Google Git
Sign in
apache / ranger / c5bf2f6364a97539451656d28fd36e35d8e2736d / . / security-admin / src / main / java / org / apache / ranger / common / ServiceUtil.java
blob: 2b1a3fa306c69d7c33c59a0fa367db235fb4dd4d [file] [log] [blame]
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.ranger.common;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Map.Entry;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.PathParam;
import javax.ws.rs.WebApplicationException;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.apache.ranger.authorization.utils.StringUtil;
import org.apache.ranger.biz.ServiceDBStore;
import org.apache.ranger.db.RangerDaoManager;
import org.apache.ranger.entity.XXGroup;
import org.apache.ranger.entity.XXUser;
import org.apache.ranger.plugin.model.RangerBaseModelObject;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
import org.apache.ranger.plugin.util.GrantRevokeRequest;
import org.apache.ranger.plugin.util.RangerServiceNotFoundException;
import org.apache.ranger.plugin.util.SearchFilter;
import org.apache.ranger.view.VXAsset;
import org.apache.ranger.view.VXAuditMap;
import org.apache.ranger.view.VXDataObject;
import org.apache.ranger.view.VXPermMap;
import org.apache.ranger.view.VXPermObj;
import org.apache.ranger.view.VXPolicy;
import org.apache.ranger.view.VXPolicyList;
import org.apache.ranger.view.VXRepository;
import org.apache.ranger.view.VXRepositoryList;
import org.apache.ranger.view.VXResource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
@Component
public class ServiceUtil {
static final Logger LOG = Logger.getLogger(ServiceUtil.class);
private static final String REGEX_PREFIX_STR = "regex:";
private static final int REGEX_PREFIX_STR_LENGTH = REGEX_PREFIX_STR.length();
static Map<String, Integer> mapServiceTypeToAssetType = new HashMap<String, Integer>();
static Map<String, Integer> mapAccessTypeToPermType = new HashMap<String, Integer>();
static String version;
@Autowired
JSONUtil jsonUtil;
@Autowired
RangerDaoManager xaDaoMgr;
@Autowired
RESTErrorUtil restErrorUtil;
@Autowired
ServiceDBStore svcStore;
static {
mapServiceTypeToAssetType.put(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_HDFS_NAME, Integer.valueOf(RangerCommonEnums.ASSET_HDFS));
mapServiceTypeToAssetType.put(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_HBASE_NAME, Integer.valueOf(RangerCommonEnums.ASSET_HBASE));
mapServiceTypeToAssetType.put(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_HIVE_NAME, Integer.valueOf(RangerCommonEnums.ASSET_HIVE));
mapServiceTypeToAssetType.put(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_KNOX_NAME, Integer.valueOf(RangerCommonEnums.ASSET_KNOX));
mapServiceTypeToAssetType.put(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_STORM_NAME, Integer.valueOf(RangerCommonEnums.ASSET_STORM));
mapAccessTypeToPermType.put("Unknown", 0);
mapAccessTypeToPermType.put("Reset", 1);
mapAccessTypeToPermType.put("read", 2);
mapAccessTypeToPermType.put("write", 3);
mapAccessTypeToPermType.put("create", 4);
mapAccessTypeToPermType.put("delete", 5);
mapAccessTypeToPermType.put("admin", 6);
mapAccessTypeToPermType.put("Obfuscate", 7);
mapAccessTypeToPermType.put("Mask", 8);
mapAccessTypeToPermType.put("execute", 9);
mapAccessTypeToPermType.put("select", 10);
mapAccessTypeToPermType.put("update", 11);
mapAccessTypeToPermType.put("drop", 12);
mapAccessTypeToPermType.put("alter", 13);
mapAccessTypeToPermType.put("index", 14);
mapAccessTypeToPermType.put("lock", 15);
mapAccessTypeToPermType.put("all", 16);
mapAccessTypeToPermType.put("allow", 17);
mapAccessTypeToPermType.put("submitTopology", 18);
mapAccessTypeToPermType.put("fileUpload", 19);
mapAccessTypeToPermType.put("getNimbusConf", 20);
mapAccessTypeToPermType.put("getClusterInfo", 21);
mapAccessTypeToPermType.put("fileDownload", 22);
mapAccessTypeToPermType.put("killTopology", 23);
mapAccessTypeToPermType.put("rebalance", 24);
mapAccessTypeToPermType.put("activate", 25);
mapAccessTypeToPermType.put("deactivate", 26);
mapAccessTypeToPermType.put("getTopologyConf", 27);
mapAccessTypeToPermType.put("getTopology", 28);
mapAccessTypeToPermType.put("getUserTopology", 29);
mapAccessTypeToPermType.put("getTopologyInfo", 30);
mapAccessTypeToPermType.put("uploadNewCredentials", 31);
mapAccessTypeToPermType.put("repladmin",32);
mapAccessTypeToPermType.put("serviceadmin",33);
mapAccessTypeToPermType.put("tempudfadmin",34);
version = "0";
}
public RangerService getServiceByName(@PathParam("name") String name) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> ServiceUtil.getServiceByName(" + name + ")");
}
RangerService ret = null;
try {
ret = svcStore.getServiceByName(name);
} catch(WebApplicationException excp) {
throw excp;
} catch(Throwable excp) {
LOG.error("getServiceByName(" + name + ") failed", excp);
throw restErrorUtil.createRESTException(excp.getMessage());
}
if(ret == null) {
throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, RangerServiceNotFoundException.buildExceptionMsg(name), true);
}
if(LOG.isDebugEnabled()) {
LOG.debug("<== ServiceUtil.getServiceByName(" + name + "): " + ret);
}
return ret;
}
public RangerService toRangerService(VXAsset asset) {
if(asset == null) {
return null;
}
RangerService ret = new RangerService();
dataObjectToRangerObject(asset, ret);
ret.setType(toServiceType(asset.getAssetType()));
ret.setName(asset.getName());
ret.setDescription(asset.getDescription());
ret.setIsEnabled(asset.getActiveStatus() == RangerCommonEnums.STATUS_ENABLED);
ret.setConfigs(jsonUtil.jsonToMap(asset.getConfig()));
return ret;
}
public VXAsset toVXAsset(RangerService service) {
if(service == null || toAssetType(service.getType()) == null) {
return null;
}
VXAsset ret = new VXAsset();
rangerObjectToDataObject(service, ret);
ret.setAssetType(toAssetType(service.getType()));
ret.setName(service.getName());
ret.setDescription(service.getDescription());
ret.setActiveStatus(service.getIsEnabled() ? RangerCommonEnums.STATUS_ENABLED : RangerCommonEnums.STATUS_DISABLED);
