J@s_KbZm*NQ%TYnje6Nn1G z?fBBMaxh)dJIQj24ZkO@^6m(OHbWaCtC^+{5Hv@O5Mc>kxDX2i|7^UU#SbrUErM%U za7c>WzNHd@czYvAOfeDSEoTN`Ap84R80^{0D3*hsSWQ$_w=kOvr^>zo3Xg-Cy#4aG zDDwmTU5ppqt{w4m8ioJ2Y@=!C+(t+>dh-S0)on%7*@jG8P9$TtBzJ)rTW|bAH`BQA zZT~ys4Dpc^>)eoDiRgcqcPBym_8>7HF1`V{Zq15kG@K)@MuiiW@VZZ$fLi0KI0DJR z<83DVBA)6Ir|3QYvO+rXHSv!%pgTeA*x{*?bFyBH5GF%R-lwy&=P+@QRkCCKO?{L) zmi{dUo1v@(+f#uR(mgD>D1Uel4b3P5Y38E7Tre71jQ}Ckiy>Xv*7W0 zWiq`B1e~o>Df@qPx2%aL31^CdB|q%qY9O@n`^ERAK%>{qfQrbCYXnz(I%kG1;Zr{7 z3sFVX&rDQcAqp$8BAw|Q!aznz>N;w zdW+g%aFk;(fhK`}@nQr!PCvCra$Fy%`?p;n8TV^I1Iq^QjPABMi|=F`4zbYfayYj; zlFG-c$*FQK-Dx|2YS=xH$Z+W4`MEjJ200TcR%5us-Rdkrn9+nn@UknX1-?8 
z>1Ln_aFiq-CHj-}QgqF*cV17-LAWW6eq#Yv-xnyMTQc)0nLYz@(v{GiJH*%1P7x{f z=Za=SSLO%lL{<0X&b-uuqj}hi#`r6BVeh5pqS%Htg)5At zpE)_=bR}K=gX{r>b9Nl)@p4jL2D!<4DvTpdkqTIX9G>fd5=tXaFyuSpN#TBJ7%)KJ zBI1vk2?O*8I}@cRsxAB<-A!H{&;Fuh(3>VH;aGldqF%sBNy`$EBiYyd7x<|AY?^R7 zs|WvIKL@ummEhtZTC)w(NrxJd+xI|{%RT>Yz)sgiw%KK~J0zAH( zr6X<-JCSEfFG}K{KrW%^`eF2fWN*6(l9Uktgq14U8?vR8F|U(4yt?t?7iGyRvN}G> ztT=dy`ZO?4I?fnfo%fc3Ru5=!@)99Ja6#FQp++T3wmK->Ede2?sXes)FvV(-iwv%IK9q(#flo~{%-sq*&U7zKmC#-M(27FJgwWH@aiFCQsNBcMn5lAcr@@*i~qRBs-FWNg0rB! z1E!UwWG8$JqB?v5;*p;#qhT946|Pp{FR_>*L;cDChGj6_q^htVX_vo++bJnR`KDXY z?V)~9`PMY)hJto2y9&3}VgIQ(7W^WB6Y$wX48`0W^cxq@YjZ3D;ss z@LMJ5oI@sV9Ny~#7iy*F5W-KB%-LV$`G;5aQFhjS!zrV77c@HTB45Bghd=$4yBI$Eb*e zd&rOoRtKLs6!s-6VmySo9q#cug`6p=fZngeX}u=SZkjkJQbOd~Zu{K(?(DLvu^e}} z;}jpi_sl^1)8Vg^o&16rw(^hwuHm-DB(a@TTuWAmx2$LsG%AtCFV5ds_8@S?cE3bG zhVlk8VKXA#mZfZ9TJgN>oK*f`{{}ZmRG*melb(phJK4Ck4R>T!^X=-K%>Ebl7Td|T ztdcOxM;b!YDkxDA8+IF3lwxuF^t}?0>#tP=Zvs9ga3s%F@{!^$TiNO7tZ-dhRujqy zPKx$U#oXcBIOIT5lZHidiP%FIWe8kt_}Qv4 zq}24xJX@vryZ0+8WTx0Eg`4^s_!c;)W@LI)6{QAO`Gq7`WhYyvDB0U7*i={n4aiL` zNmQuF&B-gas<2f8n`;GRgM{^!6u?SKvTcwn`GuBNuFf>#!Gt)CP zF*P$Y)KM@pFf`IP03tJ8LlY}gGbUo-h6WQb!1OB;3-k^33_xCjDfIQluQWFouDZA+C>7yetOgf{R2HP_ z2c;J0mlh=hBQ8xDWL1Hcb5UwyNq$jCetr%t6azByOY(~|@(UE4gUu8)!ZY(y^2>`g z!Rmc|tvvIJOA_;vQ$1a5m4GJbWoD*WIlH-88k?9~npl_{85+8pI69h|I=i`=SQr>O zTew)d!1TK0Czs}?=9R$orXch>;?xUD3b_S9n_W_iGRsm^+=}vZ6~JD$%Eav!bDZWu z^`_u=-`as9%gCZ6wqG3Y7)B|F|lP!<~Pxz^Mz|>v@Ox7lU?`bhGFp7J+IEGZ* zO48BLm~rsH0RfgH^^zLwG7e{2T>tP3tWRSUn&zN$%0ae3vZH=M=U?`uT7_+i2bDba zesCR`_xJB#|BI?z+}z)pH4VjN?y0dioZ(`X`oq#aM@8U&T4U8@sRr4O-ycuRXNsK0 zek3i#OW_8CvdNbN)8;lLZDKI!^Wb{!qwuZi7f<*EBj?x?4XU3yzupy_k-Cd#3wx2m z>3zZrH?Vf72PRw;Q+Sq?v_P5RXU}AgQqusRz?V#$a;#K2TUws%XHC0VQl(nU?PX*t z=qaxn+#EDhQ}z=34I{5dOjA_#gjV)(r`)vX(z(snv-z

- - - -
-
L 
diff --git a/security-admin/src/main/webapp/login.jsp b/security-admin/src/main/webapp/login.jsp
index 0db688230bb..39fb3274fad 100644
--- a/security-admin/src/main/webapp/login.jsp
+++ b/security-admin/src/main/webapp/login.jsp
@@ -38,11 +38,6 @@