Google Git
Sign in
apache / ranger / 4610df1fd126a07f1e19c5bed53e50742bb9f428 / . / ugsync / src / main / java / org / apache / ranger / unixusersync / process / PolicyMgrUserGroupBuilder.java
blob: 6a4661e607cf031f3cf6183adfc42c2f35bf2005 [file] [log] [blame]
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.ranger.unixusersync.process;
import java.io.IOException;
import java.lang.reflect.Type;
import java.net.UnknownHostException;
import java.security.KeyStore;
import java.security.PrivilegedAction;
import java.util.Map;
import java.util.Set;
import java.util.List;
import java.util.HashMap;
import java.util.HashSet;
import java.util.ArrayList;
import java.util.StringTokenizer;
import java.util.LinkedHashMap;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.NewCookie;
import com.google.gson.reflect.TypeToken;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.security.SecureClientLogin;
import org.apache.log4j.Level;
import org.apache.log4j.Logger;
import org.apache.ranger.unixusersync.config.UserGroupSyncConfig;
import org.apache.ranger.unixusersync.model.GetXGroupListResponse;
import org.apache.ranger.unixusersync.model.GetXUserListResponse;
import org.apache.ranger.ugsyncutil.model.*;
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import com.sun.jersey.api.client.ClientResponse;
import org.apache.ranger.usergroupsync.AbstractUserGroupSource;
import org.apache.ranger.usergroupsync.UserGroupSink;
public class PolicyMgrUserGroupBuilder extends AbstractUserGroupSource implements UserGroupSink {
private static final Logger LOG = Logger.getLogger(PolicyMgrUserGroupBuilder.class);
private static final String AUTHENTICATION_TYPE = "hadoop.security.authentication";
private String AUTH_KERBEROS = "kerberos";
private static final String PRINCIPAL = "ranger.usersync.kerberos.principal";
private static final String KEYTAB = "ranger.usersync.kerberos.keytab";
private static final String NAME_RULE = "hadoop.security.auth_to_local";
public static final String PM_USER_LIST_URI = "/service/xusers/users/"; // GET
private static final String PM_ADD_USERS_URI = "/service/xusers/ugsync/users"; // POST
private static final String PM_ADD_GROUP_USER_LIST_URI = "/service/xusers/ugsync/groupusers"; // POST
public static final String PM_GROUP_LIST_URI = "/service/xusers/groups/"; // GET
private static final String PM_ADD_GROUPS_URI = "/service/xusers/ugsync/groups/"; // POST
public static final String PM_GET_ALL_GROUP_USER_MAP_LIST_URI = "/service/xusers/ugsync/groupusers"; // GET
private static final String PM_AUDIT_INFO_URI = "/service/xusers/ugsync/auditinfo/"; // POST
public static final String PM_UPDATE_USERS_ROLES_URI = "/service/xusers/users/roleassignments"; // PUT
private static final String SOURCE_EXTERNAL ="1";
private static final String STATUS_ENABLED = "1";
private static String LOCAL_HOSTNAME = "unknown";
private String recordsToPullPerCall = "10";
private boolean isMockRun = false;
private String policyMgrBaseUrl;
private Cookie sessionId=null;
private boolean isValidRangerCookie=false;
List<NewCookie> cookieList=new ArrayList<>();
private boolean isStartupFlag;
private UserGroupSyncConfig config = UserGroupSyncConfig.getInstance();
private volatile RangerUgSyncRESTClient ldapUgSyncClient;
private Map<String, XUserInfo> userCache; // Key is user name as in ranger db
private Map<String, XGroupInfo> groupCache; // Key is group name as in ranger db
private Map<String, Set<String>> groupUsersCache; // Key is group name and value is set of user names (as stored in ranger DB)
private Map<String, String> groupNameMap; // Key is group DN and value is group name as stored in ranger DB
private Map<String, String> userNameMap; // Key is user DN and value is user name as stored in ranger DB
private Map<String, XGroupInfo> deltaGroups;
private Map<String, XUserInfo> deltaUsers;
private Map<String, Set<String>> deltaGroupUsers;
private Set<String> computeRolesForUsers;
private int noOfNewUsers;
private int noOfNewGroups;
private int noOfModifiedUsers;
private int noOfModifiedGroups;
private boolean userNameCaseConversionFlag;
private boolean groupNameCaseConversionFlag;
private boolean userNameLowerCaseFlag = false;
private boolean groupNameLowerCaseFlag = false;
private String authenticationType = null;
String principal;
String keytab;
String nameRules;
Map<String, String> userMap = new LinkedHashMap<String, String>();
Map<String, String> groupMap = new LinkedHashMap<>();
private boolean isRangerCookieEnabled;
private String rangerCookieName;
static {
try {
LOCAL_HOSTNAME = java.net.InetAddress.getLocalHost().getCanonicalHostName();
} catch (UnknownHostException e) {
LOCAL_HOSTNAME = "unknown";
}
}
public static void main(String[] args) throws Throwable {
PolicyMgrUserGroupBuilder ugbuilder = new PolicyMgrUserGroupBuilder();
ugbuilder.init();
}
public PolicyMgrUserGroupBuilder() {
super();
String userNameCaseConversion = config.getUserNameCaseConversion();
if (UserGroupSyncConfig.UGSYNC_NONE_CASE_CONVERSION_VALUE.equalsIgnoreCase(userNameCaseConversion)) {
userNameCaseConversionFlag = false;
}
else {
userNameCaseConversionFlag = true;
userNameLowerCaseFlag = UserGroupSyncConfig.UGSYNC_LOWER_CASE_CONVERSION_VALUE.equalsIgnoreCase(userNameCaseConversion);
}
String groupNameCaseConversion = config.getGroupNameCaseConversion();
if (UserGroupSyncConfig.UGSYNC_NONE_CASE_CONVERSION_VALUE.equalsIgnoreCase(groupNameCaseConversion)) {
groupNameCaseConversionFlag = false;
}
else {
groupNameCaseConversionFlag = true;
groupNameLowerCaseFlag = UserGroupSyncConfig.UGSYNC_LOWER_CASE_CONVERSION_VALUE.equalsIgnoreCase(groupNameCaseConversion);
}
}
synchronized public void init() throws Throwable {
recordsToPullPerCall = config.getMaxRecordsPerAPICall();
policyMgrBaseUrl = config.getPolicyManagerBaseURL();