ret.setConfig(jsonUtil.readMapToString(service.getConfigs()));
return ret;
}
public VXRepository toVXRepository(RangerService service){
if(service == null || toAssetType(service.getType()) == null) {
return null;
}
VXRepository ret = new VXRepository();
rangerObjectToDataObject(service,ret);
ret.setRepositoryType(service.getType());
ret.setName(service.getName());
ret.setDescription(service.getDescription());
ret.setIsActive(service.getIsEnabled());
ret.setConfig(jsonUtil.readMapToString(service.getConfigs()));
ret.setVersion(Long.toString(service.getVersion()));
return ret;
}
public RangerPolicy toRangerPolicy(VXResource resource, RangerService service) {
if(resource == null) {
return null;
}
RangerPolicy ret = new RangerPolicy();
dataObjectToRangerObject(resource, ret);
if(service != null) {
ret.setService(service.getName());
} else {
ret.setService(resource.getAssetName());
}
ret.setName(StringUtils.trim(resource.getPolicyName()));
ret.setDescription(resource.getDescription());
ret.setIsEnabled(resource.getResourceStatus() == RangerCommonEnums.STATUS_ENABLED);
ret.setIsAuditEnabled(resource.getAuditList() != null && !resource.getAuditList().isEmpty());
Boolean isPathRecursive = resource.getIsRecursive() == RangerCommonEnums.BOOL_TRUE;
Boolean isTableExcludes = resource.getTableType() == RangerCommonEnums.POLICY_EXCLUSION;
Boolean isColumnExcludes = resource.getColumnType() == RangerCommonEnums.POLICY_EXCLUSION;
toRangerResourceList(resource.getName(), "path", Boolean.FALSE, isPathRecursive, ret.getResources());
toRangerResourceList(resource.getTables(), "table", isTableExcludes, Boolean.FALSE, ret.getResources());
toRangerResourceList(resource.getColumnFamilies(), "column-family", Boolean.FALSE, Boolean.FALSE, ret.getResources());
toRangerResourceList(resource.getColumns(), "column", isColumnExcludes, Boolean.FALSE, ret.getResources());
toRangerResourceList(resource.getDatabases(), "database", Boolean.FALSE, Boolean.FALSE, ret.getResources());
toRangerResourceList(resource.getUdfs(), "udf", Boolean.FALSE, Boolean.FALSE, ret.getResources());
toRangerResourceList(resource.getTopologies(), "topology", Boolean.FALSE, Boolean.FALSE, ret.getResources());
toRangerResourceList(resource.getServices(), "service", Boolean.FALSE, Boolean.FALSE, ret.getResources());
toRangerResourceList(resource.getHiveServices(), "hiveservice", Boolean.FALSE, Boolean.FALSE, ret.getResources());
HashMap<String, List<VXPermMap>> sortedPermMap = new HashMap<String, List<VXPermMap>>();
// re-group the list with permGroup as the key
if (resource.getPermMapList() != null) {
for(VXPermMap permMap : resource.getPermMapList()) {
String permGrp = permMap.getPermGroup();
List<VXPermMap> sortedList = sortedPermMap.get(permGrp);
if(sortedList == null) {
sortedList = new ArrayList<VXPermMap>();
sortedPermMap.put(permGrp, sortedList);
}
sortedList.add(permMap);
}
}
Integer assetType = getAssetType(service,ret.getService());
for (Entry<String, List<VXPermMap>> entry : sortedPermMap.entrySet()) {
List<String> userList = new ArrayList<String>();
List<String> groupList = new ArrayList<String>();
List<RangerPolicyItemAccess> accessList = new ArrayList<RangerPolicyItemAccess>();
String ipAddress = null;
RangerPolicy.RangerPolicyItem policyItem = new RangerPolicy.RangerPolicyItem();
for(VXPermMap permMap : entry.getValue()) {
if(permMap.getPermFor() == AppConstants.XA_PERM_FOR_USER) {
String userName = getUserName(permMap);
if (! userList.contains(userName)) {
userList.add(userName);
}
} else if(permMap.getPermFor() == AppConstants.XA_PERM_FOR_GROUP) {
String groupName = getGroupName(permMap);
if (! groupList.contains(groupName)) {
groupList.add(groupName);
}
}
String accessType = toAccessType(permMap.getPermType());
if(StringUtils.equalsIgnoreCase(accessType, "Admin")) {
policyItem.setDelegateAdmin(Boolean.TRUE);
if ( assetType != null && assetType == RangerCommonEnums.ASSET_HBASE) {
accessList.add(new RangerPolicyItemAccess(accessType));
}
} else {
accessList.add(new RangerPolicyItemAccess(accessType));
}
ipAddress = permMap.getIpAddress();
}
policyItem.setUsers(userList);
policyItem.setGroups(groupList);
policyItem.setAccesses(accessList);
if(ipAddress != null && !ipAddress.isEmpty()) {
RangerPolicy.RangerPolicyItemCondition ipCondition = new RangerPolicy.RangerPolicyItemCondition("ipaddress", Collections.singletonList(ipAddress));
policyItem.getConditions().add(ipCondition);
}
ret.getPolicyItems().add(policyItem);
}
return ret;
}
public VXResource toVXResource(RangerPolicy policy, RangerService service) {
if(policy == null || service == null || toAssetType(service.getType()) == null) {
return null;
}
VXResource ret = new VXResource();
rangerObjectToDataObject(policy, ret);
ret.setAssetName(policy.getService());
ret.setAssetId(service.getId());
ret.setAssetType(toAssetType(service.getType()));
ret.setPolicyName(policy.getName());
ret.setDescription(policy.getDescription());
ret.setGuid(policy.getGuid());
ret.setResourceStatus(policy.getIsEnabled() ? RangerCommonEnums.STATUS_ENABLED : RangerCommonEnums.STATUS_DISABLED);
List<VXAuditMap> auditList = null;
if(policy.getIsAuditEnabled()) {
VXAuditMap auditMap = new VXAuditMap();
auditMap.setResourceId(policy.getId());
auditMap.setAuditType(AppConstants.XA_AUDIT_TYPE_ALL);
auditList = new ArrayList<VXAuditMap>();
auditList.add(auditMap);
}
ret.setAuditList(auditList);
for(Map.Entry<String, RangerPolicy.RangerPolicyResource> e : policy.getResources().entrySet()) {
RangerPolicy.RangerPolicyResource res = e.getValue();
String resType = e.getKey();
String resString = getResourceString(res.getValues());
if("path".equalsIgnoreCase(resType)) {
ret.setName(resString);
ret.setIsRecursive(Boolean.TRUE.equals(res.getIsRecursive()) ? RangerCommonEnums.BOOL_TRUE : RangerCommonEnums.BOOL_FALSE);
} else if("table".equalsIgnoreCase(resType)) {
ret.setTables(resString);
ret.setTableType(Boolean.TRUE.equals(res.getIsExcludes()) ? RangerCommonEnums.POLICY_EXCLUSION : RangerCommonEnums.POLICY_INCLUSION);
} else if("column-family".equalsIgnoreCase(resType)) {
