Google Git
Sign in
apache / ranger / stack / . / security-admin / src / main / java / org / apache / ranger / biz / ServiceDBStore.java
blob: 0dcdc4142efd42958db15e6431c75a97010d9ebd [file] [log] [blame]
package org.apache.ranger.biz;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Comparator;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Map.Entry;
import javax.annotation.PostConstruct;
import org.apache.commons.lang.ObjectUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.common.ContextUtil;
import org.apache.ranger.common.DateUtil;
import org.apache.ranger.common.MessageEnums;
import org.apache.ranger.common.RESTErrorUtil;
import org.apache.ranger.common.RangerCommonEnums;
import org.apache.ranger.common.StringUtil;
import org.apache.ranger.common.UserSessionBase;
import org.apache.ranger.db.RangerDaoManager;
import org.apache.ranger.db.XXAccessTypeDefDao;
import org.apache.ranger.db.XXAccessTypeDefGrantsDao;
import org.apache.ranger.db.XXEnumDefDao;
import org.apache.ranger.db.XXEnumElementDefDao;
import org.apache.ranger.db.XXPolicyConditionDefDao;
import org.apache.ranger.db.XXPolicyItemAccessDao;
import org.apache.ranger.db.XXPolicyItemConditionDao;
import org.apache.ranger.db.XXPolicyItemDao;
import org.apache.ranger.db.XXPolicyItemGroupPermDao;
import org.apache.ranger.db.XXPolicyItemUserPermDao;
import org.apache.ranger.db.XXPolicyResourceDao;
import org.apache.ranger.db.XXPolicyResourceMapDao;
import org.apache.ranger.db.XXResourceDefDao;
import org.apache.ranger.db.XXServiceConfigDefDao;
import org.apache.ranger.db.XXServiceConfigMapDao;
import org.apache.ranger.entity.XXAccessTypeDef;
import org.apache.ranger.entity.XXAccessTypeDefGrants;
import org.apache.ranger.entity.XXDBBase;
import org.apache.ranger.entity.XXEnumDef;
import org.apache.ranger.entity.XXEnumElementDef;
import org.apache.ranger.entity.XXGroup;
import org.apache.ranger.entity.XXPolicy;
import org.apache.ranger.entity.XXPolicyConditionDef;
import org.apache.ranger.entity.XXPolicyItem;
import org.apache.ranger.entity.XXPolicyItemAccess;
import org.apache.ranger.entity.XXPolicyItemCondition;
import org.apache.ranger.entity.XXPolicyItemGroupPerm;
import org.apache.ranger.entity.XXPolicyItemUserPerm;
import org.apache.ranger.entity.XXPolicyResource;
import org.apache.ranger.entity.XXPolicyResourceMap;
import org.apache.ranger.entity.XXResourceDef;
import org.apache.ranger.entity.XXService;
import org.apache.ranger.entity.XXServiceConfigDef;
import org.apache.ranger.entity.XXServiceConfigMap;
import org.apache.ranger.entity.XXServiceDef;
import org.apache.ranger.entity.XXUser;
import org.apache.ranger.plugin.model.RangerBaseModelObject;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
import org.apache.ranger.plugin.model.RangerServiceDef.RangerAccessTypeDef;
import org.apache.ranger.plugin.model.RangerServiceDef.RangerEnumDef;
import org.apache.ranger.plugin.model.RangerServiceDef.RangerEnumElementDef;
import org.apache.ranger.plugin.model.RangerServiceDef.RangerPolicyConditionDef;
import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
import org.apache.ranger.plugin.model.RangerServiceDef.RangerServiceConfigDef;
import org.apache.ranger.plugin.store.LegacyServiceDefsUtil;
import org.apache.ranger.plugin.store.ServiceStore;
import org.apache.ranger.plugin.util.ServicePolicies;
import org.apache.ranger.service.RangerAuditFields;
import org.apache.ranger.service.RangerDataHistService;
import org.apache.ranger.service.RangerPolicyService;
import org.apache.ranger.service.RangerServiceDefService;
import org.apache.ranger.service.RangerServiceService;
import org.apache.ranger.service.XUserService;
import org.apache.ranger.view.VXUser;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.stereotype.Component;
import org.springframework.transaction.PlatformTransactionManager;
import org.springframework.transaction.TransactionStatus;
import org.springframework.transaction.support.TransactionCallback;
import org.springframework.transaction.support.TransactionTemplate;
import org.apache.ranger.plugin.util.SearchFilter;
@Component
public class ServiceDBStore implements ServiceStore {
private static final Log LOG = LogFactory.getLog(ServiceDBStore.class);
@Autowired
RangerServiceDefService serviceDefService;
@Autowired
RangerDaoManager daoMgr;
@Autowired
RESTErrorUtil restErrorUtil;
@Autowired
RangerServiceService svcService;
@Autowired
StringUtil stringUtil;
@Autowired
RangerAuditFields<XXDBBase> rangerAuditFields;