isMockRun = config.isMockRunEnabled();
isRangerCookieEnabled = config.isUserSyncRangerCookieEnabled();
rangerCookieName = config.getRangerAdminCookieName();
groupNameMap = new HashMap<>();
userNameMap = new HashMap<>();
userCache = new HashMap<>();
groupCache = new HashMap<>();
isStartupFlag = true;
if (isMockRun) {
LOG.setLevel(Level.DEBUG);
}
sessionId=null;
String keyStoreFile = config.getSSLKeyStorePath();
String trustStoreFile = config.getSSLTrustStorePath();
String keyStoreFilepwd = config.getSSLKeyStorePathPassword();
String trustStoreFilepwd = config.getSSLTrustStorePathPassword();
String keyStoreType = KeyStore.getDefaultType();
String trustStoreType = KeyStore.getDefaultType();
authenticationType = config.getProperty(AUTHENTICATION_TYPE,"simple");
try {
principal = SecureClientLogin.getPrincipal(config.getProperty(PRINCIPAL,""), LOCAL_HOSTNAME);
} catch (IOException ignored) {
// do nothing
}
keytab = config.getProperty(KEYTAB,"");
nameRules = config.getProperty(NAME_RULE,"DEFAULT");
ldapUgSyncClient = new RangerUgSyncRESTClient(policyMgrBaseUrl, keyStoreFile, keyStoreFilepwd, keyStoreType,
trustStoreFile, trustStoreFilepwd, trustStoreType, authenticationType, principal, keytab,
config.getPolicyMgrUserName(), config.getPolicyMgrPassword());
String userGroupRoles = config.getGroupRoleRules();
if (userGroupRoles != null && !userGroupRoles.isEmpty()) {
getRoleForUserGroups(userGroupRoles);
}
buildUserGroupInfo();
if (LOG.isDebugEnabled()) {
LOG.debug("PolicyMgrUserGroupBuilderOld.init()==> PolMgrBaseUrl : "+policyMgrBaseUrl+" KeyStore File : "+keyStoreFile+" TrustStore File : "+trustStoreFile+ "Authentication Type : "+authenticationType);
}
}
@Override
public void postUserGroupAuditInfo(UgsyncAuditInfo ugsyncAuditInfo) throws Throwable {
ugsyncAuditInfo.setNoOfNewUsers(Integer.toUnsignedLong(noOfNewUsers));
ugsyncAuditInfo.setNoOfNewGroups(Integer.toUnsignedLong(noOfNewGroups));
ugsyncAuditInfo.setNoOfModifiedUsers(Integer.toUnsignedLong(noOfModifiedUsers));
ugsyncAuditInfo.setNoOfModifiedGroups(Integer.toUnsignedLong(noOfModifiedGroups));
int noOfCachedUsers = userCache.size();
int noOfCachedGroups = groupCache.size();
switch (ugsyncAuditInfo.getSyncSource()) {
case "LDAP/AD":
ugsyncAuditInfo.getLdapSyncSourceInfo().setTotalUsersSynced(noOfCachedUsers);
ugsyncAuditInfo.getLdapSyncSourceInfo().setTotalGroupsSynced(noOfCachedGroups);
break;
case "Unix":
ugsyncAuditInfo.getUnixSyncSourceInfo().setTotalUsersSynced(noOfCachedUsers);
ugsyncAuditInfo.getUnixSyncSourceInfo().setTotalGroupsSynced(noOfCachedGroups);
break;
case "File" :
ugsyncAuditInfo.getFileSyncSourceInfo().setTotalUsersSynced(noOfCachedUsers);
ugsyncAuditInfo.getFileSyncSourceInfo().setTotalGroupsSynced(noOfCachedGroups);
break;
default:
break;
}
if (!isMockRun) {
addUserGroupAuditInfo(ugsyncAuditInfo);
}
}
@Override
public void addOrUpdateUsersGroups(Map<String, Map<String, String>> sourceGroups,
Map<String, Map<String, String>> sourceUsers,
Map<String, Set<String>> sourceGroupUsers) throws Throwable {
noOfNewUsers = 0;
noOfNewGroups = 0;
noOfModifiedUsers = 0;
noOfModifiedGroups = 0;
computeRolesForUsers = new HashSet<>();
if (MapUtils.isNotEmpty(sourceGroups)) {
addOrUpdateGroups(sourceGroups);
}
if (MapUtils.isNotEmpty(sourceUsers)) {
addOrUpdateUsers(sourceUsers);
}
if (MapUtils.isNotEmpty(sourceGroupUsers)) {
addOrUpdateGroupUsers(sourceGroupUsers);
}
if (isStartupFlag) {
// This is to handle any config changes for role assignments that might impact existing users in ranger db
if (MapUtils.isNotEmpty(userMap)) {
if (LOG.isDebugEnabled()) {
LOG.debug("adding " + userMap.keySet() + " for computing roles during startup");
}
computeRolesForUsers.addAll(userMap.keySet()); // Add all the user defined in the role assignment rules
}
if (MapUtils.isNotEmpty(groupMap)) {
for (String groupName : groupMap.keySet()) {
if (LOG.isDebugEnabled()) {
LOG.debug("adding " + groupUsersCache.get(groupName) + " from " + groupName + " for computing roles during startup");
}
computeRolesForUsers.addAll(groupUsersCache.get(groupName));
}
}
}
if (CollectionUtils.isNotEmpty(computeRolesForUsers)) {
updateUserRoles();
}
isStartupFlag = false;
if (LOG.isDebugEnabled()){
LOG.debug("Update cache");
}
if (MapUtils.isNotEmpty(deltaGroups)) {
groupCache.putAll(deltaGroups);
}
if (MapUtils.isNotEmpty(deltaUsers)) {
userCache.putAll(deltaUsers);
}
if (MapUtils.isNotEmpty(deltaGroupUsers)) {
groupUsersCache.putAll(deltaGroupUsers);
}
}
private void buildUserGroupInfo() throws Throwable {
if(authenticationType != null && AUTH_KERBEROS.equalsIgnoreCase(authenticationType) && SecureClientLogin.isKerberosCredentialExists(principal, keytab)){
if(LOG.isDebugEnabled()) {
LOG.debug("==> Kerberos Environment : Principal is " + principal + " and Keytab is " + keytab);
}
}
if (authenticationType != null && AUTH_KERBEROS.equalsIgnoreCase(authenticationType) && SecureClientLogin.isKerberosCredentialExists(principal, keytab)) {
try {
LOG.info("Using principal = " + principal + " and keytab = " + keytab);
Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules);
Subject.doAs(sub, new PrivilegedAction<Void>() {
@Override
public Void run() {
try {
buildGroupList();
buildUserList();
buildGroupUserLinkList();
} catch (Exception e) {
LOG.error("Failed to build Group List : ", e);
}
return null;
}
});
} catch (Exception e) {
LOG.error("Failed to Authenticate Using given Principal and Keytab : ",e);
}
} else {
buildGroupList();
buildUserList();
buildGroupUserLinkList();
}
}
private void buildGroupList() {
if (LOG.isDebugEnabled()) {
LOG.debug("==> PolicyMgrUserGroupBuilder.buildGroupList()");
}
int totalCount = 100;
int retrievedCount = 0;
String relativeUrl = PM_GROUP_LIST_URI;
while (retrievedCount < totalCount) {
String response = null;
ClientResponse clientResp = null;