ret.setColumnFamilies(resString);
} else if("column".equalsIgnoreCase(resType)) {
ret.setColumns(resString);
ret.setColumnType(Boolean.TRUE.equals(res.getIsExcludes()) ? RangerCommonEnums.POLICY_EXCLUSION : RangerCommonEnums.POLICY_INCLUSION);
} else if("database".equalsIgnoreCase(resType)) {
ret.setDatabases(resString);
} else if("udf".equalsIgnoreCase(resType)) {
ret.setUdfs(resString);
} else if("topology".equalsIgnoreCase(resType)) {
ret.setTopologies(resString);
} else if("service".equalsIgnoreCase(resType)) {
ret.setServices(resString);
} else if(resType.equalsIgnoreCase("hiveservice")) {
ret.setHiveServices(resString);
}
}
updateResourceName(ret);
List<VXPermMap> permMapList = getVXPermMapList(policy);
ret.setPermMapList(permMapList);
return ret;
}
public VXAsset publicObjecttoVXAsset(VXRepository vXRepository) {
VXAsset ret = new VXAsset();
publicDataObjectTovXDataObject(vXRepository,ret);
Integer assetType = toAssetType(vXRepository.getRepositoryType());
ret.setAssetType(assetType == null ? -1 : assetType.intValue());
ret.setName(vXRepository.getName());
ret.setDescription(vXRepository.getDescription());
ret.setActiveStatus(vXRepository.getIsActive() ? RangerCommonEnums.STATUS_ENABLED : RangerCommonEnums.STATUS_DISABLED);
ret.setConfig(vXRepository.getConfig());
return ret;
}
public VXRepository vXAssetToPublicObject(VXAsset asset) {
VXRepository ret = new VXRepository();
vXDataObjectToPublicDataObject(ret,asset);
ret.setRepositoryType(toServiceType(asset.getAssetType()));
ret.setName(asset.getName());
ret.setDescription(asset.getDescription());
ret.setIsActive(asset.getActiveStatus() == RangerCommonEnums.STATUS_ENABLED ? true : false);
ret.setConfig(asset.getConfig());
ret.setVersion(version);
return ret;
}
private Map<String, RangerPolicy.RangerPolicyResource> toRangerResourceList(String resourceString, String resourceType, Boolean isExcludes, Boolean isRecursive, Map<String, RangerPolicy.RangerPolicyResource> resources) {
Map<String, RangerPolicy.RangerPolicyResource> ret = resources == null ? new HashMap<String, RangerPolicy.RangerPolicyResource>() : resources;
if(StringUtils.isNotBlank(resourceString)) {
RangerPolicy.RangerPolicyResource resource = ret.get(resourceType);
if(resource == null) {
resource = new RangerPolicy.RangerPolicyResource();
resource.setIsExcludes(isExcludes);
resource.setIsRecursive(isRecursive);
ret.put(resourceType, resource);
}
Collections.addAll(resource.getValues(), resourceString.split(","));
}
return ret;
}
private static String toServiceType(int assetType) {
String ret = null;
for(Map.Entry<String, Integer> e : mapServiceTypeToAssetType.entrySet()) {
if(e.getValue().intValue() == assetType) {
ret = e.getKey();
break;
}
}
return ret;
}
private static Integer toAssetType(String serviceType) {
Integer ret = null;
if(serviceType != null) {
ret = mapServiceTypeToAssetType.get(serviceType.toLowerCase());
}
return ret;
}
public static String toAccessType(int permType) {
String ret = null;
for(Map.Entry<String, Integer> e : mapAccessTypeToPermType.entrySet()) {
if(e.getValue().intValue() == permType) {
ret = e.getKey();
break;
}
}
return ret;
}
private static Integer toPermType(String accessType) {
Integer ret = null;
for(Map.Entry<String, Integer> e : mapAccessTypeToPermType.entrySet()) {
if(e.getKey().equalsIgnoreCase(accessType)) {
ret = e.getValue();
break;
}
}
return ret == null ? 0 : ret;
}
private RangerBaseModelObject dataObjectToRangerObject(VXDataObject dataObject,RangerBaseModelObject rangerObject) {
RangerBaseModelObject ret = rangerObject;
ret.setId(dataObject.getId());
ret.setCreateTime(dataObject.getCreateDate());
ret.setUpdateTime(dataObject.getUpdateDate());
ret.setCreatedBy(dataObject.getOwner());
ret.setUpdatedBy(dataObject.getUpdatedBy());
return ret;
}
private VXDataObject rangerObjectToDataObject(RangerBaseModelObject rangerObject, VXDataObject dataObject) {
VXDataObject ret = dataObject;
ret.setId(rangerObject.getId());
ret.setCreateDate(rangerObject.getCreateTime());
ret.setUpdateDate(rangerObject.getUpdateTime());
ret.setOwner(rangerObject.getCreatedBy());
ret.setUpdatedBy(rangerObject.getUpdatedBy());
return ret;
}
private String toVxPolicyIncExc(int policyIncExc) {
String ret = "";
switch(policyIncExc) {
case 0:
ret = "Inclusion";
break;
case 1:
ret = "Exclusion";
break;
}
return ret;
}
private void updateResourceName(VXPolicy policy) {
if(policy == null || toAssetType(policy.getRepositoryType()) == null) {
return;
}
String resourceName = getResourceName(toAssetType(policy.getRepositoryType()),
policy.getResourceName(),
policy.getTables(),
policy.getColumnFamilies(),
policy.getColumns(),
policy.getDatabases(),
policy.getTopologies(),
policy.getServices());
policy.setResourceName(resourceName);
}
private void updateResourceName(VXResource resource) {
if(resource == null) {
return;
}
String resourceName = getResourceName(resource.getAssetType(),
resource.getName(),
resource.getTables(),
resource.getColumnFamilies(),
resource.getColumns(),
resource.getDatabases(),
resource.getTopologies(),
resource.getServices());
resource.setName(resourceName);
}
private String getResourceName(int assetType, String paths, String tables, String columnFamilies, String columns, String databases, String topologies, String services) {
StringBuilder sb = new StringBuilder();
switch(assetType) {
case RangerCommonEnums.ASSET_HDFS:
paths = emptyIfNull(paths);
sb.append(paths);
break;
case RangerCommonEnums.ASSET_HBASE:
{
tables = emptyIfNull(tables);
columnFamilies = emptyIfNull(columnFamilies);
columns = emptyIfNull(columns);
for(String column : columns.split(",")) {
for(String columnFamily : columnFamilies.split(",")) {
for(String table : tables.split(",")) {
if(sb.length() > 0) {
sb.append(",");
}
sb.append("/").append(table).append("/").append(columnFamily).append("/").append(column);
}
}
}
}
break;
case RangerCommonEnums.ASSET_HIVE:
{
databases = emptyIfNull(databases);
tables = emptyIfNull(tables);
columns = emptyIfNull(columns);
