Merge branch 'master' of https://gitbox.apache.org/repos/asf/ranger
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
index 71511dc..21308b1 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
@@ -65,6 +65,7 @@
 import org.apache.ranger.rest.ServiceREST;
 import org.apache.ranger.security.context.RangerAdminOpContext;
 import org.apache.ranger.security.context.RangerContextHolder;
+import org.apache.ranger.service.XUserService;
 import org.apache.ranger.view.VXPortalUser;
 import org.apache.ranger.view.VXResource;
 import org.apache.ranger.view.VXResponse;
@@ -91,6 +92,9 @@
 	UserMgr userMgr;
 
 	@Autowired
+	XUserService xUserService;
+
+	@Autowired
 	GUIDUtil guidUtil;
 	
 	Set<Class<?>> groupEditableClasses;
@@ -1413,6 +1417,19 @@
 	public boolean isUserAllowedForGrantRevoke(RangerService rangerService, String userName) {
 		return isUserInConfigParameter(rangerService, ServiceREST.Allowed_User_List_For_Grant_Revoke, userName);
 	}
+
+	public boolean isUserRangerAdmin(String username) {
+		boolean isAdmin = false;
+		try {
+			VXUser vxUser = xUserService.getXUserByUserName(username);
+			if (vxUser != null && (vxUser.getUserRoleList().contains(RangerConstants.ROLE_ADMIN) || vxUser.getUserRoleList().contains(RangerConstants.ROLE_SYS_ADMIN))) {
+				isAdmin = true;
+			}
+		} catch (Exception ex) {
+		}
+		return isAdmin;
+	}
+
 	public boolean isUserServiceAdmin(RangerService rangerService, String userName) {
 		return isUserInConfigParameter(rangerService, ServiceDBStore.SERVICE_ADMIN_USERS, userName);
 	}
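Review bot: The `catch (Exception ex) {}` in `isUserRangerAdmin` is empty, so a failed user lookup or a null `getUserRoleList()` looks the same as "not an admin" and leaves no trace; the private `userIsRangerAdmin` it replaces in RoleREST.java at least logged the failure. Returning false on error is the right fail-closed default for an authorization helper, but the catch should log through the class's existing logger (its name is not visible in this hunk), for example `<logger>.error("isUserRangerAdmin(" + username + ") failed", ex);`. The method is now public and also gates grant/revoke in ServiceREST.java, so a Javadoc line stating that it returns false for unknown users and on lookup errors would help callers. `VXUser` and `RangerConstants` are presumably already imported in this file, since the import hunk adds only `XUserService`.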
@@ -1517,4 +1534,5 @@
 			}
 		}
 	}
+
 }
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java b/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java
index 9b225a3..d690297 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java
@@ -47,7 +47,6 @@
 import org.apache.ranger.common.RangerValidatorFactory;
 import org.apache.ranger.common.ServiceUtil;
 import org.apache.ranger.common.UserSessionBase;
-import org.apache.ranger.common.RangerConstants;
 import org.apache.ranger.common.PropertiesUtil;
 import org.apache.ranger.common.ContextUtil;
 import org.apache.ranger.db.RangerDaoManager;
@@ -67,7 +66,6 @@
 import org.apache.ranger.service.RangerRoleService;
 import org.apache.ranger.service.XUserService;
 import org.apache.ranger.view.RangerRoleList;
-import org.apache.ranger.view.VXUser;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Scope;
 import org.springframework.stereotype.Component;
@@ -879,7 +877,7 @@
         UserSessionBase usb = ContextUtil.getCurrentUserSession();
         String loggedInUser = usb != null ? usb.getLoginId() : null;
         if (!StringUtil.equals(userName, loggedInUser)) {
-            if (!userIsRangerAdmin(loggedInUser) && !userIsSrvAdmOrSrvUser(serviceName, loggedInUser)) {
+            if (!bizUtil.isUserRangerAdmin(loggedInUser) && !userIsSrvAdmOrSrvUser(serviceName, loggedInUser)) {
                 throw new Exception("User does not have permission for this operation");
             }
             effectiveUser = userName != null ? userName : loggedInUser;
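Review bot: `loggedInUser` is null when there is no current session (`usb != null ? usb.getLoginId() : null`) and is passed straight to `bizUtil.isUserRangerAdmin(loggedInUser)`, so denying a sessionless caller now depends on that helper's silent catch and on how `userIsSrvAdmOrSrvUser` treats null. An explicit guard before the comparison, such as `if (loggedInUser == null) { throw new Exception("User does not have permission for this operation"); }`, would make the deny path independent of both helpers. The hunk at -906 has the same pattern, except that it logs and returns null instead of throwing. The enclosing method starts outside this hunk, so an earlier check may already cover this case.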
@@ -887,7 +885,7 @@
             effectiveUser = loggedInUser;
         }
 
-        if (!userIsRangerAdmin(effectiveUser)) {
+        if (!bizUtil.isUserRangerAdmin(effectiveUser)) {
             throw new Exception("User " + effectiveUser + " does not have permission for this operation");
         }
     }
@@ -906,7 +904,7 @@
         UserSessionBase usb = ContextUtil.getCurrentUserSession();
         String loggedInUser = usb != null ? usb.getLoginId() : null;
         if (!StringUtil.equals(userName, loggedInUser)) {
-            if (!userIsRangerAdmin(loggedInUser) && !userIsSrvAdmOrSrvUser(serviceName, loggedInUser)) {
+            if (!bizUtil.isUserRangerAdmin(loggedInUser) && !userIsSrvAdmOrSrvUser(serviceName, loggedInUser)) {
                 LOG.error("User does not have permission for this operation");
                 return null;
             }
@@ -915,7 +913,7 @@
             effectiveUser = loggedInUser;
         }
         try {
-            if (!userIsRangerAdmin(effectiveUser)) {
+            if (!bizUtil.isUserRangerAdmin(effectiveUser)) {
                 existingRole = roleStore.getRole(roleName);
                 ensureRoleAccess(effectiveUser, userGroups, existingRole);
 
@@ -930,19 +928,6 @@
         return existingRole;
     }
 
-    private boolean userIsRangerAdmin(String username) {
-        boolean isAdmin = false;
-        try {
-            VXUser vxUser = xUserService.getXUserByUserName(username);
-            if (vxUser != null && (vxUser.getUserRoleList().contains(RangerConstants.ROLE_ADMIN) || vxUser.getUserRoleList().contains(RangerConstants.ROLE_SYS_ADMIN))) {
-                isAdmin = true;
-            }
-        } catch (Exception ex) {
-            LOG.error("User " + username + " does not have permissions for this operation" + ex.getMessage());
-        }
-        return isAdmin;
-    }
-
     private boolean userIsSrvAdmOrSrvUser(String serviceName, String username) {
         boolean isServiceAdmin = false;
 
@@ -1300,4 +1285,3 @@
         }
     }
 }
-
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index f27be59..8618f32 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -1281,7 +1281,10 @@
 						vXResponse.setMsgDesc("Operation denied. LoggedInUser=" + vxUser.getId() + " is not permitted to perform the action.");
 						throw restErrorUtil.generateRESTException(vXResponse);
 					}
-					boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
+					RangerService rangerService = svcStore.getServiceByName(serviceName);
+
+					boolean isAdmin = bizUtil.isUserRangerAdmin(userName) || bizUtil.isUserServiceAdmin(rangerService, userName) || hasAdminAccess(serviceName, userName, userGroups, resource);
+
 
 					if(!isAdmin) {
 						throw restErrorUtil.createGrantRevokeRESTException( "User doesn't have necessary permission to grant access");
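Review bot: `svcStore.getServiceByName(serviceName)` is used unchecked: its result goes straight into `bizUtil.isUserServiceAdmin(rangerService, userName)`, and the hunk does not show what happens when the service name does not resolve (null return or exception). Resolving the service and rejecting an unknown one before evaluating the admin checks would keep a bad `serviceName` from surfacing as a NullPointerException or a generic error; the revoke hunk at -1511 has the same shape. The check now also grants on global role alone via `bizUtil.isUserRangerAdmin(userName)`, so confirm that `userName` is bound to the authenticated caller rather than taken from the request body, because its assignment is outside this hunk. The added lines also leave two consecutive blank lines before `if(!isAdmin)`.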
@@ -1397,7 +1400,7 @@
 							isAllowed = true;
 						}
 					} else {
-						isAllowed = hasAdminPrivilege || hasAdminAccess(serviceName, userName, userGroups, resource);
+						isAllowed = bizUtil.isUserRangerAdmin(userName) || bizUtil.isUserServiceAdmin(rangerService, userName) || hasAdminAccess(serviceName, userName, userGroups, resource);
 					}
 
 					if (isAllowed) {
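Review bot: Dropping `hasAdminPrivilege ||` changes who is allowed in this `else` branch, and the hunk does not show how `hasAdminPrivilege` was computed, so any caller it covered that the three new checks do not will now be denied; the revoke hunk at -1591 makes the same substitution. If the local is no longer read elsewhere in the method it should be removed, and `rangerService` is declared outside this hunk, so its null handling should be checked where it is assigned. The expression `bizUtil.isUserRangerAdmin(userName) || bizUtil.isUserServiceAdmin(rangerService, userName) || hasAdminAccess(...)` now appears four times in this file. Extracting it into one private helper would keep the grant and revoke paths from drifting apart and give a single place to document the precedence of the three checks.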
@@ -1511,7 +1514,9 @@
 						vXResponse.setMsgDesc("Operation denied. LoggedInUser=" + vxUser.getId() + " is not permitted to perform the action.");
 						throw restErrorUtil.generateRESTException(vXResponse);
 					}
-					boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
+					RangerService rangerService = svcStore.getServiceByName(serviceName);
+
+					boolean isAdmin = bizUtil.isUserRangerAdmin(userName) || bizUtil.isUserServiceAdmin(rangerService, userName) || hasAdminAccess(serviceName, userName, userGroups, resource);
 
 					if(!isAdmin) {
 						throw restErrorUtil.createGrantRevokeRESTException("User doesn't have necessary permission to revoke access");
@@ -1591,7 +1596,7 @@
 							isAllowed = true;
 						}
 					} else {
-						isAllowed = hasAdminPrivilege || hasAdminAccess(serviceName, userName, userGroups, resource);
+						isAllowed = bizUtil.isUserRangerAdmin(userName) || bizUtil.isUserServiceAdmin(rangerService, userName) || hasAdminAccess(serviceName, userName, userGroups, resource);
 					}
 
 					if (isAllowed) {
@@ -2265,7 +2270,9 @@
 										if (CollectionUtils.isNotEmpty(serviceNameList) && serviceNameList.contains(serviceName) && !sourceServices.contains(serviceName) && !destinationServices.contains(serviceName)) {
 											sourceServices.add(serviceName);
 											destinationServices.add(serviceName);
-										} else if (CollectionUtils.isEmpty(serviceNameList) && !sourceServices.contains(serviceName) && !destinationServices.contains(serviceName)) {
+										} else if (CollectionUtils.isEmpty(serviceNameList)
+												&& !sourceServices.contains(serviceName)
+												&& !destinationServices.contains(serviceName)) {
 											sourceServices.add(serviceName);
 											destinationServices.add(serviceName);
 										}
@@ -3608,6 +3615,7 @@
 						if(userGroups == null) {
 							userGroups = daoManager.getXXGroupUser().findGroupNamesByUserName(userName);
 						}
+
 						Set<String> roles = policyAdmin.getRolesFromUserAndGroups(userName, userGroups);
 
 						for (RangerPolicy policy : listToFilter) {