Map<String, String> queryParams = new HashMap<String, String>();
queryParams.put("pageSize", recordsToPullPerCall);
queryParams.put("startIndex", String.valueOf(retrievedCount));
Gson gson = new GsonBuilder().create();
if (isRangerCookieEnabled) {
response = cookieBasedGetEntity(relativeUrl, retrievedCount);
} else {
try {
clientResp = ldapUgSyncClient.get(relativeUrl, queryParams);
if (clientResp != null) {
response = clientResp.getEntity(String.class);
}
} catch (Exception e) {
LOG.error("Failed to get response, Error is : " + e.getMessage());
}
}
if (LOG.isDebugEnabled()) {
LOG.debug("RESPONSE: [" + response + "]");
}
GetXGroupListResponse groupList = gson.fromJson(response, GetXGroupListResponse.class);
totalCount = groupList.getTotalCount();
if (groupList.getXgroupInfoList() != null) {
for (XGroupInfo g : groupList.getXgroupInfoList()) {
if (LOG.isDebugEnabled()) {
LOG.debug("GROUP: Id:" + g.getId() + ", Name: " + g.getName() + ", Description: "
+ g.getDescription());
}
groupCache.put(g.getName(), g);
}
retrievedCount = groupCache.size();
}
LOG.info("PolicyMgrUserGroupBuilder.buildGroupList(): No. of groups retrieved from ranger admin " + retrievedCount);
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== PolicyMgrUserGroupBuilder.buildGroupList()");
}
}
private void buildUserList() {
if (LOG.isDebugEnabled()) {
LOG.debug("==> PolicyMgrUserGroupBuilder.buildUserList()");
}
int totalCount = 100;
int retrievedCount = 0;
String relativeUrl = PM_USER_LIST_URI;
while (retrievedCount < totalCount) {
String response = null;
ClientResponse clientResp = null;
Map<String, String> queryParams = new HashMap<String, String>();
queryParams.put("pageSize", recordsToPullPerCall);
queryParams.put("startIndex", String.valueOf(retrievedCount));
Gson gson = new GsonBuilder().create();
if (isRangerCookieEnabled) {
response = cookieBasedGetEntity(relativeUrl, retrievedCount);
} else {
try {
clientResp = ldapUgSyncClient.get(relativeUrl, queryParams);
if (clientResp != null) {
response = clientResp.getEntity(String.class);
}
} catch (Exception e) {
LOG.error("Failed to get response, Error is : "+e.getMessage());
}
}
if (LOG.isDebugEnabled()) {
LOG.debug("RESPONSE: [" + response + "]");
}
GetXUserListResponse userList = gson.fromJson(response, GetXUserListResponse.class);
totalCount = userList.getTotalCount();
if (userList.getXuserInfoList() != null) {
for (XUserInfo u : userList.getXuserInfoList()) {
if (LOG.isDebugEnabled()) {
LOG.debug("USER: Id:" + u.getId() + ", Name: " + u.getName() + ", Description: "
+ u.getDescription());
}
userCache.put(u.getName(), u);
}
retrievedCount = userCache.size();
}
LOG.info("PolicyMgrUserGroupBuilder.buildUserList(): No. of users retrieved from ranger admin = " + retrievedCount);
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== PolicyMgrUserGroupBuilder.buildUserList()");
}
}
private void buildGroupUserLinkList() {
if (LOG.isDebugEnabled()) {
LOG.debug("==> PolicyMgrUserGroupBuilder.buildGroupUserLinkList()");
}
String relativeUrl = PM_GET_ALL_GROUP_USER_MAP_LIST_URI;
String response = null;
ClientResponse clientResp = null;
Gson gson = new GsonBuilder().create();
if (isRangerCookieEnabled) {
response = cookieBasedGetEntity(relativeUrl, 0);
} else {
try {
clientResp = ldapUgSyncClient.get(relativeUrl, null);
if (clientResp != null) {
response = clientResp.getEntity(String.class);
}
} catch (Exception e) {
LOG.error("Failed to get response, Error is : " + e.getMessage());
}
}
if (LOG.isDebugEnabled()) {
LOG.debug("RESPONSE: [" + response + "]");
}
groupUsersCache = gson.fromJson(response, Map.class);
if (MapUtils.isEmpty(groupUsersCache)) {
groupUsersCache = new HashMap<>();
}
if (LOG.isDebugEnabled()) {
LOG.debug("Group User List : " + groupUsersCache.values());
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== PolicyMgrUserGroupBuilder.buildGroupUserLinkList()");
}
}
private void addOrUpdateUsers(Map<String, Map<String, String>> sourceUsers) throws Throwable {
computeUserDelta(sourceUsers);
if (MapUtils.isNotEmpty(deltaUsers)) {
if (addOrUpdateDeltaUsers() == 0) {
String msg = "Failed to addorUpdate users to ranger admin";
LOG.error(msg);
throw new Exception(msg);
}
}
}
private void addOrUpdateGroups(Map<String, Map<String, String>> sourceGroups) throws Throwable {
computeGroupDelta(sourceGroups);
if (MapUtils.isNotEmpty(deltaGroups)) {
if (addOrUpdateDeltaGroups() == 0) {
String msg = "Failed to addorUpdate groups to ranger admin";
LOG.error(msg);
throw new Exception(msg);
}
}
}
private void addOrUpdateGroupUsers(Map<String, Set<String>> sourceGroupUsers) throws Throwable {
List<GroupUserInfo> groupUserInfoList = computeGroupUsersDelta(sourceGroupUsers);
if (CollectionUtils.isNotEmpty(groupUserInfoList)) {
noOfModifiedGroups += groupUserInfoList.size();
if (addOrUpdateDeltaGroupUsers(groupUserInfoList) == 0) {
String msg = "Failed to addorUpdate group memberships to ranger admin";
LOG.error(msg);
throw new Exception(msg);
}
}
}
private void updateUserRoles() throws Throwable {
if (MapUtils.isNotEmpty(groupMap) || MapUtils.isNotEmpty(userMap)) {
UsersGroupRoleAssignments ugRoleAssignments = new UsersGroupRoleAssignments();
List<String> allUsers = new ArrayList<>(computeRolesForUsers);
ugRoleAssignments.setUsers(allUsers);
ugRoleAssignments.setGroupRoleAssignments(groupMap);
ugRoleAssignments.setUserRoleAssignments(userMap);
if (updateRoles(ugRoleAssignments) == null) {
String msg = "Unable to update roles for " + allUsers;
LOG.error(msg);
throw new Exception(msg);
}
}
}
private void computeGroupDelta(Map<String, Map<String, String>> sourceGroups) {
if (LOG.isDebugEnabled()) {
LOG.debug("PolicyMgrUserGroupBuilder.computeGroupDelta(" + sourceGroups.keySet() + ")");
}
deltaGroups = new HashMap<>();
// Check if the group exists in cache. If not, mark as new group.