for(String column : columns.split(",")) {
for(String table : tables.split(",")) {
for(String database : databases.split(",")) {
if(sb.length() > 0) {
sb.append(",");
}
sb.append("/").append(database).append("/").append(table).append("/").append(column);
}
}
}
}
break;
case RangerCommonEnums.ASSET_KNOX:
{
topologies = emptyIfNull(topologies);
services = emptyIfNull(services);
for(String service : services.split(",")) {
for(String topology : topologies.split(",")) {
if(sb.length() > 0) {
sb.append(",");
}
sb.append("/").append(topology).append("/").append(service);
}
}
}
break;
case RangerCommonEnums.ASSET_STORM:
topologies = emptyIfNull(topologies);
sb.append(topologies);
break;
}
return sb.toString();
}
private String emptyIfNull(String str) {
return str == null ? "" : str;
}
private String getResourceString(List<String> values) {
String ret = null;
if(values != null) {
for(String value : values) {
if(ret == null) {
ret = value;
} else if(value != null) {
ret += ("," + value);
}
}
}
return ret;
}
private String getUserName(VXPermMap permMap) {
String userName = permMap.getUserName();
if(userName == null || userName.isEmpty()) {
Long userId = permMap.getUserId();
if(userId != null) {
XXUser xxUser = xaDaoMgr.getXXUser().getById(userId);
if(xxUser != null) {
userName = xxUser.getName();
}
}
}
return userName;
}
private String getGroupName(VXPermMap permMap) {
String groupName = permMap.getGroupName();
if(groupName == null || groupName.isEmpty()) {
Long groupId = permMap.getGroupId();
if(groupId != null) {
XXGroup xxGroup = xaDaoMgr.getXXGroup().getById(groupId);
if(xxGroup != null) {
groupName = xxGroup.getName();
}
}
}
return groupName;
}
private Long getUserId(String userName) {
Long userId = null;
if(userName != null) {
XXUser xxUser = xaDaoMgr.getXXUser().findByUserName(userName);
if(xxUser != null) {
userId = xxUser.getId();
}
}
return userId;
}
private Long getGroupId(String groupName) {
Long groupId = null;
if(groupName != null) {
XXGroup xxGroup = xaDaoMgr.getXXGroup().findByGroupName(groupName);
if(xxGroup != null) {
groupId = xxGroup.getId();
}
}
return groupId;
}
public SearchCriteria getMappedSearchParams(HttpServletRequest request,
SearchCriteria searchCriteria) {
Object typeObj = searchCriteria.getParamValue("type");
Object statusObj = searchCriteria.getParamValue("status");
ArrayList<Integer> statusList = new ArrayList<Integer>();
if (statusObj == null) {
statusList.add(RangerCommonEnums.STATUS_DISABLED);
statusList.add(RangerCommonEnums.STATUS_ENABLED);
} else {
Boolean status = restErrorUtil.parseBoolean(
request.getParameter("status"), "Invalid value for "
+ "status", MessageEnums.INVALID_INPUT_DATA, null,
"status");
int statusEnum = (status == null || status == false) ? AppConstants.STATUS_DISABLED
: AppConstants.STATUS_ENABLED;
statusList.add(statusEnum);
}
searchCriteria.addParam("status", statusList);
if (typeObj != null) {
String type = typeObj.toString();
int typeEnum = AppConstants.getEnumFor_AssetType(type);
searchCriteria.addParam("type", typeEnum);
}
return searchCriteria;
}
public VXRepositoryList rangerServiceListToPublicObjectList(List<RangerService> serviceList) {
List<VXRepository> repoList = new ArrayList<VXRepository>();
for (RangerService service : serviceList) {
VXRepository vXRepo = toVXRepository(service);
if(vXRepo != null) {
repoList.add(vXRepo);
}
}
VXRepositoryList vXRepositoryList = new VXRepositoryList(repoList);
return vXRepositoryList;
}
private VXDataObject vXDataObjectToPublicDataObject(VXDataObject publicDataObject, VXDataObject vXdataObject) {
VXDataObject ret = publicDataObject;
ret.setId(vXdataObject.getId());
ret.setCreateDate(vXdataObject.getCreateDate());
ret.setUpdateDate(vXdataObject.getUpdateDate());
ret.setOwner(vXdataObject.getOwner());
ret.setUpdatedBy(vXdataObject.getUpdatedBy());
return ret;
}
protected VXDataObject publicDataObjectTovXDataObject(VXDataObject publicDataObject,VXDataObject vXDataObject) {
VXDataObject ret = vXDataObject;
ret.setId(publicDataObject.getId());
ret.setCreateDate(publicDataObject.getCreateDate());
ret.setUpdateDate(publicDataObject.getUpdateDate());
ret.setOwner(publicDataObject.getOwner());
ret.setUpdatedBy(publicDataObject.getUpdatedBy());
return ret;
}
public VXPolicy toVXPolicy(RangerPolicy policy, RangerService service) {
if(policy == null || service == null || toAssetType(service.getType()) == null) {
return null;
}
VXPolicy ret = new VXPolicy();
rangerObjectToDataObject(policy, ret);
ret.setPolicyName(StringUtils.trim(policy.getName()));
ret.setDescription(policy.getDescription());
ret.setRepositoryName(policy.getService());
ret.setIsEnabled(policy.getIsEnabled() ? true : false);
ret.setRepositoryType(service.getType());
ret.setIsAuditEnabled(policy.getIsAuditEnabled());
if (policy.getVersion() != null ) {
ret.setVersion(policy.getVersion().toString());
} else {
ret.setVersion(version);
}
for(Map.Entry<String, RangerPolicy.RangerPolicyResource> e : policy.getResources().entrySet()) {
RangerPolicy.RangerPolicyResource res = e.getValue();
String resType = e.getKey();
String resString = getResourceString(res.getValues());
if("path".equalsIgnoreCase(resType)) {
ret.setResourceName(resString);
ret.setIsRecursive(Boolean.TRUE.equals(res.getIsRecursive()) ? true : false);
} else if("table".equalsIgnoreCase(resType)) {
ret.setTables(resString);
ret.setTableType(Boolean.TRUE.equals(res.getIsExcludes()) ? toVxPolicyIncExc(RangerCommonEnums.POLICY_EXCLUSION):toVxPolicyIncExc(RangerCommonEnums.POLICY_INCLUSION));
} else if("column-family".equalsIgnoreCase(resType)) {
ret.setColumnFamilies(resString);
} else if("column".equalsIgnoreCase(resType)) {
ret.setColumns(resString);
ret.setColumnType(Boolean.TRUE.equals(res.getIsExcludes()) ? toVxPolicyIncExc(RangerCommonEnums.POLICY_EXCLUSION):toVxPolicyIncExc(RangerCommonEnums.POLICY_INCLUSION));
} else if("database".equalsIgnoreCase(resType)) {
ret.setDatabases(resString);
} else if("udf".equalsIgnoreCase(resType)) {
ret.setUdfs(resString);
} else if("topology".equalsIgnoreCase(resType)) {