@Autowired
RangerPolicyService policyService;
@Autowired
XUserService xUserService;
@Autowired
XUserMgr xUserMgr;
@Autowired
RangerDataHistService dataHistService;
@Autowired
@Qualifier(value = "transactionManager")
PlatformTransactionManager txManager;
private static volatile boolean legacyServiceDefsInitDone = false;
@Override
public void init() throws Exception {
if (LOG.isDebugEnabled()) {
LOG.debug("==> ServiceDefDBStore.init()");
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== ServiceDefDBStore.init()");
}
}
@PostConstruct
public void initStore() {
if (LOG.isDebugEnabled()) {
LOG.debug("==> ServiceDefDBStore.initStore()");
}
if(! legacyServiceDefsInitDone) {
synchronized(ServiceDBStore.class) {
if(!legacyServiceDefsInitDone) {
TransactionTemplate txTemplate = new TransactionTemplate(txManager);
final ServiceDBStore dbStore = this;
txTemplate.execute(new TransactionCallback<Object>() {
@Override
public Object doInTransaction(TransactionStatus status) {
LegacyServiceDefsUtil.instance().init(dbStore);
return null;
}
});
legacyServiceDefsInitDone = true;
}
}
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== ServiceDefDBStore.initStore()");
}
}
@Override
public RangerServiceDef createServiceDef(RangerServiceDef serviceDef) throws Exception {
if (LOG.isDebugEnabled()) {
LOG.debug("==> ServiceDefDBStore.createServiceDef(" + serviceDef + ")");
}
XXServiceDef xServiceDef = daoMgr.getXXServiceDef().findByName(
serviceDef.getName());
if (xServiceDef != null) {
throw restErrorUtil.createRESTException("service-def with name: "
+ serviceDef.getName() + " already exists",
MessageEnums.ERROR_DUPLICATE_OBJECT);
}
List<RangerServiceConfigDef> configs = serviceDef.getConfigs();
List<RangerResourceDef> resources = serviceDef.getResources();
List<RangerAccessTypeDef> accessTypes = serviceDef.getAccessTypes();
List<RangerPolicyConditionDef> policyConditions = serviceDef.getPolicyConditions();
List<RangerEnumDef> enums = serviceDef.getEnums();
// following fields will be auto populated
serviceDef.setId(null);
serviceDef.setCreateTime(null);
serviceDef.setUpdateTime(null);
serviceDef = serviceDefService.create(serviceDef);
Long serviceDefId = serviceDef.getId();
XXServiceDef createdSvcDef = daoMgr.getXXServiceDef().getById(serviceDefId);
XXServiceConfigDefDao xxServiceConfigDao = daoMgr.getXXServiceConfigDef();
for(RangerServiceConfigDef config : configs) {
XXServiceConfigDef xConfig = new XXServiceConfigDef();
xConfig = serviceDefService.populateRangerServiceConfigDefToXX(config, xConfig, createdSvcDef);
xConfig = xxServiceConfigDao.create(xConfig);
}
XXResourceDefDao xxResDefDao = daoMgr.getXXResourceDef();
for(RangerResourceDef resource : resources) {
XXResourceDef parent = xxResDefDao.findByNameAndServiceDefId(resource.getParent(), serviceDefId);
Long parentId = (parent != null) ? parent.getId() : null;
XXResourceDef xResource = new XXResourceDef();
xResource = serviceDefService.populateRangerResourceDefToXX(resource, xResource, createdSvcDef);
xResource.setParent(parentId);
xResource = xxResDefDao.create(xResource);
}
XXAccessTypeDefDao xxATDDao = daoMgr.getXXAccessTypeDef();
for(RangerAccessTypeDef accessType : accessTypes) {
XXAccessTypeDef xAccessType = new XXAccessTypeDef();
xAccessType = serviceDefService.populateRangerAccessTypeDefToXX(accessType, xAccessType, createdSvcDef);
xAccessType = xxATDDao.create(xAccessType);
Collection<String> impliedGrants = accessType.getImpliedGrants();
XXAccessTypeDefGrantsDao xxATDGrantDao = daoMgr.getXXAccessTypeDefGrants();
for(String impliedGrant : impliedGrants) {
XXAccessTypeDefGrants xImpliedGrant = new XXAccessTypeDefGrants();
xImpliedGrant.setAtdid(xAccessType.getId());
xImpliedGrant.setImpliedgrant(impliedGrant);
xImpliedGrant = xxATDGrantDao.create(xImpliedGrant);
}
}
XXPolicyConditionDefDao xxPolCondDao = daoMgr.getXXPolicyConditionDef();
for (RangerPolicyConditionDef policyCondition : policyConditions) {
XXPolicyConditionDef xPolicyCondition = new XXPolicyConditionDef();
xPolicyCondition = serviceDefService
.populateRangerPolicyConditionDefToXX(policyCondition,
xPolicyCondition, createdSvcDef);
xPolicyCondition = xxPolCondDao.create(xPolicyCondition);
}
XXEnumDefDao xxEnumDefDao = daoMgr.getXXEnumDef();
for(RangerEnumDef vEnum : enums) {
XXEnumDef xEnum = new XXEnumDef();
xEnum = serviceDefService.populateRangerEnumDefToXX(vEnum, xEnum, createdSvcDef);
xEnum = xxEnumDefDao.create(xEnum);
List<RangerEnumElementDef> elements = vEnum.getElements();