// else check if other attributes are updated and mark as updated group
for (String groupDN : sourceGroups.keySet()) {
Map<String, String> newGroupAttrs = sourceGroups.get(groupDN);
Gson gson = new Gson();
String newGroupAttrsStr = gson.toJson(newGroupAttrs);
String groupName = groupNameMap.get(groupDN);
if (StringUtils.isEmpty(groupName)) {
groupName = groupNameTransform(newGroupAttrs.get("original_name"));
groupNameMap.put(groupDN, groupName);
}
if (!groupCache.containsKey(groupName)) {
XGroupInfo newGroup = addXGroupInfo(groupName, newGroupAttrsStr);
deltaGroups.put(groupName, newGroup);
noOfNewGroups++;
} else {
XGroupInfo oldGroup = groupCache.get(groupName);
String oldGroupAttrs = oldGroup.getOtherAttributes();
if (!StringUtils.equalsIgnoreCase(oldGroupAttrs, newGroupAttrsStr)) {
oldGroup.setOtherAttributes(newGroupAttrsStr);
deltaGroups.put(groupName, oldGroup);
noOfModifiedGroups++;
}
}
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== PolicyMgrUserGroupBuilder.computeGroupDelta(" + deltaGroups.keySet() + ")");
}
}
private void computeUserDelta(Map<String, Map<String, String>> sourceUsers) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> PolicyMgrUserGroupBuilder.computeUserDelta(" + sourceUsers.keySet() + ")");
}
deltaUsers = new HashMap<>();
// Check if the user exists in cache. If not, mark as new user.
// else check if other attributes are updated and mark as updated user
for (String userDN : sourceUsers.keySet()) {
Map<String, String> newUserAttrs = sourceUsers.get(userDN);
Gson gson = new Gson();
String newUserAttrsStr = gson.toJson(newUserAttrs);
String userName = userNameMap.get(userDN);
if (StringUtils.isEmpty(userName)) {
userName = userNameTransform(newUserAttrs.get("original_name"));
userNameMap.put(userDN, userName);
}
if (!userCache.containsKey(userName)) {
XUserInfo newUser = addXUserInfo(userName, newUserAttrsStr);
deltaUsers.put(userName, newUser);
noOfNewUsers++;
} else {
// Update other attributes if changed
XUserInfo oldUser = userCache.get(userName);
String oldUserAttrs = oldUser.getOtherAttributes();
if (!StringUtils.equalsIgnoreCase(oldUserAttrs, newUserAttrsStr)) {
oldUser.setOtherAttributes(newUserAttrsStr);
deltaUsers.put(userName, oldUser);
noOfModifiedUsers++;
}
}
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== PolicyMgrUserGroupBuilder.computeUserDelta(" + deltaUsers.keySet() + ")");
}
}
private List<GroupUserInfo> computeGroupUsersDelta(Map<String, Set<String>> sourceGroupUsers) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> PolicyMgrUserGroupBuilder.computeGroupUsersDelta(" + sourceGroupUsers.keySet() + ")");
}
deltaGroupUsers = new HashMap<>();
List<GroupUserInfo> deltaGroupUserInfoList = new ArrayList<>();
for (String groupDN : sourceGroupUsers.keySet()) {
String groupName = groupNameMap.get(groupDN);
if (StringUtils.isEmpty(groupName)) {
if (LOG.isDebugEnabled()) {
LOG.debug("Ignoring group membership update for " + groupDN);
}
continue;
}
Set<String> oldUsers = new HashSet<>();
Set<String> newUsers = new HashSet<>();
Set<String> addUsers = new HashSet<>();
Set<String> delUsers = new HashSet<>();
if (CollectionUtils.isNotEmpty(groupUsersCache.get(groupName))) {
oldUsers = new HashSet<>(groupUsersCache.get(groupName));
}
for (String userDN : sourceGroupUsers.get(groupDN)) {
String userName = userNameMap.get(userDN);
if (!StringUtils.isEmpty(userName)) {
newUsers.add(userName);
if (CollectionUtils.isEmpty(oldUsers) || !oldUsers.contains(userName)) {
addUsers.add(userName);
}
}
}
if (CollectionUtils.isNotEmpty(oldUsers)) {
for (String userName : oldUsers) {
if (CollectionUtils.isEmpty(newUsers)|| !newUsers.contains(userName)) {
delUsers.add(userName);
}
}
}
if (CollectionUtils.isNotEmpty(addUsers) || CollectionUtils.isNotEmpty(delUsers)) {
GroupUserInfo groupUserInfo = new GroupUserInfo();
groupUserInfo.setGroupName(groupName);
if (CollectionUtils.isNotEmpty(addUsers)) {
groupUserInfo.setAddUsers(addUsers);
if (groupMap.containsKey(groupName)) {
// Add users to the computeRole list only if there is a rule defined for the group.
computeRolesForUsers.addAll(addUsers);
}
}
if (CollectionUtils.isNotEmpty(delUsers)) {
groupUserInfo.setDelUsers(delUsers);
if (groupMap.containsKey(groupName)) {
// Add users to the computeRole list only if there is a rule defined for the group.