ret.setTopologies(resString);
} else if("service".equalsIgnoreCase(resType)) {
ret.setServices(resString);
} else if(resType.equalsIgnoreCase("hiveservice")) {
ret.setHiveServices(resString);
}
}
updateResourceName(ret);
List<VXPermMap> vXPermMapList = getVXPermMapList(policy);
List<VXPermObj> vXPermObjList = mapPermMapToPermObj(vXPermMapList);
ret.setPermMapList(vXPermObjList);
return ret;
}
public List<VXPermMap> getVXPermMapList(RangerPolicy policy) {
List<VXPermMap> permMapList = new ArrayList<VXPermMap>();
int permGroup = 0;
for(RangerPolicy.RangerPolicyItem policyItem : policy.getPolicyItems()) {
String ipAddress = null;
for (RangerPolicy.RangerPolicyItemCondition condition : policyItem.getConditions()) {
if ("ipaddress".equalsIgnoreCase(condition.getType())) {
List<String> values = condition.getValues();
if (CollectionUtils.isNotEmpty(values)) {
// TODO changes this to properly deal with collection for now just returning 1st item
ipAddress = values.get(0);
}
}
if (ipAddress != null && !ipAddress.isEmpty()) {
break; // only 1 IP-address per permMap
}
}
for(String userName : policyItem.getUsers()) {
for(RangerPolicyItemAccess access : policyItem.getAccesses()) {
if(! access.getIsAllowed()) {
continue;
}
VXPermMap permMap = new VXPermMap();
permMap.setPermFor(AppConstants.XA_PERM_FOR_USER);
permMap.setPermGroup(Integer.valueOf(permGroup).toString());
permMap.setUserName(userName);
permMap.setUserId(getUserId(userName));
permMap.setPermType(toPermType(access.getType()));
permMap.setIpAddress(ipAddress);
permMapList.add(permMap);
}
if(policyItem.getDelegateAdmin()) {
VXPermMap permMap = new VXPermMap();
permMap.setPermFor(AppConstants.XA_PERM_FOR_USER);
permMap.setPermGroup(Integer.valueOf(permGroup).toString());
permMap.setUserName(userName);
permMap.setUserId(getUserId(userName));
permMap.setPermType(toPermType("Admin"));
permMap.setIpAddress(ipAddress);
permMapList.add(permMap);
}
}
permGroup++;
for(String groupName : policyItem.getGroups()) {
for(RangerPolicyItemAccess access : policyItem.getAccesses()) {
if(! access.getIsAllowed()) {
continue;
}
VXPermMap permMap = new VXPermMap();
permMap.setPermFor(AppConstants.XA_PERM_FOR_GROUP);
permMap.setPermGroup(Integer.valueOf(permGroup).toString());
permMap.setGroupName(groupName);
permMap.setGroupId(getGroupId(groupName));
permMap.setPermType(toPermType(access.getType()));
permMap.setIpAddress(ipAddress);
permMapList.add(permMap);
}
if(policyItem.getDelegateAdmin()) {
VXPermMap permMap = new VXPermMap();
permMap.setPermFor(AppConstants.XA_PERM_FOR_GROUP);
permMap.setPermGroup(Integer.valueOf(permGroup).toString());
permMap.setGroupName(groupName);
permMap.setGroupId(getGroupId(groupName));
permMap.setPermType(toPermType("Admin"));
permMap.setIpAddress(ipAddress);
permMapList.add(permMap);
}
}
permGroup++;
}
return permMapList;
}
public List<VXPermObj> mapPermMapToPermObj(List<VXPermMap> permMapList) {
List<VXPermObj> permObjList = new ArrayList<VXPermObj>();
HashMap<String, List<VXPermMap>> sortedPemMap = new HashMap<String, List<VXPermMap>>();
if (permMapList != null) {
for (VXPermMap vXPermMap : permMapList) {
String permGrp = vXPermMap.getPermGroup();
List<VXPermMap> sortedList = sortedPemMap.get(permGrp);
if (sortedList == null) {
sortedList = new ArrayList<VXPermMap>();
sortedPemMap.put(permGrp, sortedList);
}
sortedList.add(vXPermMap);
}
}
for (Entry<String, List<VXPermMap>> entry : sortedPemMap.entrySet()) {
VXPermObj vXPermObj = new VXPermObj();
List<String> userList = new ArrayList<String>();
List<String> groupList = new ArrayList<String>();
List<String> permList = new ArrayList<String>();
String ipAddress = "";
List<VXPermMap> permListForGrp = entry.getValue();
for (VXPermMap permMap : permListForGrp) {
if (permMap.getPermFor() == AppConstants.XA_PERM_FOR_USER) {
if (!userList.contains(permMap.getUserName())) {
userList.add(permMap.getUserName());
}
} else if (permMap.getPermFor() == AppConstants.XA_PERM_FOR_GROUP) {
if (!groupList.contains(permMap.getGroupName())) {
groupList.add(permMap.getGroupName());
}
}
String perm = AppConstants.getLabelFor_XAPermType(permMap
.getPermType());
if (!permList.contains(perm)) {
permList.add(perm);
}
ipAddress = permMap.getIpAddress();
}
vXPermObj.setUserList(userList);
vXPermObj.setGroupList(groupList);
vXPermObj.setPermList(permList);
vXPermObj.setIpAddress(ipAddress);
permObjList.add(vXPermObj);
}
return permObjList;
}
public RangerPolicy toRangerPolicy(VXPolicy vXPolicy, RangerService service ) {
if(vXPolicy == null || service == null || toAssetType(service.getType()) == null) {
return null;
}
RangerPolicy ret = new RangerPolicy();
ret = (RangerPolicy) dataObjectToRangerObject(vXPolicy, ret);
ret.setService(service.getName());
ret.setName(StringUtils.trim(vXPolicy.getPolicyName()));
ret.setDescription(vXPolicy.getDescription());
ret.setIsEnabled(vXPolicy.getIsEnabled() == true);
ret.setIsAuditEnabled(vXPolicy.getIsAuditEnabled());
Integer assetType = toAssetType(service.getType());
Boolean isRecursive = Boolean.FALSE;
if (assetType == RangerCommonEnums.ASSET_HDFS && vXPolicy.getIsRecursive() != null) {
isRecursive = vXPolicy.getIsRecursive();
}
Boolean isTableExcludes = Boolean.FALSE;
if ( vXPolicy.getTableType() != null) {
isTableExcludes = vXPolicy.getTableType().equals(RangerCommonEnums.getLabelFor_PolicyType(RangerCommonEnums.POLICY_EXCLUSION));
}
Boolean isColumnExcludes = Boolean.FALSE;
if ( vXPolicy.getColumnType() != null) {
isColumnExcludes = vXPolicy.getColumnType().equals(RangerCommonEnums.getLabelFor_PolicyType(RangerCommonEnums.POLICY_EXCLUSION));
}
if (assetType == RangerCommonEnums.ASSET_HDFS && vXPolicy.getResourceName() != null ) {
toRangerResourceList(vXPolicy.getResourceName(), "path", Boolean.FALSE, isRecursive, ret.getResources());
}
if (vXPolicy.getTables() != null) {
toRangerResourceList(vXPolicy.getTables(), "table", isTableExcludes, isRecursive, ret.getResources());
}
if (vXPolicy.getColumnFamilies() != null) {
toRangerResourceList(vXPolicy.getColumnFamilies(), "column-family", Boolean.FALSE, isRecursive, ret.getResources());