XXEnumElementDefDao xxEnumEleDefDao = daoMgr.getXXEnumElementDef();
for(RangerEnumElementDef element : elements) {
XXEnumElementDef xElement = new XXEnumElementDef();
xElement = serviceDefService.populateRangerEnumElementDefToXX(element, xElement, xEnum);
xElement = xxEnumEleDefDao.create(xElement);
}
}
RangerServiceDef createdServiceDef = serviceDefService.getPopulatedViewObject(createdSvcDef);
dataHistService.createObjectDataHistory(createdServiceDef, RangerDataHistService.ACTION_CREATE);
if (LOG.isDebugEnabled()) {
LOG.debug("<== ServiceDefDBStore.createServiceDef(" + serviceDef + "): " + createdServiceDef);
}
return createdServiceDef;
}
@Override
public RangerServiceDef updateServiceDef(RangerServiceDef serviceDef)
throws Exception {
if (LOG.isDebugEnabled()) {
LOG.debug("==> ServiceDefDBStore.updateServiceDef(" + serviceDef + ")");
}
RangerServiceDef ret = null;
// TODO: updateServiceDef()
if (LOG.isDebugEnabled()) {
LOG.debug("<== ServiceDefDBStore.updateServiceDef(" + serviceDef + "): " + ret);
}
return ret;
}
@Override
public void deleteServiceDef(Long servceId) throws Exception {
if (LOG.isDebugEnabled()) {
LOG.debug("==> ServiceDefDBStore.deleteServiceDef(" + servceId + ")");
}
// TODO: updateServiceDef()
if (LOG.isDebugEnabled()) {
LOG.debug("<== ServiceDefDBStore.deleteServiceDef(" + servceId + ")");
}
}
@Override
public RangerServiceDef getServiceDef(Long id) throws Exception {
if (LOG.isDebugEnabled()) {
LOG.debug("==> ServiceDefDBStore.getServiceDef(" + id + ")");
}
RangerServiceDef ret = null;
ret = serviceDefService.read(id);
if (LOG.isDebugEnabled()) {
LOG.debug("<== ServiceDefDBStore.getServiceDef(" + id + "): " + ret);
}
return ret;
}
@Override
public RangerServiceDef getServiceDefByName(String name) throws Exception {
if (LOG.isDebugEnabled()) {
LOG.debug("==> ServiceDefDBStore.getServiceDefByName(" + name + ")");
}
RangerServiceDef ret = null;
XXServiceDef xServiceDef = daoMgr.getXXServiceDef().findByName(name);
if(xServiceDef != null) {
ret = serviceDefService.getPopulatedViewObject(xServiceDef);
}
if (LOG.isDebugEnabled()) {
LOG.debug("== ServiceDefDBStore.getServiceDefByName(" + name + "): " + ret);
}
return ret;
}
@Override
public List<RangerServiceDef> getServiceDefs(SearchFilter filter) throws Exception {
if(LOG.isDebugEnabled()) {
LOG.debug("==> ServiceDBStore.getServiceDefs(" + filter + ")");
}
List<RangerServiceDef> ret = null;
ret = serviceDefService.getServiceDefs(filter);
if(LOG.isDebugEnabled()) {
LOG.debug("==> ServiceDBStore.getServiceDefs(" + filter + "): " + ret);
}
return ret;
}
@Override
public RangerService createService(RangerService service) throws Exception {
if (LOG.isDebugEnabled()) {
LOG.debug("==> ServiceDefDBStore.createService(" + service + ")");
}
UserSessionBase usb = ContextUtil.getCurrentUserSession();
if (usb != null && usb.isUserAdmin()) {
Map<String, String> configs = service.getConfigs();
Map<String, String> validConfigs = validateRequiredConfigParams(
service, configs);
if (validConfigs == null) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> ConfigParams cannot be null, ServiceDefDBStore.createService(" + service + ")");
}
throw restErrorUtil.createRESTException(
"ConfigParams cannot be null.",
MessageEnums.ERROR_CREATING_OBJECT);
}
service = svcService.create(service);
XXService xCreatedService = daoMgr.getXXService().getById(service.getId());
VXUser vXUser = null;
XXServiceConfigMapDao xConfMapDao = daoMgr.getXXServiceConfigMap();
for (Entry<String, String> configMap : validConfigs.entrySet()) {
String configKey = configMap.getKey();
String configValue = configMap.getValue();
if(StringUtils.equalsIgnoreCase(configKey, "username")) {
String userName = stringUtil.getValidUserName(configValue);
XXUser xxUser = daoMgr.getXXUser().findByUserName(userName);
if (xxUser != null) {
vXUser = xUserService.populateViewBean(xxUser);
} else {
vXUser = new VXUser();
vXUser.setName(userName);
vXUser.setUserSource(RangerCommonEnums.USER_EXTERNAL);
vXUser = xUserMgr.createXUser(vXUser);
}
}
XXServiceConfigMap xConfMap = new XXServiceConfigMap();
xConfMap = (XXServiceConfigMap) rangerAuditFields.populateAuditFields(xConfMap, xCreatedService);
xConfMap.setServiceId(xCreatedService.getId());
xConfMap.setConfigkey(configKey);
xConfMap.setConfigvalue(configValue);
xConfMap = xConfMapDao.create(xConfMap);
}
RangerService createdService = svcService.getPopulatedViewObject(xCreatedService);