computeRolesForUsers.addAll(delUsers);
}
}
deltaGroupUserInfoList.add(groupUserInfo);
deltaGroupUsers.put(groupName, newUsers);
}
}
if (CollectionUtils.isNotEmpty(deltaGroupUserInfoList)) {
if (LOG.isDebugEnabled()) {
LOG.debug("<== PolicyMgrUserGroupBuilder.computeGroupUsersDelta(" + deltaGroupUserInfoList + ")");
}
} else {
if (LOG.isDebugEnabled()) {
LOG.debug("<== PolicyMgrUserGroupBuilder.computeGroupUsersDelta(0)");
}
}
return deltaGroupUserInfoList;
}
private XUserInfo addXUserInfo(String aUserName, String otherAttributes) {
XUserInfo xuserInfo = new XUserInfo();
xuserInfo.setName(aUserName);
xuserInfo.setDescription(aUserName + " - add from Unix box");
xuserInfo.setUserSource(SOURCE_EXTERNAL);
xuserInfo.setStatus(STATUS_ENABLED);
List<String> roleList = new ArrayList<String>();
if (userMap.containsKey(aUserName)) {
roleList.add(userMap.get(aUserName));
}else{
roleList.add("ROLE_USER");
}
xuserInfo.setUserRoleList(roleList);
xuserInfo.setOtherAttributes(otherAttributes);
return xuserInfo;
}
private XGroupInfo addXGroupInfo(String aGroupName, String otherAttributes) {
XGroupInfo addGroup = new XGroupInfo();
addGroup.setName(aGroupName);
addGroup.setDescription(aGroupName + " - add from Unix box");
addGroup.setGroupType("1");
addGroup.setGroupSource(SOURCE_EXTERNAL);
addGroup.setOtherAttributes(otherAttributes);
return addGroup;
}
private int addOrUpdateDeltaUsers() throws Throwable{
if (LOG.isDebugEnabled()) {
LOG.debug("PolicyMgrUserGroupBuilder.addOrUpdateDeltaUsers(" + deltaUsers.keySet() + ")");
}
int ret = 0;
GetXUserListResponse xUserList = new GetXUserListResponse();
xUserList.setTotalCount(deltaUsers.size());
xUserList.setXuserInfoList(new ArrayList<>(deltaUsers.values()));
if (authenticationType != null
&& AUTH_KERBEROS.equalsIgnoreCase(authenticationType)
&& SecureClientLogin.isKerberosCredentialExists(principal,
keytab)) {
try {
Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules);
final GetXUserListResponse xUserListFinal = xUserList;
ret = Subject.doAs(sub, new PrivilegedAction<Integer>() {
@Override
public Integer run() {
try {
return getUsers(xUserListFinal);
} catch (Throwable e) {
LOG.error("Failed to add or update Users : ", e);
}
return 0;
}
});
} catch (Exception e) {
LOG.error("Failed to add or update Users : " , e);
throw new Exception(e);
}
} else {
ret = getUsers(xUserList);
}
if (LOG.isDebugEnabled()) {
LOG.debug("PolicyMgrUserGroupBuilder.addOrUpdateDeltaUsers(" + deltaUsers.keySet() + ")");
}
return ret;
}
private int getUsers(GetXUserListResponse xUserList) throws Throwable{
if(LOG.isDebugEnabled()){
LOG.debug("==> PolicyMgrUserGroupBuilder.getUsers()");
}
int ret = 0;
int totalCount = xUserList.getTotalCount();
int uploadedCount = -1;
int pageSize = Integer.valueOf(recordsToPullPerCall);
while (uploadedCount < totalCount) {
String response = null;
ClientResponse clientRes = null;
String relativeUrl = PM_ADD_USERS_URI;
GetXUserListResponse pagedXUserList = new GetXUserListResponse();
int pagedXUserListLen = uploadedCount+pageSize;
pagedXUserList.setXuserInfoList(xUserList.getXuserInfoList().subList(uploadedCount+1,
pagedXUserListLen>totalCount?totalCount:pagedXUserListLen));
pagedXUserList.setTotalCount(pageSize);
if (pagedXUserList.getXuserInfoList().size() == 0) {
LOG.info("PolicyMgrUserGroupBuilder.getUsers() done updating users");
return 1;
}
if (isRangerCookieEnabled) {
response = cookieBasedUploadEntity(pagedXUserList, relativeUrl);
} else {
try {
clientRes = ldapUgSyncClient.post(relativeUrl, null, pagedXUserList);
if (clientRes != null) {
response = clientRes.getEntity(String.class);
}
} catch (Throwable t) {
LOG.error("Failed to get response, Error is : ", t);
throw new Exception(t);
}
}
if (LOG.isDebugEnabled()) {
LOG.debug("RESPONSE[" + response + "]");
}
if (response != null) {
ret = Integer.valueOf(response);
uploadedCount += pageSize;
} else {
LOG.error("Failed to addOrUpdateUsers " + uploadedCount );
ret = 0;
}
LOG.info("ret = " + ret + " No. of users uploaded to ranger admin= " + (uploadedCount>totalCount?totalCount:uploadedCount));
}
if(LOG.isDebugEnabled()){
LOG.debug("<== PolicyMgrUserGroupBuilder.getUsers()");
}
return ret;
}
private int addOrUpdateDeltaGroups() throws Throwable{
if (LOG.isDebugEnabled()) {
LOG.debug("PolicyMgrUserGroupBuilder.addOrUpdateDeltaGroups(" + deltaGroups.keySet() + ")");
}
int ret = 0;
GetXGroupListResponse xGroupList = new GetXGroupListResponse();
xGroupList.setTotalCount(deltaGroups.size());
xGroupList.setXgroupInfoList(new ArrayList<>(deltaGroups.values()));
if (authenticationType != null
&& AUTH_KERBEROS.equalsIgnoreCase(authenticationType)
&& SecureClientLogin.isKerberosCredentialExists(principal,
keytab)) {
try {
Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules);
final GetXGroupListResponse xGroupListFinal = xGroupList;
ret = Subject.doAs(sub, new PrivilegedAction<Integer>() {
@Override
public Integer run() {
try {
return getGroups(xGroupListFinal);
} catch (Throwable e) {
LOG.error("Failed to add or update groups : ", e);
}
return 0;
}
});
} catch (Exception e) {
LOG.error("Failed to add or update groups : " , e);
throw new Exception(e);
}
} else {
ret = getGroups(xGroupList);
}
if (LOG.isDebugEnabled()) {
LOG.debug("PolicyMgrUserGroupBuilder.addOrUpdateDeltaGroups(" + deltaGroups.keySet() + ")");
}
return ret;
}
private int getGroups(GetXGroupListResponse xGroupList) throws Throwable{
if(LOG.isDebugEnabled()){
LOG.debug("==> PolicyMgrUserGroupBuilder.getGroups()");
}
int ret = 0;
int totalCount = xGroupList.getTotalCount();
int uploadedCount = -1;
int pageSize = Integer.valueOf(recordsToPullPerCall);
while (uploadedCount < totalCount) {
String response = null;
ClientResponse clientRes = null;
String relativeUrl = PM_ADD_GROUPS_URI;
GetXGroupListResponse pagedXGroupList = new GetXGroupListResponse();
int pagedXGroupListLen = uploadedCount+pageSize;
pagedXGroupList.setXgroupInfoList(xGroupList.getXgroupInfoList().subList(uploadedCount+1,
pagedXGroupListLen>totalCount?totalCount:pagedXGroupListLen));
pagedXGroupList.setTotalCount(pageSize);