}
if (vXPolicy.getColumns() != null) {
toRangerResourceList(vXPolicy.getColumns(), "column", isColumnExcludes, isRecursive, ret.getResources());
}
if (vXPolicy.getDatabases() != null) {
toRangerResourceList(vXPolicy.getDatabases(), "database", Boolean.FALSE, isRecursive, ret.getResources());
}
if (vXPolicy.getUdfs() != null) {
toRangerResourceList(vXPolicy.getUdfs(), "udf", Boolean.FALSE, isRecursive, ret.getResources());
}
if (vXPolicy.getTopologies() != null) {
toRangerResourceList(vXPolicy.getTopologies(), "topology", Boolean.FALSE, isRecursive, ret.getResources());
}
if (vXPolicy.getServices() != null) {
toRangerResourceList(vXPolicy.getServices(), "service", Boolean.FALSE, isRecursive, ret.getResources());
}
if (vXPolicy.getHiveServices() != null) {
toRangerResourceList(vXPolicy.getHiveServices(), "hiveservice", Boolean.FALSE, isRecursive, ret.getResources());
}
if ( vXPolicy.getPermMapList() != null) {
List<VXPermObj> vXPermObjList = vXPolicy.getPermMapList();
for(VXPermObj vXPermObj : vXPermObjList ) {
List<String> userList = new ArrayList<String>();
List<String> groupList = new ArrayList<String>();
List<RangerPolicyItemAccess> accessList = new ArrayList<RangerPolicyItemAccess>();
String ipAddress = null;
boolean delegatedAdmin = false;
if (vXPermObj.getUserList() != null) {
for (String user : vXPermObj.getUserList() ) {
if ( user.contains(getUserName(user))) {
userList.add(user);
}
}
}
if (vXPermObj.getGroupList() != null) {
for (String group : vXPermObj.getGroupList()) {
if ( group.contains(getGroupName(group))) {
groupList.add(group);
}
}
}
if (vXPermObj.getPermList() != null) {
for (String perm : vXPermObj.getPermList()) {
if ( AppConstants.getEnumFor_XAPermType(perm) != 0 ) {
if ("Admin".equalsIgnoreCase(perm)) {
delegatedAdmin=true;
if (assetType != RangerCommonEnums.ASSET_HBASE) {
continue;
}
}
accessList.add(new RangerPolicyItemAccess(perm));
}
}
}
if (vXPermObj.getIpAddress() != null ) {
ipAddress = vXPermObj.getIpAddress();
}
RangerPolicy.RangerPolicyItem policyItem = new RangerPolicy.RangerPolicyItem();
policyItem.setUsers(userList);
policyItem.setGroups(groupList);
policyItem.setAccesses(accessList);
if (delegatedAdmin) {
policyItem.setDelegateAdmin(Boolean.TRUE);
} else {
policyItem.setDelegateAdmin(Boolean.FALSE);
}
if(ipAddress != null && !ipAddress.isEmpty()) {
RangerPolicy.RangerPolicyItemCondition ipCondition = new RangerPolicy.RangerPolicyItemCondition("ipaddress", Collections.singletonList(ipAddress));
policyItem.getConditions().add(ipCondition);
}
ret.getPolicyItems().add(policyItem);
}
}
return ret;
}
private String getUserName(String userName) {
if(userName == null || userName.isEmpty()) {
XXUser xxUser = xaDaoMgr.getXXUser().findByUserName(userName);
if(xxUser != null) {
userName = xxUser.getName();
}
}
return userName;
}
private String getGroupName(String groupName) {
if(groupName == null || groupName.isEmpty()) {
XXGroup xxGroup = xaDaoMgr.getXXGroup().findByGroupName(groupName);
if(xxGroup != null) {
groupName = xxGroup.getName();
}
}
return groupName;
}
public VXPolicyList rangerPolicyListToPublic(List<RangerPolicy> rangerPolicyList,SearchFilter filter) {
RangerService service = null;
List<VXPolicy> vXPolicyList = new ArrayList<VXPolicy>();
VXPolicyList vXPolicyListObj = new VXPolicyList(new ArrayList<VXPolicy>());
if(CollectionUtils.isNotEmpty(rangerPolicyList)) {
int totalCount = rangerPolicyList.size();
int startIndex = filter.getStartIndex();
int pageSize = filter.getMaxRows();
int toIndex = Math.min(startIndex + pageSize, totalCount);
String sortType = filter.getSortType();
String sortBy = filter.getSortBy();
for(int i = startIndex; i < toIndex; i++) {
RangerPolicy policy =rangerPolicyList.get(i);
try {
service = svcStore.getServiceByName(policy.getService());
} catch(Exception excp) {
throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true);
}
if(service == null) {
throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, RangerServiceNotFoundException.buildExceptionMsg(policy.getService()), true);
}
VXPolicy vXPolicy = toVXPolicy(policy,service);
if(vXPolicy != null) {
vXPolicyList.add(vXPolicy);
}
}
vXPolicyListObj = new VXPolicyList(vXPolicyList);
vXPolicyListObj.setPageSize(pageSize);
vXPolicyListObj.setResultSize(vXPolicyList.size());
vXPolicyListObj.setStartIndex(startIndex);
vXPolicyListObj.setTotalCount(totalCount);
vXPolicyListObj.setSortBy(sortBy);
vXPolicyListObj.setSortType(sortType);
}
return vXPolicyListObj;
}
public GrantRevokeRequest toGrantRevokeRequest(VXPolicy vXPolicy) {
String serviceType = null;
RangerService service = null;
GrantRevokeRequest ret = new GrantRevokeRequest();
if ( vXPolicy != null) {
String serviceName = vXPolicy.getRepositoryName();
try {
service = svcStore.getServiceByName(serviceName);
} catch (Exception e) {
LOG.error( HttpServletResponse.SC_BAD_REQUEST + "No Service Found for ServiceName:" + serviceName );
throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, e.getMessage() + serviceName, true);
}
if ( service != null) {
serviceType = service.getType();
} else {
LOG.error( HttpServletResponse.SC_BAD_REQUEST + "No Service Found for ServiceName" + serviceName );
throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, "No Service Found for ServiceName" + serviceName, true);
}
if (vXPolicy.getGrantor() != null) {
ret.setGrantor(vXPolicy.getGrantor());
}
ret.setEnableAudit(Boolean.TRUE);
ret.setIsRecursive(Boolean.FALSE);
ret.setReplaceExistingPermissions(toBooleanReplacePerm(vXPolicy.isReplacePerm()));
Integer assetType = toAssetType(serviceType);
if (assetType == RangerCommonEnums.ASSET_HIVE) {
String database = StringUtils.isEmpty(vXPolicy.getDatabases()) ? "*" : vXPolicy.getDatabases();
String table = getTableOrUdf(vXPolicy);
String column = StringUtils.isEmpty(vXPolicy.getColumns()) ? "*" : vXPolicy.getColumns();
Map<String, String> mapResource = new HashMap<String, String>();
mapResource.put("database", database);
mapResource.put("table", table);
mapResource.put("column", column);