dataHistService.createObjectDataHistory(createdService, RangerDataHistService.ACTION_CREATE);
createDefaultPolicy(xCreatedService, vXUser);
return createdService;
} else {
LOG.debug("User id : " + usb.getUserId() + " doesn't have admin access to create repository.");
throw restErrorUtil.createRESTException(
"Sorry, you don't have permission to perform the operation",
MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY);
}
}
@Override
public RangerService updateService(RangerService service) throws Exception {
if(LOG.isDebugEnabled()) {
LOG.debug("==> ServiceDBStore.updateService()");
}
UserSessionBase usb = ContextUtil.getCurrentUserSession();
if (usb != null && usb.isUserAdmin()) {
XXService existing = daoMgr.getXXService().getById(service.getId());
if(existing == null) {
throw restErrorUtil.createRESTException(
"no service exists with ID=" + service.getId(),
MessageEnums.DATA_NOT_FOUND);
}
String existingName = existing.getName();
boolean renamed = !StringUtils.equalsIgnoreCase(service.getName(), existingName);
if(renamed) {
XXService newNameService = daoMgr.getXXService().findByName(service.getName());
if(newNameService != null) {
throw restErrorUtil.createRESTException("another service already exists with name '"
+ service.getName() + "'. ID=" + newNameService.getId(), MessageEnums.DATA_NOT_UPDATABLE);
}
}
Map<String, String> configs = service.getConfigs();
Map<String, String> validConfigs = validateRequiredConfigParams(
service, configs);
if (validConfigs == null) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> ConfigParams cannot be null, ServiceDefDBStore.createService(" + service + ")");
}
throw restErrorUtil.createRESTException(
"ConfigParams cannot be null.",
MessageEnums.ERROR_CREATING_OBJECT);
}
service = svcService.update(service);
XXService xUpdService = daoMgr.getXXService().getById(service.getId());
List<XXServiceConfigMap> dbConfigMaps = daoMgr.getXXServiceConfigMap().findByServiceId(service.getId());
for(XXServiceConfigMap dbConfigMap : dbConfigMaps) {
daoMgr.getXXServiceConfigMap().remove(dbConfigMap);
}
VXUser vXUser = null;
XXServiceConfigMapDao xConfMapDao = daoMgr.getXXServiceConfigMap();
for (Entry<String, String> configMap : validConfigs.entrySet()) {
String configKey = configMap.getKey();
String configValue = configMap.getValue();
if(StringUtils.equalsIgnoreCase(configKey, "username")) {
String userName = stringUtil.getValidUserName(configValue);
XXUser xxUser = daoMgr.getXXUser().findByUserName(userName);
if (xxUser != null) {
vXUser = xUserService.populateViewBean(xxUser);
} else {
vXUser = new VXUser();
vXUser.setName(userName);
vXUser.setUserSource(RangerCommonEnums.USER_EXTERNAL);
vXUser = xUserMgr.createXUser(vXUser);
}
}
XXServiceConfigMap xConfMap = new XXServiceConfigMap();
xConfMap = (XXServiceConfigMap) rangerAuditFields.populateAuditFields(xConfMap, xUpdService);
xConfMap.setServiceId(service.getId());
xConfMap.setConfigkey(configKey);
xConfMap.setConfigvalue(configValue);
xConfMap = xConfMapDao.create(xConfMap);
}
RangerService updService = svcService.getPopulatedViewObject(xUpdService);
dataHistService.createObjectDataHistory(updService, RangerDataHistService.ACTION_UPDATE);
return updService;
} else {
LOG.debug("User id : " + usb.getUserId() + " doesn't have admin access to update repository.");
throw restErrorUtil.createRESTException(
"Sorry, you don't have permission to perform the operation",
MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY);
}
}
@Override
public void deleteService(Long id) throws Exception {
if(LOG.isDebugEnabled()) {
LOG.debug("==> ServiceDBStore.deleteService(" + id + ")");
}
RangerService service = getService(id);
if(service == null) {
throw new Exception("no service exists with ID=" + id);
}
List<XXPolicy> policies = daoMgr.getXXPolicy().findByServiceId(service.getId());
for(XXPolicy policy : policies) {
LOG.info("Deleting Policy, policyName: " + policy.getName());
deletePolicy(policy.getId());
}
XXServiceConfigMapDao configDao = daoMgr.getXXServiceConfigMap();
List<XXServiceConfigMap> configs = configDao.findByServiceId(service.getId());
for (XXServiceConfigMap configMap : configs) {
configDao.remove(configMap);
}
svcService.delete(service);
dataHistService.createObjectDataHistory(service, RangerDataHistService.ACTION_DELETE);
}
@Override
public RangerService getService(Long id) throws Exception {
if(LOG.isDebugEnabled()) {
LOG.debug("==> ServiceDBStore.getService()");
}
return svcService.read(id);
}
@Override