if (isRangerCookieEnabled) {
response = cookieBasedUploadEntity(pagedXGroupList, relativeUrl);
} else {
try {
clientRes = ldapUgSyncClient.post(relativeUrl, null, pagedXGroupList);
if (clientRes != null) {
response = clientRes.getEntity(String.class);
}
} catch (Throwable t) {
LOG.error("Failed to get response, Error is : ", t);
throw new Exception(t);
}
}
if (LOG.isDebugEnabled()) {
LOG.debug("RESPONSE[" + response + "]");
}
if (response != null) {
ret = Integer.valueOf(response);
uploadedCount += pageSize;
} else {
LOG.error("Failed to addOrUpdateGroups " + uploadedCount );
ret = 0;
}
LOG.info("ret = " + ret + " No. of groups uploaded to ranger admin= " + (uploadedCount>totalCount?totalCount:uploadedCount));
}
if(LOG.isDebugEnabled()){
LOG.debug("<== PolicyMgrUserGroupBuilder.getGroups()");
}
return ret;
}
private int addOrUpdateDeltaGroupUsers(List<GroupUserInfo> groupUserInfoList) throws Throwable{
if (LOG.isDebugEnabled()) {
LOG.debug("==> PolicyMgrUserGroupBuilder.addOrUpdateDeltaGroupUsers(" + groupUserInfoList + ")");
}
int ret = 0;
if (authenticationType != null
&& AUTH_KERBEROS.equalsIgnoreCase(authenticationType)
&& SecureClientLogin.isKerberosCredentialExists(principal,
keytab)) {
try {
Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules);
final List<GroupUserInfo> groupUserInfoListFinal = groupUserInfoList;
ret = Subject.doAs(sub, new PrivilegedAction<Integer>() {
@Override
public Integer run() {
try {
return getGroupUsers(groupUserInfoListFinal);
} catch (Throwable e) {
LOG.error("Failed to add or update group memberships : ", e);
}
return 0;
}
});
} catch (Exception e) {
LOG.error("Failed to add or update group memberships : " , e);
throw new Exception(e);
}
} else {
ret = getGroupUsers(groupUserInfoList);
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== PolicyMgrUserGroupBuilder.addOrUpdateDeltaGroupUsers(" + groupUserInfoList + ")");
}
return ret;
}
private int getGroupUsers(List<GroupUserInfo> groupUserInfoList) throws Throwable{
if(LOG.isDebugEnabled()){
LOG.debug("==> PolicyMgrUserGroupBuilder.getGroupUsers()");
}
int ret = 0;
int totalCount = groupUserInfoList.size();
int uploadedCount = -1;
int pageSize = Integer.valueOf(recordsToPullPerCall);
while (uploadedCount < totalCount) {
String response = null;
ClientResponse clientRes = null;
String relativeUrl = PM_ADD_GROUP_USER_LIST_URI;
int pagedGroupUserInfoListLen = uploadedCount+pageSize;
List<GroupUserInfo> pagedGroupUserInfoList = groupUserInfoList.subList(uploadedCount+1,
pagedGroupUserInfoListLen>totalCount?totalCount:pagedGroupUserInfoListLen);
if (isRangerCookieEnabled) {
response = cookieBasedUploadEntity(pagedGroupUserInfoList, relativeUrl);
} else {
try {
clientRes = ldapUgSyncClient.post(relativeUrl, null, pagedGroupUserInfoList);
if (clientRes != null) {
response = clientRes.getEntity(String.class);
}
} catch (Throwable t) {
LOG.error("Failed to get response, Error is : ", t);
throw new Exception(t);
}
}
if (LOG.isDebugEnabled()) {
LOG.debug("RESPONSE[" + response + "]");
}
if (response != null) {
ret = Integer.valueOf(response);
uploadedCount += pageSize;
} else {
LOG.error("Failed to addOrUpdateGroups " + uploadedCount );
ret = 0;
}
LOG.info("ret = " + ret + " No. of group memberships uploaded to ranger admin= " + (uploadedCount>totalCount?totalCount:uploadedCount));
}
if(LOG.isDebugEnabled()){
LOG.debug("<== PolicyMgrUserGroupBuilder.getGroupUsers()");
}
return ret;
}
private List<String> updateRoles(UsersGroupRoleAssignments ugRoleAssignments) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> PolicyMgrUserGroupBuilder.updateUserRole(" + ugRoleAssignments.getUsers() + ")");
}
if (authenticationType != null && AUTH_KERBEROS.equalsIgnoreCase(authenticationType) && SecureClientLogin.isKerberosCredentialExists(principal, keytab)){
try {
Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules);
final UsersGroupRoleAssignments result = ugRoleAssignments;
List<String> ret = Subject.doAs(sub, new PrivilegedAction<List<String>>() {
@Override
public List<String> run() {
try {
return updateUsersRoles(result);
} catch (Exception e) {
LOG.error("Failed to add User Group Info : ", e);
}
return null;
}
});
return ret;
} catch (Exception e) {
LOG.error("Failed to Authenticate Using given Principal and Keytab : " , e);
}
return null;
}else{
return updateUsersRoles(ugRoleAssignments);
}
}
private List<String> updateUsersRoles(UsersGroupRoleAssignments ugRoleAssignments) {
if(LOG.isDebugEnabled()){
LOG.debug("==> PolicyMgrUserGroupBuilder.updateUserRoles(" + ugRoleAssignments.getUsers() + ")");
}
List<String> ret = null;
try {
int totalCount = ugRoleAssignments.getUsers().size();
int uploadedCount = -1;
int pageSize = Integer.valueOf(recordsToPullPerCall);
while (uploadedCount < totalCount) {
int pagedUgRoleAssignmentsListLen = uploadedCount + pageSize;
UsersGroupRoleAssignments pagedUgRoleAssignmentsList = new UsersGroupRoleAssignments();
pagedUgRoleAssignmentsList.setUsers(ugRoleAssignments.getUsers().subList(uploadedCount + 1,
pagedUgRoleAssignmentsListLen > totalCount ? totalCount : pagedUgRoleAssignmentsListLen));
pagedUgRoleAssignmentsList.setGroupRoleAssignments(ugRoleAssignments.getGroupRoleAssignments());
pagedUgRoleAssignmentsList.setUserRoleAssignments(ugRoleAssignments.getUserRoleAssignments());
String response = null;
ClientResponse clientRes = null;
Gson gson = new GsonBuilder().create();
String jsonString = gson.toJson(pagedUgRoleAssignmentsList);
String url = PM_UPDATE_USERS_ROLES_URI;
if (LOG.isDebugEnabled()) {
LOG.debug("USER role MAPPING" + jsonString);
}
if (isRangerCookieEnabled) {
response = cookieBasedUploadEntity(pagedUgRoleAssignmentsList, url);
} else {
try {
clientRes = ldapUgSyncClient.post(url, null, ugRoleAssignments);
if (clientRes != null) {
response = clientRes.getEntity(String.class);
}
} catch (Throwable t) {
LOG.error("Failed to get response, Error is : ", t);
}
}
if (LOG.isDebugEnabled()) {
LOG.debug("RESPONSE: [" + response + "]");
}
Type listType = new TypeToken<ArrayList<String>>() {