ret.setResource(mapResource);
}
else if ( assetType == RangerCommonEnums.ASSET_HBASE) {
String tableName = vXPolicy.getTables();
tableName = StringUtil.isEmpty(tableName) ? "*" : tableName;
String colFamily = vXPolicy.getColumnFamilies();
colFamily = StringUtil.isEmpty(colFamily) ? "*": colFamily;
String qualifier = vXPolicy.getColumns();
qualifier = StringUtil.isEmpty(qualifier) ? "*" : qualifier;
Map<String, String> mapResource = new HashMap<String, String>();
mapResource.put("table", tableName);
mapResource.put("column-family", colFamily);
mapResource.put("column", qualifier);
ret.setResource(mapResource);
}
List<VXPermObj> vXPermObjList = vXPolicy.getPermMapList();
if (vXPermObjList != null) {
for(VXPermObj vXPermObj : vXPermObjList ) {
boolean delegatedAdmin = false;
if (vXPermObj.getUserList() != null ) {
for (String user : vXPermObj.getUserList() ) {
if ( user.contains(getUserName(user))) {
ret.getUsers().add(user);
}
}
}
if (vXPermObj.getGroupList() != null) {
for (String group : vXPermObj.getGroupList()) {
if ( group.contains(getGroupName(group))) {
ret.getGroups().add(group);
}
}
}
if(vXPermObj.getPermList() != null) {
for (String perm : vXPermObj.getPermList()) {
if ( AppConstants.getEnumFor_XAPermType(perm) != 0 ) {
if ("Admin".equalsIgnoreCase(perm)) {
delegatedAdmin=true;
if (assetType!=null && assetType.intValue() != RangerCommonEnums.ASSET_HBASE) {
continue;
}
}
ret.getAccessTypes().add(perm);
}
}
}
if (delegatedAdmin) {
ret.setDelegateAdmin(Boolean.TRUE);
} else {
ret.setDelegateAdmin(Boolean.FALSE);
}
}
}
}
return ret;
}
private String getTableOrUdf(VXPolicy vXPolicy) {
String ret = null;
String table = vXPolicy.getTables();
String udf = vXPolicy.getUdfs();
if (!StringUtils.isEmpty(table)) {
ret = table;
} else if (!StringUtils.isEmpty(udf)) {
ret = udf;
}
return ret;
}
public boolean isValidateHttpsAuthentication( String serviceName, HttpServletRequest request) {
boolean isValidAuthentication=false;
boolean httpEnabled = PropertiesUtil.getBooleanProperty("ranger.service.http.enabled",true);
X509Certificate[] certchain = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
String ipAddress = request.getHeader("X-FORWARDED-FOR");
if (ipAddress == null) {
ipAddress = request.getRemoteAddr();
}
boolean isSecure = request.isSecure();
if (serviceName == null || serviceName.isEmpty()) {
LOG.error("ServiceName not provided");
throw restErrorUtil.createRESTException("Unauthorized access.",
MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY);
}
RangerService service = null;
try {
service = svcStore.getServiceByName(serviceName);
} catch (Exception e) {
LOG.error("Requested Service not found. serviceName=" + serviceName);
throw restErrorUtil.createRESTException("Service:" + serviceName + " not found",
MessageEnums.DATA_NOT_FOUND);
}
if(service==null){
LOG.error("Requested Service not found. serviceName=" + serviceName);
throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, RangerServiceNotFoundException.buildExceptionMsg(serviceName),
false);
}
if(!service.getIsEnabled()){
LOG.error("Requested Service is disabled. serviceName=" + serviceName);
throw restErrorUtil.createRESTException("Unauthorized access.",
MessageEnums.OPER_NOT_ALLOWED_FOR_STATE);
}
if (!httpEnabled) {
if (!isSecure) {
LOG.error("Unauthorized access. Only https is allowed. serviceName=" + serviceName);
throw restErrorUtil.createRESTException("Unauthorized access -"
+ " only https allowed",
MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY);
}
if (certchain == null || certchain.length == 0) {
LOG.error("Unauthorized access. Unable to get client certificate. serviceName=" + serviceName);
throw restErrorUtil.createRESTException("Unauthorized access -"
+ " unable to get client certificate",
MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY);
}
// Check if common name is found in service config
Map<String, String> configMap = service.getConfigs();
String cnFromConfig = configMap.get("commonNameForCertificate");
if (cnFromConfig == null || "".equals(cnFromConfig.trim())) {
LOG.error("Unauthorized access. No common name for certificate set. Please check your service config");
throw restErrorUtil.createRESTException("Unauthorized access. No common name for certificate set. Please check your service config",
MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY);
}
String cnFromConfigForTest = cnFromConfig;
boolean isRegEx = cnFromConfig.toLowerCase().startsWith(REGEX_PREFIX_STR);
if (isRegEx) {
cnFromConfigForTest = cnFromConfig.substring(REGEX_PREFIX_STR_LENGTH);
}
// Perform SAN validation
try {
Collection<List<?>> subjectAltNames = certchain[0].getSubjectAlternativeNames();
if (subjectAltNames != null) {
for (List<?> sanItem : subjectAltNames) {
if (sanItem.size() == 2) {
Integer sanType = (Integer) sanItem.get(0);
String sanValue = (String) sanItem.get(1);
if ( (sanType == 2 || sanType == 7) && (matchNames(sanValue, cnFromConfigForTest,isRegEx)) ) {
if (LOG.isDebugEnabled()) LOG.debug("Client Cert verification successful, matched SAN:" + sanValue);
isValidAuthentication=true;
break;
}
}
}
}
} catch (Throwable e) {
LOG.error("Unauthorized access. Error getting SAN from certificate", e);
throw restErrorUtil.createRESTException("Unauthorized access - Error getting SAN from client certificate", MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY);
}
// Perform common name validation only if SAN validation did not succeed
if (!isValidAuthentication) {
String commonName = null;
if (certchain != null) {
X509Certificate clientCert = certchain[0];
String dn = clientCert.getSubjectX500Principal().getName();
try {
LdapName ln = new LdapName(dn);
for (Rdn rdn : ln.getRdns()) {
if ("CN".equalsIgnoreCase(rdn.getType())) {
commonName = rdn.getValue() + "";
break;
}
}
if (commonName == null) {
LOG.error("Unauthorized access. CName is null. serviceName=" + serviceName);
throw restErrorUtil.createRESTException(
"Unauthorized access - Unable to find Common Name from ["
+ dn + "]",
MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY);