public RangerService getServiceByName(String name) throws Exception {
if(LOG.isDebugEnabled()) {
LOG.debug("==> ServiceDBStore.getServiceByName()");
}
XXService xService = daoMgr.getXXService().findByName(name);
return xService == null ? null : svcService.getPopulatedViewObject(xService);
}
@Override
public List<RangerService> getServices(SearchFilter filter) throws Exception {
if(LOG.isDebugEnabled()) {
LOG.debug("==> ServiceDBStore.getServices()");
}
List<RangerService> serviceList = svcService.getServices(filter);
return serviceList;
}
@Override
public RangerPolicy createPolicy(RangerPolicy policy) throws Exception {
RangerService service = getServiceByName(policy.getService());
if(service == null) {
throw new Exception("service does not exist - name=" + policy.getService());
}
XXPolicy existing = daoMgr.getXXPolicy().findByName(policy.getName());
if(existing != null) {
throw new Exception("policy already exists: ServiceName=" + policy.getService() + "; PolicyName=" + policy.getName() + ". ID=" + existing.getId());
}
Map<String, RangerPolicyResource> resources = policy.getResources();
List<RangerPolicyItem> policyItems = policy.getPolicyItems();
policy = policyService.create(policy);
XXPolicy xCreatedPolicy = daoMgr.getXXPolicy().getById(policy.getId());
createNewResourcesForPolicy(policy, xCreatedPolicy, resources);
createNewPolicyItemsForPolicy(policy, xCreatedPolicy, policyItems);
RangerPolicy createdPolicy = policyService.getPopulatedViewObject(xCreatedPolicy);
dataHistService.createObjectDataHistory(createdPolicy, RangerDataHistService.ACTION_CREATE);
return createdPolicy;
}
@Override
public RangerPolicy updatePolicy(RangerPolicy policy) throws Exception {
if(LOG.isDebugEnabled()) {
LOG.debug("==> ServiceDBStore.updatePolicy(" + policy + ")");
}
UserSessionBase currentUserSession = ContextUtil
.getCurrentUserSession();
if (currentUserSession == null) {
throw restErrorUtil.createRESTException("Policy updation not "
+ "allowed",MessageEnums.OPER_NO_PERMISSION);
}
RangerPolicy existing = getPolicy(policy.getId());
if(existing == null) {
throw new Exception("no policy exists with ID=" + policy.getId());
}
RangerService service = getServiceByName(policy.getService());
if(service == null) {
throw new Exception("service does not exist - name=" + policy.getService());
}
if(! StringUtils.equalsIgnoreCase(existing.getService(), policy.getService())) {
throw new Exception("policy id=" + policy.getId() + " already exists in service " + existing.getService() + ". It can not be moved to service " + policy.getService());
}
boolean renamed = !StringUtils.equalsIgnoreCase(policy.getName(), existing.getName());
if(renamed) {
XXPolicy newNamePolicy = daoMgr.getXXPolicy().findByName(policy.getName());
if(newNamePolicy != null) {
throw new Exception("another policy already exists with name '" + policy.getName() + "'. ID=" + newNamePolicy.getId());
}
}
Map<String, RangerPolicyResource> newResources = policy.getResources();
List<RangerPolicyItem> newPolicyItems = policy.getPolicyItems();
policy = policyService.update(policy);
XXPolicy newUpdPolicy = daoMgr.getXXPolicy().getById(policy.getId());
deleteExistingPolicyResources(policy);
deleteExistingPolicyItems(policy);
createNewResourcesForPolicy(policy, newUpdPolicy, newResources);
createNewPolicyItemsForPolicy(policy, newUpdPolicy, newPolicyItems);
handlePolicyUpdate(service);
RangerPolicy updPolicy = policyService.getPopulatedViewObject(newUpdPolicy);
dataHistService.createObjectDataHistory(updPolicy, RangerDataHistService.ACTION_UPDATE);
return updPolicy;
}
@Override
public void deletePolicy(Long policyId) throws Exception {
if(LOG.isDebugEnabled()) {
LOG.debug("==> ServiceDBStore.deletePolicy(" + policyId + ")");
}
RangerPolicy policy = getPolicy(policyId);
if(policy == null) {
throw new Exception("no policy exists with ID=" + policyId);
}
String policyName = policy.getName();
RangerService service = getServiceByName(policy.getService());
if(service == null) {
throw new Exception("service does not exist - name='" + policy.getService());
}
deleteExistingPolicyItems(policy);
deleteExistingPolicyResources(policy);
policyService.delete(policy);
handlePolicyUpdate(service);
dataHistService.createObjectDataHistory(policy, RangerDataHistService.ACTION_DELETE);
LOG.info("Policy Deleted Successfully. PolicyName : " +policyName);
}
@Override
public RangerPolicy getPolicy(Long id) throws Exception {
return policyService.read(id);
}
@Override
public List<RangerPolicy> getPolicies(SearchFilter filter) throws Exception {