}.getType();
ret = new Gson().fromJson(response, listType);
uploadedCount += pageSize;
}
} catch (Exception e) {
LOG.warn( "ERROR: Unable to update roles for: " + ugRoleAssignments.getUsers(), e);
}
if(LOG.isDebugEnabled()){
LOG.debug("<== PolicyMgrUserGroupBuilder.updateUserRoles(" + ret + ")");
}
return ret;
}
private void addUserGroupAuditInfo(UgsyncAuditInfo auditInfo) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> PolicyMgrUserGroupBuilder.addAuditInfo(" + auditInfo.getNoOfNewUsers() + ", " + auditInfo.getNoOfNewGroups() +
", " + auditInfo.getNoOfModifiedUsers() + ", " + auditInfo.getNoOfModifiedGroups() +
", " + auditInfo.getSyncSource() + ")");
}
if (authenticationType != null
&& AUTH_KERBEROS.equalsIgnoreCase(authenticationType)
&& SecureClientLogin.isKerberosCredentialExists(principal,
keytab)) {
try {
Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules);
final UgsyncAuditInfo auditInfoFinal = auditInfo;
Subject.doAs(sub, new PrivilegedAction<Void>() {
@Override
public Void run() {
try {
getUserGroupAuditInfo(auditInfoFinal);
} catch (Exception e) {
LOG.error("Failed to add User : ", e);
}
return null;
}
});
return;
} catch (Exception e) {
LOG.error("Failed to Authenticate Using given Principal and Keytab : " , e);
}
return;
} else {
getUserGroupAuditInfo(auditInfo);
}
}
private void getUserGroupAuditInfo(UgsyncAuditInfo userInfo) {
if(LOG.isDebugEnabled()){
LOG.debug("==> PolicyMgrUserGroupBuilder.getUserGroupAuditInfo()");
}
String response = null;
ClientResponse clientRes = null;
Gson gson = new GsonBuilder().create();
String relativeUrl = PM_AUDIT_INFO_URI;
if(isRangerCookieEnabled){
response = cookieBasedUploadEntity(userInfo, relativeUrl);
}
else {
try {
clientRes = ldapUgSyncClient.post(relativeUrl, null, userInfo);
if (clientRes != null) {
response = clientRes.getEntity(String.class);
}
}
catch(Throwable t){
LOG.error("Failed to get response, Error is : ", t);
}
}
if (LOG.isDebugEnabled()) {
LOG.debug("RESPONSE[" + response + "]");
}
gson.fromJson(response, UgsyncAuditInfo.class);
if(LOG.isDebugEnabled()){
LOG.debug("AuditInfo Creation successful ");
LOG.debug("<== PolicyMgrUserGroupBuilder.getUserGroupAuditInfo()");
}
}
private String cookieBasedUploadEntity(Object obj, String apiURL ) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> PolicyMgrUserGroupBuilder.cookieBasedUploadEntity()");
}
String response = null;
if (sessionId != null && isValidRangerCookie) {
response = tryUploadEntityWithCookie(obj, apiURL);
}
else{
response = tryUploadEntityWithCred(obj, apiURL);
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== PolicyMgrUserGroupBuilder.cookieBasedUploadEntity()");
}
return response;
}
private String cookieBasedGetEntity(String apiURL ,int retrievedCount) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> PolicyMgrUserGroupBuilder.cookieBasedGetEntity()");
}
String response = null;
if (sessionId != null && isValidRangerCookie) {
response = tryGetEntityWithCookie(apiURL,retrievedCount);
}
else{
response = tryGetEntityWithCred(apiURL,retrievedCount);
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== PolicyMgrUserGroupBuilder.cookieBasedGetEntity()");
}
return response;
}
private String tryUploadEntityWithCookie(Object obj, String apiURL) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> PolicyMgrUserGroupBuilder.tryUploadEntityWithCookie()");
}
String response = null;
ClientResponse clientResp = null;
try {
clientResp = ldapUgSyncClient.post(apiURL, null, obj, sessionId);
}
catch(Throwable t){
LOG.error("Failed to get response, Error is : ", t);
}
if (clientResp != null) {
if (!(clientResp.toString().contains(apiURL))) {
clientResp.setStatus(HttpServletResponse.SC_NOT_FOUND);
sessionId = null;
isValidRangerCookie = false;
} else if (clientResp.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) {
sessionId = null;
isValidRangerCookie = false;
} else if (clientResp.getStatus() == HttpServletResponse.SC_NO_CONTENT || clientResp.getStatus() == HttpServletResponse.SC_OK) {
List<NewCookie> respCookieList = clientResp.getCookies();
for (NewCookie cookie : respCookieList) {
if (cookie.getName().equalsIgnoreCase(rangerCookieName)) {
if (!(sessionId.getValue().equalsIgnoreCase(cookie.toCookie().getValue()))) {
sessionId = cookie.toCookie();
}
isValidRangerCookie = true;
break;
}
}
}
if (clientResp.getStatus() != HttpServletResponse.SC_OK && clientResp.getStatus() != HttpServletResponse.SC_NO_CONTENT
&& clientResp.getStatus() != HttpServletResponse.SC_BAD_REQUEST) {
sessionId = null;
isValidRangerCookie = false;
}
clientResp.bufferEntity();
response = clientResp.getEntity(String.class);
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== PolicyMgrUserGroupBuilder.tryUploadEntityWithCookie()");
}
return response;
}
private String tryUploadEntityWithCred(Object obj, String apiURL){
if(LOG.isDebugEnabled()){
LOG.debug("==> PolicyMgrUserGroupBuilder.tryUploadEntityInfoWithCred()");
}
String response = null;
ClientResponse clientResp = null;
Gson gson = new GsonBuilder().create();
String jsonString = gson.toJson(obj);
if ( LOG.isDebugEnabled() ) {
LOG.debug("USER GROUP MAPPING" + jsonString);
}
try{
clientResp = ldapUgSyncClient.post(apiURL, null, obj);
}
catch(Throwable t){
LOG.error("Failed to get response, Error is : ", t);
}
if (clientResp != null) {
if (!(clientResp.toString().contains(apiURL))) {
clientResp.setStatus(HttpServletResponse.SC_NOT_FOUND);
} else if (clientResp.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) {
LOG.warn("Credentials response from ranger is 401.");
} else if (clientResp.getStatus() == HttpServletResponse.SC_OK || clientResp.getStatus() == HttpServletResponse.SC_NO_CONTENT) {
cookieList = clientResp.getCookies();
for (NewCookie cookie : cookieList) {
if (cookie.getName().equalsIgnoreCase(rangerCookieName)) {
sessionId = cookie.toCookie();
isValidRangerCookie = true;
LOG.info("valid cookie saved ");
break;
}
}
}
if (clientResp.getStatus() != HttpServletResponse.SC_OK && clientResp.getStatus() != HttpServletResponse.SC_NO_CONTENT