}
} catch (InvalidNameException e) {
LOG.error("Invalid Common Name. CName=" + commonName + ", serviceName=" + serviceName, e);
throw restErrorUtil.createRESTException(
"Unauthorized access - Invalid Common Name",
MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY);
}
}
if (commonName != null) {
if (matchNames(commonName, cnFromConfigForTest,isRegEx)) {
if (LOG.isDebugEnabled()) LOG.debug("Client Cert verification successful, matched CN " + commonName + " with " + cnFromConfigForTest + ", wildcard match = " + isRegEx);
isValidAuthentication=true;
}
if (!isValidAuthentication) {
LOG.error("Unauthorized access. expected [" + cnFromConfigForTest + "], found ["
+ commonName + "], serviceName=" + serviceName);
throw restErrorUtil.createRESTException(
"Unauthorized access. expected [" + cnFromConfigForTest
+ "], found [" + commonName + "]",
MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY);
}
}
}
} else {
isValidAuthentication = true;
}
return isValidAuthentication;
}
public boolean isValidService(String serviceName, HttpServletRequest request){
boolean isValid = true;
if (serviceName == null || serviceName.isEmpty()) {
LOG.error("ServiceName not provided");
isValid = false;
throw restErrorUtil.createRESTException("Unauthorized access.",
MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY);
}
RangerService service = null;
try {
if(null != request.getAttribute("downloadPolicy") && StringUtils.equalsIgnoreCase(request.getAttribute("downloadPolicy").toString(), "secure")){
service = svcStore.getServiceByNameForDP(serviceName);
}else{
service = svcStore.getServiceByName(serviceName);
}
} catch (Exception e) {
isValid = false;
LOG.error("Requested Service not found. serviceName=" + serviceName);
throw restErrorUtil.createRESTException("Service:" + serviceName + " not found",
MessageEnums.DATA_NOT_FOUND);
}
if(service==null){
isValid = false;
LOG.error("Requested Service not found. serviceName=" + serviceName);
throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, RangerServiceNotFoundException.buildExceptionMsg(serviceName),
false);
}
if(!service.getIsEnabled()){
isValid = false;
LOG.error("Requested Service is disabled. serviceName=" + serviceName);
throw restErrorUtil.createRESTException("Unauthorized access.",
MessageEnums.OPER_NOT_ALLOWED_FOR_STATE);
}
return isValid;
}
private boolean matchNames(String target, String source, boolean wildcardMatch) {
boolean matched = false;
if(target != null && source != null) {
String names[] = (wildcardMatch ? new String[] { source } : source.split(","));
for (String n:names) {
if (wildcardMatch) {
if(LOG.isDebugEnabled()) LOG.debug("Wildcard Matching [" + target + "] with [" + n + "]");
if (wildcardMatch(target,n)) {
if(LOG.isDebugEnabled()) LOG.debug("Matched target:" + target + " with " + n);
matched = true;
break;
}
} else {
if(LOG.isDebugEnabled()) LOG.debug("Matching [" + target + "] with [" + n + "]");
if (target.equalsIgnoreCase(n)) {
if(LOG.isDebugEnabled()) LOG.debug("Matched target:" + target + " with " + n);
matched = true;
break;
}
}
}
} else {
if(LOG.isDebugEnabled()) LOG.debug("source=[" + source + "],target=[" + target +"], returning false.");
}
return matched;
}
private boolean wildcardMatch(String target, String source) {
boolean matched = false;
if(target != null && source != null) {
try {
matched = target.matches(source);
} catch (Throwable e) {
LOG.error("Error doing wildcard match..", e);
}
} else {
if(LOG.isDebugEnabled()) LOG.debug("source=[" + source + "],target=[" + target +"], returning false.");
}
return matched;
}
private Boolean toBooleanReplacePerm(boolean isReplacePermission) {
Boolean ret;
if (isReplacePermission) {
ret = Boolean.TRUE;
} else {
ret = Boolean.FALSE;
}
return ret;
}
private Integer getAssetType(RangerService service, String serviceName) {
if(service == null || StringUtils.isEmpty(service.getType())) {
try {
service = svcStore.getServiceByName(serviceName);
} catch (Exception e) {
LOG.info( HttpServletResponse.SC_BAD_REQUEST + "No Service Found for ServiceName:" + serviceName );
throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, e.getMessage() + serviceName, true);
}
}
String serviceType = service != null ? service.getType() : null;
Integer assetType = toAssetType(serviceType);
return assetType;
}
public List<RangerPolicy> getMatchingPoliciesForResource(HttpServletRequest request,
List<RangerPolicy> policyLists) {
List<RangerPolicy> policies = new ArrayList<RangerPolicy>();
final String serviceTypeForTag = EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME;
if (request != null) {
String resource = request.getParameter(SearchFilter.POL_RESOURCE);
String serviceType = request.getParameter(SearchFilter.SERVICE_TYPE);
if (!StringUtil.isEmpty(resource) && !StringUtil.isEmpty(serviceType)) {
List<String> resourceList = null;
Map<String, RangerPolicy.RangerPolicyResource> rangerPolicyResourceMap = null;
RangerPolicy.RangerPolicyResource rangerPolicyResource = null;
for (RangerPolicy rangerPolicy : policyLists) {
if (rangerPolicy != null) {
if(serviceTypeForTag.equals(rangerPolicy.getServiceType())) {
policies.add(rangerPolicy);
}else {
rangerPolicyResourceMap = rangerPolicy.getResources();
if (rangerPolicyResourceMap != null) {
if (rangerPolicyResourceMap.containsKey("path")) {
rangerPolicyResource = rangerPolicyResourceMap.get("path");
if (rangerPolicyResource != null) {
resourceList = rangerPolicyResource.getValues();
if (CollectionUtils.isNotEmpty(resourceList) && resourceList.contains(resource)) {
policies.add(rangerPolicy);
}
}
} else if (rangerPolicyResourceMap.containsKey("database")) {
rangerPolicyResource = rangerPolicyResourceMap.get("database");
if (rangerPolicyResource != null) {
resourceList = rangerPolicyResource.getValues();
if (CollectionUtils.isNotEmpty(resourceList) && resourceList.contains(resource)) {
policies.add(rangerPolicy);
}
}
}
}
}
}
}
policyLists.clear();
if (CollectionUtils.isNotEmpty(policies)) {
policyLists.addAll(policies);
}
}
}
return policyLists;
}
}