if(LOG.isDebugEnabled()) {
LOG.debug("==> ServiceDBStore.getPolicies()");
}
List<RangerPolicy> ret = new ArrayList<RangerPolicy>();
List<XXPolicy> policyList = daoMgr.getXXPolicy().getAll();
for (XXPolicy xPolicy : policyList) {
RangerPolicy policy = policyService.getPopulatedViewObject(xPolicy);
ret.add(policy);
}
return ret;
}
@Override
public List<RangerPolicy> getServicePolicies(Long serviceId, SearchFilter filter) throws Exception {
if(LOG.isDebugEnabled()) {
LOG.debug("==> ServiceDBStore.getServicePolicies(" + serviceId + ")");
}
List<XXPolicy> servicePolicyList = daoMgr.getXXPolicy().findByServiceId(serviceId);
List<RangerPolicy> servicePolicies = new ArrayList<RangerPolicy>();
for(XXPolicy xPolicy : servicePolicyList) {
RangerPolicy servicePolicy = policyService.getPopulatedViewObject(xPolicy);
servicePolicies.add(servicePolicy);
}
return servicePolicies;
}
@Override
public List<RangerPolicy> getServicePolicies(String serviceName, SearchFilter filter) throws Exception {
if(LOG.isDebugEnabled()) {
LOG.debug("==> ServiceDBStore.getServicePolicies(" + serviceName + ")");
}
List<RangerPolicy> ret = new ArrayList<RangerPolicy>();
try {
XXService service = daoMgr.getXXService().findByName(serviceName);
if(service == null) {
return ret;
}
List<XXPolicy> policyList = daoMgr.getXXPolicy().findByServiceId(service.getId());
for (XXPolicy xPolicy : policyList) {
RangerPolicy policy = policyService.getPopulatedViewObject(xPolicy);
ret.add(policy);
}
} catch(Exception excp) {
LOG.error("ServiceDBStore.getServicePolicies(" + serviceName + "): failed to read policies", excp);
}
return ret;
}
@Override
public ServicePolicies getServicePoliciesIfUpdated(String serviceName, Long lastKnownVersion) throws Exception {
if(LOG.isDebugEnabled()) {
LOG.debug("==> ServiceDBStore.getServicePoliciesIfUpdated(" + serviceName + ", " + lastKnownVersion + ")");
}
ServicePolicies ret = null;
RangerService service = getServiceByName(serviceName);
if(service == null) {
throw new Exception("service does not exist - name=" + serviceName);
}
RangerServiceDef serviceDef = getServiceDefByName(service.getType());
if(serviceDef == null) {
throw new Exception(service.getType() + ": unknown service-def)");
}
if(lastKnownVersion == null || service.getPolicyVersion() == null || lastKnownVersion.longValue() != service.getPolicyVersion().longValue()) {
SearchFilter filter = new SearchFilter(SearchFilter.SERVICE_NAME, serviceName);
List<RangerPolicy> policies = getServicePolicies(serviceName, filter);
ret = new ServicePolicies();
ret.setServiceId(service.getId());
ret.setServiceName(service.getName());
ret.setPolicyVersion(service.getPolicyVersion());
ret.setPolicyUpdateTime(service.getPolicyUpdateTime());
ret.setPolicies(policies);
ret.setServiceDef(serviceDef);
}
if(LOG.isDebugEnabled()) {
LOG.debug("<== ServiceDBStore.getServicePoliciesIfUpdated(" + serviceName + ", " + lastKnownVersion + "): count=" + ((ret == null || ret.getPolicies() == null) ? 0 : ret.getPolicies().size()));
}
if(ret != null && ret.getPolicies() != null) {
Collections.sort(ret.getPolicies(), idComparator);
}
return ret;
}
private void createDefaultPolicy(XXService createdService, VXUser vXUser) throws Exception {
RangerPolicy policy = new RangerPolicy();
String policyName=createdService.getName()+"-"+1+"-"+DateUtil.dateToString(DateUtil.getUTCDate(),"yyyyMMddHHmmss");
policy.setIsEnabled(true);
policy.setVersion(1L);
policy.setName(policyName);
policy.setService(createdService.getName());
policy.setDescription("Default Policy for Service: " + createdService.getName());
policy.setIsAuditEnabled(true);
Map<String, RangerPolicyResource> resources = new HashMap<String, RangerPolicyResource>();
List<XXResourceDef> resDefList = daoMgr.getXXResourceDef().findByServiceDefId(createdService.getType());
for(XXResourceDef resDef : resDefList) {
RangerPolicyResource polRes = new RangerPolicyResource();
polRes.setIsExcludes(false);
polRes.setIsRecursive(false);
String value;
if("path".equalsIgnoreCase(resDef.getName())) {
value = "/*/*";
} else {
value = "*";
}
polRes.setValue(value);
resources.put(resDef.getName(), polRes);
}
policy.setResources(resources);
if (vXUser != null) {
List<RangerPolicyItem> policyItems = new ArrayList<RangerPolicyItem>();
RangerPolicyItem policyItem = new RangerPolicyItem();
List<String> users = new ArrayList<String>();
users.add(vXUser.getName());
policyItem.setUsers(users);