&& clientResp.getStatus() != HttpServletResponse.SC_BAD_REQUEST) {
sessionId = null;
isValidRangerCookie = false;
}
clientResp.bufferEntity();
response = clientResp.getEntity(String.class);
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== PolicyMgrUserGroupBuilder.tryUploadEntityInfoWithCred()");
}
return response;
}
private String tryGetEntityWithCred(String apiURL, int retrievedCount) {
if(LOG.isDebugEnabled()){
LOG.debug("==> PolicyMgrUserGroupBuilder.tryGetEntityWithCred()");
}
String response = null;
ClientResponse clientResp = null;
Map<String, String> queryParams = new HashMap<String, String>();
queryParams.put("pageSize", recordsToPullPerCall);
queryParams.put("startIndex", String.valueOf(retrievedCount));
try{
clientResp = ldapUgSyncClient.get(apiURL, queryParams);
}
catch(Throwable t){
LOG.error("Failed to get response, Error is : ", t);
}
if (clientResp != null) {
if (!(clientResp.toString().contains(apiURL))) {
clientResp.setStatus(HttpServletResponse.SC_NOT_FOUND);
} else if (clientResp.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) {
LOG.warn("Credentials response from ranger is 401.");
} else if (clientResp.getStatus() == HttpServletResponse.SC_OK || clientResp.getStatus() == HttpServletResponse.SC_NO_CONTENT) {
cookieList = clientResp.getCookies();
for (NewCookie cookie : cookieList) {
if (cookie.getName().equalsIgnoreCase(rangerCookieName)) {
sessionId = cookie.toCookie();
isValidRangerCookie = true;
LOG.info("valid cookie saved ");
break;
}
}
}
if (clientResp.getStatus() != HttpServletResponse.SC_OK && clientResp.getStatus() != HttpServletResponse.SC_NO_CONTENT
&& clientResp.getStatus() != HttpServletResponse.SC_BAD_REQUEST) {
sessionId = null;
isValidRangerCookie = false;
}
clientResp.bufferEntity();
response = clientResp.getEntity(String.class);
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== PolicyMgrUserGroupBuilder.tryGetEntityWithCred()");
}
return response;
}
private String tryGetEntityWithCookie(String apiURL, int retrievedCount) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> PolicyMgrUserGroupBuilder.tryGetEntityWithCookie()");
}
String response = null;
ClientResponse clientResp = null;
Map<String, String> queryParams = new HashMap<String, String>();
queryParams.put("pageSize", recordsToPullPerCall);
queryParams.put("startIndex", String.valueOf(retrievedCount));
try {
clientResp = ldapUgSyncClient.get(apiURL, queryParams, sessionId);
}
catch(Throwable t){
LOG.error("Failed to get response, Error is : ", t);
}
if (clientResp != null) {
if (!(clientResp.toString().contains(apiURL))) {
clientResp.setStatus(HttpServletResponse.SC_NOT_FOUND);
sessionId = null;
isValidRangerCookie = false;
} else if (clientResp.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) {
sessionId = null;
isValidRangerCookie = false;
} else if (clientResp.getStatus() == HttpServletResponse.SC_NO_CONTENT || clientResp.getStatus() == HttpServletResponse.SC_OK) {
List<NewCookie> respCookieList = clientResp.getCookies();
for (NewCookie cookie : respCookieList) {
if (cookie.getName().equalsIgnoreCase(rangerCookieName)) {
if (!(sessionId.getValue().equalsIgnoreCase(cookie.toCookie().getValue()))) {
sessionId = cookie.toCookie();
}
isValidRangerCookie = true;
break;
}
}
}
if (clientResp.getStatus() != HttpServletResponse.SC_OK && clientResp.getStatus() != HttpServletResponse.SC_NO_CONTENT
&& clientResp.getStatus() != HttpServletResponse.SC_BAD_REQUEST) {
sessionId = null;
isValidRangerCookie = false;
}
clientResp.bufferEntity();
response = clientResp.getEntity(String.class);
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== PolicyMgrUserGroupBuilder.tryGetEntityWithCookie()");
}
return response;
}
private void getRoleForUserGroups(String userGroupRolesData) {
String roleDelimiter = config.getRoleDelimiter();
String userGroupDelimiter = config.getUserGroupDelimiter();
String userNameDelimiter = config.getUserGroupNameDelimiter();
if (roleDelimiter == null || roleDelimiter.isEmpty()) {
roleDelimiter = "&";
}
if (userGroupDelimiter == null || userGroupDelimiter.isEmpty()) {
userGroupDelimiter = ":";
}
if (userNameDelimiter == null || userNameDelimiter.isEmpty()) {
userNameDelimiter = ",";
}
StringTokenizer str = new StringTokenizer(userGroupRolesData,
roleDelimiter);
int flag = 0;
String userGroupCheck = null;
String roleName = null;
while (str.hasMoreTokens()) {
flag = 0;
String tokens = str.nextToken();
if (tokens != null && !tokens.isEmpty()) {
StringTokenizer userGroupRoles = new StringTokenizer(tokens,
userGroupDelimiter);
if (userGroupRoles != null) {
while (userGroupRoles.hasMoreElements()) {
String userGroupRolesTokens = userGroupRoles
.nextToken();
if (userGroupRolesTokens != null
&& !userGroupRolesTokens.isEmpty()) {
flag++;
switch (flag) {
case 1:
roleName = userGroupRolesTokens;
break;
case 2:
userGroupCheck = userGroupRolesTokens;
break;
case 3:
StringTokenizer userGroupNames = new StringTokenizer(
userGroupRolesTokens, userNameDelimiter);
if (userGroupNames != null) {
while (userGroupNames.hasMoreElements()) {
String userGroup = userGroupNames
.nextToken();
if (userGroup != null
&& !userGroup.isEmpty()) {
if (userGroupCheck.trim().equalsIgnoreCase("u")) {
userMap.put(userGroup.trim(), roleName.trim());
} else if (userGroupCheck.trim().equalsIgnoreCase("g")) {
groupMap.put(userGroup.trim(),
roleName.trim());
}
}
}
}
break;
default:
userMap.clear();
groupMap.clear();
break;
}
}
}
}
}
}
}
protected String userNameTransform(String userName) {
if (userNameCaseConversionFlag) {
if (userNameLowerCaseFlag) {
userName = userName.toLowerCase();
}
else {
userName = userName.toUpperCase();
}
}
if (userNameRegExInst != null) {
userName = userNameRegExInst.transform(userName);
}
return userName;
}
protected String groupNameTransform(String groupName) {
if (groupNameCaseConversionFlag) {
if (groupNameLowerCaseFlag) {
groupName = groupName.toLowerCase();
}
else {
groupName = groupName.toUpperCase();
}
}
if (groupNameRegExInst != null) {
groupName = groupNameRegExInst.transform(groupName);
}
return groupName;
}
}