List<XXAccessTypeDef> accessTypeDefs = daoMgr.getXXAccessTypeDef().findByServiceDefId(createdService.getType());
List<RangerPolicyItemAccess> accesses = new ArrayList<RangerPolicyItemAccess>();
for(XXAccessTypeDef accessTypeDef : accessTypeDefs) {
RangerPolicyItemAccess access = new RangerPolicyItemAccess();
access.setType(accessTypeDef.getName());
access.setIsAllowed(true);
accesses.add(access);
}
policyItem.setAccesses(accesses);
policyItem.setDelegateAdmin(true);
policyItems.add(policyItem);
policy.setPolicyItems(policyItems);
}
policy = createPolicy(policy);
handlePolicyUpdate(svcService.getPopulatedViewObject(createdService));
}
private Map<String, String> validateRequiredConfigParams(RangerService service, Map<String, String> configs) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> ServiceDBStore.validateRequiredConfigParams()");
}
if(configs == null) {
return null;
}
List<XXServiceConfigDef> svcConfDefList = daoMgr.getXXServiceConfigDef()
.findByServiceDefName(service.getType());
for(XXServiceConfigDef svcConfDef : svcConfDefList ) {
String confField = configs.get(svcConfDef.getName());
if(svcConfDef.getIsMandatory() && stringUtil.isEmpty(confField)) {
throw restErrorUtil.createRESTException(
"Please provide value of mandatory: "+ svcConfDef.getName(),
MessageEnums.INVALID_INPUT_DATA);
}
}
Map<String, String> validConfigs = new HashMap<String, String>();
for(Entry<String, String> config : configs.entrySet()) {
String confKey = config.getKey();
String confValue = config.getValue();
boolean found = false;
for(XXServiceConfigDef xConfDef : svcConfDefList) {
if((xConfDef.getName()).equalsIgnoreCase(confKey)) {
found = true;
break;
}
}
if(found) {
validConfigs.put(confKey, confValue);
} else {
LOG.info("Ignoring this config parameter:" + confKey
+ ", as its not valid conf param for service");
}
}
return validConfigs;
}
private void handlePolicyUpdate(RangerService service) throws Exception {
if(service == null) {
return;
}
Long policyVersion = service.getPolicyVersion();
if(policyVersion == null) {
policyVersion = new Long(1);
} else {
policyVersion = new Long(policyVersion.longValue() + 1);
}
service.setPolicyVersion(policyVersion);
service.setPolicyUpdateTime(new Date());
service = updateService(service);
}
private void createNewPolicyItemsForPolicy(RangerPolicy policy, XXPolicy xPolicy, List<RangerPolicyItem> policyItems) {
for (RangerPolicyItem policyItem : policyItems) {
XXPolicyItem xPolicyItem = new XXPolicyItem();
xPolicyItem = (XXPolicyItem) rangerAuditFields.populateAuditFields(
xPolicyItem, xPolicy);
xPolicyItem.setDelegateAdmin(policyItem.getDelegateAdmin());
xPolicyItem.setPolicyId(policy.getId());
xPolicyItem = daoMgr.getXXPolicyItem().create(xPolicyItem);
List<RangerPolicyItemAccess> accesses = policyItem.getAccesses();
for (RangerPolicyItemAccess access : accesses) {
XXAccessTypeDef xAccTypeDef = daoMgr.getXXAccessTypeDef()
.findByNameAndServiceId(access.getType(),
xPolicy.getService());
if (xAccTypeDef == null) {
LOG.info("One of given accessType is not valid for this policy. access: "
+ access.getType() + ", Ignoring this access");
continue;
}
XXPolicyItemAccess xPolItemAcc = new XXPolicyItemAccess();
xPolItemAcc = (XXPolicyItemAccess) rangerAuditFields.populateAuditFields(xPolItemAcc, xPolicyItem);
xPolItemAcc.setIsAllowed(access.getIsAllowed());
xPolItemAcc.setType(xAccTypeDef.getId());
xPolItemAcc.setPolicyitemid(xPolicyItem.getId());
xPolItemAcc = daoMgr.getXXPolicyItemAccess()
.create(xPolItemAcc);
}
List<String> users = policyItem.getUsers();
for(String user : users) {
XXUser xUser = daoMgr.getXXUser().findByUserName(user);
if(xUser == null) {
LOG.info("User does not exists with username: "
+ user + ", Ignoring permissions given to this user for policy");
continue;
}
XXPolicyItemUserPerm xUserPerm = new XXPolicyItemUserPerm();
xUserPerm = (XXPolicyItemUserPerm) rangerAuditFields.populateAuditFields(xUserPerm, xPolicyItem);
xUserPerm.setUserId(xUser.getId());
xUserPerm.setPolicyItemId(xPolicyItem.getId());
xUserPerm = daoMgr.getXXPolicyItemUserPerm().create(xUserPerm);
}
List<String> groups = policyItem.getGroups();
for(String group : groups) {
XXGroup xGrp = daoMgr.getXXGroup().findByGroupName(group);
if(xGrp == null) {
LOG.info("Group does not exists with groupName: "
+ group + ", Ignoring permissions given to this group for policy");
continue;
}
XXPolicyItemGroupPerm xGrpPerm = new XXPolicyItemGroupPerm();
xGrpPerm = (XXPolicyItemGroupPerm) rangerAuditFields.populateAuditFields(xGrpPerm, xPolicyItem);
xGrpPerm.setGroupId(xGrp.getId());
xGrpPerm.setPolicyItemId(xPolicyItem.getId());
xGrpPerm = daoMgr.getXXPolicyItemGroupPerm().create(xGrpPerm);
}
List<RangerPolicyItemCondition> conditions = policyItem.getConditions();
for(RangerPolicyItemCondition condition : conditions) {
XXPolicyConditionDef xPolCond = daoMgr
.getXXPolicyConditionDef().findByPolicyItemIdAndName(
xPolicyItem.getId(), condition.getType());
if(xPolCond == null) {
LOG.info("PolicyCondition is not valid, condition: "
+ condition.getType()
+ ", Ignoring creation of this policy condition");
continue;
}
for(String value : condition.getValues()) {
XXPolicyItemCondition xPolItemCond = new XXPolicyItemCondition();
xPolItemCond = (XXPolicyItemCondition) rangerAuditFields.populateAuditFields(xPolItemCond, xPolicyItem);
xPolItemCond.setPolicyItemId(xPolicyItem.getId());
xPolItemCond.setType(xPolCond.getId());
xPolItemCond.setValue(value);
xPolItemCond = daoMgr.getXXPolicyItemCondition().create(xPolItemCond);
}
}
}
}
private void createNewResourcesForPolicy(RangerPolicy policy, XXPolicy xPolicy, Map<String, RangerPolicyResource> resources) {
for (Entry<String, RangerPolicyResource> resource : resources.entrySet()) {
RangerPolicyResource policyRes = resource.getValue();
XXResourceDef xResDef = daoMgr.getXXResourceDef()
.findByNameAndPolicyId(resource.getKey(), policy.getId());
if (xResDef == null) {
LOG.info("No Such Resource found, resourceName : "
+ resource.getKey() + ", Ignoring this resource.");
continue;
}
XXPolicyResource xPolRes = new XXPolicyResource();
xPolRes = (XXPolicyResource) rangerAuditFields.populateAuditFields(xPolRes, xPolicy);
xPolRes.setIsExcludes(policyRes.getIsExcludes());
xPolRes.setIsRecursive(policyRes.getIsRecursive());
xPolRes.setPolicyId(policy.getId());
xPolRes.setResDefId(xResDef.getId());
xPolRes = daoMgr.getXXPolicyResource().create(xPolRes);
List<String> values = policyRes.getValues();
for (String value : values) {
XXPolicyResourceMap xPolResMap = new XXPolicyResourceMap();
xPolResMap = (XXPolicyResourceMap) rangerAuditFields.populateAuditFields(xPolResMap, xPolRes);
xPolResMap.setResourceId(xPolRes.getId());
xPolResMap.setValue(value);
xPolResMap = daoMgr.getXXPolicyResourceMap().create(xPolResMap);
}
}
}
private Boolean deleteExistingPolicyItems(RangerPolicy policy) {
if(policy == null) {
return false;
}
XXPolicyItemDao policyItemDao = daoMgr.getXXPolicyItem();
List<XXPolicyItem> policyItems = policyItemDao.findByPolicyId(policy.getId());
for(XXPolicyItem policyItem : policyItems) {
Long polItemId = policyItem.getId();
XXPolicyItemConditionDao polCondDao = daoMgr.getXXPolicyItemCondition();
List<XXPolicyItemCondition> conditions = polCondDao.findByPolicyItemId(polItemId);
for(XXPolicyItemCondition condition : conditions) {
polCondDao.remove(condition);
}
XXPolicyItemGroupPermDao grpPermDao = daoMgr.getXXPolicyItemGroupPerm();
List<XXPolicyItemGroupPerm> groups = grpPermDao.findByPolicyItemId(polItemId);
for(XXPolicyItemGroupPerm group : groups) {
grpPermDao.remove(group);
}
XXPolicyItemUserPermDao userPermDao = daoMgr.getXXPolicyItemUserPerm();
List<XXPolicyItemUserPerm> users = userPermDao.findByPolicyItemId(polItemId);
for(XXPolicyItemUserPerm user : users) {
userPermDao.remove(user);
}
XXPolicyItemAccessDao polItemAccDao = daoMgr.getXXPolicyItemAccess();
List<XXPolicyItemAccess> accesses = polItemAccDao.findByPolicyItemId(polItemId);
for(XXPolicyItemAccess access : accesses) {
polItemAccDao.remove(access);
}
policyItemDao.remove(policyItem);
}
return true;
}
private Boolean deleteExistingPolicyResources(RangerPolicy policy) {
if(policy == null) {
return false;
}
List<XXPolicyResource> resources = daoMgr.getXXPolicyResource().findByPolicyId(policy.getId());
XXPolicyResourceDao resDao = daoMgr.getXXPolicyResource();
for(XXPolicyResource resource : resources) {
List<XXPolicyResourceMap> resMapList = daoMgr.getXXPolicyResourceMap().findByPolicyResId(resource.getId());
XXPolicyResourceMapDao resMapDao = daoMgr.getXXPolicyResourceMap();
for(XXPolicyResourceMap resMap : resMapList) {
resMapDao.remove(resMap);
}
resDao.remove(resource);
}
return true;
}
private final static Comparator<RangerBaseModelObject> idComparator = new Comparator<RangerBaseModelObject>() {
@Override
public int compare(RangerBaseModelObject o1, RangerBaseModelObject o2) {
Long val1 = (o1 != null) ? o1.getId() : null;
Long val2 = (o2 != null) ? o2.getId() : null;
return ObjectUtils.compare(val1, val2);
}
};
}