diff --git a/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java b/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java index 065b9d33e3..46f16285c4 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java @@ -17,28 +17,7 @@ * under the License. */ - package org.apache.ranger.rest; - -import java.text.SimpleDateFormat; -import java.util.ArrayList; -import java.util.HashMap; -import java.util.List; -import java.util.Map; - -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import javax.ws.rs.Consumes; -import javax.ws.rs.DELETE; -import javax.ws.rs.Encoded; -import javax.ws.rs.GET; -import javax.ws.rs.POST; -import javax.ws.rs.PUT; -import javax.ws.rs.Path; -import javax.ws.rs.PathParam; -import javax.ws.rs.Produces; -import javax.ws.rs.QueryParam; -import javax.ws.rs.WebApplicationException; -import javax.ws.rs.core.Context; +package org.apache.ranger.rest; import org.apache.commons.lang.StringUtils; import org.apache.ranger.admin.client.datatype.RESTResponse; 
@@ -59,15 +38,27 @@ import org.apache.ranger.plugin.util.GrantRevokeRequest; import org.apache.ranger.plugin.util.SearchFilter; import org.apache.ranger.security.context.RangerAPIList; +import org.apache.ranger.service.RangerTrxLogV2Service; import org.apache.ranger.service.XAccessAuditService; import org.apache.ranger.service.XAssetService; import org.apache.ranger.service.XCredentialStoreService; import org.apache.ranger.service.XPolicyExportAuditService; import org.apache.ranger.service.XPolicyService; import org.apache.ranger.service.XResourceService; -import org.apache.ranger.service.RangerTrxLogV2Service; import org.apache.ranger.util.RestUtil; -import org.apache.ranger.view.*; +import org.apache.ranger.view.VXAccessAuditList; +import org.apache.ranger.view.VXAsset; +import org.apache.ranger.view.VXAssetList; +import org.apache.ranger.view.VXCredentialStore; +import org.apache.ranger.view.VXCredentialStoreList; +import org.apache.ranger.view.VXLong; +import org.apache.ranger.view.VXPolicy; +import org.apache.ranger.view.VXPolicyExportAuditList; +import org.apache.ranger.view.VXResource; +import org.apache.ranger.view.VXResourceList; +import org.apache.ranger.view.VXResponse; +import org.apache.ranger.view.VXTrxLogList; +import org.apache.ranger.view.VXUgsyncAuditInfoList; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; 
@@ -77,6 +68,27 @@ import org.springframework.transaction.annotation.Propagation; import org.springframework.transaction.annotation.Transactional; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.ws.rs.Consumes; +import javax.ws.rs.DELETE; +import javax.ws.rs.Encoded; +import javax.ws.rs.GET; +import javax.ws.rs.POST; +import javax.ws.rs.PUT; +import javax.ws.rs.Path; +import javax.ws.rs.PathParam; +import javax.ws.rs.Produces; +import javax.ws.rs.QueryParam; +import javax.ws.rs.WebApplicationException; +import javax.ws.rs.core.Context; + +import java.text.SimpleDateFormat; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + import static org.apache.ranger.util.RestUtil.convertToTimeZone; @Path("assets") 
@@ -85,704 +97,589 @@ @RangerAnnotationJSMgrName("AssetMgr") @Transactional(propagation = Propagation.REQUIRES_NEW) public class AssetREST { - private static final Logger logger = LoggerFactory.getLogger(AssetREST.class); - - @Autowired - RangerSearchUtil searchUtil; - - @Autowired - AssetMgr assetMgr; - - @Autowired - XAssetService xAssetService; - - @Autowired - XResourceService xResourceService; - - @Autowired - XPolicyService xPolicyService; - - @Autowired - XCredentialStoreService xCredentialStoreService; - - @Autowired - RESTErrorUtil restErrorUtil; - - @Autowired - XPolicyExportAuditService xPolicyExportAudits; - - @Autowired - RangerTrxLogV2Service xTrxLogService; - - @Autowired - RangerBizUtil msBizUtil; - - @Autowired - XAccessAuditService xAccessAuditService; - - @Autowired - ServiceUtil serviceUtil; - - @Autowired - ServiceREST serviceREST; - - @Autowired - RangerDaoManager daoManager; - - @GET - @Path("/assets/{id}") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_ASSET + "\")") - public VXAsset getXAsset(@PathParam("id") Long id) { - if(logger.isDebugEnabled()) { - logger.debug("==> AssetREST.getXAsset(" + id + ")"); - } - - RangerService service = serviceREST.getService(id); - - VXAsset ret = serviceUtil.toVXAsset(service); - - if(logger.isDebugEnabled()) { - logger.debug("<== AssetREST.getXAsset(" + id + "): " + ret); - } - - return ret; - } - - @POST - @Path("/assets") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_ASSET + "\")") - public VXAsset createXAsset(VXAsset vXAsset) { - if(logger.isDebugEnabled()) { - logger.debug("==> AssetREST.createXAsset(" + vXAsset + ")"); - } - - RangerService service = serviceUtil.toRangerService(vXAsset); - - RangerService createdService = serviceREST.createService(service); - - VXAsset ret = 
serviceUtil.toVXAsset(createdService); - - if(logger.isDebugEnabled()) { - logger.debug("<== AssetREST.createXAsset(" + vXAsset + "): " + ret); - } - - return ret; - } - - @PUT - @Path("/assets/{id}") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_ASSET + "\")") - public VXAsset updateXAsset(VXAsset vXAsset) { - if(logger.isDebugEnabled()) { - logger.debug("==> AssetREST.updateXAsset(" + vXAsset + ")"); - } - - RangerService service = serviceUtil.toRangerService(vXAsset); - - RangerService updatedService = serviceREST.updateService(service, null); - - VXAsset ret = serviceUtil.toVXAsset(updatedService); - - if(logger.isDebugEnabled()) { - logger.debug("<== AssetREST.updateXAsset(" + vXAsset + "): " + ret); - } - - return ret; - } - - @DELETE - @Path("/assets/{id}") - @RangerAnnotationClassName(class_name = VXAsset.class) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_X_ASSET + "\")") - public void deleteXAsset(@PathParam("id") Long id, - @Context HttpServletRequest request) { - if(logger.isDebugEnabled()) { - logger.debug("==> AssetREST.deleteXAsset(" + id + ")"); - } - - serviceREST.deleteService(id); - - if(logger.isDebugEnabled()) { - logger.debug("<== AssetREST.deleteXAsset(" + id + ")"); - } - } - - @POST - @Path("/assets/testConfig") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.TEST_CONFIG + "\")") - public VXResponse configTest(VXAsset vXAsset) { - if(logger.isDebugEnabled()) { - logger.debug("==> AssetREST.configTest(" + vXAsset + ")"); - } - - RangerService service = serviceUtil.toRangerService(vXAsset); - - VXResponse ret = serviceREST.validateConfig(service); - - if(logger.isDebugEnabled()) { - logger.debug("<== AssetREST.testConfig(" + vXAsset + "): " + ret); - } - - return ret; - } - - 
@GET - @Path("/assets") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_ASSETS + "\")") - public VXAssetList searchXAssets(@Context HttpServletRequest request) { - if(logger.isDebugEnabled()) { - logger.debug("==> AssetREST.searchXAssets()"); - } - - VXAssetList ret = new VXAssetList(); - - SearchFilter filter = searchUtil.getSearchFilterFromLegacyRequestForRepositorySearch(request, xAssetService.sortFields); - - List services = serviceREST.getServices(filter); - - if(services != null) { - List assets = new ArrayList(); - for(RangerService service : services) { - VXAsset asset = serviceUtil.toVXAsset(service); - - if(asset != null) { - assets.add(asset); - } - } - - ret.setVXAssets(assets); - ret.setTotalCount(assets.size()); - ret.setResultSize(assets.size()); - } - - if(logger.isDebugEnabled()) { - logger.debug("<== AssetREST.searchXAssets(): count=" + ret.getListSize()); - } - - return ret; - } - - @GET - @Path("/assets/count") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_ASSETS + "\")") - public VXLong countXAssets(@Context HttpServletRequest request) { - if(logger.isDebugEnabled()) { - logger.debug("==> AssetREST.countXAssets()"); - } - - SearchFilter filter = searchUtil.getSearchFilterFromLegacyRequest(request, xResourceService.sortFields); - - filter.setMaxRows(Integer.MAX_VALUE); - - List services = serviceREST.getServices(filter); - int servicesCount = 0; - - if (services != null) { - for (RangerService service : services) { - VXAsset asset = serviceUtil.toVXAsset(service); - - if (asset != null) { - servicesCount++; - } - } - } - - VXLong ret = new VXLong(); - - ret.setValue(servicesCount); - - if(logger.isDebugEnabled()) { - logger.debug("<== AssetREST.countXAssets(): " + ret); - } - - return ret; - } - - @GET - @Path("/resources/{id}") - @Produces({ "application/json" }) - public VXResource 
getXResource(@PathParam("id") Long id) { - if(logger.isDebugEnabled()) { - logger.debug("==> AssetREST.getXResource(" + id + ")"); - } - - RangerPolicy policy = null; - RangerService service = null; - - policy = serviceREST.getPolicy(id); - - if(policy != null) { - service = serviceREST.getServiceByName(policy.getService()); - } - - VXResource ret = serviceUtil.toVXResource(policy, service); - - if(logger.isDebugEnabled()) { - logger.debug("<== AssetREST.getXResource(" + id + "): " + ret); - } - - return ret; - } - - @POST - @Path("/resources") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public VXResource createXResource(VXResource vXResource) { - if(logger.isDebugEnabled()) { - logger.debug("==> AssetREST.createXResource(" + vXResource + ")"); - } - - RangerService service = serviceREST.getService(vXResource.getAssetId()); - RangerPolicy policy = serviceUtil.toRangerPolicy(vXResource, service); - - RangerPolicy createdPolicy = serviceREST.createPolicy(policy, null); - - VXResource ret = serviceUtil.toVXResource(createdPolicy, service); - - if(logger.isDebugEnabled()) { - logger.debug("<== AssetREST.createXResource(" + vXResource + "): " + ret); - } - - return ret; - } - - @PUT - @Path("/resources/{id}") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public VXResource updateXResource(VXResource vXResource , @PathParam("id") Long id) { - if(logger.isDebugEnabled()) { - logger.debug("==> AssetREST.updateXResource(" + vXResource + ")"); - } - - // if vXResource.id is specified, it should be same as the param 'id' - if (vXResource.getId() == null) { - vXResource.setId(id); - } else if(!vXResource.getId().equals(id)) { - throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST , "resource Id mismatch", true); - } - - RangerService service = serviceREST.getService(vXResource.getAssetId()); - RangerPolicy policy = serviceUtil.toRangerPolicy(vXResource, service); + private static final Logger logger 
= LoggerFactory.getLogger(AssetREST.class); + + @Autowired + RangerSearchUtil searchUtil; + + @Autowired + AssetMgr assetMgr; + + @Autowired + XAssetService xAssetService; + + @Autowired + XResourceService xResourceService; + + @Autowired + XPolicyService xPolicyService; + + @Autowired + XCredentialStoreService xCredentialStoreService; + + @Autowired + RESTErrorUtil restErrorUtil; + + @Autowired + XPolicyExportAuditService xPolicyExportAudits; + + @Autowired + RangerTrxLogV2Service xTrxLogService; + + @Autowired + RangerBizUtil msBizUtil; + + @Autowired + XAccessAuditService xAccessAuditService; + + @Autowired + ServiceUtil serviceUtil; + + @Autowired + ServiceREST serviceREST; + + @Autowired + RangerDaoManager daoManager; + + @GET + @Path("/assets/{id}") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_ASSET + "\")") + public VXAsset getXAsset(@PathParam("id") Long id) { + logger.debug("==> AssetREST.getXAsset({})", id); + + RangerService service = serviceREST.getService(id); + VXAsset ret = serviceUtil.toVXAsset(service); + + logger.debug("<== AssetREST.getXAsset({}): {}", id, ret); + + return ret; + } + + @POST + @Path("/assets") + @Consumes("application/json") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_ASSET + "\")") + public VXAsset createXAsset(VXAsset vXAsset) { + logger.debug("==> AssetREST.createXAsset({})", vXAsset); + + RangerService service = serviceUtil.toRangerService(vXAsset); + RangerService createdService = serviceREST.createService(service); + VXAsset ret = serviceUtil.toVXAsset(createdService); + + logger.debug("<== AssetREST.createXAsset({}):{}", vXAsset, ret); + + return ret; + } + + @PUT + @Path("/assets/{id}") + @Consumes("application/json") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_ASSET + "\")") + public 
VXAsset updateXAsset(VXAsset vXAsset) { + logger.debug("==> AssetREST.updateXAsset({})", vXAsset); + + RangerService service = serviceUtil.toRangerService(vXAsset); + RangerService updatedService = serviceREST.updateService(service, null); + VXAsset ret = serviceUtil.toVXAsset(updatedService); + + logger.debug("<== AssetREST.updateXAsset({}):{}", vXAsset, ret); + + return ret; + } + + @DELETE + @Path("/assets/{id}") + @RangerAnnotationClassName(class_name = VXAsset.class) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_X_ASSET + "\")") + public void deleteXAsset(@PathParam("id") Long id, @Context HttpServletRequest request) { + logger.debug("==> AssetREST.deleteXAsset({})", id); + + serviceREST.deleteService(id); + + logger.debug("<== AssetREST.deleteXAsset({})", id); + } + + @POST + @Path("/assets/testConfig") + @Consumes("application/json") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.TEST_CONFIG + "\")") + public VXResponse configTest(VXAsset vXAsset) { + logger.debug("==> AssetREST.configTest({})", vXAsset); + + RangerService service = serviceUtil.toRangerService(vXAsset); + VXResponse ret = serviceREST.validateConfig(service); + + logger.debug("<== AssetREST.testConfig({}):{}", vXAsset, ret); + + return ret; + } + + @GET + @Path("/assets") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_ASSETS + "\")") + public VXAssetList searchXAssets(@Context HttpServletRequest request) { + logger.debug("==> AssetREST.searchXAssets()"); + + VXAssetList ret = new VXAssetList(); + SearchFilter filter = searchUtil.getSearchFilterFromLegacyRequestForRepositorySearch(request, xAssetService.sortFields); + List services = serviceREST.getServices(filter); + + if (services != null) { + List assets = new ArrayList<>(); + + for (RangerService service : services) { + VXAsset asset = 
serviceUtil.toVXAsset(service); + + if (asset != null) { + assets.add(asset); + } + } + + ret.setVXAssets(assets); + ret.setTotalCount(assets.size()); + ret.setResultSize(assets.size()); + } + + logger.debug("<== AssetREST.searchXAssets(): count={}", ret.getListSize()); + + return ret; + } + + @GET + @Path("/assets/count") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_ASSETS + "\")") + public VXLong countXAssets(@Context HttpServletRequest request) { + logger.debug("==> AssetREST.countXAssets()"); + + SearchFilter filter = searchUtil.getSearchFilterFromLegacyRequest(request, xResourceService.sortFields); + + filter.setMaxRows(Integer.MAX_VALUE); + + List services = serviceREST.getServices(filter); + int servicesCount = 0; + + if (services != null) { + for (RangerService service : services) { + VXAsset asset = serviceUtil.toVXAsset(service); + + if (asset != null) { + servicesCount++; + } + } + } + + VXLong ret = new VXLong(); + + ret.setValue(servicesCount); + + logger.debug("<== AssetREST.countXAssets(): {}", ret); + + return ret; + } + + @GET + @Path("/resources/{id}") + @Produces("application/json") + public VXResource getXResource(@PathParam("id") Long id) { + logger.debug("==> AssetREST.getXResource({})", id); + + RangerService service = null; + RangerPolicy policy = serviceREST.getPolicy(id); + + if (policy != null) { + service = serviceREST.getServiceByName(policy.getService()); + } + + VXResource ret = serviceUtil.toVXResource(policy, service); + + logger.debug("<== AssetREST.getXResource({}): {}", id, ret); + + return ret; + } + + @POST + @Path("/resources") + @Consumes("application/json") + @Produces("application/json") + public VXResource createXResource(VXResource vXResource) { + logger.debug("==> AssetREST.createXResource({})", vXResource); + + RangerService service = serviceREST.getService(vXResource.getAssetId()); + RangerPolicy policy = 
serviceUtil.toRangerPolicy(vXResource, service); + RangerPolicy createdPolicy = serviceREST.createPolicy(policy, null); + VXResource ret = serviceUtil.toVXResource(createdPolicy, service); + + logger.debug("<== AssetREST.createXResource({}): {}", vXResource, ret); + + return ret; + } + + @PUT + @Path("/resources/{id}") + @Consumes("application/json") + @Produces("application/json") + public VXResource updateXResource(VXResource vXResource, @PathParam("id") Long id) { + logger.debug("==> AssetREST.updateXResource({})", vXResource); + + // if vXResource.id is specified, it should be same as the param 'id' + if (vXResource.getId() == null) { + vXResource.setId(id); + } else if (!vXResource.getId().equals(id)) { + throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, "resource Id mismatch", true); + } + + RangerService service = serviceREST.getService(vXResource.getAssetId()); + RangerPolicy policy = serviceUtil.toRangerPolicy(vXResource, service); + RangerPolicy updatedPolicy = serviceREST.updatePolicy(policy, policy.getId()); + VXResource ret = serviceUtil.toVXResource(updatedPolicy, service); + + logger.debug("<== AssetREST.updateXResource({}): {}", vXResource, ret); + + return ret; + } + + @DELETE + @Path("/resources/{id}") + @RangerAnnotationClassName(class_name = VXResource.class) + public void deleteXResource(@PathParam("id") Long id, @Context HttpServletRequest request) { + logger.debug("==> AssetREST.deleteXResource({})", id); + + serviceREST.deletePolicy(id); + + logger.debug("<== AssetREST.deleteXResource({})", id); + } + + @GET + @Path("/resources") + @Produces("application/json") + public VXResourceList searchXResources(@Context HttpServletRequest request) { + logger.debug("==> AssetREST.searchXResources()"); + + VXResourceList ret = new VXResourceList(); + SearchFilter filter = searchUtil.getSearchFilterFromLegacyRequest(request, xResourceService.sortFields); + List policies = serviceREST.getPolicies(filter); + + if (policies != 
null) { + List resources = new ArrayList<>(); - RangerPolicy updatedPolicy = serviceREST.updatePolicy(policy, policy.getId()); - - VXResource ret = serviceUtil.toVXResource(updatedPolicy, service); + for (RangerPolicy policy : policies) { + RangerService service = serviceREST.getServiceByName(policy.getService()); + VXResource resource = serviceUtil.toVXResource(policy, service); - if(logger.isDebugEnabled()) { - logger.debug("<== AssetREST.updateXResource(" + vXResource + "): " + ret); - } + if (resource != null) { + resources.add(resource); + } + } - return ret; - } + ret.setVXResources(resources); + ret.setTotalCount(resources.size()); + ret.setResultSize(resources.size()); + } - @DELETE - @Path("/resources/{id}") - @RangerAnnotationClassName(class_name = VXResource.class) - public void deleteXResource(@PathParam("id") Long id, - @Context HttpServletRequest request) { - if(logger.isDebugEnabled()) { - logger.debug("==> AssetREST.deleteXResource(" + id + ")"); - } + logger.debug("<== AssetREST.searchXResources(): count={}", ret.getResultSize()); + + return ret; + } - serviceREST.deletePolicy(id); - - if(logger.isDebugEnabled()) { - logger.debug("<== AssetREST.deleteXResource(" + id + ")"); - } - } - - @GET - @Path("/resources") - @Produces({ "application/json" }) - public VXResourceList searchXResources(@Context HttpServletRequest request) { - if(logger.isDebugEnabled()) { - logger.debug("==> AssetREST.searchXResources()"); - } - - VXResourceList ret = new VXResourceList(); - - SearchFilter filter = searchUtil.getSearchFilterFromLegacyRequest(request, xResourceService.sortFields); - - List policies = serviceREST.getPolicies(filter); - - if(policies != null) { - List resources = new ArrayList(); - for(RangerPolicy policy : policies) { - RangerService service = serviceREST.getServiceByName(policy.getService()); - - VXResource resource = serviceUtil.toVXResource(policy, service); - - if(resource != null) { - resources.add(resource); - } - } - - 
ret.setVXResources(resources); - ret.setTotalCount(resources.size()); - ret.setResultSize(resources.size()); - } - - if(logger.isDebugEnabled()) { - logger.debug("<== AssetREST.searchXResources(): count=" + ret.getResultSize()); - } - - return ret; - } - - @GET - @Path("/resources/count") - @Produces({ "application/json" }) - public VXLong countXResources(@Context HttpServletRequest request) { - if(logger.isDebugEnabled()) { - logger.debug("==> AssetREST.countXResources()"); - } - - SearchFilter filter = searchUtil.getSearchFilterFromLegacyRequest(request, xResourceService.sortFields); - - filter.setMaxRows(Integer.MAX_VALUE); - - List policies = serviceREST.getPolicies(filter); - int policiesCount = 0; - - if (policies != null) { - Map services = new HashMap<>(); - - for (RangerPolicy policy : policies) { - RangerService service = services.get(policy.getService()); - - if (service == null) { - service = serviceREST.getServiceByName(policy.getService()); - - services.put(policy.getService(), service); - } - - VXResource resource = serviceUtil.toVXResource(policy, service); - - if (resource != null) { - policiesCount++; - } - } - } - - VXLong ret = new VXLong(); - - ret.setValue(policiesCount); - - if(logger.isDebugEnabled()) { - logger.debug("<== AssetREST.countXResources(): " + ret); - } - - return ret; - } - - @GET - @Path("/credstores/{id}") - @Produces({ "application/json" }) - public VXCredentialStore getXCredentialStore(@PathParam("id") Long id) { - return assetMgr.getXCredentialStore(id); - } - - @POST - @Path("/credstores") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public VXCredentialStore createXCredentialStore( - VXCredentialStore vXCredentialStore) { - return assetMgr.createXCredentialStore(vXCredentialStore); - } - - @PUT - @Path("/credstores") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public VXCredentialStore updateXCredentialStore( - VXCredentialStore vXCredentialStore) { - return 
assetMgr.updateXCredentialStore(vXCredentialStore); - } - - @DELETE - @Path("/credstores/{id}") - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - @RangerAnnotationClassName(class_name = VXCredentialStore.class) - public void deleteXCredentialStore(@PathParam("id") Long id, - @Context HttpServletRequest request) { - boolean force = false; - assetMgr.deleteXCredentialStore(id, force); - } - - @GET - @Path("/credstores") - @Produces({ "application/json" }) - public VXCredentialStoreList searchXCredentialStores( - @Context HttpServletRequest request) { - SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( - request, xCredentialStoreService.sortFields); - return assetMgr.searchXCredentialStores(searchCriteria); - } - - @GET - @Path("/credstores/count") - @Produces({ "application/json" }) - public VXLong countXCredentialStores(@Context HttpServletRequest request) { - SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( - request, xCredentialStoreService.sortFields); - return assetMgr.getXCredentialStoreSearchCount(searchCriteria); - } - - @GET - @Path("/exportAudit") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_POLICY_EXPORT_AUDITS + "\")") - public VXPolicyExportAuditList searchXPolicyExportAudits( - @Context HttpServletRequest request) { - - SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( - request, xPolicyExportAudits.sortFields); - searchUtil.extractString(request, searchCriteria, "agentId", - "The XA agent id pulling the policies.", - StringUtil.VALIDATION_TEXT); - searchUtil.extractString(request, searchCriteria, "clientIP", - "The XA agent ip pulling the policies.", - StringUtil.VALIDATION_TEXT); - searchUtil.extractString(request, searchCriteria, "repositoryName", - "Repository name for which export was done.", - StringUtil.VALIDATION_TEXT); - searchUtil.extractInt(request, searchCriteria, "httpRetCode", - "HTTP response code for 
exported policy."); - searchUtil.extractDate(request, searchCriteria, "startDate", - "Start Date", null); - searchUtil.extractDate(request, searchCriteria, "endDate", - "End Date", null); - searchUtil.extractString(request, searchCriteria, "cluster", - "Cluster Name", StringUtil.VALIDATION_TEXT); - searchUtil.extractString(request, searchCriteria, "zoneName", - "Zone Name", StringUtil.VALIDATION_TEXT); - return assetMgr.searchXPolicyExportAudits(searchCriteria); - } - - @GET - @Path("/report") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_REPORT_LOGS + "\")") - public VXTrxLogList getReportLogs(@Context HttpServletRequest request){ - - SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( - request, xTrxLogService.getSortFields()); - searchUtil.extractInt(request, searchCriteria, "objectClassType", "audit type."); - searchUtil.extractInt(request, searchCriteria, "objectId", "Object ID"); - searchUtil.extractString(request, searchCriteria, "attributeName", - "Attribute Name", StringUtil.VALIDATION_TEXT); - searchUtil.extractString(request, searchCriteria, "action", - "CRUD Action Type", StringUtil.VALIDATION_TEXT); - searchUtil.extractString(request, searchCriteria, "sessionId", - "Session Id", StringUtil.VALIDATION_TEXT); - searchUtil.extractString(request, searchCriteria, "owner", - "Owner", StringUtil.VALIDATION_TEXT); - searchUtil.extractDate(request, searchCriteria, "startDate", "Trasaction date since", "MM/dd/yyyy"); - searchUtil.extractDate(request, searchCriteria, "endDate", "Trasaction date till", "MM/dd/yyyy"); - return assetMgr.getReportLogs(searchCriteria); - } - - @GET - @Path("/report/{transactionId}") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_TRANSACTION_REPORT + "\")") - public VXTrxLogList getTransactionReport(@Context HttpServletRequest request, - @PathParam("transactionId") 
String transactionId){ - return assetMgr.getTransactionReport(transactionId); - } - - @GET - @Path("/accessAudit") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_ACCESS_LOGS + "\")") - public VXAccessAuditList getAccessLogs(@Context HttpServletRequest request, @QueryParam("timeZone") String timeZone){ - SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( - request, xAccessAuditService.sortFields); - searchUtil.extractString(request, searchCriteria, "accessType", - "Access Type", StringUtil.VALIDATION_TEXT); - searchUtil.extractString(request, searchCriteria, "aclEnforcer", - "Access Enforcer", StringUtil.VALIDATION_TEXT); - searchUtil.extractString(request, searchCriteria, "agentId", - "Application", StringUtil.VALIDATION_TEXT); - searchUtil.extractString(request, searchCriteria, "repoName", - "Service Name", StringUtil.VALIDATION_TEXT); - searchUtil.extractString(request, searchCriteria, "sessionId", - "Session ID", StringUtil.VALIDATION_TEXT); - searchUtil.extractStringList(request, searchCriteria, "requestUser", - "Users", "requestUser", null, StringUtil.VALIDATION_TEXT); - searchUtil.extractStringList(request, searchCriteria, "excludeUser", - "Exclude Users", "-requestUser", null, StringUtil.VALIDATION_TEXT); - searchUtil.extractString(request, searchCriteria, "requestData", - "Request Data", StringUtil.VALIDATION_TEXT); - searchUtil.extractString(request, searchCriteria, "resourcePath", - "Resource Name", StringUtil.VALIDATION_TEXT); - searchUtil.extractString(request, searchCriteria, "clientIP", - "Client IP", StringUtil.VALIDATION_TEXT); - searchUtil.extractString(request, searchCriteria, "resourceType", - "Resource Type", StringUtil.VALIDATION_TEXT); - searchUtil.extractString(request,searchCriteria,"excludeServiceUser", - "Exclude Service User",StringUtil.VALIDATION_TEXT); - - searchUtil.extractInt(request, searchCriteria, "auditType", "Audit Type"); - 
searchUtil.extractInt(request, searchCriteria, "accessResult", "Result"); - searchUtil.extractInt(request, searchCriteria, "assetId", "Asset ID"); - searchUtil.extractLong(request, searchCriteria, "policyId", "Policy ID"); - searchUtil.extractInt(request, searchCriteria, "repoType", "Service Type"); - - searchUtil.extractDate(request, searchCriteria, "startDate","Start Date", "MM/dd/yyyy"); - searchUtil.extractDate(request, searchCriteria, "endDate", "End Date", "MM/dd/yyyy"); - - searchUtil.extractString(request, searchCriteria, "tags", "tags", null); - searchUtil.extractString(request, searchCriteria, "cluster", "Cluster Name", StringUtil.VALIDATION_TEXT); - searchUtil.extractStringList(request, searchCriteria, "zoneName", "Zone Name List", "zoneName", null, null); - - searchUtil.extractString(request, searchCriteria, "agentHost", "Agent Host Name", StringUtil.VALIDATION_TEXT); - - searchUtil.extractString(request, searchCriteria, "eventId", "Event Id", null); - - boolean isKeyAdmin = msBizUtil.isKeyAdmin(); - boolean isAuditKeyAdmin = msBizUtil.isAuditKeyAdmin(); - XXServiceDef xxServiceDef = daoManager.getXXServiceDef().findByName(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_KMS_NAME); - if(isKeyAdmin && xxServiceDef != null || isAuditKeyAdmin && xxServiceDef != null){ - searchCriteria.getParamList().put("repoType", xxServiceDef.getId()); - } - else if (xxServiceDef != null) { - searchCriteria.getParamList().put("-repoType", xxServiceDef.getId()); - } - VXAccessAuditList vxAccessAuditList = assetMgr.getAccessLogs(searchCriteria); - - if (timeZone != null && !StringUtils.isBlank(timeZone)) { - vxAccessAuditList.getVXAccessAudits().forEach(vxAccessAudit -> { - String zonedEventTime = convertToTimeZone(vxAccessAudit.getEventTime(), timeZone); - if (zonedEventTime == null || zonedEventTime.isEmpty()) { - throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST , "Passed timeZone value is invalid", true); - } - 
vxAccessAudit.setZonedEventTime(zonedEventTime); - }); - } else { - vxAccessAuditList.getVXAccessAudits().forEach(vxAccessAudit -> { - vxAccessAudit.setZonedEventTime(new SimpleDateFormat(RestUtil.ZONED_EVENT_TIME_FORMAT).format(vxAccessAudit.getEventTime())); - }); - } - return vxAccessAuditList; - } - - @POST - @Path("/resources/grant") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public VXPolicy grantPermission(@Context HttpServletRequest request,VXPolicy vXPolicy) { - - RESTResponse ret = null; - - if(logger.isDebugEnabled()) { - logger.debug("==> AssetREST.grantPermission(" + vXPolicy + ")"); - } - - if ( vXPolicy != null) { - String serviceName = vXPolicy.getRepositoryName(); - GrantRevokeRequest grantRevokeRequest = serviceUtil.toGrantRevokeRequest(vXPolicy); - try { - ret = serviceREST.grantAccess(serviceName, grantRevokeRequest, request); - } catch(WebApplicationException excp) { - throw excp; - } catch (Throwable e) { - logger.error( HttpServletResponse.SC_BAD_REQUEST + "Grant Access Failed for the request " + vXPolicy, e); - throw restErrorUtil.createRESTException("Grant Access Failed for the request: " + vXPolicy + ". " + e.getMessage()); - } - } else { - logger.error( HttpServletResponse.SC_BAD_REQUEST + "Bad Request parameter"); - throw restErrorUtil.createRESTException("Bad Request parameter"); - } - - if(logger.isDebugEnabled()) { - logger.debug("<== AssetREST.grantPermission(" + ret + ")"); - } - - // TO DO Current Grant REST doesn't return a policy so returning a null value. Has to be replace with VXpolicy. 
- return vXPolicy; - } - - @POST - @Path("/resources/revoke") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public VXPolicy revokePermission(@Context HttpServletRequest request,VXPolicy vXPolicy) { - - RESTResponse ret = null; - - if(logger.isDebugEnabled()) { - logger.debug("==> AssetREST.revokePermission(" + vXPolicy + ")"); - } - - if ( vXPolicy != null) { - String serviceName = vXPolicy.getRepositoryName(); - GrantRevokeRequest grantRevokeRequest = serviceUtil.toGrantRevokeRequest(vXPolicy); - try { - ret = serviceREST.revokeAccess(serviceName, grantRevokeRequest, request); - } catch(WebApplicationException excp) { - throw excp; - } catch (Throwable e) { - logger.error( HttpServletResponse.SC_BAD_REQUEST + "Revoke Access Failed for the request " + vXPolicy, e); - throw restErrorUtil.createRESTException("Revoke Access Failed for the request: " + vXPolicy + ". " + e.getMessage()); - } - } else { - logger.error( HttpServletResponse.SC_BAD_REQUEST + "Bad Request parameter"); - throw restErrorUtil.createRESTException("Bad Request parameter"); - } - - if(logger.isDebugEnabled()) { - logger.debug("<== AssetREST.revokePermission(" + ret + ")"); - } - return vXPolicy; - } - - @GET - @Path("/ugsyncAudits") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_UGSYNC_AUDITS + "\")") - public VXUgsyncAuditInfoList getUgsyncAudits(@Context HttpServletRequest request){ - - SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( - request, xAccessAuditService.sortFields); - searchUtil.extractString(request, searchCriteria, "userName", - "User Name", StringUtil.VALIDATION_TEXT); - searchUtil.extractString(request, searchCriteria, "sessionId", - "Session Id", StringUtil.VALIDATION_TEXT); - searchUtil.extractString(request, searchCriteria, "syncSource", - "Sync Source", StringUtil.VALIDATION_TEXT); - searchUtil.extractString(request, searchCriteria, "syncSourceInfo", - 
"Sync Source Info", StringUtil.VALIDATION_TEXT); - searchUtil.extractLong(request, searchCriteria, "noOfUsers", "No of Users"); - searchUtil.extractLong(request, searchCriteria, "noOfGroups", "No of Groups"); - - searchUtil.extractDate(request, searchCriteria, "startDate", - "Start Date", "MM/dd/yyyy"); - searchUtil.extractDate(request, searchCriteria, "endDate", "End Date", - "MM/dd/yyyy"); - return assetMgr.getUgsyncAudits(searchCriteria); - } - - @GET - @Path("/ugsyncAudits/{syncSource}") - @Encoded - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_UGSYNC_AUDITS_BY_SYNCSOURCE + "\")") - public VXUgsyncAuditInfoList getUgsyncAuditsBySyncSource(@PathParam("syncSource") String syncSource){ - VXUgsyncAuditInfoList vxUgsyncAuditInfoList = new VXUgsyncAuditInfoList(); - vxUgsyncAuditInfoList = assetMgr.getUgsyncAuditsBySyncSource(syncSource); - return vxUgsyncAuditInfoList; - } + @GET + @Path("/resources/count") + @Produces("application/json") + public VXLong countXResources(@Context HttpServletRequest request) { + logger.debug("==> AssetREST.countXResources()"); + + SearchFilter filter = searchUtil.getSearchFilterFromLegacyRequest(request, xResourceService.sortFields); + + filter.setMaxRows(Integer.MAX_VALUE); + + List policies = serviceREST.getPolicies(filter); + int policiesCount = 0; + + if (policies != null) { + Map services = new HashMap<>(); + + for (RangerPolicy policy : policies) { + RangerService service = services.get(policy.getService()); + + if (service == null) { + service = serviceREST.getServiceByName(policy.getService()); + + services.put(policy.getService(), service); + } + + VXResource resource = serviceUtil.toVXResource(policy, service); + + if (resource != null) { + policiesCount++; + } + } + } + + VXLong ret = new VXLong(); + + ret.setValue(policiesCount); + + logger.debug("<== AssetREST.countXResources(): {}", ret); + + return ret; + } + + @GET + @Path("/credstores/{id}") + 
@Produces("application/json") + public VXCredentialStore getXCredentialStore(@PathParam("id") Long id) { + return assetMgr.getXCredentialStore(id); + } + + @POST + @Path("/credstores") + @Consumes("application/json") + @Produces("application/json") + public VXCredentialStore createXCredentialStore(VXCredentialStore vXCredentialStore) { + return assetMgr.createXCredentialStore(vXCredentialStore); + } + + @PUT + @Path("/credstores") + @Consumes("application/json") + @Produces("application/json") + public VXCredentialStore updateXCredentialStore(VXCredentialStore vXCredentialStore) { + return assetMgr.updateXCredentialStore(vXCredentialStore); + } + + @DELETE + @Path("/credstores/{id}") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + @RangerAnnotationClassName(class_name = VXCredentialStore.class) + public void deleteXCredentialStore(@PathParam("id") Long id, @Context HttpServletRequest request) { + boolean force = false; + + assetMgr.deleteXCredentialStore(id, force); + } + + @GET + @Path("/credstores") + @Produces("application/json") + public VXCredentialStoreList searchXCredentialStores(@Context HttpServletRequest request) { + SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(request, xCredentialStoreService.sortFields); + + return assetMgr.searchXCredentialStores(searchCriteria); + } + + @GET + @Path("/credstores/count") + @Produces("application/json") + public VXLong countXCredentialStores(@Context HttpServletRequest request) { + SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(request, xCredentialStoreService.sortFields); + + return assetMgr.getXCredentialStoreSearchCount(searchCriteria); + } + + @GET + @Path("/exportAudit") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_POLICY_EXPORT_AUDITS + "\")") + public VXPolicyExportAuditList searchXPolicyExportAudits(@Context HttpServletRequest request) { + SearchCriteria searchCriteria = 
searchUtil.extractCommonCriterias(request, xPolicyExportAudits.sortFields); + + searchUtil.extractString(request, searchCriteria, "agentId", "The XA agent id pulling the policies.", StringUtil.VALIDATION_TEXT); + searchUtil.extractString(request, searchCriteria, "clientIP", "The XA agent ip pulling the policies.", StringUtil.VALIDATION_TEXT); + searchUtil.extractString(request, searchCriteria, "repositoryName", "Repository name for which export was done.", StringUtil.VALIDATION_TEXT); + searchUtil.extractInt(request, searchCriteria, "httpRetCode", "HTTP response code for exported policy."); + searchUtil.extractDate(request, searchCriteria, "startDate", "Start Date", null); + searchUtil.extractDate(request, searchCriteria, "endDate", "End Date", null); + searchUtil.extractString(request, searchCriteria, "cluster", "Cluster Name", StringUtil.VALIDATION_TEXT); + searchUtil.extractString(request, searchCriteria, "zoneName", "Zone Name", StringUtil.VALIDATION_TEXT); + + return assetMgr.searchXPolicyExportAudits(searchCriteria); + } + + @GET + @Path("/report") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_REPORT_LOGS + "\")") + public VXTrxLogList getReportLogs(@Context HttpServletRequest request) { + SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(request, xTrxLogService.getSortFields()); + + searchUtil.extractInt(request, searchCriteria, "objectClassType", "audit type."); + searchUtil.extractInt(request, searchCriteria, "objectId", "Object ID"); + searchUtil.extractString(request, searchCriteria, "attributeName", "Attribute Name", StringUtil.VALIDATION_TEXT); + searchUtil.extractString(request, searchCriteria, "action", "CRUD Action Type", StringUtil.VALIDATION_TEXT); + searchUtil.extractString(request, searchCriteria, "sessionId", "Session Id", StringUtil.VALIDATION_TEXT); + searchUtil.extractString(request, searchCriteria, "owner", "Owner", StringUtil.VALIDATION_TEXT); + 
searchUtil.extractDate(request, searchCriteria, "startDate", "Trasaction date since", "MM/dd/yyyy"); + searchUtil.extractDate(request, searchCriteria, "endDate", "Trasaction date till", "MM/dd/yyyy"); + + return assetMgr.getReportLogs(searchCriteria); + } + + @GET + @Path("/report/{transactionId}") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_TRANSACTION_REPORT + "\")") + public VXTrxLogList getTransactionReport(@Context HttpServletRequest request, @PathParam("transactionId") String transactionId) { + return assetMgr.getTransactionReport(transactionId); + } + + @GET + @Path("/accessAudit") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_ACCESS_LOGS + "\")") + public VXAccessAuditList getAccessLogs(@Context HttpServletRequest request, @QueryParam("timeZone") String timeZone) { + SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(request, xAccessAuditService.sortFields); + + searchUtil.extractString(request, searchCriteria, "accessType", "Access Type", StringUtil.VALIDATION_TEXT); + searchUtil.extractString(request, searchCriteria, "aclEnforcer", "Access Enforcer", StringUtil.VALIDATION_TEXT); + searchUtil.extractString(request, searchCriteria, "agentId", "Application", StringUtil.VALIDATION_TEXT); + searchUtil.extractString(request, searchCriteria, "repoName", "Service Name", StringUtil.VALIDATION_TEXT); + searchUtil.extractString(request, searchCriteria, "sessionId", "Session ID", StringUtil.VALIDATION_TEXT); + searchUtil.extractStringList(request, searchCriteria, "requestUser", "Users", "requestUser", null, StringUtil.VALIDATION_TEXT); + searchUtil.extractStringList(request, searchCriteria, "excludeUser", "Exclude Users", "-requestUser", null, StringUtil.VALIDATION_TEXT); + searchUtil.extractString(request, searchCriteria, "requestData", "Request Data", StringUtil.VALIDATION_TEXT); + 
searchUtil.extractString(request, searchCriteria, "resourcePath", "Resource Name", StringUtil.VALIDATION_TEXT); + searchUtil.extractString(request, searchCriteria, "clientIP", "Client IP", StringUtil.VALIDATION_TEXT); + searchUtil.extractString(request, searchCriteria, "resourceType", "Resource Type", StringUtil.VALIDATION_TEXT); + searchUtil.extractString(request, searchCriteria, "excludeServiceUser", "Exclude Service User", StringUtil.VALIDATION_TEXT); + + searchUtil.extractInt(request, searchCriteria, "auditType", "Audit Type"); + searchUtil.extractInt(request, searchCriteria, "accessResult", "Result"); + searchUtil.extractInt(request, searchCriteria, "assetId", "Asset ID"); + searchUtil.extractLong(request, searchCriteria, "policyId", "Policy ID"); + searchUtil.extractInt(request, searchCriteria, "repoType", "Service Type"); + searchUtil.extractDate(request, searchCriteria, "startDate", "Start Date", "MM/dd/yyyy"); + searchUtil.extractDate(request, searchCriteria, "endDate", "End Date", "MM/dd/yyyy"); + searchUtil.extractString(request, searchCriteria, "tags", "tags", null); + searchUtil.extractString(request, searchCriteria, "cluster", "Cluster Name", StringUtil.VALIDATION_TEXT); + searchUtil.extractStringList(request, searchCriteria, "zoneName", "Zone Name List", "zoneName", null, null); + searchUtil.extractString(request, searchCriteria, "agentHost", "Agent Host Name", StringUtil.VALIDATION_TEXT); + searchUtil.extractString(request, searchCriteria, "eventId", "Event Id", null); + + boolean isKeyAdmin = msBizUtil.isKeyAdmin(); + boolean isAuditKeyAdmin = msBizUtil.isAuditKeyAdmin(); + XXServiceDef xxServiceDef = daoManager.getXXServiceDef().findByName(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_KMS_NAME); + + if (isKeyAdmin && xxServiceDef != null || isAuditKeyAdmin && xxServiceDef != null) { + searchCriteria.getParamList().put("repoType", xxServiceDef.getId()); + } else if (xxServiceDef != null) { + searchCriteria.getParamList().put("-repoType", 
xxServiceDef.getId()); + } + + VXAccessAuditList vxAccessAuditList = assetMgr.getAccessLogs(searchCriteria); + + if (timeZone != null && !StringUtils.isBlank(timeZone)) { + vxAccessAuditList.getVXAccessAudits().forEach(vxAccessAudit -> { + String zonedEventTime = convertToTimeZone(vxAccessAudit.getEventTime(), timeZone); + + if (zonedEventTime == null || zonedEventTime.isEmpty()) { + throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, "Passed timeZone value is invalid", true); + } + + vxAccessAudit.setZonedEventTime(zonedEventTime); + }); + } else { + vxAccessAuditList.getVXAccessAudits().forEach(vxAccessAudit -> vxAccessAudit.setZonedEventTime(new SimpleDateFormat(RestUtil.ZONED_EVENT_TIME_FORMAT).format(vxAccessAudit.getEventTime()))); + } + + return vxAccessAuditList; + } + + @POST + @Path("/resources/grant") + @Consumes("application/json") + @Produces("application/json") + public VXPolicy grantPermission(@Context HttpServletRequest request, VXPolicy vXPolicy) { + RESTResponse ret; + + logger.debug("==> AssetREST.grantPermission({})", vXPolicy); + + if (vXPolicy != null) { + String serviceName = vXPolicy.getRepositoryName(); + GrantRevokeRequest grantRevokeRequest = serviceUtil.toGrantRevokeRequest(vXPolicy); + + try { + ret = serviceREST.grantAccess(serviceName, grantRevokeRequest, request); + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable e) { + logger.error("{} Grant Access Failed for the request {}", HttpServletResponse.SC_BAD_REQUEST, vXPolicy, e); + + throw restErrorUtil.createRESTException("Grant Access Failed for the request: " + vXPolicy + ". " + e.getMessage()); + } + } else { + logger.error("{} Bad Request parameter", HttpServletResponse.SC_BAD_REQUEST); + + throw restErrorUtil.createRESTException("Bad Request parameter"); + } + + logger.debug("<== AssetREST.grantPermission({})", ret); + + // TO DO Current Grant REST doesn't return a policy so returning a null value. Has to be replace with VXpolicy. 
+ return vXPolicy; + } + + @POST + @Path("/resources/revoke") + @Consumes("application/json") + @Produces("application/json") + public VXPolicy revokePermission(@Context HttpServletRequest request, VXPolicy vXPolicy) { + RESTResponse ret; + + logger.debug("==> AssetREST.revokePermission({})", vXPolicy); + + if (vXPolicy != null) { + String serviceName = vXPolicy.getRepositoryName(); + GrantRevokeRequest grantRevokeRequest = serviceUtil.toGrantRevokeRequest(vXPolicy); + + try { + ret = serviceREST.revokeAccess(serviceName, grantRevokeRequest, request); + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable e) { + logger.error("{} Revoke Access Failed for the request {}", HttpServletResponse.SC_BAD_REQUEST, vXPolicy, e); + + throw restErrorUtil.createRESTException("Revoke Access Failed for the request: " + vXPolicy + ". " + e.getMessage()); + } + } else { + logger.error("{} Bad Request parameter", HttpServletResponse.SC_BAD_REQUEST); + + throw restErrorUtil.createRESTException("Bad Request parameter"); + } + + logger.debug("<== AssetREST.revokePermission({})", ret); + + return vXPolicy; + } + + @GET + @Path("/ugsyncAudits") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_UGSYNC_AUDITS + "\")") + public VXUgsyncAuditInfoList getUgsyncAudits(@Context HttpServletRequest request) { + SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(request, xAccessAuditService.sortFields); + + searchUtil.extractString(request, searchCriteria, "userName", "User Name", StringUtil.VALIDATION_TEXT); + searchUtil.extractString(request, searchCriteria, "sessionId", "Session Id", StringUtil.VALIDATION_TEXT); + searchUtil.extractString(request, searchCriteria, "syncSource", "Sync Source", StringUtil.VALIDATION_TEXT); + searchUtil.extractString(request, searchCriteria, "syncSourceInfo", "Sync Source Info", StringUtil.VALIDATION_TEXT); + searchUtil.extractLong(request, searchCriteria, 
"noOfUsers", "No of Users"); + searchUtil.extractLong(request, searchCriteria, "noOfGroups", "No of Groups"); + searchUtil.extractDate(request, searchCriteria, "startDate", "Start Date", "MM/dd/yyyy"); + searchUtil.extractDate(request, searchCriteria, "endDate", "End Date", "MM/dd/yyyy"); + + return assetMgr.getUgsyncAudits(searchCriteria); + } + + @GET + @Path("/ugsyncAudits/{syncSource}") + @Encoded + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_UGSYNC_AUDITS_BY_SYNCSOURCE + "\")") + public VXUgsyncAuditInfoList getUgsyncAuditsBySyncSource(@PathParam("syncSource") String syncSource) { + return assetMgr.getUgsyncAuditsBySyncSource(syncSource); + } } diff --git a/security-admin/src/main/java/org/apache/ranger/rest/GdsREST.java b/security-admin/src/main/java/org/apache/ranger/rest/GdsREST.java index 87eb6ea4d0..0d3ef3d767 100755 --- a/security-admin/src/main/java/org/apache/ranger/rest/GdsREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/GdsREST.java @@ -20,7 +20,6 @@ package org.apache.ranger.rest; import org.apache.commons.collections4.CollectionUtils; -import java.util.function.Predicate; import org.apache.commons.lang.ArrayUtils; import org.apache.commons.lang.StringUtils; import org.apache.hadoop.thirdparty.com.google.common.annotations.VisibleForTesting; 
@@ -34,17 +33,16 @@ import org.apache.ranger.common.RangerSearchUtil; import org.apache.ranger.common.ServiceUtil; import org.apache.ranger.plugin.model.RangerGds; -import org.apache.ranger.plugin.model.RangerGds.DatasetSummary; -import org.apache.ranger.plugin.model.RangerGds.DataShareSummary; import org.apache.ranger.plugin.model.RangerGds.DataShareInDatasetSummary; +import org.apache.ranger.plugin.model.RangerGds.DataShareSummary; +import org.apache.ranger.plugin.model.RangerGds.DatasetSummary; +import org.apache.ranger.plugin.model.RangerGds.RangerDataShare; +import org.apache.ranger.plugin.model.RangerGds.RangerDataShareInDataset; import org.apache.ranger.plugin.model.RangerGds.RangerDataset; import org.apache.ranger.plugin.model.RangerGds.RangerDatasetInProject; -import org.apache.ranger.plugin.model.RangerGds.RangerDataShareInDataset; -import org.apache.ranger.plugin.model.RangerGds.RangerDataShare; import org.apache.ranger.plugin.model.RangerGds.RangerProject; import org.apache.ranger.plugin.model.RangerGds.RangerSharedResource; import org.apache.ranger.plugin.model.RangerGrant; - import org.apache.ranger.plugin.model.RangerPluginInfo; import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem; 
@@ -61,13 +59,12 @@ import org.apache.ranger.plugin.util.SearchFilter; import org.apache.ranger.plugin.util.ServiceGdsInfo; import org.apache.ranger.security.context.RangerAPIList; -import org.apache.ranger.service.RangerGdsDatasetInProjectService; import org.apache.ranger.service.RangerGdsDataShareInDatasetService; import org.apache.ranger.service.RangerGdsDataShareService; +import org.apache.ranger.service.RangerGdsDatasetInProjectService; import org.apache.ranger.service.RangerGdsDatasetService; import org.apache.ranger.service.RangerGdsProjectService; import org.apache.ranger.service.RangerGdsSharedResourceService; - import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; @@ -79,8 +76,19 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import javax.ws.rs.*; +import javax.ws.rs.Consumes; +import javax.ws.rs.DELETE; +import javax.ws.rs.DefaultValue; +import javax.ws.rs.GET; +import javax.ws.rs.POST; +import javax.ws.rs.PUT; +import javax.ws.rs.Path; +import javax.ws.rs.PathParam; +import javax.ws.rs.Produces; +import javax.ws.rs.QueryParam; +import javax.ws.rs.WebApplicationException; import javax.ws.rs.core.Context; + import java.util.ArrayList; import java.util.Arrays; import java.util.Collections; @@ -89,6 +97,7 @@ import java.util.List; import java.util.Map; import java.util.Set; +import java.util.function.Predicate; import java.util.stream.Collectors; @Path("gds") 
@@ -99,20 +108,15 @@ public class GdsREST { private static final Logger LOG = LoggerFactory.getLogger(GdsREST.class); private static final Logger PERF_LOG = RangerPerfTracer.getPerfLogger("rest.GdsREST"); - private final RangerAdminConfig config = RangerAdminConfig.getInstance(); - - private final int SHARED_RESOURCES_MAX_BATCH_SIZE = config.getInt("ranger.admin.rest.gds.shared.resources.max.batch.size", 100); - - private static final String PRINCIPAL_TYPE_USER = RangerPrincipal.PrincipalType.USER.name().toLowerCase(); - - private static final String PRINCIPAL_TYPE_GROUP = RangerPrincipal.PrincipalType.GROUP.name().toLowerCase(); - - private static final String PRINCIPAL_TYPE_ROLE = RangerPrincipal.PrincipalType.ROLE.name().toLowerCase(); - - private static final String DEFAULT_PRINCIPAL_TYPE = PRINCIPAL_TYPE_USER; - public static final String GDS_POLICY_EXPR_CONDITION = "expression"; + private static final String PRINCIPAL_TYPE_USER = RangerPrincipal.PrincipalType.USER.name().toLowerCase(); + private static final String PRINCIPAL_TYPE_GROUP = RangerPrincipal.PrincipalType.GROUP.name().toLowerCase(); + private static final String PRINCIPAL_TYPE_ROLE = RangerPrincipal.PrincipalType.ROLE.name().toLowerCase(); + private static final String DEFAULT_PRINCIPAL_TYPE = PRINCIPAL_TYPE_USER; + private static final RangerAdminConfig config = RangerAdminConfig.getInstance(); + private static final int SHARED_RESOURCES_MAX_BATCH_SIZE = config.getInt("ranger.admin.rest.gds.shared.resources.max.batch.size", 100); + @Autowired GdsDBStore gdsStore; 
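Review bot: `config` becomes a `static final` field in this hunk but keeps its lowerCamelCase name, while every other static final in the same block (`PRINCIPAL_TYPE_USER`, `DEFAULT_PRINCIPAL_TYPE`, `SHARED_RESOURCES_MAX_BATCH_SIZE`) is UPPER_SNAKE_CASE; rename it to match, `private static final RangerAdminConfig CONFIG = RangerAdminConfig.getInstance();`, and update the single reference on the following line to `CONFIG.getInt("ranger.admin.rest.gds.shared.resources.max.batch.size", 100)`. Making both fields static also moves the `RangerAdminConfig.getInstance()` and `getInt(...)` calls from bean construction to class initialization, so if the admin configuration is not fully loaded when GdsREST is first loaded, the batch size would silently freeze at the default of 100 for the lifetime of the process; this is inferred from the field order alone and is worth confirming against how RangerAdminConfig is initialized. A short comment on the constant would help future readers, e.g. `// resolved once at class load; the property cannot be changed without a restart`. The enclosing class GdsREST starts and ends outside this hunk.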
@@ -152,11 +156,10 @@ public class GdsREST { @Autowired AssetMgr assetMgr; - @POST @Path("/dataset") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) + @Consumes("application/json") + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_DATASET + "\")") public RangerDataset createDataset(RangerDataset dataset) { LOG.debug("==> GdsREST.createDataset({})", dataset); @@ -165,14 +168,14 @@ public RangerDataset createDataset(RangerDataset dataset) { RangerPerfTracer perf = null; try { - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.createDataset(datasetName=" + dataset.getName() + ")"); } ret = gdsStore.createDataset(dataset); - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("createDataset({}) failed", dataset, excp); throw restErrorUtil.createRESTException(excp.getMessage()); 
@@ -187,32 +190,37 @@ public RangerDataset createDataset(RangerDataset dataset) { @POST @Path("/dataset/{id}/resources/{serviceName}") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) + @Consumes("application/json") + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.ADD_SHARED_RESOURCES + "\")") - public List addDatasetResources(@PathParam("id") Long datasetId, - @PathParam("serviceName") String serviceName, - @QueryParam("zoneName") @DefaultValue("") String zoneName, - List resources) { + public List addDatasetResources(@PathParam("id") Long datasetId, @PathParam("serviceName") String serviceName, @QueryParam("zoneName") @DefaultValue("") String zoneName, List resources) { LOG.debug("==> GdsREST.addDatasetResources(datasetId={} serviceName={} zoneNam={} resources={})", datasetId, serviceName, zoneName, resources); List ret = new ArrayList<>(); RangerPerfTracer perf = null; try { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.addDatasetResources(datasetId=" + datasetId + ")"); + } + Long serviceId = validateAndGetServiceId(serviceName); Long zoneId = validateAndGetZoneId(zoneName); Long dataShareId = getOrCreateDataShare(datasetId, serviceId, zoneId, serviceName); + // Add resources to DataShare for (RangerSharedResource resource : resources) { resource.setDataShareId(dataShareId); + RangerSharedResource rangerSharedResource = addSharedResource(resource); + ret.add(rangerSharedResource); } - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("GdsREST.addDatasetResources(datasetId={} serviceName={} zoneName={} resources={}) failed!", datasetId, serviceName, zoneName, resources, excp); + throw restErrorUtil.createRESTException(excp.getMessage()); } finally { RangerPerfTracer.log(perf); 
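Review bot: The request body `resources` is iterated with `for (RangerSharedResource resource : resources)` without a null or empty check, so a request with no body reaches the loop after the data share has already been created by `getOrCreateDataShare(...)` and fails with a NullPointerException that the `catch (Throwable excp)` branch turns into a REST error carrying a null message; the sibling `addDataSharesInDataset` in this file guards its list with `CollectionUtils.isNotEmpty(...)`. A guard placed before the `getOrCreateDataShare` call keeps the two endpoints consistent and avoids the side effect, e.g. `if (CollectionUtils.isEmpty(resources)) { throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, "no resources to add to dataset id=" + datasetId, false); }`, using the three-argument `createRESTException` form already used by `getDataset`. It is not visible in this hunk whether `SHARED_RESOURCES_MAX_BATCH_SIZE` from the field block is enforced somewhere on this path; if it is only applied inside `addSharedResource`, a size check at the same spot would make the limit explicit at the API boundary. The method's trailing `LOG.debug` and `return ret` lie outside the hunk.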
@@ -225,8 +233,8 @@ public List addDatasetResources(@PathParam("id") Long data @POST @Path("/dataset/{id}/datashare") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) + @Consumes("application/json") + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.ADD_DATASHARE_IN_DATASET + "\")") public List addDataSharesInDataset(@PathParam("id") Long datasetId, List dataSharesInDataset) { LOG.debug("==> GdsREST.addDataSharesInDataset({}, {})", datasetId, dataSharesInDataset); @@ -236,7 +244,7 @@ public List addDataSharesInDataset(@PathParam("id") Lo try { if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { - perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.addDataSharesInDataset(" + datasetId + ")"); + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.addDataSharesInDataset(" + datasetId + ")"); } if (CollectionUtils.isNotEmpty(dataSharesInDataset)) { @@ -252,9 +260,9 @@ public List addDataSharesInDataset(@PathParam("id") Lo } ret = gdsStore.addDataSharesInDataset(dataSharesInDataset); - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("addDataShareInDataset({}) failed", datasetId, excp); throw restErrorUtil.createRESTException(excp.getMessage()); @@ -269,8 +277,8 @@ public List addDataSharesInDataset(@PathParam("id") Lo @PUT @Path("/dataset/{id}") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) + @Consumes("application/json") + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_DATASET + "\")") public RangerDataset updateDataset(@PathParam("id") Long datasetId, RangerDataset dataset) { LOG.debug("==> GdsREST.updateDataset({}, {})", datasetId, dataset); 
@@ -279,16 +287,16 @@ public RangerDataset updateDataset(@PathParam("id") Long datasetId, RangerDatase RangerPerfTracer perf = null; try { - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.updateDataset(datasetId=" + datasetId + ", datasetName=" + dataset.getName() + ")"); } dataset.setId(datasetId); ret = gdsStore.updateDataset(dataset); - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("updateDataset({}, {}) failed", datasetId, dataset, excp); throw restErrorUtil.createRESTException(excp.getMessage()); @@ -303,7 +311,7 @@ public RangerDataset updateDataset(@PathParam("id") Long datasetId, RangerDatase @DELETE @Path("/dataset/{id}") - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_DATASET + "\")") public void deleteDataset(@PathParam("id") Long datasetId, @Context HttpServletRequest request) { LOG.debug("==> deleteDataset({})", datasetId); @@ -311,16 +319,16 @@ public void deleteDataset(@PathParam("id") Long datasetId, @Context HttpServletR RangerPerfTracer perf = null; try { - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.deleteDataset(datasetId=" + datasetId + ")"); } boolean forceDelete = Boolean.parseBoolean(request.getParameter("forceDelete")); gdsStore.deleteDataset(datasetId, forceDelete); - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("deleteDataset({}) failed", datasetId, excp); throw restErrorUtil.createRESTException(excp.getMessage()); 
@@ -333,7 +341,7 @@ public void deleteDataset(@PathParam("id") Long datasetId, @Context HttpServletR @GET @Path("/dataset/{id}") - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_DATASET + "\")") public RangerDataset getDataset(@PathParam("id") Long datasetId) { LOG.debug("==> GdsREST.getDataset({})", datasetId); @@ -342,7 +350,7 @@ public RangerDataset getDataset(@PathParam("id") Long datasetId) { RangerPerfTracer perf = null; try { - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.getDataset(datasetId=" + datasetId + ")"); } @@ -351,9 +359,9 @@ public RangerDataset getDataset(@PathParam("id") Long datasetId) { if (ret == null) { throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "no dataset with id=" + datasetId, false); } - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("getDataset({}) failed", datasetId, excp); throw restErrorUtil.createRESTException(excp.getMessage()); @@ -368,7 +376,7 @@ public RangerDataset getDataset(@PathParam("id") Long datasetId) { @GET @Path("/dataset") - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_DATASETS + "\")") public PList searchDatasets(@Context HttpServletRequest request) { LOG.debug("==> GdsREST.searchDatasets()"); @@ -378,7 +386,7 @@ public PList searchDatasets(@Context HttpServletRequest request) SearchFilter filter = null; try { - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.searchDatasets()"); } 
@@ -388,9 +396,9 @@ public PList searchDatasets(@Context HttpServletRequest request) searchUtil.extractStringList(request, filter, SearchFilter.DATASET_KEYWORD, "Dataset Keyword List", "datasetKeywords", null, null); ret = gdsStore.searchDatasets(filter); - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("searchDatasets({}) failed", filter, excp); throw restErrorUtil.createRESTException(excp.getMessage()); @@ -405,7 +413,7 @@ public PList searchDatasets(@Context HttpServletRequest request) @GET @Path("/dataset/names") - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.LIST_DATASET_NAMES + "\")") public PList listDatasetNames(@Context HttpServletRequest request) { LOG.debug("==> GdsREST.listDatasetNames()"); @@ -418,9 +426,9 @@ public PList listDatasetNames(@Context HttpServletRequest request) { filter = searchUtil.getSearchFilter(request, datasetService.sortFields); ret = gdsStore.getDatasetNames(filter); - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("listDatasetNames({}) failed", filter, excp); throw restErrorUtil.createRESTException(excp.getMessage()); @@ -435,7 +443,7 @@ public PList listDatasetNames(@Context HttpServletRequest request) { @GET @Path("/dataset/summary") - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_DATASET_SUMMARY + "\")") public PList getDatasetSummary(@Context HttpServletRequest request) { LOG.debug("==> GdsREST.getDatasetSummary()"); 
@@ -465,8 +473,8 @@ public PList getDatasetSummary(@Context HttpServletRequest reque @POST @Path(("/dataset/{id}/policy")) - @Consumes({ "application/json" }) - @Produces({ "application/json" }) + @Consumes("application/json") + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DATASET_POLICY + "\")") public RangerPolicy addDatasetPolicy(@PathParam("id") Long datasetId, RangerPolicy policy) { LOG.debug("==> GdsREST.addDatasetPolicy({}, {})", datasetId, policy); @@ -493,8 +501,8 @@ public RangerPolicy addDatasetPolicy(@PathParam("id") Long datasetId, RangerPoli @PUT @Path(("/dataset/{id}/policy/{policyId}")) - @Consumes({ "application/json" }) - @Produces({ "application/json" }) + @Consumes("application/json") + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DATASET_POLICY + "\")") public RangerPolicy updateDatasetPolicy(@PathParam("id") Long datasetId, @PathParam("policyId") Long policyId, RangerPolicy policy) { LOG.debug("==> GdsREST.updateDatasetPolicy({}, {})", datasetId, policy); @@ -504,6 +512,7 @@ public RangerPolicy updateDatasetPolicy(@PathParam("id") Long datasetId, @PathPa try { policy.setId(policyId); + ret = gdsStore.updateDatasetPolicy(datasetId, policy); } catch (WebApplicationException excp) { throw excp; @@ -545,7 +554,7 @@ public void deleteDatasetPolicy(@PathParam("id") Long datasetId, @PathParam("pol @GET @Path(("/dataset/{id}/policy/{policyId}")) - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DATASET_POLICY + "\")") public RangerPolicy getDatasetPolicy(@PathParam("id") Long datasetId, @PathParam("policyId") Long policyId) { LOG.debug("==> GdsREST.getDatasetPolicy({}, {})", datasetId, policyId); 
@@ -572,7 +581,7 @@ public RangerPolicy getDatasetPolicy(@PathParam("id") Long datasetId, @PathParam @GET @Path(("/dataset/{id}/policy")) - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DATASET_POLICY + "\")") public List getDatasetPolicies(@PathParam("id") Long datasetId, @Context HttpServletRequest request) { LOG.debug("==> GdsREST.getDatasetPolicies({})", datasetId); @@ -599,8 +608,8 @@ public List getDatasetPolicies(@PathParam("id") Long datasetId, @C @POST @Path("/project") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) + @Consumes("application/json") + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_PROJECT + "\")") public RangerProject createProject(RangerProject project) { LOG.debug("==> GdsREST.createProject({})", project); @@ -609,14 +618,14 @@ public RangerProject createProject(RangerProject project) { RangerPerfTracer perf = null; try { - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.createProject(projectName=" + project.getName() + ")"); } ret = gdsStore.createProject(project); - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("createProject({}) failed", project, excp); throw restErrorUtil.createRESTException(excp.getMessage()); 
@@ -631,8 +640,8 @@ public RangerProject createProject(RangerProject project) { @PUT @Path("/project/{id}") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) + @Consumes("application/json") + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_PROJECT + "\")") public RangerProject updateProject(@PathParam("id") Long projectId, RangerProject project) { LOG.debug("==> GdsREST.updateProject({}, {})", projectId, project); @@ -641,16 +650,16 @@ public RangerProject updateProject(@PathParam("id") Long projectId, RangerProjec RangerPerfTracer perf = null; try { - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.updateProject(projectId=" + projectId + ", projectName=" + project.getName() + ")"); } project.setId(projectId); ret = gdsStore.updateProject(project); - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("updateProject({}, {}) failed", projectId, project, excp); throw restErrorUtil.createRESTException(excp.getMessage()); @@ -665,7 +674,7 @@ public RangerProject updateProject(@PathParam("id") Long projectId, RangerProjec @DELETE @Path("/project/{id}") - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_PROJECT + "\")") public void deleteProject(@PathParam("id") Long projectId, @Context HttpServletRequest request) { LOG.debug("==> deleteProject({})", projectId); 
@@ -673,16 +682,16 @@ public void deleteProject(@PathParam("id") Long projectId, @Context HttpServletR RangerPerfTracer perf = null; try { - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.deleteProject(projectId=" + projectId + ")"); } boolean forceDelete = Boolean.parseBoolean(request.getParameter("forceDelete")); gdsStore.deleteProject(projectId, forceDelete); - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("deleteProject({}) failed", projectId, excp); throw restErrorUtil.createRESTException(excp.getMessage()); @@ -695,7 +704,7 @@ public void deleteProject(@PathParam("id") Long projectId, @Context HttpServletR @GET @Path("/project/{id}") - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_PROJECT + "\")") public RangerProject getProject(@PathParam("id") Long projectId) { LOG.debug("==> GdsREST.getProject({})", projectId); @@ -704,7 +713,7 @@ public RangerProject getProject(@PathParam("id") Long projectId) { RangerPerfTracer perf = null; try { - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.getProject(projectId=" + projectId + ")"); } @@ -713,9 +722,9 @@ public RangerProject getProject(@PathParam("id") Long projectId) { if (ret == null) { throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "no project with id=" + projectId, false); } - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("getProject({}) failed", projectId, excp); throw restErrorUtil.createRESTException(excp.getMessage()); 
@@ -730,7 +739,7 @@ public RangerProject getProject(@PathParam("id") Long projectId) { @GET @Path("/project") - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_PROJECTS + "\")") public PList searchProjects(@Context HttpServletRequest request) { LOG.debug("==> GdsREST.searchProjects()"); @@ -743,9 +752,9 @@ public PList searchProjects(@Context HttpServletRequest request) filter = searchUtil.getSearchFilter(request, projectService.sortFields); ret = gdsStore.searchProjects(filter); - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("searchProjects({}) failed", filter, excp); throw restErrorUtil.createRESTException(excp.getMessage()); @@ -760,7 +769,7 @@ public PList searchProjects(@Context HttpServletRequest request) @GET @Path("/project/names") - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.LIST_PROJECT_NAMES + "\")") public PList listProjectNames(@Context HttpServletRequest request) { LOG.debug("==> GdsREST.listProjectNames()"); @@ -773,9 +782,9 @@ public PList listProjectNames(@Context HttpServletRequest request) { filter = searchUtil.getSearchFilter(request, projectService.sortFields); ret = gdsStore.getProjectNames(filter); - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("listProjectNames({}) failed", filter, excp); throw restErrorUtil.createRESTException(excp.getMessage()); 
@@ -790,8 +799,8 @@ public PList listProjectNames(@Context HttpServletRequest request) { @POST @Path(("/project/{id}/policy")) - @Consumes({ "application/json" }) - @Produces({ "application/json" }) + @Consumes("application/json") + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.PROJECT_POLICY + "\")") public RangerPolicy addProjectPolicy(@PathParam("id") Long projectId, RangerPolicy policy) { LOG.debug("==> GdsREST.addProjectPolicy({}, {})", projectId, policy); @@ -818,8 +827,8 @@ public RangerPolicy addProjectPolicy(@PathParam("id") Long projectId, RangerPoli @PUT @Path(("/project/{id}/policy/{policyId}")) - @Consumes({ "application/json" }) - @Produces({ "application/json" }) + @Consumes("application/json") + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.PROJECT_POLICY + "\")") public RangerPolicy updateProjectPolicy(@PathParam("id") Long projectId, @PathParam("policyId") Long policyId, RangerPolicy policy) { LOG.debug("==> GdsREST.updateProjectPolicy({}, {})", projectId, policy); @@ -829,6 +838,7 @@ public RangerPolicy updateProjectPolicy(@PathParam("id") Long projectId, @PathPa try { policy.setId(policyId); + ret = gdsStore.updateProjectPolicy(projectId, policy); } catch (WebApplicationException excp) { throw excp; @@ -870,7 +880,7 @@ public void deleteProjectPolicy(@PathParam("id") Long projectId, @PathParam("pol @GET @Path(("/project/{id}/policy/{policyId}")) - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.PROJECT_POLICY + "\")") public RangerPolicy getProjectPolicy(@PathParam("id") Long projectId, @PathParam("policyId") Long policyId) { LOG.debug("==> GdsREST.getProjectPolicy({}, {})", projectId, policyId); 
@@ -897,7 +907,7 @@ public RangerPolicy getProjectPolicy(@PathParam("id") Long projectId, @PathParam @GET @Path(("/project/{id}/policy")) - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.PROJECT_POLICY + "\")") public List getProjectPolicies(@PathParam("id") Long projectId, @Context HttpServletRequest request) { LOG.debug("==> GdsREST.getProjectPolicies({})", projectId); @@ -924,8 +934,8 @@ public List getProjectPolicies(@PathParam("id") Long projectId, @C @POST @Path("/datashare") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) + @Consumes("application/json") + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_DATA_SHARE + "\")") public RangerDataShare createDataShare(RangerDataShare dataShare) { LOG.debug("==> GdsREST.createDataShare({})", dataShare); @@ -934,14 +944,14 @@ public RangerDataShare createDataShare(RangerDataShare dataShare) { RangerPerfTracer perf = null; try { - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.createDataShare(" + dataShare + ")"); } ret = gdsStore.createDataShare(dataShare); - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("createDataShare({}) failed", dataShare, excp); throw restErrorUtil.createRESTException(excp.getMessage()); 
@@ -956,8 +966,8 @@ public RangerDataShare createDataShare(RangerDataShare dataShare) { @PUT @Path("/datashare/{id}") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) + @Consumes("application/json") + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_DATA_SHARE + "\")") public RangerDataShare updateDataShare(@PathParam("id") Long dataShareId, RangerDataShare dataShare) { LOG.debug("==> GdsREST.updateDataShare({}, {})", dataShareId, dataShare); @@ -966,16 +976,16 @@ public RangerDataShare updateDataShare(@PathParam("id") Long dataShareId, Ranger RangerPerfTracer perf = null; try { - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.updateDataShare(" + dataShare + ")"); } dataShare.setId(dataShareId); ret = gdsStore.updateDataShare(dataShare); - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("updateDataShare({}, {}) failed", dataShareId, dataShare, excp); throw restErrorUtil.createRESTException(excp.getMessage()); @@ -990,7 +1000,7 @@ public RangerDataShare updateDataShare(@PathParam("id") Long dataShareId, Ranger @DELETE @Path("/datashare/{id}") - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_DATA_SHARE + "\")") public void deleteDataShare(@PathParam("id") Long dataShareId, @Context HttpServletRequest request) { LOG.debug("==> GdsREST.deleteDataShare({})", dataShareId); 
@@ -998,17 +1008,17 @@ public void deleteDataShare(@PathParam("id") Long dataShareId, @Context HttpServ RangerPerfTracer perf = null; try { - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.deleteDataShare(" + dataShareId + ")"); } - String forceDeleteStr = request.getParameter("forceDelete"); - boolean forceDelete = !StringUtils.isEmpty(forceDeleteStr) && "true".equalsIgnoreCase(forceDeleteStr); + String forceDeleteStr = request.getParameter("forceDelete"); + boolean forceDelete = !StringUtils.isEmpty(forceDeleteStr) && "true".equalsIgnoreCase(forceDeleteStr); gdsStore.deleteDataShare(dataShareId, forceDelete); - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("deleteDataShare({}) failed", dataShareId, excp); throw restErrorUtil.createRESTException(excp.getMessage()); @@ -1021,7 +1031,7 @@ public void deleteDataShare(@PathParam("id") Long dataShareId, @Context HttpServ @GET @Path("/datashare/{id}") - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_DATA_SHARE + "\")") public RangerDataShare getDataShare(@PathParam("id") Long dataShareId) { LOG.debug("==> GdsREST.getDataShare({})", dataShareId); @@ -1030,7 +1040,7 @@ public RangerDataShare getDataShare(@PathParam("id") Long dataShareId) { RangerPerfTracer perf = null; try { - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.getDataShare(" + dataShareId + ")"); } 
@@ -1039,9 +1049,9 @@ public RangerDataShare getDataShare(@PathParam("id") Long dataShareId) { if (ret == null) { throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "no dataShare with id=" + dataShareId, false); } - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("getDataShare({}) failed", dataShareId, excp); throw restErrorUtil.createRESTException(excp.getMessage()); @@ -1056,7 +1066,7 @@ public RangerDataShare getDataShare(@PathParam("id") Long dataShareId) { @GET @Path("/datashare") - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_DATA_SHARES + "\")") public PList searchDataShares(@Context HttpServletRequest request) { LOG.debug("==> GdsREST.searchDataShares()"); @@ -1069,9 +1079,9 @@ public PList searchDataShares(@Context HttpServletRequest reque filter = searchUtil.getSearchFilter(request, dataShareService.sortFields); ret = gdsStore.searchDataShares(filter); - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("searchDataShares({}) failed", filter, excp); throw restErrorUtil.createRESTException(excp.getMessage()); @@ -1086,7 +1096,7 @@ public PList searchDataShares(@Context HttpServletRequest reque @GET @Path("/datashare/summary") - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_DATA_SHARE_SUMMARY + "\")") public PList getDataShareSummary(@Context HttpServletRequest request) { LOG.debug("==> GdsREST.getDataShareSummary()"); 
@@ -1115,8 +1125,8 @@ public PList getDataShareSummary(@Context HttpServletRequest r @POST @Path("/resource") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) + @Consumes("application/json") + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.ADD_SHARED_RESOURCE + "\")") public RangerSharedResource addSharedResource(RangerSharedResource resource) { LOG.debug("==> GdsREST.addSharedResource({})", resource); @@ -1125,16 +1135,16 @@ public RangerSharedResource addSharedResource(RangerSharedResource resource) { RangerPerfTracer perf = null; try { - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.addSharedResource(" + resource + ")"); } - List sharedResources = gdsStore.addSharedResources(Arrays.asList(resource)); + List sharedResources = gdsStore.addSharedResources(Collections.singletonList(resource)); ret = CollectionUtils.isNotEmpty(sharedResources) ? sharedResources.get(0) : null; - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("addSharedResource({}) failed", resource, excp); throw restErrorUtil.createRESTException(excp.getMessage()); @@ -1149,8 +1159,8 @@ public RangerSharedResource addSharedResource(RangerSharedResource resource) { @POST @Path("/resources") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) + @Consumes("application/json") + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.ADD_SHARED_RESOURCES + "\")") public List addSharedResources(List resources) { LOG.debug("==> GdsREST.addSharedResources({})", resources); 
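Review bot: Replacing `Arrays.asList(resource)` with `Collections.singletonList(resource)` in addSharedResource (hunk @@ -1125) changes the argument from a fixed-size but settable list to a fully immutable one, so if `gdsStore.addSharedResources` ever calls `set(...)`, `sort(...)` or `replaceAll(...)` on its parameter it will now throw UnsupportedOperationException where it previously succeeded; please confirm the store only reads the list. The same substitution is made for `gdsStore.removeSharedResources(Collections.singletonList(resourceId));` in removeSharedResource (hunk @@ -1227). The `java.util.Collections` import is not visible here, so I assume it was added in this file's import hunk. A short comment at the call site such as `// singletonList is immutable: the store must treat the argument as read-only` would make that contract explicit for the next change to the store.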
@@ -1168,9 +1178,9 @@ public List addSharedResources(List } ret = gdsStore.addSharedResources(resources); - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("addSharedResources({}) failed", resources, excp); throw restErrorUtil.createRESTException(excp.getMessage()); @@ -1185,26 +1195,26 @@ public List addSharedResources(List @PUT @Path("/resource/{id}") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) + @Consumes("application/json") + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_SHARED_RESOURCE + "\")") public RangerSharedResource updateSharedResource(@PathParam("id") Long resourceId, RangerSharedResource resource) { LOG.debug("==> GdsREST.updateSharedResource({}, {})", resourceId, resource); - RangerSharedResource ret; - RangerPerfTracer perf = null; + RangerSharedResource ret; + RangerPerfTracer perf = null; try { - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.updateSharedResource(" + resource + ")"); } resource.setId(resourceId); ret = gdsStore.updateSharedResource(resource); - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("updateSharedResource({}, {}) failed", resourceId, resource, excp); throw restErrorUtil.createRESTException(excp.getMessage()); 
@@ -1219,7 +1229,7 @@ public RangerSharedResource updateSharedResource(@PathParam("id") Long resourceI @DELETE @Path("/resource/{id}") - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.REMOVE_SHARED_RESOURCE + "\")") public void removeSharedResource(@PathParam("id") Long resourceId) { LOG.debug("==> GdsREST.removeSharedResource({})", resourceId); @@ -1227,14 +1237,14 @@ public void removeSharedResource(@PathParam("id") Long resourceId) { RangerPerfTracer perf = null; try { - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.removeSharedResource(" + resourceId + ")"); } - gdsStore.removeSharedResources(Arrays.asList(resourceId)); - } catch(WebApplicationException excp) { + gdsStore.removeSharedResources(Collections.singletonList(resourceId)); + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("removeSharedResource({}) failed", resourceId, excp); throw restErrorUtil.createRESTException(excp.getMessage()); @@ -1263,9 +1273,9 @@ public void removeSharedResources(List resourceIds) { } gdsStore.removeSharedResources(resourceIds); - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("removeSharedResources({}) failed", resourceIds, excp); throw restErrorUtil.createRESTException(excp.getMessage()); 
@@ -1278,16 +1288,16 @@ public void removeSharedResources(List resourceIds) { @GET @Path("/resource/{id}") - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SHARED_RESOURCE + "\")") public RangerSharedResource getSharedResource(@PathParam("id") Long resourceId) { LOG.debug("==> GdsREST.getSharedResource({})", resourceId); - RangerSharedResource ret; - RangerPerfTracer perf = null; + RangerSharedResource ret; + RangerPerfTracer perf = null; try { - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.getSharedResource(" + resourceId + ")"); } @@ -1296,9 +1306,9 @@ public RangerSharedResource getSharedResource(@PathParam("id") Long resourceId) if (ret == null) { throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "no shared-resource with id=" + resourceId, false); } - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("getSharedResource({}) failed", resourceId, excp); throw restErrorUtil.createRESTException(excp.getMessage()); @@ -1313,7 +1323,7 @@ public RangerSharedResource getSharedResource(@PathParam("id") Long resourceId) @GET @Path("/resource") - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_SHARED_RESOURCES + "\")") public PList searchSharedResources(@Context HttpServletRequest request) { LOG.debug("==> GdsREST.searchSharedResources()"); 
@@ -1326,9 +1336,9 @@ public PList searchSharedResources(@Context HttpServletReq filter = searchUtil.getSearchFilter(request, sharedResourceService.sortFields); ret = gdsStore.searchSharedResources(filter); - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("searchSharedResources({}) failed", filter, excp); throw restErrorUtil.createRESTException(excp.getMessage()); @@ -1343,8 +1353,8 @@ public PList searchSharedResources(@Context HttpServletReq @POST @Path("/datashare/dataset") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) + @Consumes("application/json") + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.ADD_DATASHARE_IN_DATASET + "\")") public RangerDataShareInDataset addDataShareInDataset(RangerDataShareInDataset datasetData) { LOG.debug("==> GdsREST.addDataShareInDataset({})", datasetData); @@ -1353,14 +1363,14 @@ public RangerDataShareInDataset addDataShareInDataset(RangerDataShareInDataset d RangerPerfTracer perf = null; try { - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { - perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.addDataShareInDataset(" + datasetData + ")"); + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.addDataShareInDataset(" + datasetData + ")"); } ret = gdsStore.addDataShareInDataset(datasetData); - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("addDataShareInDataset({}) failed", datasetData, excp); throw restErrorUtil.createRESTException(excp.getMessage()); 
@@ -1375,8 +1385,8 @@ public RangerDataShareInDataset addDataShareInDataset(RangerDataShareInDataset d @PUT @Path("/datashare/dataset/{id}") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) + @Consumes("application/json") + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_DATASHARE_IN_DATASET + "\")") public RangerDataShareInDataset updateDataShareInDataset(@PathParam("id") Long id, RangerDataShareInDataset dataShareInDataset) { LOG.debug("==> GdsREST.updateDataShareInDataset({}, {})", id, dataShareInDataset); @@ -1385,16 +1395,16 @@ public RangerDataShareInDataset updateDataShareInDataset(@PathParam("id") Long i RangerPerfTracer perf = null; try { - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { - perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.updateDataShareInDataset(" + dataShareInDataset + ")"); + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.updateDataShareInDataset(" + dataShareInDataset + ")"); } dataShareInDataset.setId(id); ret = gdsStore.updateDataShareInDataset(dataShareInDataset); - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("updateDataShareInDataset({}) failed", dataShareInDataset, excp); throw restErrorUtil.createRESTException(excp.getMessage()); 
@@ -1416,14 +1426,14 @@ public void removeDataShareInDataset(@PathParam("id") Long id) { RangerPerfTracer perf = null; try { - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { - perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.removeDatasetData(" + id + ")"); + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.removeDatasetData(" + id + ")"); } gdsStore.removeDataShareInDataset(id); - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("removeDatasetData({}) failed", id, excp); throw restErrorUtil.createRESTException(excp.getMessage()); @@ -1436,7 +1446,7 @@ public void removeDataShareInDataset(@PathParam("id") Long id) { @GET @Path("/datashare/dataset/{id}") - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_DATASHARE_IN_DATASET + "\")") public RangerDataShareInDataset getDataShareInDataset(@PathParam("id") Long id) { LOG.debug("==> GdsREST.updateDataShareInDataset({})", id); @@ -1445,14 +1455,14 @@ public RangerDataShareInDataset getDataShareInDataset(@PathParam("id") Long id) RangerPerfTracer perf = null; try { - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { - perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.getDataShareInDataset(" + id + ")"); + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.getDataShareInDataset(" + id + ")"); } ret = gdsStore.getDataShareInDataset(id); - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("getDataShareInDataset({}) failed", id, excp); throw restErrorUtil.createRESTException(excp.getMessage()); 
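Review bot: The entry log in getDataShareInDataset (hunk @@ -1436) still reads `LOG.debug("==> GdsREST.updateDataShareInDataset({})", id);`, which names the wrong method and makes a read look like a write when traces are correlated; it should read `LOG.debug("==> GdsREST.getDataShareInDataset({})", id);` to match the `<==` line and the error log of the same method. The body of getDataShareInDataset continues in the following hunk, outside this one. A similar mismatch sits in removeDataShareInDataset (hunk @@ -1416), where the perf tracer label and the error log both say `removeDatasetData` rather than the method's own name; since this commit already reformats those lines, aligning the names would keep filtering of logs by method name reliable.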
@@ -1467,22 +1477,22 @@ public RangerDataShareInDataset getDataShareInDataset(@PathParam("id") Long id) @GET @Path("/datashare/dataset") - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_DATASHARE_IN_DATASET + "\")") public PList searchDataShareInDatasets(@Context HttpServletRequest request) { LOG.debug("==> GdsREST.searchDataShareInDatasets()"); PList ret; - RangerPerfTracer perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.searchDataShareInDatasets()"); - SearchFilter filter = null; + RangerPerfTracer perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.searchDataShareInDatasets()"); + SearchFilter filter = null; try { filter = searchUtil.getSearchFilter(request, dshidService.sortFields); ret = gdsStore.searchDataShareInDatasets(filter); - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("searchDataShareInDatasets({}) failed", filter, excp); throw restErrorUtil.createRESTException(excp.getMessage()); 
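Review bot: searchDataShareInDatasets (hunk @@ -1467) calls `RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.searchDataShareInDatasets()")` unconditionally, while every other endpoint in this file first checks `if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG))` and leaves `perf` null otherwise; the realignment in this hunk preserves the outlier. If getPerfTracer already returns null when tracing is disabled this is only a consistency point, otherwise a tracer is built on every search request for nothing. The same unguarded form appears in getDshInDsSummary in the following hunk.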
@@ -1495,56 +1505,56 @@ public PList searchDataShareInDatasets(@Context HttpSe return ret; } - @GET - @Path("/datashare/dataset/summary") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_DATASHARE_IN_DATASET_SUMMARY + "\")") - public PList getDshInDsSummary(@Context HttpServletRequest request) { - LOG.debug("==> GdsREST.searchDshInDsSummary()"); + @GET + @Path("/datashare/dataset/summary") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_DATASHARE_IN_DATASET_SUMMARY + "\")") + public PList getDshInDsSummary(@Context HttpServletRequest request) { + LOG.debug("==> GdsREST.searchDshInDsSummary()"); - PList ret; - SearchFilter filter = null; - RangerPerfTracer perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.getDshInDsSummary()"); + PList ret; + SearchFilter filter = null; + RangerPerfTracer perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.getDshInDsSummary()"); - try { - filter = searchUtil.getSearchFilter(request, dshidService.sortFields); + try { + filter = searchUtil.getSearchFilter(request, dshidService.sortFields); - ret = gdsStore.getDshInDsSummary(filter); - } catch (WebApplicationException excp) { - throw excp; - } catch (Throwable excp) { - LOG.error("getDshInDsSummary({}) failed", filter, excp); + ret = gdsStore.getDshInDsSummary(filter); + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + LOG.error("getDshInDsSummary({}) failed", filter, excp); - throw restErrorUtil.createRESTException(excp.getMessage()); - } finally { - RangerPerfTracer.log(perf); - } + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + RangerPerfTracer.log(perf); + } - LOG.debug("<== GdsREST.getDshInDsSummary({}): {}", filter, ret); + LOG.debug("<== GdsREST.getDshInDsSummary({}): {}", filter, ret); - return ret; - } + return ret; + } @POST @Path("/dataset/project") 
- @Consumes({ "application/json" }) - @Produces({ "application/json" }) + @Consumes("application/json") + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.ADD_DATASET_IN_PROJECT + "\")") public RangerDatasetInProject addDatasetInProject(RangerDatasetInProject projectData) { LOG.debug("==> GdsREST.addDatasetInProject({})", projectData); RangerDatasetInProject ret; - RangerPerfTracer perf = null; + RangerPerfTracer perf = null; try { - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { - perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.addDatasetInProject(" + projectData + ")"); + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.addDatasetInProject(" + projectData + ")"); } ret = gdsStore.addDatasetInProject(projectData); - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("addDatasetInProject({}) failed", projectData, excp); throw restErrorUtil.createRESTException(excp.getMessage()); 
@@ -1559,26 +1569,26 @@ public RangerDatasetInProject addDatasetInProject(RangerDatasetInProject project @PUT @Path("/dataset/project/{id}") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) + @Consumes("application/json") + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_DATASET_IN_PROJECT + "\")") public RangerDatasetInProject updateDatasetInProject(@PathParam("id") Long id, RangerDatasetInProject dataShareInProject) { LOG.debug("==> GdsREST.updateDatasetInProject({}, {})", id, dataShareInProject); RangerDatasetInProject ret; - RangerPerfTracer perf = null; + RangerPerfTracer perf = null; try { - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { - perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.updateDatasetInProject(" + dataShareInProject + ")"); + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.updateDatasetInProject(" + dataShareInProject + ")"); } dataShareInProject.setId(id); ret = gdsStore.updateDatasetInProject(dataShareInProject); - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("updateDatasetInProject({}) failed", dataShareInProject, excp); throw restErrorUtil.createRESTException(excp.getMessage()); 
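Review bot: `dataShareInProject.setId(id);` runs without a null check, so a request with no body would fail inside the `catch (Throwable excp)` and surface as a generic error built from a null message instead of an INVALID_INPUT_DATA response; adding `if (dataShareInProject == null) { throw restErrorUtil.createRESTException("dataset-in-project not provided", MessageEnums.INVALID_INPUT_DATA); }` before the perf tracer makes the 400 explicit (whether the JSON provider hands a null here or rejects the request earlier is not visible in this diff). The parameter is also named `dataShareInProject` although its type is RangerDatasetInProject; renaming it `datasetInProject` would stop it being confused with the data-share endpoints above. The method's exit path lies outside the hunk.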
@@ -1600,14 +1610,14 @@ public void removeDatasetInProject(@PathParam("id") Long id) { RangerPerfTracer perf = null; try { - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { - perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.removeProjectData(" + id + ")"); + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.removeProjectData(" + id + ")"); } gdsStore.removeDatasetInProject(id); - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("removeProjectData({}) failed", id, excp); throw restErrorUtil.createRESTException(excp.getMessage()); @@ -1620,7 +1630,7 @@ public void removeDatasetInProject(@PathParam("id") Long id) { @GET @Path("/dataset/project/{id}") - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_DATASET_IN_PROJECT + "\")") public RangerDatasetInProject getDatasetInProject(@PathParam("id") Long id) { LOG.debug("==> GdsREST.getDatasetInProject({})", id); @@ -1630,7 +1640,7 @@ public RangerDatasetInProject getDatasetInProject(@PathParam("id") Long id) { try { if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { - perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.getDatasetInProject(" + id + ")"); + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "GdsREST.getDatasetInProject(" + id + ")"); } ret = gdsStore.getDatasetInProject(id); @@ -1651,7 +1661,7 @@ public RangerDatasetInProject getDatasetInProject(@PathParam("id") Long id) { @GET @Path("/dataset/project") - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_DATASET_IN_PROJECT + "\")") public PList searchDatasetInProjects(@Context HttpServletRequest request) { LOG.debug("==> GdsREST.searchDatasetInProjects()"); 
@@ -1664,9 +1674,9 @@ public PList searchDatasetInProjects(@Context HttpServle filter = searchUtil.getSearchFilter(request, dipService.sortFields); ret = gdsStore.searchDatasetInProjects(filter); - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("searchDatasetInProjects({}) failed", filter, excp); throw restErrorUtil.createRESTException(excp.getMessage()); @@ -1679,17 +1689,10 @@ public PList searchDatasetInProjects(@Context HttpServle return ret; } - @GET @Path("/download/{serviceName}") - @Produces({ "application/json" }) - public ServiceGdsInfo getServiceGdsInfoIfUpdated(@PathParam("serviceName") String serviceName, - @QueryParam("lastKnownGdsVersion") @DefaultValue("-1") Long lastKnownVersion, - @QueryParam("lastActivationTime") @DefaultValue("0") Long lastActivationTime, - @QueryParam("pluginId") String pluginId, - @QueryParam("clusterName") @DefaultValue("") String clusterName, - @QueryParam("pluginCapabilities") @DefaultValue("") String pluginCapabilities, - @Context HttpServletRequest request) { + @Produces("application/json") + public ServiceGdsInfo getServiceGdsInfoIfUpdated(@PathParam("serviceName") String serviceName, @QueryParam("lastKnownGdsVersion") @DefaultValue("-1") Long lastKnownVersion, @QueryParam("lastActivationTime") @DefaultValue("0") Long lastActivationTime, @QueryParam("pluginId") String pluginId, @QueryParam("clusterName") @DefaultValue("") String clusterName, @QueryParam("pluginCapabilities") @DefaultValue("") String pluginCapabilities, @Context HttpServletRequest request) { LOG.debug("==> GdsREST.getServiceGdsInfoIfUpdated(serviceName={}, lastKnownVersion={}, lastActivationTime={}, pluginId={}, clusterName={}, pluginCapabilities{})", serviceName, lastKnownVersion, lastActivationTime, pluginId, clusterName, pluginCapabilities); ServiceGdsInfo ret = null; 
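Review bot: getServiceGdsInfoIfUpdated is one of only two GdsREST endpoints in these hunks whose annotations carry no `@PreAuthorize` guard (the other is its `/secure/download` twin), and the reformatted signature gives no hint whether that is deliberate. If the plugin-pull path is intended to bypass the API-access check and the body validates the caller against the service itself, a one-line comment such as `// no @PreAuthorize: plugin download path; access is validated against the service in the body` above `@GET` would stop future reviewers from reading it as an omission. The method body, and therefore whatever check it performs, is outside this hunk, so this is a documentation request rather than a claim that access is unchecked.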
@@ -1738,14 +1741,8 @@ public ServiceGdsInfo getServiceGdsInfoIfUpdated(@PathParam("serviceName") Strin @GET @Path("/secure/download/{serviceName}") - @Produces({ "application/json" }) - public ServiceGdsInfo getSecureServiceGdsInfoIfUpdated(@PathParam("serviceName") String serviceName, - @QueryParam("lastKnownGdsVersion") @DefaultValue("-1") Long lastKnownVersion, - @QueryParam("lastActivationTime") @DefaultValue("0") Long lastActivationTime, - @QueryParam("pluginId") String pluginId, - @QueryParam("clusterName") @DefaultValue("") String clusterName, - @QueryParam("pluginCapabilities") @DefaultValue("") String pluginCapabilities, - @Context HttpServletRequest request) { + @Produces("application/json") + public ServiceGdsInfo getSecureServiceGdsInfoIfUpdated(@PathParam("serviceName") String serviceName, @QueryParam("lastKnownGdsVersion") @DefaultValue("-1") Long lastKnownVersion, @QueryParam("lastActivationTime") @DefaultValue("0") Long lastActivationTime, @QueryParam("pluginId") String pluginId, @QueryParam("clusterName") @DefaultValue("") String clusterName, @QueryParam("pluginCapabilities") @DefaultValue("") String pluginCapabilities, @Context HttpServletRequest request) { LOG.debug("==> GdsREST.getSecureServiceGdsInfoIfUpdated(serviceName={}, lastKnownVersion={}, lastActivationTime={}, pluginId={}, clusterName={}, pluginCapabilities{})", serviceName, lastKnownVersion, lastActivationTime, pluginId, clusterName, pluginCapabilities); ServiceGdsInfo ret = null; 
@@ -1792,114 +1789,9 @@ public ServiceGdsInfo getSecureServiceGdsInfoIfUpdated(@PathParam("serviceName") return ret; } - private Long getOrCreateDataShare(Long datasetId, Long serviceId, Long zoneId, String serviceName) throws Exception { - LOG.debug("==> GdsREST.getOrCreateDataShare(dataSetId={} serviceId={} zoneId={} seviceName={})", datasetId); - - Long ret; - RangerDataShare rangerDataShare; - RangerDataset rangerDataset = gdsStore.getDataset(datasetId); - String dataShareName = "__dataset_" + datasetId + "__service_" + serviceId + "__zone_" + zoneId; - - SearchFilter filter = new SearchFilter(); - filter.setParam(SearchFilter.DATA_SHARE_NAME, dataShareName); - PList dataSharePList = gdsStore.searchDataShares(filter); - List dataShareList = dataSharePList.getList(); - - if (CollectionUtils.isNotEmpty(dataShareList)) { - List rangerDataShares = dataSharePList.getList(); - rangerDataShare = rangerDataShares.get(0); - ret = rangerDataShare.getId(); - } else { - //Create a DataShare - RangerDataShare dataShare = new RangerDataShare(); - dataShare.setName(dataShareName); - dataShare.setDescription(dataShareName); - dataShare.setTermsOfUse(rangerDataset.getTermsOfUse()); - dataShare.setService(serviceName); - Set accessTypes = new HashSet<>(CollectionUtils.EMPTY_COLLECTION); - dataShare.setDefaultAccessTypes(accessTypes); - rangerDataShare = gdsStore.createDataShare(dataShare); - - //Add DataShare to DataSet - List rangerDataShareInDatasets = new ArrayList<>(); - RangerDataShareInDataset rangerDataShareInDataset = new RangerDataShareInDataset(); - rangerDataShareInDataset.setDataShareId(rangerDataShare.getId()); - rangerDataShareInDataset.setDatasetId(rangerDataset.getId()); - rangerDataShareInDataset.setStatus(RangerGds.GdsShareStatus.REQUESTED); - rangerDataShareInDatasets.add(rangerDataShareInDataset); - addDataSharesInDataset(rangerDataset.getId(), rangerDataShareInDatasets); - ret = rangerDataShare.getId(); - } - - LOG.debug("<== 
GdsREST.getOrCreateDataShare(RangerDataShare={})", ret); - - return ret; - } - - private Long validateAndGetServiceId(String serviceName){ - Long ret; - if (serviceName == null || serviceName.isEmpty()) { - LOG.error("ServiceName not provided"); - throw restErrorUtil.createRESTException("ServiceName not provided.", - MessageEnums.INVALID_INPUT_DATA); - } - - RangerService service; - - try { - service = serviceDBStore.getServiceByName(serviceName); - ret = service.getId(); - } catch (Exception e) { - LOG.error("Requested Service not found. serviceName=" + serviceName); - throw restErrorUtil.createRESTException("Service:" + serviceName + " not found", - MessageEnums.DATA_NOT_FOUND); - } - - if(service == null){ - LOG.error("Requested Service not found. serviceName=" + serviceName); - throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, RangerServiceNotFoundException.buildExceptionMsg(serviceName), - false); - } - - if(!service.getIsEnabled()){ - LOG.error("Requested Service is disabled. serviceName=" + serviceName); - throw restErrorUtil.createRESTException("Unauthorized access.", - MessageEnums.OPER_NOT_ALLOWED_FOR_STATE); - } - - return ret; - } - - private Long validateAndGetZoneId(String zoneName){ - Long ret = RangerSecurityZone.RANGER_UNZONED_SECURITY_ZONE_ID; - - if (zoneName == null || zoneName.isEmpty()) { - return ret; - } - - RangerSecurityZone rangerSecurityZone = null; - - try { - rangerSecurityZone = serviceDBStore.getSecurityZone(zoneName); - ret = rangerSecurityZone.getId(); - } catch (Exception e) { - LOG.error("Requested Zone not found. ZoneName=" + zoneName); - throw restErrorUtil.createRESTException("Zone:" + zoneName + " not found", - MessageEnums.DATA_NOT_FOUND); - } - - if(rangerSecurityZone == null){ - LOG.error("Requested Zone not found. 
ZoneName=" + zoneName); - throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, RangerServiceNotFoundException.buildExceptionMsg(zoneName), - false); - } - - return ret; - } - @GET @Path("/dataset/{id}/grants") - @Produces({"application/json"}) + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_DATASET_GRANTS + "\")") public List getDataSetGrants(@PathParam("id") Long id, @Context HttpServletRequest request) { LOG.debug("==> GdsREST.getDataSetGrants(dataSetId: {})", id); @@ -1919,13 +1811,12 @@ public List getDataSetGrants(@PathParam("id") Long id, @Context Htt if (CollectionUtils.isNotEmpty(filteredPolicyItems)) { ret = transformPolicyItemsToGrants(filteredPolicyItems); - } else { + } else { LOG.debug("getDataSetGrants(): no grants available in dataset(id={}), policy(id={}) for query {}", id, policies.get(0).getId(), request.getQueryString()); } } else { LOG.debug("getDataSetGrants(): no policy found for dataset(id={})", id); } - } catch (WebApplicationException excp) { throw excp; } catch (Throwable excp) { @@ -1942,8 +1833,8 @@ public List getDataSetGrants(@PathParam("id") Long id, @Context Htt @PUT @Path("/dataset/{id}/grant") - @Consumes({"application/json"}) - @Produces({"application/json"}) + @Consumes("application/json") + @Produces("application/json") @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_DATASET_GRANTS + "\")") public RangerPolicyHeader updateDataSetGrants(@PathParam("id") Long id, List rangerGrants) { LOG.debug("==> GdsREST.updateDataSetGrants(dataSetId: {}, rangerGrants: {})", id, rangerGrants); 
@@ -1953,15 +1844,16 @@ public RangerPolicyHeader updateDataSetGrants(@PathParam("id") Long id, List policies = gdsStore.getDatasetPolicies(id); - RangerPolicy policy = CollectionUtils.isNotEmpty(policies) ? policies.get(0) : gdsStore.addDatasetPolicy(id, new RangerPolicy()); - RangerPolicy policyWithModifiedGrants = updatePolicyWithModifiedGrants(policy, rangerGrants); + List policies = gdsStore.getDatasetPolicies(id); + RangerPolicy policy = CollectionUtils.isNotEmpty(policies) ? policies.get(0) : gdsStore.addDatasetPolicy(id, new RangerPolicy()); + RangerPolicy policyWithModifiedGrants = updatePolicyWithModifiedGrants(policy, rangerGrants); if (policyWithModifiedGrants != null) { RangerPolicy updatedPolicy = gdsStore.updateDatasetPolicy(id, policyWithModifiedGrants); + ret = rangerPolicyHeaderOf(updatedPolicy); } else { throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_MODIFIED, "No action performed: The grant may already exist or may not be found for deletion.", false); 
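Review bot: When the dataset has no policy yet, `gdsStore.addDatasetPolicy(id, new RangerPolicy())` is called before it is known whether the grants change anything, so a no-op request can reach the SC_NOT_MODIFIED throw having already created an empty dataset policy — unless a class-level transaction rolls that back on the WebApplicationException, which is not visible here. Computing the modified grants against a fresh RangerPolicy first and persisting only when `policyWithModifiedGrants != null` avoids the side effect either way, assuming addDatasetPolicy fills in the dataset resource regardless of the items passed (also not visible here). The surrounding try/catch and the method's exit lie outside the hunk.
```java
List<RangerPolicy> policies  = gdsStore.getDatasetPolicies(id);
boolean            hasPolicy = CollectionUtils.isNotEmpty(policies);
RangerPolicy       policy    = hasPolicy ? policies.get(0) : new RangerPolicy();
RangerPolicy       policyWithModifiedGrants = updatePolicyWithModifiedGrants(policy, rangerGrants);

if (policyWithModifiedGrants != null) {
    // persist only once it is known that the grants actually change something
    RangerPolicy updatedPolicy = hasPolicy ? gdsStore.updateDatasetPolicy(id, policyWithModifiedGrants) : gdsStore.addDatasetPolicy(id, policyWithModifiedGrants);

    ret = rangerPolicyHeaderOf(updatedPolicy);
} else {
    // … unchanged: SC_NOT_MODIFIED error …
```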
@@ -1988,30 +1880,27 @@ List filterPolicyItemsByRequest(RangerPolicy rangerPolicy, Htt return Collections.emptyList(); } - List policyItems = rangerPolicy.getPolicyItems(); - String[] filteringPrincipals = searchUtil.getParamMultiValues(request, "principal"); - String[] filteringAccessTypes = searchUtil.getParamMultiValues(request, "accessType"); + List policyItems = rangerPolicy.getPolicyItems(); + String[] filteringPrincipals = searchUtil.getParamMultiValues(request, "principal"); + String[] filteringAccessTypes = searchUtil.getParamMultiValues(request, "accessType"); - Predicate byPrincipalPredicate = filterByPrincipalsPredicate(filteringPrincipals); + Predicate byPrincipalPredicate = filterByPrincipalsPredicate(filteringPrincipals); Predicate byAccessTypePredicate = filterByAccessTypesPredicate(filteringAccessTypes); - - List filteredPolicyItems = policyItems.stream() - .filter(byPrincipalPredicate.and(byAccessTypePredicate)) - .collect(Collectors.toList()); + List filteredPolicyItems = policyItems.stream().filter(byPrincipalPredicate.and(byAccessTypePredicate)).collect(Collectors.toList()); LOG.debug("<== GdsREST.filterPolicyItemsByRequest(rangerPolicy: {}): filteredPolicyItems= {}", rangerPolicy, filteredPolicyItems); return filteredPolicyItems; } - @VisibleForTesting - List transformPolicyItemsToGrants(List policyItems) { + @VisibleForTesting + List transformPolicyItemsToGrants(List policyItems) { LOG.debug("==> GdsREST.transformPolicyItemsToGrants(policyItems: {})", policyItems); if (CollectionUtils.isEmpty(policyItems)) { return null; } - List ret = new ArrayList<>(); + List ret = new ArrayList<>(); for (RangerPolicyItem policyItem : policyItems) { List policyItemUsers = policyItem.getUsers(); 
@@ -2021,19 +1910,19 @@ List transformPolicyItemsToGrants(List policyItem List policyItemAccesses = policyItem.getAccesses(); List policyItemConditions = policyItem.getConditions(); - List policyItemAccessTypes = policyItemAccesses.stream().map(x -> x.getType()).collect(Collectors.toList()); + List policyItemAccessTypes = policyItemAccesses.stream().map(RangerPolicyItemAccess::getType).collect(Collectors.toList()); List policyItemConditionValues = policyItemConditions.stream().flatMap(x -> x.getValues().stream()).collect(Collectors.toList()); if (CollectionUtils.isNotEmpty(policyItemUsers)) { - policyItemUsers.stream().forEach(x -> ret.add(new RangerGrant(new RangerPrincipal(RangerPrincipal.PrincipalType.USER, x), policyItemAccessTypes, policyItemConditionValues))); + policyItemUsers.forEach(x -> ret.add(new RangerGrant(new RangerPrincipal(RangerPrincipal.PrincipalType.USER, x), policyItemAccessTypes, policyItemConditionValues))); } if (CollectionUtils.isNotEmpty(policyItemGroups)) { - policyItemGroups.stream().forEach(x -> ret.add(new RangerGrant(new RangerPrincipal(RangerPrincipal.PrincipalType.GROUP, x), policyItemAccessTypes, policyItemConditionValues))); + policyItemGroups.forEach(x -> ret.add(new RangerGrant(new RangerPrincipal(RangerPrincipal.PrincipalType.GROUP, x), policyItemAccessTypes, policyItemConditionValues))); } if (CollectionUtils.isNotEmpty(policyItemRoles)) { - policyItemRoles.stream().forEach(x -> ret.add(new RangerGrant(new RangerPrincipal(RangerPrincipal.PrincipalType.ROLE, x), policyItemAccessTypes, policyItemConditionValues))); + policyItemRoles.forEach(x -> ret.add(new RangerGrant(new RangerPrincipal(RangerPrincipal.PrincipalType.ROLE, x), policyItemAccessTypes, policyItemConditionValues))); } } 
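Review bot: transformPolicyItemsToGrants still returns `null` for an empty input, while filterPolicyItemsByRequest in the same hunk returns `Collections.emptyList()` for its empty case; a List-returning helper that can yield null forces every caller to null-check. Returning `Collections.emptyList()` from the `if (CollectionUtils.isEmpty(policyItems))` guard keeps the two helpers consistent, and the only visible caller, getDataSetGrants, already calls it only on a non-empty list, so nothing observable changes there. The loop body continues into the next hunk.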
@@ -2042,38 +1931,25 @@ List transformPolicyItemsToGrants(List policyItem return ret; } - private RangerPolicyHeader rangerPolicyHeaderOf(RangerPolicy rangerPolicy) { - LOG.debug("==> GdsREST.rangerPolicyHeaderOf(rangerPolicy: {})", rangerPolicy); - - RangerPolicyHeader ret = null; - if (rangerPolicy != null) { - ret = new RangerPolicyHeader(rangerPolicy); - } - - LOG.debug("<== GdsREST.rangerPolicyHeaderOf(rangerPolicy: {}): ret= {}", rangerPolicy, ret); - return ret; - } - - @VisibleForTesting - RangerPolicy updatePolicyWithModifiedGrants(RangerPolicy policy, List rangerGrants) { + @VisibleForTesting + RangerPolicy updatePolicyWithModifiedGrants(RangerPolicy policy, List rangerGrants) { LOG.debug("==> GdsREST.updatePolicyWithModifiedGrants(policy: {}, rangerGrants: {})", policy, rangerGrants); try { - List policyItems = policy.getPolicyItems(); + List policyItems = policy.getPolicyItems(); List policyItemsToUpdate = policyItems.stream().map(this::copyOf).collect(Collectors.toList()); - - Set principalsToUpdate = rangerGrants.stream().map(RangerGrant::getPrincipal).collect(Collectors.toSet()); + Set principalsToUpdate = rangerGrants.stream().map(RangerGrant::getPrincipal).collect(Collectors.toSet()); for (RangerPrincipal principal : principalsToUpdate) { List policyItemsToRemove = new ArrayList<>(); - policyItemsToUpdate.stream() - .filter(matchesPrincipalPredicate(principal)) - .forEach(policyItem -> { - removeMatchingPrincipalFromPolicyItem(policyItem, principal); - if (isPolicyItemEmpty(policyItem)) { - policyItemsToRemove.add(policyItem); - } - - }); + + policyItemsToUpdate.stream().filter(matchesPrincipalPredicate(principal)).forEach(policyItem -> { + removeMatchingPrincipalFromPolicyItem(policyItem, principal); + + if (isPolicyItemEmpty(policyItem)) { + policyItemsToRemove.add(policyItem); + } + }); + policyItemsToUpdate.removeAll(policyItemsToRemove); } 
@@ -2092,18 +1968,145 @@ RangerPolicy updatePolicyWithModifiedGrants(RangerPolicy policy, List GdsREST.getOrCreateDataShare(dataSetId={} serviceId={} zoneId={} serviceName={})", datasetId, serviceId, zoneId, serviceName); + + Long ret; + RangerDataShare rangerDataShare; + RangerDataset rangerDataset = gdsStore.getDataset(datasetId); + String dataShareName = "__dataset_" + datasetId + "__service_" + serviceId + "__zone_" + zoneId; + + SearchFilter filter = new SearchFilter(); + + filter.setParam(SearchFilter.DATA_SHARE_NAME, dataShareName); + + PList dataSharePList = gdsStore.searchDataShares(filter); + List dataShareList = dataSharePList.getList(); + + if (CollectionUtils.isNotEmpty(dataShareList)) { + List rangerDataShares = dataSharePList.getList(); + + rangerDataShare = rangerDataShares.get(0); + ret = rangerDataShare.getId(); + } else { + //Create a DataShare + RangerDataShare dataShare = new RangerDataShare(); + + dataShare.setName(dataShareName); + dataShare.setDescription(dataShareName); + dataShare.setTermsOfUse(rangerDataset.getTermsOfUse()); + dataShare.setService(serviceName); + dataShare.setDefaultAccessTypes(new HashSet<>()); + + rangerDataShare = gdsStore.createDataShare(dataShare); + + //Add DataShare to DataSet + List rangerDataShareInDatasets = new ArrayList<>(); + RangerDataShareInDataset rangerDataShareInDataset = new RangerDataShareInDataset(); + + rangerDataShareInDataset.setDataShareId(rangerDataShare.getId()); + rangerDataShareInDataset.setDatasetId(rangerDataset.getId()); + rangerDataShareInDataset.setStatus(RangerGds.GdsShareStatus.REQUESTED); + rangerDataShareInDatasets.add(rangerDataShareInDataset); + + addDataSharesInDataset(rangerDataset.getId(), rangerDataShareInDatasets); + + ret = rangerDataShare.getId(); + } + + LOG.debug("<== GdsREST.getOrCreateDataShare(RangerDataShare={})", ret); + + return ret; + } + + private Long validateAndGetServiceId(String serviceName) { + Long ret; + + if (serviceName == null || serviceName.isEmpty()) { + 
LOG.error("ServiceName not provided"); + + throw restErrorUtil.createRESTException("ServiceName not provided.", MessageEnums.INVALID_INPUT_DATA); + } + + RangerService service; + + try { + service = serviceDBStore.getServiceByName(serviceName); + ret = service.getId(); + } catch (Exception e) { + LOG.error("Requested Service not found. serviceName={}", serviceName); + + throw restErrorUtil.createRESTException("Service:" + serviceName + " not found", MessageEnums.DATA_NOT_FOUND); + } + + if (service == null) { + LOG.error("Requested Service not found. serviceName={}", serviceName); + + throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, RangerServiceNotFoundException.buildExceptionMsg(serviceName), false); + } + + if (!service.getIsEnabled()) { + LOG.error("Requested Service is disabled. serviceName={}", serviceName); + + throw restErrorUtil.createRESTException("Unauthorized access.", MessageEnums.OPER_NOT_ALLOWED_FOR_STATE); + } + + return ret; + } + + private Long validateAndGetZoneId(String zoneName) { + Long ret = RangerSecurityZone.RANGER_UNZONED_SECURITY_ZONE_ID; + + if (zoneName == null || zoneName.isEmpty()) { + return ret; + } + + RangerSecurityZone rangerSecurityZone; + + try { + rangerSecurityZone = serviceDBStore.getSecurityZone(zoneName); + ret = rangerSecurityZone.getId(); + } catch (Exception e) { + LOG.error("Requested Zone not found. ZoneName={}", zoneName); + + throw restErrorUtil.createRESTException("Zone:" + zoneName + " not found", MessageEnums.DATA_NOT_FOUND); + } + + if (rangerSecurityZone == null) { + LOG.error("Requested Zone not found. 
ZoneName={}", zoneName); + + throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, RangerServiceNotFoundException.buildExceptionMsg(zoneName), false); + } + + return ret; + } + + private RangerPolicyHeader rangerPolicyHeaderOf(RangerPolicy rangerPolicy) { + LOG.debug("==> GdsREST.rangerPolicyHeaderOf(rangerPolicy: {})", rangerPolicy); + + RangerPolicyHeader ret = null; + + if (rangerPolicy != null) { + ret = new RangerPolicyHeader(rangerPolicy); + } + + LOG.debug("<== GdsREST.rangerPolicyHeaderOf(rangerPolicy: {}): ret= {}", rangerPolicy, ret); + + return ret; + } + private boolean isPolicyItemEmpty(RangerPolicyItem policyItem) { - return CollectionUtils.isEmpty(policyItem.getUsers()) && - CollectionUtils.isEmpty(policyItem.getGroups()) && - CollectionUtils.isEmpty(policyItem.getRoles()); + return CollectionUtils.isEmpty(policyItem.getUsers()) && CollectionUtils.isEmpty(policyItem.getGroups()) && CollectionUtils.isEmpty(policyItem.getRoles()); } private void removeMatchingPrincipalFromPolicyItem(RangerPolicyItem policyItem, RangerPrincipal principal) { - String principalName = principal.getName(); + String principalName = principal.getName(); PrincipalType principalType = principal.getType(); if (principalType == PrincipalType.USER && policyItem.getUsers() != null) { 
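Review bot: In validateAndGetServiceId the `if (service == null)` branch is unreachable: `ret = service.getId();` sits inside the try, so a null result throws a NullPointerException that `catch (Exception e)` converts into the generic DATA_NOT_FOUND error, and the dedicated SC_NOT_FOUND response and its log line never fire. Moving `ret = service.getId();` to after the `!service.getIsEnabled()` check, and passing the exception to the logger — `LOG.error("Requested Service not found. serviceName={}", serviceName, e);` — restores the intended 404 and keeps the cause for incident analysis. validateAndGetZoneId has the same shape, and additionally builds its 404 text with `RangerServiceNotFoundException.buildExceptionMsg(zoneName)`, which words a missing zone as a missing service. Whether getServiceByName/getSecurityZone return null or throw for an unknown name is not visible here; the dead-branch observation rests on the null check the code itself performs after the try.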
@@ -2122,20 +2125,16 @@ private RangerPolicyItem transformGrantToPolicyItem(RangerGrant grant) { return null; } - RangerPolicyItem policyItem = new RangerPolicyItem(); + RangerPolicyItem policyItem = new RangerPolicyItem(); + List permissions = grant.getAccessTypes(); + List conditions = grant.getConditions(); - List permissions = grant.getAccessTypes(); if (CollectionUtils.isNotEmpty(permissions)) { - policyItem.setAccesses(permissions.stream() - .map(accessType -> new RangerPolicyItemAccess(accessType, true)) - .collect(Collectors.toList())); + policyItem.setAccesses(permissions.stream().map(accessType -> new RangerPolicyItemAccess(accessType, true)).collect(Collectors.toList())); } - List conditions = grant.getConditions(); if (CollectionUtils.isNotEmpty(conditions)) { - policyItem.setConditions(conditions.stream() - .map(condition -> new RangerPolicyItemCondition(GDS_POLICY_EXPR_CONDITION, Collections.singletonList(condition))) - .collect(Collectors.toList())); + policyItem.setConditions(conditions.stream().map(condition -> new RangerPolicyItemCondition(GDS_POLICY_EXPR_CONDITION, Collections.singletonList(condition))).collect(Collectors.toList())); } switch (grant.getPrincipal().getType()) { @@ -2156,7 +2155,7 @@ private RangerPolicyItem transformGrantToPolicyItem(RangerGrant grant) { } private Predicate matchesPrincipalPredicate(RangerPrincipal principal) { - String principalName = principal.getName(); + String principalName = principal.getName(); PrincipalType principalType = principal.getType(); return policyItem -> { 
@@ -2182,24 +2181,21 @@ private Predicate filterByPrincipalsPredicate(String[] filteri } Map> principalCriteriaMap = new HashMap<>(); + for (String principal : filteringPrincipals) { - String[] parts = principal.split(":"); - String principalType = parts.length > 1 ? parts[0] : DEFAULT_PRINCIPAL_TYPE; - String principalName = parts.length > 1 ? parts[1] : parts[0]; + String[] parts = principal.split(":"); + String principalType = parts.length > 1 ? parts[0] : DEFAULT_PRINCIPAL_TYPE; + String principalName = parts.length > 1 ? parts[1] : parts[0]; - principalCriteriaMap - .computeIfAbsent(principalType.toLowerCase(), k -> new HashSet<>()) - .add(principalName); + principalCriteriaMap.computeIfAbsent(principalType.toLowerCase(), k -> new HashSet<>()).add(principalName); } return policyItem -> { - Set users = principalCriteriaMap.getOrDefault(PRINCIPAL_TYPE_USER, Collections.emptySet()); + Set users = principalCriteriaMap.getOrDefault(PRINCIPAL_TYPE_USER, Collections.emptySet()); Set groups = principalCriteriaMap.getOrDefault(PRINCIPAL_TYPE_GROUP, Collections.emptySet()); - Set roles = principalCriteriaMap.getOrDefault(PRINCIPAL_TYPE_ROLE, Collections.emptySet()); + Set roles = principalCriteriaMap.getOrDefault(PRINCIPAL_TYPE_ROLE, Collections.emptySet()); - return (policyItem.getUsers() != null && policyItem.getUsers().stream().anyMatch(users::contains)) || - (policyItem.getGroups() != null && policyItem.getGroups().stream().anyMatch(groups::contains)) || - (policyItem.getRoles() != null && policyItem.getRoles().stream().anyMatch(roles::contains)); + return (policyItem.getUsers() != null && policyItem.getUsers().stream().anyMatch(users::contains)) || (policyItem.getGroups() != null && policyItem.getGroups().stream().anyMatch(groups::contains)) || (policyItem.getRoles() != null && policyItem.getRoles().stream().anyMatch(roles::contains)); }; } 
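Review bot: `principal.split(":")` in filterByPrincipalsPredicate discards everything after the second colon, so a query such as `principal=user:a:b` filters on `a` and silently ignores the rest; `String[] parts = principal.split(":", 2);` keeps the full name after the type prefix. The prefix is also lower-cased with the default locale (`principalType.toLowerCase()`); `toLowerCase(Locale.ROOT)` avoids locale-dependent matching against the PRINCIPAL_TYPE_* keys. The method's opening null/empty guard is outside the hunk.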
@@ -2209,18 +2205,19 @@ private Predicate filterByAccessTypesPredicate(String[] filter } Set accessTypeSet = new HashSet<>(Arrays.asList(filteringAccessTypes)); - return policyItem -> policyItem.getAccesses().stream() - .anyMatch(access -> accessTypeSet.contains(access.getType())); + + return policyItem -> policyItem.getAccesses().stream().anyMatch(access -> accessTypeSet.contains(access.getType())); } private RangerPolicyItem copyOf(RangerPolicyItem policyItem) { RangerPolicyItem copy = new RangerPolicyItem(); + copy.setAccesses(new ArrayList<>(policyItem.getAccesses())); copy.setUsers(new ArrayList<>(policyItem.getUsers())); copy.setGroups(new ArrayList<>(policyItem.getGroups())); copy.setRoles(new ArrayList<>(policyItem.getRoles())); copy.setConditions(new ArrayList<>(policyItem.getConditions())); - copy.setDelegateAdmin(new Boolean(policyItem.getDelegateAdmin())); + copy.setDelegateAdmin(policyItem.getDelegateAdmin()); return copy; } diff --git a/security-admin/src/main/java/org/apache/ranger/rest/MetricsREST.java b/security-admin/src/main/java/org/apache/ranger/rest/MetricsREST.java index b34a795b42..c4ab05dd53 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/MetricsREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/MetricsREST.java @@ -19,16 +19,6 @@ package org.apache.ranger.rest; -import java.lang.management.ManagementFactory; -import java.lang.management.RuntimeMXBean; -import java.util.LinkedHashMap; -import java.util.Map; - -import javax.ws.rs.GET; -import javax.ws.rs.Path; -import javax.ws.rs.Produces; -import javax.ws.rs.core.MediaType; - import org.apache.ranger.metrics.RangerAdminMetricsWrapper; import org.apache.ranger.plugin.model.RangerMetrics; import org.apache.ranger.util.RangerMetricsUtil; 
@@ -40,17 +30,28 @@ import org.springframework.transaction.annotation.Propagation; import org.springframework.transaction.annotation.Transactional; +import javax.ws.rs.GET; +import javax.ws.rs.Path; +import javax.ws.rs.Produces; +import javax.ws.rs.core.MediaType; + +import java.lang.management.ManagementFactory; +import java.lang.management.RuntimeMXBean; +import java.util.LinkedHashMap; +import java.util.Map; + @Path("metrics") @Component @Scope("request") @Transactional(propagation = Propagation.REQUIRES_NEW) public class MetricsREST { private static final Logger LOG = LoggerFactory.getLogger(MetricsREST.class); - private static final RuntimeMXBean RUNTIME = ManagementFactory.getRuntimeMXBean(); - private static final String JVM_MACHINE_ACTUAL_NAME = RUNTIME.getVmName(); - private static final String VERSION = RUNTIME.getVmVersion(); - private static final String JVM_MACHINE_REPRESENTATION_NAME = RUNTIME.getName(); - private static final String JVM_VENDOR_NAME = RUNTIME.getVmVendor(); + + private static final RuntimeMXBean RUNTIME = ManagementFactory.getRuntimeMXBean(); + private static final String JVM_MACHINE_ACTUAL_NAME = RUNTIME.getVmName(); + private static final String VERSION = RUNTIME.getVmVersion(); + private static final String JVM_MACHINE_REPRESENTATION_NAME = RUNTIME.getName(); + private static final String JVM_VENDOR_NAME = RUNTIME.getVmVendor(); @Autowired RangerMetricsUtil jvmMetricUtil; 
@@ -60,25 +61,23 @@ public class MetricsREST { @GET @Path("/status") - @Produces({ "application/json" }) + @Produces("application/json") public RangerMetrics getStatus() { - if (LOG.isDebugEnabled()) { - LOG.debug("==> MetricsREST.getStatus()"); - } + LOG.debug("==> MetricsREST.getStatus()"); - Map jvm = new LinkedHashMap<>(); + Map jvm = new LinkedHashMap<>(); Map vmDetails = new LinkedHashMap<>(); + vmDetails.put("JVM Machine Actual Name", JVM_MACHINE_ACTUAL_NAME); vmDetails.put("version", VERSION); vmDetails.put("JVM Machine Representation Name", JVM_MACHINE_REPRESENTATION_NAME); vmDetails.put("Up time of JVM", RUNTIME.getUptime()); vmDetails.put("JVM Vendor Name", JVM_VENDOR_NAME); vmDetails.putAll(jvmMetricUtil.getValues()); - jvm.put("jvm",vmDetails); - if (LOG.isDebugEnabled()) { - LOG.debug("<== MetricsREST.getStatus(): jvm=" + jvm); - } + jvm.put("jvm", vmDetails); + + LOG.debug("<== MetricsREST.getStatus(): jvm={}", jvm); return new RangerMetrics(jvm); } @@ -87,19 +86,18 @@ public RangerMetrics getStatus() { @Path("/prometheus") @Produces(MediaType.TEXT_PLAIN) public String getMetricsPrometheus() { - if (LOG.isDebugEnabled()) { - LOG.debug("==> MetricsREST.getMetricsPrometheus()"); - } + LOG.debug("==> MetricsREST.getMetricsPrometheus()"); + String ret = ""; + try { ret = rangerAdminMetricsWrapper.getRangerMetricsInPrometheusFormat(); } catch (Exception e) { LOG.error("MetricsREST.getMetricsPrometheus(): Exception occurred while getting metric.", e); } - if (LOG.isDebugEnabled()) { - LOG.debug("<== MetricsREST.getMetricsPrometheus(): ret=" + ret); - } + LOG.debug("<== MetricsREST.getMetricsPrometheus(): ret={}", ret); + return ret; } 
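Review bot: `getStatus()` returns `RUNTIME.getName()` (on HotSpot typically `pid@hostname`), the JVM vendor and the exact VM version to whoever can reach `/metrics/status`, and no authorization annotation is visible on the method, unlike the `@PreAuthorize("hasRole('ROLE_SYS_ADMIN')")` used on other endpoints in this change. If the endpoint is not restricted elsewhere in the security configuration, this hands out host and version fingerprinting data to unauthenticated callers. Confirm the path is protected, or add `@PreAuthorize("hasRole('ROLE_SYS_ADMIN')")` above `public RangerMetrics getStatus()`. The class header lies outside this hunk.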
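Review bot: In `getMetricsPrometheus()` the catch-all still converts any failure into an empty 200 response (`ret = ""`), so a scraper records a successful but empty scrape and the outage is visible only in the server log. Prefer surfacing the failure to the caller, e.g. rethrow as a REST error via the project's error helper if one is wired into this class, or respond with a 5xx. Also, `LOG.debug("<== MetricsREST.getMetricsPrometheus(): ret={}", ret)` dumps the entire metrics payload on every scrape when debug is enabled; logging `ret.length()` is sufficient. The method is complete within the hunk.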
@@ -107,20 +105,18 @@ public String getMetricsPrometheus() { @Path("/json") @Produces(MediaType.APPLICATION_JSON) public Map> getMetricsJson() { - if (LOG.isDebugEnabled()) { - LOG.debug("==> MetricsREST.getMetricsJson()"); - } + LOG.debug("==> MetricsREST.getMetricsJson()"); Map> ret = null; + try { ret = rangerAdminMetricsWrapper.getRangerMetrics(); } catch (Exception e) { LOG.error("MetricsREST.getMetricsJson(): Exception occurred while getting metric.", e); } - if (LOG.isDebugEnabled()) { - LOG.debug("<== MetricsREST.getMetricsJson(): ret=" + ret); - } + LOG.debug("<== MetricsREST.getMetricsJson(): ret={}", ret); + return ret; } } diff --git a/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIs.java b/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIs.java index b7735e7155..5d11e97a4a 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIs.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIs.java @@ -19,7 +19,11 @@ package org.apache.ranger.rest; -import org.apache.ranger.common.*; +import org.apache.ranger.common.MessageEnums; +import org.apache.ranger.common.RESTErrorUtil; +import org.apache.ranger.common.RangerSearchUtil; +import org.apache.ranger.common.ServiceUtil; +import org.apache.ranger.common.StringUtil; import org.apache.ranger.common.annotation.RangerAnnotationClassName; import org.apache.ranger.common.annotation.RangerAnnotationJSMgrName; import org.apache.ranger.db.RangerDaoManager; 
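Review bot: `getMetricsJson()` returns `null` when `rangerAdminMetricsWrapper.getRangerMetrics()` throws, so the client gets a `null`/empty JSON body with a success status and no indication that metrics collection failed. This mirrors the swallow-and-return pattern in `getMetricsPrometheus()`; either propagate a REST error or return an empty map (`ret = new LinkedHashMap<>()` in the catch) so consumers need not null-check. The trailing `LOG.debug("<== ...: ret={}", ret)` likewise logs the full payload per request when debug is on. The method is complete within the hunk.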
@@ -30,7 +34,13 @@ import org.apache.ranger.plugin.util.SearchFilter; import org.apache.ranger.service.RangerPolicyService; import org.apache.ranger.service.XAssetService; -import org.apache.ranger.view.*; +import org.apache.ranger.view.VXAsset; +import org.apache.ranger.view.VXLong; +import org.apache.ranger.view.VXPolicy; +import org.apache.ranger.view.VXPolicyList; +import org.apache.ranger.view.VXRepository; +import org.apache.ranger.view.VXRepositoryList; +import org.apache.ranger.view.VXResource; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; @@ -42,7 +52,14 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import javax.ws.rs.*; +import javax.ws.rs.Consumes; +import javax.ws.rs.DELETE; +import javax.ws.rs.GET; +import javax.ws.rs.POST; +import javax.ws.rs.PUT; +import javax.ws.rs.Path; +import javax.ws.rs.PathParam; +import javax.ws.rs.Produces; import javax.ws.rs.core.Context; import java.util.List; 
@@ -53,352 +70,276 @@ @RangerAnnotationJSMgrName("PublicMgr") @Transactional(propagation = Propagation.REQUIRES_NEW) public class PublicAPIs { - private static final Logger logger = LoggerFactory.getLogger(PublicAPIs.class); - - @Autowired - RangerSearchUtil searchUtil; - - @Autowired - XAssetService xAssetService; - - @Autowired - RangerPolicyService policyService; - - @Autowired - StringUtil stringUtil; - - @Autowired - ServiceUtil serviceUtil; - - @Autowired - ServiceREST serviceREST; - - @Autowired - RangerDaoManager daoMgr; - - @Autowired - RESTErrorUtil restErrorUtil; - - @Autowired - AssetREST assetREST; - - @GET - @Path("/api/repository/{id}") - @Produces({ "application/json" }) - public VXRepository getRepository(@PathParam("id") Long id) { - if(logger.isDebugEnabled()) { - logger.debug("==> PublicAPIs.getRepository(" + id + ")"); - } - - RangerService service = serviceREST.getService(id); - - VXRepository ret = serviceUtil.toVXRepository(service); - - if(logger.isDebugEnabled()) { - logger.debug("<= PublicAPIs.getRepository(" + id + ")"); - } - return ret; - } - - - @POST - @Path("/api/repository/") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public VXRepository createRepository(VXRepository vXRepository) { - if(logger.isDebugEnabled()) { - logger.debug("==> PublicAPIs.createRepository(" + vXRepository + ")"); - } - - VXAsset vXAsset = serviceUtil.publicObjecttoVXAsset(vXRepository); - - RangerService service = serviceUtil.toRangerService(vXAsset); - - RangerService createdService = serviceREST.createService(service); - - VXAsset retvXAsset = serviceUtil.toVXAsset(createdService); - - VXRepository ret = serviceUtil.vXAssetToPublicObject(retvXAsset); - - if(logger.isDebugEnabled()) { - logger.debug("<== PublicAPIs.createRepository(" + ret + ")"); - } - - return ret; - } - - - @PUT - @Path("/api/repository/{id}") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public VXRepository 
updateRepository(VXRepository vXRepository, - @PathParam("id") Long id) { - - if(logger.isDebugEnabled()) { - logger.debug("==> PublicAPIs.updateRepository(" + id + ")"); - } - - XXService existing = daoMgr.getXXService().getById(id); - if(existing == null) { - throw restErrorUtil.createRESTException("Repository not found for Id: " + id, MessageEnums.DATA_NOT_FOUND); - } - - vXRepository.setId(id); - - VXAsset vXAsset = serviceUtil.publicObjecttoVXAsset(vXRepository); - - RangerService service = serviceUtil.toRangerService(vXAsset); - service.setVersion(existing.getVersion()); - - RangerService updatedService = serviceREST.updateService(service, null); - - VXAsset retvXAsset = serviceUtil.toVXAsset(updatedService); - - VXRepository ret = serviceUtil.vXAssetToPublicObject(retvXAsset); - - if(logger.isDebugEnabled()) { - logger.debug("<== PublicAPIs.updateRepository(" + ret + ")"); - } - - return ret; - } - - - @DELETE - @Path("/api/repository/{id}") - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - @RangerAnnotationClassName(class_name = VXAsset.class) - public void deleteRepository(@PathParam("id") Long id, - @Context HttpServletRequest request) { - - if(logger.isDebugEnabled()) { - logger.debug("==> PublicAPIs.deleteRepository(" + id + ")"); - } - - serviceREST.deleteService(id); - - if(logger.isDebugEnabled()) { - logger.debug("<== PublicAPIs.deleteRepository(" + id + ")"); - } - } - - @GET - @Path("/api/repository/") - @Produces({ "application/json" }) - public VXRepositoryList searchRepositories( - @Context HttpServletRequest request) { - - if(logger.isDebugEnabled()) { - logger.debug("==> PublicAPIs.searchRepositories()"); - } - - SearchFilter filter = searchUtil.getSearchFilterFromLegacyRequestForRepositorySearch(request, xAssetService.sortFields); - - List serviceList = serviceREST.getServices(filter); - - VXRepositoryList ret = null; - - if (serviceList != null) { - ret = serviceUtil.rangerServiceListToPublicObjectList(serviceList); - } - - 
if(logger.isDebugEnabled()) { - logger.debug("<== PublicAPIs.searchRepositories(): count=" + (ret == null ? 0 : ret.getListSize())); - } - - return ret; - } - - - @GET - @Path("/api/repository/count") - @Produces({ "application/json" }) - public VXLong countRepositories(@Context HttpServletRequest request) { - - if(logger.isDebugEnabled()) { - logger.debug("==> PublicAPIs.countRepositories()"); - } - - VXLong ret = assetREST.countXAssets(request); - - if(logger.isDebugEnabled()) { - logger.debug("<== PublicAPIs.countRepositories(): count=" + ret); - } - - return ret; - } - - - - @GET - @Path("/api/policy/{id}") - @Produces({ "application/json" }) - public VXPolicy getPolicy(@PathParam("id") Long id) { - - if(logger.isDebugEnabled()) { - logger.debug("==> PublicAPIs.getPolicy() " + id); - } - - RangerPolicy policy = null; - RangerService service = null; - - policy = serviceREST.getPolicy(id); - - if(policy != null) { - service = serviceREST.getServiceByName(policy.getService()); - } - - VXPolicy ret = serviceUtil.toVXPolicy(policy, service); - - if(logger.isDebugEnabled()) { - logger.debug("<== PublicAPIs.getPolicy()" + ret); - } - - return ret; - } - - - @POST - @Path("/api/policy") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public VXPolicy createPolicy(VXPolicy vXPolicy) { - - if(logger.isDebugEnabled()) { - logger.debug("==> PublicAPIs.createPolicy()"); - } - - if(vXPolicy == null) { - throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, "Policy object is null in create policy api", false); - } - RangerService service = serviceREST.getServiceByName(vXPolicy.getRepositoryName()); - RangerPolicy policy = serviceUtil.toRangerPolicy(vXPolicy,service); - - VXPolicy ret = null; - if(policy != null) { - if(logger.isDebugEnabled()) { - logger.debug("RANGERPOLICY: " + policy.toString()); - } - - RangerPolicy createdPolicy = serviceREST.createPolicy(policy,null); - - ret = serviceUtil.toVXPolicy(createdPolicy, service); 
- } - - if(logger.isDebugEnabled()) { - logger.debug("<== PublicAPIs.createPolicy(" + policy + "): " + ret); - } - - return ret; - } - - @PUT - @Path("/api/policy/{id}") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public VXPolicy updatePolicy(VXPolicy vXPolicy, @PathParam("id") Long id) { - - if(logger.isDebugEnabled()) { - logger.debug("==> PublicAPIs.updatePolicy(): " + vXPolicy ); - } - - if(vXPolicy == null) { - throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, "Policy object is null in update policy api", false); - } - - XXPolicy existing = daoMgr.getXXPolicy().getById(id); - if(existing == null) { - throw restErrorUtil.createRESTException("Policy not found for Id: " + id, MessageEnums.DATA_NOT_FOUND); - } - - vXPolicy.setId(id); - - RangerService service = serviceREST.getServiceByName(vXPolicy.getRepositoryName()); - RangerPolicy policy = serviceUtil.toRangerPolicy(vXPolicy,service); - - VXPolicy ret = null; - if(policy != null) { - policy.setVersion(existing.getVersion()); - - RangerPolicy updatedPolicy = serviceREST.updatePolicy(policy, policy.getId()); - - ret = serviceUtil.toVXPolicy(updatedPolicy, service); - } - - if(logger.isDebugEnabled()) { - logger.debug("<== PublicAPIs.updatePolicy(" + policy + "): " + ret); - } - - return ret; - } - - @DELETE - @Path("/api/policy/{id}") - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - @RangerAnnotationClassName(class_name = VXResource.class) - public void deletePolicy(@PathParam("id") Long id, - @Context HttpServletRequest request) { - - if(logger.isDebugEnabled()) { - logger.debug("==> PublicAPIs.deletePolicy(): " + id ); - } - - serviceREST.deletePolicy(id); - - if(logger.isDebugEnabled()) { - logger.debug("<== PublicAPIs.deletePolicy(): " + id ); - } - } - - @GET - @Path("/api/policy") - @Produces({ "application/json" }) - public VXPolicyList searchPolicies(@Context HttpServletRequest request) { - - if(logger.isDebugEnabled()) { - logger.debug("==> 
PublicAPIs.searchPolicies(): "); - } - - SearchFilter filter = searchUtil.getSearchFilterFromLegacyRequest(request, policyService.sortFields); - // get all policies from the store; pick the page to return after applying filter - int savedStartIndex = filter.getStartIndex(); - int savedMaxRows = filter.getMaxRows(); - - filter.setStartIndex(0); - filter.setMaxRows(Integer.MAX_VALUE); - - List rangerPolicyList = serviceREST.getPolicies(filter); - - filter.setStartIndex(savedStartIndex); - filter.setMaxRows(savedMaxRows); - - VXPolicyList vXPolicyList = null; - if (rangerPolicyList != null) { - vXPolicyList = serviceUtil.rangerPolicyListToPublic(rangerPolicyList,filter); - } - if(logger.isDebugEnabled()) { - logger.debug("<== PublicAPIs.searchPolicies(): " + vXPolicyList ); - } - return vXPolicyList; - } - - @GET - @Path("/api/policy/count") - @Produces({ "application/json" }) - public VXLong countPolicies(@Context HttpServletRequest request) { - - if(logger.isDebugEnabled()) { - logger.debug("==> PublicAPIs.countPolicies(): "); - } - - VXLong ret = assetREST.countXResources(request); - - if(logger.isDebugEnabled()) { - logger.debug("<== PublicAPIs.countPolicies(): " + ret); - } - - return ret; - } + private static final Logger logger = LoggerFactory.getLogger(PublicAPIs.class); + @Autowired + RangerSearchUtil searchUtil; + + @Autowired + XAssetService xAssetService; + + @Autowired + RangerPolicyService policyService; + + @Autowired + StringUtil stringUtil; + + @Autowired + ServiceUtil serviceUtil; + + @Autowired + ServiceREST serviceREST; + + @Autowired + RangerDaoManager daoMgr; + + @Autowired + RESTErrorUtil restErrorUtil; + + @Autowired + AssetREST assetREST; + + @GET + @Path("/api/repository/{id}") + @Produces("application/json") + public VXRepository getRepository(@PathParam("id") Long id) { + logger.debug("==> PublicAPIs.getRepository({})", id); + + RangerService service = serviceREST.getService(id); + VXRepository ret = serviceUtil.toVXRepository(service); + + 
logger.debug("<= PublicAPIs.getRepository({})", id); + + return ret; + } + + @POST + @Path("/api/repository/") + @Consumes("application/json") + @Produces("application/json") + public VXRepository createRepository(VXRepository vXRepository) { + logger.debug("==> PublicAPIs.createRepository({})", vXRepository); + + VXAsset vXAsset = serviceUtil.publicObjecttoVXAsset(vXRepository); + RangerService service = serviceUtil.toRangerService(vXAsset); + RangerService createdService = serviceREST.createService(service); + VXAsset retvXAsset = serviceUtil.toVXAsset(createdService); + VXRepository ret = serviceUtil.vXAssetToPublicObject(retvXAsset); + + logger.debug("<== PublicAPIs.createRepository({})", ret); + + return ret; + } + + @PUT + @Path("/api/repository/{id}") + @Consumes("application/json") + @Produces("application/json") + public VXRepository updateRepository(VXRepository vXRepository, @PathParam("id") Long id) { + logger.debug("==> PublicAPIs.updateRepository({})", id); + + XXService existing = daoMgr.getXXService().getById(id); + + if (existing == null) { + throw restErrorUtil.createRESTException("Repository not found for Id: " + id, MessageEnums.DATA_NOT_FOUND); + } + + vXRepository.setId(id); + + VXAsset vXAsset = serviceUtil.publicObjecttoVXAsset(vXRepository); + RangerService service = serviceUtil.toRangerService(vXAsset); + + service.setVersion(existing.getVersion()); + + RangerService updatedService = serviceREST.updateService(service, null); + VXAsset retvXAsset = serviceUtil.toVXAsset(updatedService); + VXRepository ret = serviceUtil.vXAssetToPublicObject(retvXAsset); + + logger.debug("<== PublicAPIs.updateRepository({})", ret); + + return ret; + } + + @DELETE + @Path("/api/repository/{id}") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + @RangerAnnotationClassName(class_name = VXAsset.class) + public void deleteRepository(@PathParam("id") Long id, @Context HttpServletRequest request) { + logger.debug("==> PublicAPIs.deleteRepository({})", id); + + 
serviceREST.deleteService(id); + + logger.debug("<== PublicAPIs.deleteRepository({})", id); + } + + @GET + @Path("/api/repository/") + @Produces("application/json") + public VXRepositoryList searchRepositories(@Context HttpServletRequest request) { + logger.debug("==> PublicAPIs.searchRepositories()"); + + SearchFilter filter = searchUtil.getSearchFilterFromLegacyRequestForRepositorySearch(request, xAssetService.sortFields); + List serviceList = serviceREST.getServices(filter); + VXRepositoryList ret = null; + + if (serviceList != null) { + ret = serviceUtil.rangerServiceListToPublicObjectList(serviceList); + } + + logger.debug("<== PublicAPIs.searchRepositories(): count={}", (ret == null ? 0 : ret.getListSize())); + + return ret; + } + + @GET + @Path("/api/repository/count") + @Produces("application/json") + public VXLong countRepositories(@Context HttpServletRequest request) { + logger.debug("==> PublicAPIs.countRepositories()"); + + VXLong ret = assetREST.countXAssets(request); + + logger.debug("<== PublicAPIs.countRepositories(): count={}", ret); + + return ret; + } + + @GET + @Path("/api/policy/{id}") + @Produces("application/json") + public VXPolicy getPolicy(@PathParam("id") Long id) { + logger.debug("==> PublicAPIs.getPolicy() {}", id); + + RangerService service = null; + RangerPolicy policy = serviceREST.getPolicy(id); + + if (policy != null) { + service = serviceREST.getServiceByName(policy.getService()); + } + + VXPolicy ret = serviceUtil.toVXPolicy(policy, service); + + logger.debug("<== PublicAPIs.getPolicy(){}", ret); + + return ret; + } + + @POST + @Path("/api/policy") + @Consumes("application/json") + @Produces("application/json") + public VXPolicy createPolicy(VXPolicy vXPolicy) { + logger.debug("==> PublicAPIs.createPolicy()"); + + if (vXPolicy == null) { + throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, "Policy object is null in create policy api", false); + } + + RangerService service = 
serviceREST.getServiceByName(vXPolicy.getRepositoryName()); + RangerPolicy policy = serviceUtil.toRangerPolicy(vXPolicy, service); + + VXPolicy ret = null; + if (policy != null) { + logger.debug("RangerPolicy: {}", policy); + + RangerPolicy createdPolicy = serviceREST.createPolicy(policy, null); + + ret = serviceUtil.toVXPolicy(createdPolicy, service); + } + + logger.debug("<== PublicAPIs.createPolicy({}): {}", policy, ret); + + return ret; + } + + @PUT + @Path("/api/policy/{id}") + @Consumes("application/json") + @Produces("application/json") + public VXPolicy updatePolicy(VXPolicy vXPolicy, @PathParam("id") Long id) { + logger.debug("==> PublicAPIs.updatePolicy(): {}", vXPolicy); + + if (vXPolicy == null) { + throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, "Policy object is null in update policy api", false); + } + + XXPolicy existing = daoMgr.getXXPolicy().getById(id); + + if (existing == null) { + throw restErrorUtil.createRESTException("Policy not found for Id: " + id, MessageEnums.DATA_NOT_FOUND); + } + + vXPolicy.setId(id); + + RangerService service = serviceREST.getServiceByName(vXPolicy.getRepositoryName()); + RangerPolicy policy = serviceUtil.toRangerPolicy(vXPolicy, service); + + VXPolicy ret = null; + if (policy != null) { + policy.setVersion(existing.getVersion()); + + RangerPolicy updatedPolicy = serviceREST.updatePolicy(policy, policy.getId()); + + ret = serviceUtil.toVXPolicy(updatedPolicy, service); + } + + logger.debug("<== PublicAPIs.updatePolicy({}):{}", policy, ret); + + return ret; + } + + @DELETE + @Path("/api/policy/{id}") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + @RangerAnnotationClassName(class_name = VXResource.class) + public void deletePolicy(@PathParam("id") Long id, @Context HttpServletRequest request) { + logger.debug("==> PublicAPIs.deletePolicy(): {}", id); + + serviceREST.deletePolicy(id); + + logger.debug("<== PublicAPIs.deletePolicy(): {}", id); + } + + @GET + @Path("/api/policy") + 
@Produces("application/json") + public VXPolicyList searchPolicies(@Context HttpServletRequest request) { + logger.debug("==> PublicAPIs.searchPolicies(): "); + + SearchFilter filter = searchUtil.getSearchFilterFromLegacyRequest(request, policyService.sortFields); + + // get all policies from the store; pick the page to return after applying filter + int savedStartIndex = filter.getStartIndex(); + int savedMaxRows = filter.getMaxRows(); + + filter.setStartIndex(0); + filter.setMaxRows(Integer.MAX_VALUE); + + List rangerPolicyList = serviceREST.getPolicies(filter); + + filter.setStartIndex(savedStartIndex); + filter.setMaxRows(savedMaxRows); + + VXPolicyList vXPolicyList = null; + + if (rangerPolicyList != null) { + vXPolicyList = serviceUtil.rangerPolicyListToPublic(rangerPolicyList, filter); + } + + logger.debug("<== PublicAPIs.searchPolicies(): {}", vXPolicyList); + return vXPolicyList; + } + + @GET + @Path("/api/policy/count") + @Produces("application/json") + public VXLong countPolicies(@Context HttpServletRequest request) { + logger.debug("==> PublicAPIs.countPolicies(): "); + + VXLong ret = assetREST.countXResources(request); + + logger.debug("<== PublicAPIs.countPolicies(): {}", ret); + + return ret; + } } diff --git a/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java b/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java index d9a2140998..7b1eb7fe7d 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java 
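Review bot: `createRepository` logs the entire incoming object at debug (`logger.debug("==> PublicAPIs.createRepository({})", vXRepository)`); a repository definition in Ranger carries the service connection config, which commonly includes a password, so unless `VXRepository.toString()` masks that config this writes credentials to the admin log whenever debug is enabled. The exposure predates this commit, but since the line is being rewritten, log only a non-sensitive identifier (the repository name, via whatever accessor VXRepository exposes) rather than the whole object; `updatePolicy`'s entry log of `vXPolicy` deserves the same treatment. Separately, `searchPolicies` still fetches every policy with `filter.setMaxRows(Integer.MAX_VALUE)` before paging in memory — existing behaviour, but worth a comment on the cost for large installs. The hunk covers the whole class body; the class declaration is just outside it.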
@@ -29,14 +29,14 @@ import org.apache.ranger.plugin.model.RangerRole; import org.apache.ranger.plugin.model.RangerSecurityZone; import org.apache.ranger.plugin.model.RangerSecurityZoneHeaderInfo; +import org.apache.ranger.plugin.model.RangerSecurityZoneV2; +import org.apache.ranger.plugin.model.RangerSecurityZoneV2.RangerSecurityZoneChangeRequest; +import org.apache.ranger.plugin.model.RangerSecurityZoneV2.RangerSecurityZoneResource; import org.apache.ranger.plugin.model.RangerService; import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.model.RangerServiceHeaderInfo; import org.apache.ranger.plugin.model.RangerServiceResource; import org.apache.ranger.plugin.model.RangerServiceTags; -import org.apache.ranger.plugin.model.RangerSecurityZoneV2; -import org.apache.ranger.plugin.model.RangerSecurityZoneV2.RangerSecurityZoneChangeRequest; -import org.apache.ranger.plugin.model.RangerSecurityZoneV2.RangerSecurityZoneResource; import org.apache.ranger.plugin.store.PList; import org.apache.ranger.plugin.util.GrantRevokeRoleRequest; import org.apache.ranger.plugin.util.RangerPurgeResult; @@ -66,7 +66,6 @@ import javax.ws.rs.WebApplicationException; import javax.ws.rs.core.Context; -import java.util.ArrayList; import java.util.Collection; import java.util.List; 
@@ -76,933 +75,868 @@ @RangerAnnotationJSMgrName("PublicMgr") @Transactional(propagation = Propagation.REQUIRES_NEW) public class PublicAPIsv2 { - private static final Logger logger = LoggerFactory.getLogger(PublicAPIsv2.class); + private static final Logger logger = LoggerFactory.getLogger(PublicAPIsv2.class); - @Autowired - ServiceREST serviceREST; + @Autowired + ServiceREST serviceREST; - @Autowired - TagREST tagREST; + @Autowired + TagREST tagREST; - @Autowired - SecurityZoneREST securityZoneRest; + @Autowired + SecurityZoneREST securityZoneRest; - @Autowired - RoleREST roleREST; + @Autowired + RoleREST roleREST; - @Autowired - RESTErrorUtil restErrorUtil; + @Autowired + RESTErrorUtil restErrorUtil; @Autowired SecurityZoneDBStore securityZoneStore; - /* - * SecurityZone Creation API - */ - @POST - @Path("/api/zones") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public RangerSecurityZone createSecurityZone(RangerSecurityZone securityZone) { - return securityZoneRest.createSecurityZone(securityZone); - } - - /* - * SecurityZone Manipulation API - */ - @PUT - @Path("/api/zones/{id}") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public RangerSecurityZone updateSecurityZone(@PathParam("id") Long zoneId, RangerSecurityZone securityZone) { - return securityZoneRest.updateSecurityZone(zoneId, securityZone); - } - - @DELETE - @Path("/api/zones/name/{name}") - public void deleteSecurityZone(@PathParam("name") String zoneName) { - securityZoneRest.deleteSecurityZone(zoneName); - } - - @DELETE - @Path("/api/zones/{id}") - public void deleteSecurityZone(@PathParam("id") Long zoneId) { - securityZoneRest.deleteSecurityZone(zoneId); - } - - /* - * API's to Access SecurityZones - */ - @GET - @Path("/api/zones/name/{name}") - @Produces({ "application/json" }) - public RangerSecurityZone getSecurityZone(@PathParam("name") String zoneName) { - return securityZoneRest.getSecurityZone(zoneName); - } - - @GET - 
@Path("/api/zones/{id}") - @Produces({ "application/json"}) - public RangerSecurityZone getSecurityZone(@PathParam("id") Long id) { - return securityZoneRest.getSecurityZone(id); - } - - @GET + /* + * SecurityZone Creation API + */ + @POST + @Path("/api/zones") + @Consumes("application/json") + @Produces("application/json") + public RangerSecurityZone createSecurityZone(RangerSecurityZone securityZone) { + return securityZoneRest.createSecurityZone(securityZone); + } + + /* + * SecurityZone Manipulation API + */ + @PUT + @Path("/api/zones/{id}") + @Consumes("application/json") + @Produces("application/json") + public RangerSecurityZone updateSecurityZone(@PathParam("id") Long zoneId, RangerSecurityZone securityZone) { + return securityZoneRest.updateSecurityZone(zoneId, securityZone); + } + + @DELETE + @Path("/api/zones/name/{name}") + public void deleteSecurityZone(@PathParam("name") String zoneName) { + securityZoneRest.deleteSecurityZone(zoneName); + } + + @DELETE + @Path("/api/zones/{id}") + public void deleteSecurityZone(@PathParam("id") Long zoneId) { + securityZoneRest.deleteSecurityZone(zoneId); + } + + /* + * API's to Access SecurityZones + */ + @GET + @Path("/api/zones/name/{name}") + @Produces("application/json") + public RangerSecurityZone getSecurityZone(@PathParam("name") String zoneName) { + return securityZoneRest.getSecurityZone(zoneName); + } + + @GET + @Path("/api/zones/{id}") + @Produces("application/json") + public RangerSecurityZone getSecurityZone(@PathParam("id") Long id) { + return securityZoneRest.getSecurityZone(id); + } + + @GET @Path("/api/zones") - @Produces({ "application/json"}) - public List getAllZones(@Context HttpServletRequest request){ - return securityZoneRest.getAllZones(request).getSecurityZones(); - } + @Produces("application/json") + public List getAllZones(@Context HttpServletRequest request) { + return securityZoneRest.getAllZones(request).getSecurityZones(); + } /** * Get {@link List} of security zone header info. 
* This API is authorized to every authenticated user. + * * @return {@link List} of {@link RangerSecurityZoneHeaderInfo} if present. */ @GET @Path("/api/zone-headers") - @Produces({ "application/json" }) + @Produces("application/json") public List getSecurityZoneHeaderInfoList(@Context HttpServletRequest request) { - if (logger.isDebugEnabled()) { - logger.debug("==> PublicAPIsv2.getSecurityZoneHeaderInfoList()"); - } + logger.debug("==> PublicAPIsv2.getSecurityZoneHeaderInfoList()"); List ret; + try { ret = securityZoneStore.getSecurityZoneHeaderInfoList(request); } catch (WebApplicationException excp) { throw excp; } catch (Throwable excp) { logger.error("PublicAPIsv2.getSecurityZoneHeaderInfoList() failed", excp); + throw restErrorUtil.createRESTException(excp.getMessage()); } - if (logger.isDebugEnabled()) { - logger.debug("<== PublicAPIsv2.getSecurityZoneHeaderInfoList():" + ret); - } + logger.debug("<== PublicAPIsv2.getSecurityZoneHeaderInfoList():{}", ret); + return ret; } - /** - * Get {@link List} of security zone header info. - * This API is authorized to every authenticated user. - * @param serviceId - * @param isTagService - * @return {@link List} of {@link RangerSecurityZoneHeaderInfo} if present. - */ - @GET - @Path("/api/zones/zone-headers/for-service/{serviceId}") - @Produces({ "application/json" }) - public List getSecurityZoneHeaderInfoListByServiceId(@PathParam("serviceId") Long serviceId, - @DefaultValue("false") @QueryParam("isTagService") Boolean isTagService, - @Context HttpServletRequest request) { - return securityZoneRest.getSecurityZoneHeaderInfoListByServiceId(serviceId,isTagService, request); - } + /** + * Get {@link List} of security zone header info. + * This API is authorized to every authenticated user. + * + * @param serviceId + * @param isTagService + * @return {@link List} of {@link RangerSecurityZoneHeaderInfo} if present. 
+ */ + @GET + @Path("/api/zones/zone-headers/for-service/{serviceId}") + @Produces("application/json") + public List getSecurityZoneHeaderInfoListByServiceId(@PathParam("serviceId") Long serviceId, @DefaultValue("false") @QueryParam("isTagService") Boolean isTagService, @Context HttpServletRequest request) { + return securityZoneRest.getSecurityZoneHeaderInfoListByServiceId(serviceId, isTagService, request); + } /** * Get service header info {@link List} for given zone. * This API is authorized to every authenticated user. + * * @param zoneId * @return {@link List} of {@link RangerServiceHeaderInfo} for given zone if present. */ @GET @Path("/api/zones/{zoneId}/service-headers") - @Produces({ "application/json" }) + @Produces("application/json") public List getServiceHeaderInfoListByZoneId(@PathParam("zoneId") Long zoneId, @Context HttpServletRequest request) { - if (logger.isDebugEnabled()) { - logger.debug("==> PublicAPIsv2.getServiceHeaderInfoListByZoneId({})" + zoneId); - } + logger.debug("==> PublicAPIsv2.getServiceHeaderInfoListByZoneId({})", zoneId); List ret; + try { ret = securityZoneStore.getServiceHeaderInfoListByZoneId(zoneId, request); } catch (WebApplicationException excp) { throw excp; } catch (Throwable excp) { logger.error("PublicAPIsv2.getServiceHeaderInfoListByZoneId() failed", excp); + throw restErrorUtil.createRESTException(excp.getMessage()); } - if (logger.isDebugEnabled()) { - logger.debug("<== PublicAPIsv2.getServiceHeaderInfoListByZoneId():" + ret); + logger.debug("<== PublicAPIsv2.getServiceHeaderInfoListByZoneId():{}", ret); + return ret; + } + + @GET + @Path("/api/zone-names/{serviceName}/resource") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPISpnegoAccessible()") + public Collection getSecurityZoneNamesForResource(@PathParam("serviceName") String serviceName, @Context HttpServletRequest request) { + return securityZoneRest.getZoneNamesForResource(serviceName, request); + } + + @POST + 
@Path("/api/zones-v2") + @Consumes("application/json") + @Produces("application/json") + public RangerSecurityZoneV2 createSecurityZone(RangerSecurityZoneV2 securityZone) { + return securityZoneRest.createSecurityZone(securityZone); + } + + @PUT + @Path("/api/zones-v2/{id}") + @Consumes("application/json") + @Produces("application/json") + public RangerSecurityZoneV2 updateSecurityZone(@PathParam("id") Long zoneId, RangerSecurityZoneV2 securityZone) { + return securityZoneRest.updateSecurityZone(zoneId, securityZone); + } + + @PUT + @Path("/api/zones-v2/{id}/partial") + @Consumes("application/json") + @Produces("application/json") + public Boolean updateSecurityZone(@PathParam("id") Long zoneId, RangerSecurityZoneChangeRequest changeRequest) { + return securityZoneRest.updateSecurityZone(zoneId, changeRequest); + } + + @GET + @Path("/api/zones-v2/name/{name}") + @Produces("application/json") + public RangerSecurityZoneV2 getSecurityZoneV2(@PathParam("name") String zoneName) { + return securityZoneRest.getSecurityZoneV2(zoneName); + } + + @GET + @Path("/api/zones-v2/{id}") + @Produces("application/json") + public RangerSecurityZoneV2 getSecurityZoneV2(@PathParam("id") Long zoneId) { + return securityZoneRest.getSecurityZoneV2(zoneId); + } + + @GET + @Path("/api/zones-v2/{id}/resources/{serviceName}") + @Produces("application/json") + public PList getResources(@PathParam("id") Long zoneId, @PathParam("serviceName") String serviceName, @Context HttpServletRequest request) { + return securityZoneRest.getResources(zoneId, serviceName, request); + } + + @GET + @Path("/api/zones-v2/name/{name}/resources/{serviceName}") + @Produces("application/json") + public PList getResources(@PathParam("name") String zoneName, @PathParam("serviceName") String serviceName, @Context HttpServletRequest request) { + return securityZoneRest.getResources(zoneName, serviceName, request); + } + + @GET + @Path("/api/zones-v2") + @Produces("application/json") + public PList 
getAllZonesV2(@Context HttpServletRequest request) { + return securityZoneRest.getAllZonesV2(request); + } + + /* + * ServiceDef Manipulation APIs + */ + + @GET + @Path("/api/servicedef/{id}") + @Produces("application/json") + public RangerServiceDef getServiceDef(@PathParam("id") Long id) { + return serviceREST.getServiceDef(id); + } + + @GET + @Path("/api/servicedef/name/{name}") + @Produces("application/json") + public RangerServiceDef getServiceDefByName(@PathParam("name") String name) { + return serviceREST.getServiceDefByName(name); + } + + @GET + @Path("/api/servicedef/") + @Produces("application/json") + public List searchServiceDefs(@Context HttpServletRequest request) { + return serviceREST.getServiceDefs(request).getServiceDefs(); + } + + @POST + @Path("/api/servicedef/") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + @Consumes("application/json") + @Produces("application/json") + public RangerServiceDef createServiceDef(RangerServiceDef serviceDef) { + return serviceREST.createServiceDef(serviceDef); + } + + @PUT + @Path("/api/servicedef/{id}") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + @Consumes("application/json") + @Produces("application/json") + public RangerServiceDef updateServiceDef(RangerServiceDef serviceDef, @PathParam("id") Long id) { + // if serviceDef.id is specified, it should be same as param 'id' + if (serviceDef.getId() == null) { + serviceDef.setId(id); + } else if (!serviceDef.getId().equals(id)) { + throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, "serviceDef id mismatch", true); + } + + return serviceREST.updateServiceDef(serviceDef, serviceDef.getId()); + } + + @PUT + @Path("/api/servicedef/name/{name}") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + @Consumes("application/json") + @Produces("application/json") + public RangerServiceDef updateServiceDefByName(RangerServiceDef serviceDef, @PathParam("name") String name) { + // serviceDef.name is immutable + // if serviceDef.name is specified, it should 
be same as the param 'name' + if (serviceDef.getName() == null) { + serviceDef.setName(name); + } else if (!serviceDef.getName().equals(name)) { + throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, "serviceDef name mismatch", true); + } + + // ignore serviceDef.id - if specified. Retrieve using the given name and use id from the retrieved object + RangerServiceDef existingServiceDef = getServiceDefByName(name); + + serviceDef.setId(existingServiceDef.getId()); + + if (StringUtils.isEmpty(serviceDef.getGuid())) { + serviceDef.setGuid(existingServiceDef.getGuid()); + } + + return serviceREST.updateServiceDef(serviceDef, serviceDef.getId()); + } + + /* + * Should add this back when guid is used for search and delete operations as well + @PUT + @Path("/api/servicedef/guid/{guid}") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + @Produces({ "application/json" }) + public RangerServiceDef updateServiceDefByGuid(RangerServiceDef serviceDef, @PathParam("guid") String guid) { + // ignore serviceDef.id - if specified. 
Retrieve using the given guid and use id from the retrieved object + RangerServiceDef existingServiceDef = getServiceDefByGuid(guid); + serviceDef.setId(existingServiceDef.getId()); + if(StringUtils.isEmpty(serviceDef.getGuid())) { + serviceDef.setGuid(existingServiceDef.getGuid()); + } + + return serviceREST.updateServiceDef(serviceDef); + } + */ + + @DELETE + @Path("/api/servicedef/{id}") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + public void deleteServiceDef(@PathParam("id") Long id, @Context HttpServletRequest request) { + serviceREST.deleteServiceDef(id, request); + } + + @DELETE + @Path("/api/servicedef/name/{name}") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + public void deleteServiceDefByName(@PathParam("name") String name, @Context HttpServletRequest request) { + RangerServiceDef serviceDef = serviceREST.getServiceDefByName(name); + + serviceREST.deleteServiceDef(serviceDef.getId(), request); + } + + /* + * Service Manipulation APIs + */ + + @GET + @Path("/api/service/{id}") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPISpnegoAccessible()") + public RangerService getService(@PathParam("id") Long id) { + return serviceREST.getService(id); + } + + @GET + @Path("/api/service/name/{name}") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPISpnegoAccessible()") + public RangerService getServiceByName(@PathParam("name") String name) { + return serviceREST.getServiceByName(name); + } + + @GET + @Path("/api/service/") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPISpnegoAccessible()") + public List searchServices(@Context HttpServletRequest request) { + return serviceREST.getServices(request).getServices(); + } + + @GET + @Path("/api/service-headers") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICE_HEADERS + "\")") + public List getServiceHeaders(@Context HttpServletRequest 
request) { + return serviceREST.getServiceHeaders(request); + } + + @POST + @Path("/api/service/") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPISpnegoAccessible()") + @Consumes("application/json") + @Produces("application/json") + public RangerService createService(RangerService service) { + return serviceREST.createService(service); + } + + @PUT + @Path("/api/service/{id}") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPISpnegoAccessible()") + @Consumes("application/json") + @Produces("application/json") + public RangerService updateService(RangerService service, @PathParam("id") Long id, @Context HttpServletRequest request) { + // if service.id is specified, it should be same as the param 'id' + if (service.getId() == null) { + service.setId(id); + } else if (!service.getId().equals(id)) { + throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, "service id mismatch", true); + } + + return serviceREST.updateService(service, request); + } + + @PUT + @Path("/api/service/name/{name}") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPISpnegoAccessible()") + @Consumes("application/json") + @Produces("application/json") + public RangerService updateServiceByName(RangerService service, @PathParam("name") String name, @Context HttpServletRequest request) { + // ignore service.id - if specified. 
Retrieve using the given name and use id from the retrieved object + RangerService existingService = getServiceByName(name); + + service.setId(existingService.getId()); + + if (StringUtils.isEmpty(service.getGuid())) { + service.setGuid(existingService.getGuid()); + } + + if (StringUtils.isEmpty(service.getName())) { + service.setName(existingService.getName()); + } + + return serviceREST.updateService(service, request); + } + + /* + * Should add this back when guid is used for search and delete operations as well + @PUT + @Path("/api/service/guid/{guid}") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + @Produces({ "application/json" }) + public RangerService updateServiceByGuid(RangerService service, @PathParam("guid") String guid) { + // ignore service.id - if specified. Retrieve using the given guid and use id from the retrieved object + RangerService existingService = getServiceByGuid(guid); + service.setId(existingService.getId()); + if(StringUtils.isEmpty(service.getGuid())) { + service.setGuid(existingService.getGuid()); } + + return serviceREST.updateService(service); + } + */ + + @DELETE + @Path("/api/service/{id}") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPISpnegoAccessible()") + public void deleteService(@PathParam("id") Long id) { + serviceREST.deleteService(id); + } + + @DELETE + @Path("/api/service/name/{name}") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPISpnegoAccessible()") + public void deleteServiceByName(@PathParam("name") String name) { + RangerService service = serviceREST.getServiceByName(name); + + serviceREST.deleteService(service.getId()); + } + + /* + * Policy Manipulation APIs + */ + + @GET + @Path("/api/policy/{id}") + @Produces("application/json") + public RangerPolicy getPolicy(@PathParam("id") Long id) { + return serviceREST.getPolicy(id); + } + + @GET + @Path("/api/policy/") + @Produces("application/json") + public List getPolicies(@Context HttpServletRequest request) { + logger.debug("==> 
PublicAPIsv2.getPolicies()"); + + List ret = serviceREST.getPolicies(request).getPolicies(); + boolean includeMetaAttributes = Boolean.parseBoolean(request.getParameter("includeMetaAttributes")); + + if (includeMetaAttributes) { + ret = serviceREST.getPoliciesWithMetaAttributes(ret); + } + + logger.debug("<== PublicAPIsv2.getPolicies(Request: {} Result Size: {}", request.getQueryString(), ret.size()); + return ret; } - @GET - @Path("/api/zone-names/{serviceName}/resource") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPISpnegoAccessible()") - public Collection getSecurityZoneNamesForResource(@PathParam("serviceName") String serviceName, @Context HttpServletRequest request) { - return securityZoneRest.getZoneNamesForResource(serviceName, request); - } - - @POST - @Path("/api/zones-v2") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public RangerSecurityZoneV2 createSecurityZone(RangerSecurityZoneV2 securityZone) { - return securityZoneRest.createSecurityZone(securityZone); - } - - @PUT - @Path("/api/zones-v2/{id}") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public RangerSecurityZoneV2 updateSecurityZone(@PathParam("id") Long zoneId, RangerSecurityZoneV2 securityZone) { - return securityZoneRest.updateSecurityZone(zoneId, securityZone); - } - - @PUT - @Path("/api/zones-v2/{id}/partial") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public Boolean updateSecurityZone(@PathParam("id") Long zoneId, RangerSecurityZoneChangeRequest changeRequest) { - return securityZoneRest.updateSecurityZone(zoneId, changeRequest); - } - - @GET - @Path("/api/zones-v2/name/{name}") - @Produces({ "application/json" }) - public RangerSecurityZoneV2 getSecurityZoneV2(@PathParam("name") String zoneName) { - return securityZoneRest.getSecurityZoneV2(zoneName); - } - - @GET - @Path("/api/zones-v2/{id}") - @Produces({ "application/json" }) - public RangerSecurityZoneV2 
getSecurityZoneV2(@PathParam("id") Long zoneId) { - return securityZoneRest.getSecurityZoneV2(zoneId); - } - - @GET - @Path("/api/zones-v2/{id}/resources/{serviceName}") - @Produces({ "application/json" }) - public PList getResources(@PathParam("id") Long zoneId, @PathParam("serviceName") String serviceName, @Context HttpServletRequest request) { - return securityZoneRest.getResources(zoneId, serviceName, request); - } - - @GET - @Path("/api/zones-v2/name/{name}/resources/{serviceName}") - @Produces({ "application/json" }) - public PList getResources(@PathParam("name") String zoneName, @PathParam("serviceName") String serviceName, @Context HttpServletRequest request) { - return securityZoneRest.getResources(zoneName, serviceName, request); - } - - @GET - @Path("/api/zones-v2") - @Produces({ "application/json"}) - public PList getAllZonesV2(@Context HttpServletRequest request){ - return securityZoneRest.getAllZonesV2(request); - } - - /* - * ServiceDef Manipulation APIs - */ - - @GET - @Path("/api/servicedef/{id}") - @Produces({ "application/json" }) - public RangerServiceDef getServiceDef(@PathParam("id") Long id) { - return serviceREST.getServiceDef(id); - } - - @GET - @Path("/api/servicedef/name/{name}") - @Produces({ "application/json" }) - public RangerServiceDef getServiceDefByName(@PathParam("name") String name) { - return serviceREST.getServiceDefByName(name); - } - - @GET - @Path("/api/servicedef/") - @Produces({ "application/json" }) - public List searchServiceDefs(@Context HttpServletRequest request) { - return serviceREST.getServiceDefs(request).getServiceDefs(); - } - - @POST - @Path("/api/servicedef/") - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public RangerServiceDef createServiceDef(RangerServiceDef serviceDef) { - return serviceREST.createServiceDef(serviceDef); - } - - @PUT - @Path("/api/servicedef/{id}") - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - @Consumes({ 
"application/json" }) - @Produces({ "application/json" }) - public RangerServiceDef updateServiceDef(RangerServiceDef serviceDef, @PathParam("id") Long id) { - // if serviceDef.id is specified, it should be same as param 'id' - if(serviceDef.getId() == null) { - serviceDef.setId(id); - } else if(!serviceDef.getId().equals(id)) { - throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST , "serviceDef id mismatch", true); - } - - return serviceREST.updateServiceDef(serviceDef, serviceDef.getId()); - } - - - @PUT - @Path("/api/servicedef/name/{name}") - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public RangerServiceDef updateServiceDefByName(RangerServiceDef serviceDef, - @PathParam("name") String name) { - // serviceDef.name is immutable - // if serviceDef.name is specified, it should be same as the param 'name' - if(serviceDef.getName() == null) { - serviceDef.setName(name); - } else if(!serviceDef.getName().equals(name)) { - throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST , "serviceDef name mismatch", true); - } - - // ignore serviceDef.id - if specified. Retrieve using the given name and use id from the retrieved object - RangerServiceDef existingServiceDef = getServiceDefByName(name); - serviceDef.setId(existingServiceDef.getId()); - if(StringUtils.isEmpty(serviceDef.getGuid())) { - serviceDef.setGuid(existingServiceDef.getGuid()); - } - - return serviceREST.updateServiceDef(serviceDef, serviceDef.getId()); - } - - /* - * Should add this back when guid is used for search and delete operations as well - @PUT - @Path("/api/servicedef/guid/{guid}") - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - @Produces({ "application/json" }) - public RangerServiceDef updateServiceDefByGuid(RangerServiceDef serviceDef, - @PathParam("guid") String guid) { - // ignore serviceDef.id - if specified. 
Retrieve using the given guid and use id from the retrieved object - RangerServiceDef existingServiceDef = getServiceDefByGuid(guid); - serviceDef.setId(existingServiceDef.getId()); - if(StringUtils.isEmpty(serviceDef.getGuid())) { - serviceDef.setGuid(existingServiceDef.getGuid()); - } - - return serviceREST.updateServiceDef(serviceDef); - } - */ - - - @DELETE - @Path("/api/servicedef/{id}") - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - public void deleteServiceDef(@PathParam("id") Long id, @Context HttpServletRequest request) { - serviceREST.deleteServiceDef(id, request); - } - - @DELETE - @Path("/api/servicedef/name/{name}") - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - public void deleteServiceDefByName(@PathParam("name") String name, @Context HttpServletRequest request) { - RangerServiceDef serviceDef = serviceREST.getServiceDefByName(name); - serviceREST.deleteServiceDef(serviceDef.getId(), request); - } - - /* - * Service Manipulation APIs - */ - - @GET - @Path("/api/service/{id}") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPISpnegoAccessible()") - public RangerService getService(@PathParam("id") Long id) { - return serviceREST.getService(id); - } - - @GET - @Path("/api/service/name/{name}") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPISpnegoAccessible()") - public RangerService getServiceByName(@PathParam("name") String name) { - return serviceREST.getServiceByName(name); - } - - @GET - @Path("/api/service/") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPISpnegoAccessible()") - public List searchServices(@Context HttpServletRequest request) { - return serviceREST.getServices(request).getServices(); - } - - @GET - @Path("/api/service-headers") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICE_HEADERS + "\")") - public List getServiceHeaders(@Context 
HttpServletRequest request) { - return serviceREST.getServiceHeaders(request); - } - - @POST - @Path("/api/service/") - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPISpnegoAccessible()") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public RangerService createService(RangerService service) { - return serviceREST.createService(service); - } - - @PUT - @Path("/api/service/{id}") - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPISpnegoAccessible()") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public RangerService updateService(RangerService service, @PathParam("id") Long id, - @Context HttpServletRequest request) { - // if service.id is specified, it should be same as the param 'id' - if(service.getId() == null) { - service.setId(id); - } else if(!service.getId().equals(id)) { - throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST , "service id mismatch", true); - } - - return serviceREST.updateService(service, request); - } - - @PUT - @Path("/api/service/name/{name}") - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPISpnegoAccessible()") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public RangerService updateServiceByName(RangerService service, - @PathParam("name") String name, - @Context HttpServletRequest request) { - // ignore service.id - if specified. 
Retrieve using the given name and use id from the retrieved object - RangerService existingService = getServiceByName(name); - service.setId(existingService.getId()); - if(StringUtils.isEmpty(service.getGuid())) { - service.setGuid(existingService.getGuid()); - } - if (StringUtils.isEmpty(service.getName())) { - service.setName(existingService.getName()); - } - - return serviceREST.updateService(service, request); - } - - /* - * Should add this back when guid is used for search and delete operations as well - @PUT - @Path("/api/service/guid/{guid}") - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - @Produces({ "application/json" }) - public RangerService updateServiceByGuid(RangerService service, - @PathParam("guid") String guid) { - // ignore service.id - if specified. Retrieve using the given guid and use id from the retrieved object - RangerService existingService = getServiceByGuid(guid); - service.setId(existingService.getId()); - if(StringUtils.isEmpty(service.getGuid())) { - service.setGuid(existingService.getGuid()); - } - - return serviceREST.updateService(service); - } - */ - - @DELETE - @Path("/api/service/{id}") - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPISpnegoAccessible()") - public void deleteService(@PathParam("id") Long id) { - serviceREST.deleteService(id); - } - - @DELETE - @Path("/api/service/name/{name}") - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPISpnegoAccessible()") - public void deleteServiceByName(@PathParam("name") String name) { - RangerService service = serviceREST.getServiceByName(name); - serviceREST.deleteService(service.getId()); - } - - - /* - * Policy Manipulation APIs - */ - - @GET - @Path("/api/policy/{id}") - @Produces({ "application/json" }) - public RangerPolicy getPolicy(@PathParam("id") Long id) { - return serviceREST.getPolicy(id); - } - - @GET - @Path("/api/policy/") - @Produces({ "application/json" }) - public List getPolicies(@Context HttpServletRequest request) { - - List ret = new ArrayList(); - - 
if(logger.isDebugEnabled()) { - logger.debug("==> PublicAPIsv2.getPolicies()"); - } - - ret = serviceREST.getPolicies(request).getPolicies(); - - boolean includeMetaAttributes = Boolean.parseBoolean(request.getParameter("includeMetaAttributes")); - if (includeMetaAttributes) { - ret = serviceREST.getPoliciesWithMetaAttributes(ret); - } - if(logger.isDebugEnabled()) { - logger.debug("<== PublicAPIsv2.getPolicies(Request: " + request.getQueryString() + " Result Size: " + ret.size() ); - } - return ret; - } - - @GET - @Path("/api/service/{servicename}/policy/{policyname}") - @Produces({ "application/json" }) - public RangerPolicy getPolicyByName(@PathParam("servicename") String serviceName, - @PathParam("policyname") String policyName, - @QueryParam("zoneName") String zoneName, - @Context HttpServletRequest request) { - if(logger.isDebugEnabled()) { - logger.debug("==> PublicAPIsv2.getPolicyByName(" + serviceName + "," + policyName + "," + zoneName + ")"); - } - - RangerPolicy policy = serviceREST.getPolicyByName(serviceName, policyName, zoneName); - - if (policy == null) { - throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "Not found", true); - } - - if(logger.isDebugEnabled()) { - logger.debug("<== PublicAPIsv2.getPolicyByName(" + serviceName + "," + policyName + "," + zoneName + ")" + policy); - } - return policy; - } - - @GET - @Path("/api/service/{servicename}/policy/") - @Produces({ "application/json" }) - public List searchPolicies(@PathParam("servicename") String serviceName, - @Context HttpServletRequest request) { - return serviceREST.getServicePoliciesByName(serviceName, request).getPolicies(); - } - - @GET - @Path("/api/policies/{serviceDefName}/for-resource/") - @Produces({ "application/json" }) - public List getPoliciesForResource(@PathParam("serviceDefName") String serviceDefName, - @DefaultValue("") @QueryParam("serviceName") String serviceName, - @Context HttpServletRequest request) { - return 
serviceREST.getPoliciesForResource(serviceDefName, serviceName, request); - } - - @GET - @Path("/api/policy/guid/{guid}") - @Produces({ "application/json" }) - public RangerPolicy getPolicyByGUIDAndServiceNameAndZoneName(@PathParam("guid") String guid, - @DefaultValue("") @QueryParam("serviceName") String serviceName, - @DefaultValue("") @QueryParam("ZoneName") String zoneName) { - if(logger.isDebugEnabled()) { - logger.debug("==> PublicAPIsv2.getPolicyByGUIDAndServiceNameAndZoneName(" + guid + "," + serviceName + "," + zoneName + ")"); - } - RangerPolicy rangerPolicy = serviceREST.getPolicyByGUIDAndServiceNameAndZoneName(guid, serviceName, zoneName); - if(logger.isDebugEnabled()) { - logger.debug("<== PublicAPIsv2.getPolicyByGUIDAndServiceNameAndZoneName(" + guid + "," + serviceName + "," + zoneName + ")"); - } - return rangerPolicy; - } - - @POST - @Path("/api/policy/") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public RangerPolicy createPolicy(RangerPolicy policy , @Context HttpServletRequest request) { - return serviceREST.createPolicy(policy, request); - } - - @POST - @Path("/api/policy/apply/") - @Consumes({ "application/json"}) - @Produces({ "application/json"}) - public RangerPolicy applyPolicy(RangerPolicy policy, @Context HttpServletRequest request) { // new API - return serviceREST.applyPolicy(policy, request); - } - - @PUT - @Path("/api/policy/{id}") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public RangerPolicy updatePolicy(RangerPolicy policy, @PathParam("id") Long id) { - // if policy.id is specified, it should be same as the param 'id' - if(policy.getId() == null) { - policy.setId(id); - } else if(!policy.getId().equals(id)) { - throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST , "policyID mismatch", true); - } - - return serviceREST.updatePolicy(policy, id); - } - - @PUT - @Path("/api/service/{servicename}/policy/{policyname}") - @Consumes({ "application/json" }) 
- @Produces({ "application/json" }) - public RangerPolicy updatePolicyByName(RangerPolicy policy, - @PathParam("servicename") String serviceName, - @PathParam("policyname") String policyName, - @QueryParam("zoneName") String zoneName, - @Context HttpServletRequest request) { - if (policy.getService() == null || !policy.getService().equals(serviceName)) { - throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST , "service name mismatch", true); - } - RangerPolicy oldPolicy = getPolicyByName(serviceName, policyName, zoneName, request); - - // ignore policy.id - if specified. Retrieve using the given serviceName+policyName and use id from the retrieved object - policy.setId(oldPolicy.getId()); - if(StringUtils.isEmpty(policy.getGuid())) { - policy.setGuid(oldPolicy.getGuid()); - } - if(StringUtils.isEmpty(policy.getName())) { - policy.setName(StringUtils.trim(oldPolicy.getName())); - } - - return serviceREST.updatePolicy(policy, policy.getId()); - } - - - /* Should add this back when guid is used for search and delete operations as well - @PUT - @Path("/api/policy/guid/{guid}") - @Produces({ "application/json" }) - public RangerPolicy updatePolicyByGuid(RangerPolicy policy, - @PathParam("guid") String guid) { - // ignore policy.guid - if specified. 
Retrieve using the given guid and use id from the retrieved object - RangerPolicy existingPolicy = getPolicyByGuid(name); - policy.setId(existingPolicy.getId()); - if(StringUtils.isEmpty(policy.getGuid())) { - policy.setGuid(existingPolicy.getGuid()); - } - - return serviceREST.updatePolicy(policy); - } - */ - - - @DELETE - @Path("/api/policy/{id}") - public void deletePolicy(@PathParam("id") Long id) { - serviceREST.deletePolicy(id); - } - - @DELETE - @Path("/api/policy") - public void deletePolicyByName(@QueryParam("servicename") String serviceName, - @QueryParam("policyname") String policyName, - @QueryParam("zoneName") String zoneName, - @Context HttpServletRequest request) { - if(logger.isDebugEnabled()) { - logger.debug("==> PublicAPIsv2.deletePolicyByName(" + serviceName + "," + policyName + ")"); - } - - if (serviceName == null || policyName == null) { - throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST , "Invalid service name or policy name", true); - } - RangerPolicy policy = getPolicyByName(serviceName, policyName, zoneName, request); - serviceREST.deletePolicy(policy.getId()); - if(logger.isDebugEnabled()) { - logger.debug("<== PublicAPIsv2.deletePolicyByName(" + serviceName + "," + policyName + ")"); - } - } - - @DELETE - @Path("/api/policy/guid/{guid}") - public void deletePolicyByGUIDAndServiceNameAndZoneName(@PathParam("guid") String guid, - @DefaultValue("") @QueryParam("serviceName") String serviceName, - @DefaultValue("") @QueryParam("zoneName") String zoneName) { - if(logger.isDebugEnabled()) { - logger.debug("==> PublicAPIsv2.deletePolicyByGUIDAndServiceNameAndZoneName(" + guid + "," + serviceName + "," + zoneName + ")"); - } - serviceREST.deletePolicyByGUIDAndServiceNameAndZoneName(guid, serviceName, zoneName); - if(logger.isDebugEnabled()) { - logger.debug("<== PublicAPIsv2.deletePolicyByGUIDAndServiceNameAndZoneName(" + guid + "," + serviceName + "," + zoneName + ")"); - } - } - - @PUT - 
@Path("/api/service/{serviceName}/tags") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - public void importServiceTags(@PathParam("serviceName") String serviceName, RangerServiceTags svcTags) { - if (logger.isDebugEnabled()) { - logger.debug("==> PublicAPIsv2.importServiceTags()"); - } - - // overwrite serviceName with the one given in url - if (svcTags.getServiceResources() != null) { - for (RangerServiceResource svcResource : svcTags.getServiceResources()) { - svcResource.setServiceName(serviceName); - } - } - - ServiceTags serviceTags = RangerServiceTags.toServiceTags(svcTags); - - // overwrite serviceName with the one given in url - serviceTags.setServiceName(serviceName); - - tagREST.importServiceTags(serviceTags); - - if (logger.isDebugEnabled()) { - logger.debug("<== PublicAPIsv2.importServiceTags()"); - } - } - - @GET - @Path("/api/service/{serviceName}/tags") - @Produces({ "application/json" }) - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - public RangerServiceTags getServiceTags(@PathParam("serviceName") String serviceName, @Context HttpServletRequest request) { - if (logger.isDebugEnabled()) { - logger.debug("==> PublicAPIsv2.getServiceTags()"); - } - - Long lastKnownVersion = -1L; - Long lastActivationTime = 0L; - String pluginId = null; - Boolean supportsTagDeltas = false; - String pluginCapabilities = ""; - ServiceTags tags = tagREST.getServiceTagsIfUpdated(serviceName, lastKnownVersion, lastActivationTime, pluginId, supportsTagDeltas, pluginCapabilities, request); - RangerServiceTags ret = RangerServiceTags.toRangerServiceTags(tags); - - if (logger.isDebugEnabled()) { - logger.debug("<== PublicAPIsv2.getServiceTags()"); - } - - return ret; - } - - - @GET - @Path("/api/plugins/info") - @Produces({ "application/json" }) - public List getPluginsInfo(@Context HttpServletRequest request) { - if (logger.isDebugEnabled()) { - logger.debug("==> PublicAPIsv2.getPluginsInfo()"); - } - - 
List ret = serviceREST.getPluginsInfo(request).getPluginInfoList(); - - if (logger.isDebugEnabled()) { - logger.debug("<== PublicAPIsv2.getPluginsInfo()"); - } - return ret; - } - - @DELETE - @Path("/api/server/policydeltas") - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - public void deletePolicyDeltas(@DefaultValue("7") @QueryParam("days") Integer olderThan, @Context HttpServletRequest request) { - if (logger.isDebugEnabled()) { - logger.debug("==> PublicAPIsv2.deletePolicyDeltas(" + olderThan + ")"); - } - - serviceREST.deletePolicyDeltas(olderThan, request); - - if (logger.isDebugEnabled()) { - logger.debug("<== PublicAPIsv2.deletePolicyDeltas(" + olderThan + ")"); - } - } - - @DELETE - @Path("/api/server/tagdeltas") - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - public void deleteTagDeltas(@DefaultValue("7") @QueryParam("days") Integer olderThan, @Context HttpServletRequest request) { - if (logger.isDebugEnabled()) { - logger.debug("==> PublicAPIsv2.deleteTagDeltas(" + olderThan + ")"); - } - - tagREST.deleteTagDeltas(olderThan, request); - - if (logger.isDebugEnabled()) { - logger.debug("<== PublicAPIsv2.deleteTagDeltas(" + olderThan + ")"); - } - } - - @DELETE - @Path("/api/server/purgepolicies/{serviceName}") - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - public void purgeEmptyPolicies(@PathParam("serviceName") String serviceName, @Context HttpServletRequest request) { - if (logger.isDebugEnabled()) { - logger.debug("==> PublicAPIsv2.purgeEmptyPolicies(" + serviceName + ")"); - } - - if (serviceName == null) { - throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST , "Invalid service name", true); - } - - serviceREST.purgeEmptyPolicies(serviceName, request); - - if (logger.isDebugEnabled()) { - logger.debug("<== PublicAPIsv2.purgeEmptyPolicies(" + serviceName + ")"); - } - } - - /* - * Role Creation API - */ - - @POST - @Path("/api/roles") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public RangerRole 
createRole(@QueryParam("serviceName") String serviceName, RangerRole role - , @DefaultValue("false") @QueryParam("createNonExistUserGroup") Boolean createNonExistUserGroup - , @Context HttpServletRequest request) { - logger.info("==> PublicAPIsv2.createRole"); - RangerRole ret; - ret = roleREST.createRole(serviceName, role, createNonExistUserGroup); - logger.info("<== PublicAPIsv2.createRole" + ret.getName()); - return ret; - } - - /* - * Role Manipulation API - */ - @PUT - @Path("/api/roles/{id}") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public RangerRole updateRole(@PathParam("id") Long roleId, RangerRole role - , @DefaultValue("false") @QueryParam("createNonExistUserGroup") Boolean createNonExistUserGroup - , @Context HttpServletRequest request) { - return roleREST.updateRole(roleId, role, createNonExistUserGroup); - } - - @DELETE - @Path("/api/roles/name/{name}") - public void deleteRole(@QueryParam("serviceName") String serviceName, @QueryParam("execUser") String userName, @PathParam("name") String roleName, @Context HttpServletRequest request) { - roleREST.deleteRole(serviceName, userName, roleName); - } - - @DELETE - @Path("/api/roles/{id}") - public void deleteRole(@PathParam("id") Long roleId, @Context HttpServletRequest request) { - roleREST.deleteRole(roleId); - } - - /* - * APIs to Access Roles - */ - @GET - @Path("/api/roles/name/{name}") - @Produces({ "application/json" }) - public RangerRole getRole(@QueryParam("serviceName") String serviceName, @QueryParam("execUser") String userName, @PathParam("name") String roleName, @Context HttpServletRequest request) { - return roleREST.getRole(serviceName, userName, roleName); - } - - @GET - @Path("/api/roles/{id}") - @Produces({ "application/json" }) - public RangerRole getRole(@PathParam("id") Long id, @Context HttpServletRequest request) { - return roleREST.getRole(id); - } - - @GET - @Path("/api/roles") - @Produces({ "application/json" }) - public List getAllRoles(@Context 
HttpServletRequest request) { - return roleREST.getAllRoles(request).getSecurityRoles(); - } - - @GET - @Path("/api/roles/names") - @Produces({ "application/json" }) - public List getAllRoleNames(@QueryParam("serviceName") String serviceName, @QueryParam("execUser") String userName, @Context HttpServletRequest request){ - return roleREST.getAllRoleNames(serviceName, userName, request); - } - - @GET - @Path("/api/roles/user/{user}") - @Produces({ "application/json" }) - public List getUserRoles(@PathParam("user") String userName, @Context HttpServletRequest request){ - return roleREST.getUserRoles(userName, request); - } - - /* - This API is used to add users and groups with/without GRANT privileges to this Role. It follows add-or-update semantics - */ - @PUT - @Path("/api/roles/{id}/addUsersAndGroups") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public RangerRole addUsersAndGroups(@PathParam("id") Long roleId, List users, List groups, Boolean isAdmin, @Context HttpServletRequest request) { - return roleREST.addUsersAndGroups(roleId, users, groups, isAdmin); - } - - /* + @GET + @Path("/api/service/{servicename}/policy/{policyname}") + @Produces("application/json") + public RangerPolicy getPolicyByName(@PathParam("servicename") String serviceName, @PathParam("policyname") String policyName, @QueryParam("zoneName") String zoneName, @Context HttpServletRequest request) { + logger.debug("==> PublicAPIsv2.getPolicyByName({}, {}, {})", serviceName, policyName, zoneName); + + RangerPolicy policy = serviceREST.getPolicyByName(serviceName, policyName, zoneName); + + if (policy == null) { + throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "Not found", true); + } + + logger.debug("<== PublicAPIsv2.getPolicyByName({}, {}, {}): {}", serviceName, policyName, zoneName, policy); + return policy; + } + + @GET + @Path("/api/service/{servicename}/policy/") + @Produces("application/json") + public List 
searchPolicies(@PathParam("servicename") String serviceName, @Context HttpServletRequest request) { + return serviceREST.getServicePoliciesByName(serviceName, request).getPolicies(); + } + + @GET + @Path("/api/policies/{serviceDefName}/for-resource/") + @Produces("application/json") + public List getPoliciesForResource(@PathParam("serviceDefName") String serviceDefName, @DefaultValue("") @QueryParam("serviceName") String serviceName, @Context HttpServletRequest request) { + return serviceREST.getPoliciesForResource(serviceDefName, serviceName, request); + } + + @GET + @Path("/api/policy/guid/{guid}") + @Produces("application/json") + public RangerPolicy getPolicyByGUIDAndServiceNameAndZoneName(@PathParam("guid") String guid, @DefaultValue("") @QueryParam("serviceName") String serviceName, @DefaultValue("") @QueryParam("ZoneName") String zoneName) { + logger.debug("==> PublicAPIsv2.getPolicyByGUIDAndServiceNameAndZoneName({}, {}, {})", guid, serviceName, zoneName); + + RangerPolicy rangerPolicy = serviceREST.getPolicyByGUIDAndServiceNameAndZoneName(guid, serviceName, zoneName); + + logger.debug("<== PublicAPIsv2.getPolicyByGUIDAndServiceNameAndZoneName({}, {}, {})", guid, serviceName, zoneName); + + return rangerPolicy; + } + + @POST + @Path("/api/policy/") + @Consumes("application/json") + @Produces("application/json") + public RangerPolicy createPolicy(RangerPolicy policy, @Context HttpServletRequest request) { + return serviceREST.createPolicy(policy, request); + } + + @POST + @Path("/api/policy/apply/") + @Consumes("application/json") + @Produces("application/json") + public RangerPolicy applyPolicy(RangerPolicy policy, @Context HttpServletRequest request) { // new API + return serviceREST.applyPolicy(policy, request); + } + + @PUT + @Path("/api/policy/{id}") + @Consumes("application/json") + @Produces("application/json") + public RangerPolicy updatePolicy(RangerPolicy policy, @PathParam("id") Long id) { + // if policy.id is specified, it should be same as the 
param 'id' + if (policy.getId() == null) { + policy.setId(id); + } else if (!policy.getId().equals(id)) { + throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, "policyID mismatch", true); + } + + return serviceREST.updatePolicy(policy, id); + } + + @PUT + @Path("/api/service/{servicename}/policy/{policyname}") + @Consumes("application/json") + @Produces("application/json") + public RangerPolicy updatePolicyByName(RangerPolicy policy, @PathParam("servicename") String serviceName, @PathParam("policyname") String policyName, @QueryParam("zoneName") String zoneName, @Context HttpServletRequest request) { + if (policy.getService() == null || !policy.getService().equals(serviceName)) { + throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, "service name mismatch", true); + } + + RangerPolicy oldPolicy = getPolicyByName(serviceName, policyName, zoneName, request); + + // ignore policy.id - if specified. Retrieve using the given serviceName+policyName and use id from the retrieved object + policy.setId(oldPolicy.getId()); + + if (StringUtils.isEmpty(policy.getGuid())) { + policy.setGuid(oldPolicy.getGuid()); + } + + if (StringUtils.isEmpty(policy.getName())) { + policy.setName(StringUtils.trim(oldPolicy.getName())); + } + + return serviceREST.updatePolicy(policy, policy.getId()); + } + + /* Should add this back when guid is used for search and delete operations as well + @PUT + @Path("/api/policy/guid/{guid}") + @Produces({ "application/json" }) + public RangerPolicy updatePolicyByGuid(RangerPolicy policy, @PathParam("guid") String guid) { + // ignore policy.guid - if specified. 
Retrieve using the given guid and use id from the retrieved object + RangerPolicy existingPolicy = getPolicyByGuid(name); + policy.setId(existingPolicy.getId()); + if(StringUtils.isEmpty(policy.getGuid())) { + policy.setGuid(existingPolicy.getGuid()); + } + + return serviceREST.updatePolicy(policy); + } + */ + + @DELETE + @Path("/api/policy/{id}") + public void deletePolicy(@PathParam("id") Long id) { + serviceREST.deletePolicy(id); + } + + @DELETE + @Path("/api/policy") + public void deletePolicyByName(@QueryParam("servicename") String serviceName, @QueryParam("policyname") String policyName, @QueryParam("zoneName") String zoneName, @Context HttpServletRequest request) { + logger.debug("==> PublicAPIsv2.deletePolicyByName({}, {})", serviceName, policyName); + + if (serviceName == null || policyName == null) { + throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, "Invalid service name or policy name", true); + } + + RangerPolicy policy = getPolicyByName(serviceName, policyName, zoneName, request); + + serviceREST.deletePolicy(policy.getId()); + + logger.debug("<== PublicAPIsv2.deletePolicyByName({}, {})", serviceName, policyName); + } + + @DELETE + @Path("/api/policy/guid/{guid}") + public void deletePolicyByGUIDAndServiceNameAndZoneName(@PathParam("guid") String guid, @DefaultValue("") @QueryParam("serviceName") String serviceName, @DefaultValue("") @QueryParam("zoneName") String zoneName) { + logger.debug("==> PublicAPIsv2.deletePolicyByGUIDAndServiceNameAndZoneName({}, {}, {})", guid, serviceName, zoneName); + + serviceREST.deletePolicyByGUIDAndServiceNameAndZoneName(guid, serviceName, zoneName); + + logger.debug("<== PublicAPIsv2.deletePolicyByGUIDAndServiceNameAndZoneName({}, {}, {})", guid, serviceName, zoneName); + } + + @PUT + @Path("/api/service/{serviceName}/tags") + @Consumes("application/json") + @Produces("application/json") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + public void importServiceTags(@PathParam("serviceName") 
String serviceName, RangerServiceTags svcTags) { + logger.debug("==> PublicAPIsv2.importServiceTags()"); + + // overwrite serviceName with the one given in url + if (svcTags.getServiceResources() != null) { + for (RangerServiceResource svcResource : svcTags.getServiceResources()) { + svcResource.setServiceName(serviceName); + } + } + + ServiceTags serviceTags = RangerServiceTags.toServiceTags(svcTags); + + // overwrite serviceName with the one given in url + serviceTags.setServiceName(serviceName); + + tagREST.importServiceTags(serviceTags); + + logger.debug("<== PublicAPIsv2.importServiceTags()"); + } + + @GET + @Path("/api/service/{serviceName}/tags") + @Produces("application/json") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + public RangerServiceTags getServiceTags(@PathParam("serviceName") String serviceName, @Context HttpServletRequest request) { + logger.debug("==> PublicAPIsv2.getServiceTags()"); + + Long lastKnownVersion = -1L; + Long lastActivationTime = 0L; + String pluginId = null; + Boolean supportsTagDeltas = false; + String pluginCapabilities = ""; + ServiceTags tags = tagREST.getServiceTagsIfUpdated(serviceName, lastKnownVersion, lastActivationTime, pluginId, supportsTagDeltas, pluginCapabilities, request); + RangerServiceTags ret = RangerServiceTags.toRangerServiceTags(tags); + + logger.debug("<== PublicAPIsv2.getServiceTags()"); + + return ret; + } + + @GET + @Path("/api/plugins/info") + @Produces("application/json") + public List getPluginsInfo(@Context HttpServletRequest request) { + logger.debug("==> PublicAPIsv2.getPluginsInfo()"); + + List ret = serviceREST.getPluginsInfo(request).getPluginInfoList(); + + logger.debug("<== PublicAPIsv2.getPluginsInfo()"); + + return ret; + } + + @DELETE + @Path("/api/server/policydeltas") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + public void deletePolicyDeltas(@DefaultValue("7") @QueryParam("days") Integer olderThan, @Context HttpServletRequest request) { + logger.debug("==> 
PublicAPIsv2.deletePolicyDeltas({})", olderThan); + + serviceREST.deletePolicyDeltas(olderThan, request); + + logger.debug("<== PublicAPIsv2.deletePolicyDeltas({})", olderThan); + } + + @DELETE + @Path("/api/server/tagdeltas") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + public void deleteTagDeltas(@DefaultValue("7") @QueryParam("days") Integer olderThan, @Context HttpServletRequest request) { + logger.debug("==> PublicAPIsv2.deleteTagDeltas({})", olderThan); + + tagREST.deleteTagDeltas(olderThan, request); + + logger.debug("<== PublicAPIsv2.deleteTagDeltas({})", olderThan); + } + + @DELETE + @Path("/api/server/purgepolicies/{serviceName}") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + public void purgeEmptyPolicies(@PathParam("serviceName") String serviceName, @Context HttpServletRequest request) { + logger.debug("==> PublicAPIsv2.purgeEmptyPolicies({})", serviceName); + + if (serviceName == null) { + throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, "Invalid service name", true); + } + + serviceREST.purgeEmptyPolicies(serviceName, request); + + logger.debug("<== PublicAPIsv2.purgeEmptyPolicies({})", serviceName); + } + + /* + * Role Creation API + */ + + @POST + @Path("/api/roles") + @Consumes("application/json") + @Produces("application/json") + public RangerRole createRole(@QueryParam("serviceName") String serviceName, RangerRole role, @DefaultValue("false") @QueryParam("createNonExistUserGroup") Boolean createNonExistUserGroup, @Context HttpServletRequest request) { + logger.info("==> PublicAPIsv2.createRole"); + + RangerRole ret = roleREST.createRole(serviceName, role, createNonExistUserGroup); + + logger.info("<== PublicAPIsv2.createRole({})", ret.getName()); + + return ret; + } + + /* + * Role Manipulation API + */ + @PUT + @Path("/api/roles/{id}") + @Consumes("application/json") + @Produces("application/json") + public RangerRole updateRole(@PathParam("id") Long roleId, RangerRole role, @DefaultValue("false") 
@QueryParam("createNonExistUserGroup") Boolean createNonExistUserGroup, @Context HttpServletRequest request) { + return roleREST.updateRole(roleId, role, createNonExistUserGroup); + } + + @DELETE + @Path("/api/roles/name/{name}") + public void deleteRole(@QueryParam("serviceName") String serviceName, @QueryParam("execUser") String userName, @PathParam("name") String roleName, @Context HttpServletRequest request) { + roleREST.deleteRole(serviceName, userName, roleName); + } + + @DELETE + @Path("/api/roles/{id}") + public void deleteRole(@PathParam("id") Long roleId, @Context HttpServletRequest request) { + roleREST.deleteRole(roleId); + } + + /* + * APIs to Access Roles + */ + @GET + @Path("/api/roles/name/{name}") + @Produces("application/json") + public RangerRole getRole(@QueryParam("serviceName") String serviceName, @QueryParam("execUser") String userName, @PathParam("name") String roleName, @Context HttpServletRequest request) { + return roleREST.getRole(serviceName, userName, roleName); + } + + @GET + @Path("/api/roles/{id}") + @Produces("application/json") + public RangerRole getRole(@PathParam("id") Long id, @Context HttpServletRequest request) { + return roleREST.getRole(id); + } + + @GET + @Path("/api/roles") + @Produces("application/json") + public List getAllRoles(@Context HttpServletRequest request) { + return roleREST.getAllRoles(request).getSecurityRoles(); + } + + @GET + @Path("/api/roles/names") + @Produces("application/json") + public List getAllRoleNames(@QueryParam("serviceName") String serviceName, @QueryParam("execUser") String userName, @Context HttpServletRequest request) { + return roleREST.getAllRoleNames(serviceName, userName, request); + } + + @GET + @Path("/api/roles/user/{user}") + @Produces("application/json") + public List getUserRoles(@PathParam("user") String userName, @Context HttpServletRequest request) { + return roleREST.getUserRoles(userName, request); + } + + /* + This API is used to add users and groups with/without GRANT 
privileges to this Role. It follows add-or-update semantics + */ + @PUT + @Path("/api/roles/{id}/addUsersAndGroups") + @Consumes("application/json") + @Produces("application/json") + public RangerRole addUsersAndGroups(@PathParam("id") Long roleId, List users, List groups, Boolean isAdmin, @Context HttpServletRequest request) { + return roleREST.addUsersAndGroups(roleId, users, groups, isAdmin); + } + + /* This API is used to remove users and groups, without regard to their GRANT privilege, from this Role. */ - @PUT - @Path("/api/roles/{id}/removeUsersAndGroups") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public RangerRole removeUsersAndGroups(@PathParam("id") Long roleId, List users, List groups, @Context HttpServletRequest request) { - return roleREST.removeUsersAndGroups(roleId, users, groups); - } - - /* + @PUT + @Path("/api/roles/{id}/removeUsersAndGroups") + @Consumes("application/json") + @Produces("application/json") + public RangerRole removeUsersAndGroups(@PathParam("id") Long roleId, List users, List groups, @Context HttpServletRequest request) { + return roleREST.removeUsersAndGroups(roleId, users, groups); + } + + /* This API is used to remove GRANT privilege from listed users and groups. */ - @PUT - @Path("/api/roles/{id}/removeAdminFromUsersAndGroups") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public RangerRole removeAdminFromUsersAndGroups(@PathParam("id") Long roleId, List users, List groups, @Context HttpServletRequest request) { - return roleREST.removeAdminFromUsersAndGroups(roleId, users, groups); - } - - /* - This API is used to add users and roles with/without GRANT privileges to this Role. 
It follows add-or-update semantics - */ - @PUT - @Path("/api/roles/grant/{serviceName}") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public RESTResponse grantRole(@PathParam("serviceName") String serviceName, GrantRevokeRoleRequest grantRoleRequest, @Context HttpServletRequest request) { - if(logger.isDebugEnabled()) { - logger.debug("==> PublicAPIsv2.grantRoleUsersAndRoles(" + grantRoleRequest.toString() + ")"); - } - return roleREST.grantRole(serviceName, grantRoleRequest, request); - } - - /* + @PUT + @Path("/api/roles/{id}/removeAdminFromUsersAndGroups") + @Consumes("application/json") + @Produces("application/json") + public RangerRole removeAdminFromUsersAndGroups(@PathParam("id") Long roleId, List users, List groups, @Context HttpServletRequest request) { + return roleREST.removeAdminFromUsersAndGroups(roleId, users, groups); + } + + /* + This API is used to add users and roles with/without GRANT privileges to this Role. It follows add-or-update semantics + */ + @PUT + @Path("/api/roles/grant/{serviceName}") + @Consumes("application/json") + @Produces("application/json") + public RESTResponse grantRole(@PathParam("serviceName") String serviceName, GrantRevokeRoleRequest grantRoleRequest, @Context HttpServletRequest request) { + logger.debug("==> PublicAPIsv2.grantRoleUsersAndRoles({})", grantRoleRequest); + + return roleREST.grantRole(serviceName, grantRoleRequest, request); + } + + /* This API is used to remove users and groups, without regard to their GRANT privilege, from this Role. 
*/ - @PUT - @Path("/api/roles/revoke/{serviceName}") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public RESTResponse revokeRoleUsersAndRoles(@PathParam("serviceName") String serviceName, GrantRevokeRoleRequest revokeRoleRequest, @Context HttpServletRequest request) { - return roleREST.revokeRole(serviceName, revokeRoleRequest, request); - } - - @DELETE - @Path("/api/server/purge/records") - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - public List purgeRecords(@QueryParam("type") String recordType, @DefaultValue("180") @QueryParam("retentionDays") Integer olderThan, @Context HttpServletRequest request) { - if (logger.isDebugEnabled()) { - logger.debug("==> PublicAPIsv2.purgeRecords(" + recordType + ", " + olderThan + ")"); - } - - List ret = serviceREST.purgeRecords(recordType, olderThan, request); - - if (logger.isDebugEnabled()) { - logger.debug("<== PublicAPIsv2.purgeRecords(" + recordType + ", " + olderThan + "): ret=" + ret); - } - - return ret; - } + @PUT + @Path("/api/roles/revoke/{serviceName}") + @Consumes("application/json") + @Produces("application/json") + public RESTResponse revokeRoleUsersAndRoles(@PathParam("serviceName") String serviceName, GrantRevokeRoleRequest revokeRoleRequest, @Context HttpServletRequest request) { + return roleREST.revokeRole(serviceName, revokeRoleRequest, request); + } + + @DELETE + @Path("/api/server/purge/records") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + public List purgeRecords(@QueryParam("type") String recordType, @DefaultValue("180") @QueryParam("retentionDays") Integer olderThan, @Context HttpServletRequest request) { + logger.debug("==> PublicAPIsv2.purgeRecords({}, {})", recordType, olderThan); + + List ret = serviceREST.purgeRecords(recordType, olderThan, request); + + logger.debug("<== PublicAPIsv2.purgeRecords({}, {}): ret={}", recordType, olderThan, ret); + + return ret; + } } 
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/RangerHealthREST.java b/security-admin/src/main/java/org/apache/ranger/rest/RangerHealthREST.java index c982a9e8d5..2798866e95 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/RangerHealthREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/RangerHealthREST.java @@ -19,9 +19,6 @@ package org.apache.ranger.rest; -import javax.ws.rs.GET; -import javax.ws.rs.Path; -import javax.ws.rs.Produces; import org.apache.ranger.biz.RangerBizUtil; import org.apache.ranger.plugin.model.RangerServerHealth; import org.apache.ranger.util.RangerServerHealthUtil; @@ -31,6 +28,10 @@ import org.springframework.transaction.annotation.Propagation; import org.springframework.transaction.annotation.Transactional; +import javax.ws.rs.GET; +import javax.ws.rs.Path; +import javax.ws.rs.Produces; + @Path("actuator") @Component @Scope("request") @@ -46,11 +47,11 @@ public class RangerHealthREST { */ @GET @Path("/health") - @Produces({"application/json"}) + @Produces("application/json") @Transactional(propagation = Propagation.NOT_SUPPORTED) public RangerServerHealth getRangerServerHealth() { - String dbVersion = xaBizUtil.getDBVersion(); + String dbVersion = xaBizUtil.getDBVersion(); return rangerServerHealthUtil.getRangerServerHealth(dbVersion); } -} \ No newline at end of file +} diff --git a/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java b/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java index d8e30b516a..3a80595da7 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java 
@@ -19,24 +19,11 @@ package org.apache.ranger.rest; -import java.io.IOException; -import java.io.InputStream; -import java.util.ArrayList; -import java.util.Arrays; -import java.util.HashSet; -import java.util.Iterator; -import java.util.List; -import java.util.Set; - -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import javax.ws.rs.*; -import javax.ws.rs.core.Context; -import javax.ws.rs.core.MediaType; - -import org.apache.commons.lang.StringUtils; +import com.sun.jersey.core.header.FormDataContentDisposition; +import com.sun.jersey.multipart.FormDataParam; import org.apache.commons.collections.CollectionUtils; import org.apache.commons.io.IOUtils; +import org.apache.commons.lang.StringUtils; import org.apache.ranger.admin.client.datatype.RESTResponse; import org.apache.ranger.authorization.utils.StringUtil; import org.apache.ranger.biz.AssetMgr; @@ -45,15 +32,15 @@ import org.apache.ranger.biz.ServiceDBStore; import org.apache.ranger.biz.ServiceDBStore.JSON_FILE_NAME_TYPE; import org.apache.ranger.biz.XUserMgr; +import org.apache.ranger.common.AppConstants; +import org.apache.ranger.common.ContextUtil; +import org.apache.ranger.common.MessageEnums; +import org.apache.ranger.common.PropertiesUtil; import org.apache.ranger.common.RESTErrorUtil; import org.apache.ranger.common.RangerSearchUtil; import org.apache.ranger.common.RangerValidatorFactory; import org.apache.ranger.common.ServiceUtil; import org.apache.ranger.common.UserSessionBase; -import org.apache.ranger.common.PropertiesUtil; -import org.apache.ranger.common.AppConstants; -import org.apache.ranger.common.ContextUtil; -import org.apache.ranger.common.MessageEnums; import org.apache.ranger.db.RangerDaoManager; import org.apache.ranger.entity.XXService; import org.apache.ranger.entity.XXServiceDef; 
@@ -85,8 +72,30 @@ import org.springframework.transaction.annotation.Propagation; import org.springframework.transaction.annotation.Transactional; -import com.sun.jersey.multipart.FormDataParam; -import com.sun.jersey.core.header.FormDataContentDisposition; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.ws.rs.Consumes; +import javax.ws.rs.DELETE; +import javax.ws.rs.DefaultValue; +import javax.ws.rs.GET; +import javax.ws.rs.POST; +import javax.ws.rs.PUT; +import javax.ws.rs.Path; +import javax.ws.rs.PathParam; +import javax.ws.rs.Produces; +import javax.ws.rs.QueryParam; +import javax.ws.rs.WebApplicationException; +import javax.ws.rs.core.Context; +import javax.ws.rs.core.MediaType; + +import java.io.IOException; +import java.io.InputStream; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.HashSet; +import java.util.Iterator; +import java.util.List; +import java.util.Set; @Path("roles") @Component @@ -95,12 +104,12 @@ public class RoleREST { private static final Logger LOG = LoggerFactory.getLogger(RoleREST.class); - private static List INVALID_USERS = new ArrayList<>(); - - public static final String POLICY_DOWNLOAD_USERS = "policy.download.auth.users"; - public static final String PARAM_ROLE_NAME = "roleName"; + public static final String POLICY_DOWNLOAD_USERS = "policy.download.auth.users"; + public static final String PARAM_ROLE_NAME = "roleName"; public static final String PARAM_IMPORT_IN_PROGRESS = "importInProgress"; + private static final List INVALID_USERS = new ArrayList<>(); + @Autowired RESTErrorUtil restErrorUtil; 
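Review bot: `INVALID_USERS` becomes `private static final` but is still initialised to an empty `new ArrayList<>()` in the `@@ -95,12 +104,12 @@` hunk, while the `static { INVALID_USERS.add(RangerPolicyEngine.USER_CURRENT); INVALID_USERS.add(RangerPolicyEngine.RESOURCE_OWNER); }` block that populated it is removed in the following hunk and no replacement initialiser is visible in this chunk (that hunk also runs past the end of the view). If the population has not simply been moved elsewhere in the commit, `containsInvalidMember` in `createRole` would match nothing and the reserved-member rejection would be silently lost, so this is worth confirming against the full file. Since the list is now final and fixed at class-load time, the safer form is to initialise it in the declaration and drop the static block entirely, e.g. `private static final List<String> INVALID_USERS = Arrays.asList(RangerPolicyEngine.USER_CURRENT, RangerPolicyEngine.RESOURCE_OWNER);` (`java.util.Arrays` is already imported by this hunk). A one-line comment such as `// member names that may never be added to a role; checked by containsInvalidMember()` would also help, as the constant's purpose is only discoverable from its single use.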
@@ -137,224 +146,242 @@ public class RoleREST { @Autowired XUserMgr userMgr; - static { - INVALID_USERS.add(RangerPolicyEngine.USER_CURRENT); - INVALID_USERS.add(RangerPolicyEngine.RESOURCE_OWNER); - } - - /* This operation is allowed only when effective User has ranger admin privilege - * if execUser is not same as logged-in user then effective user is execUser - * else effective user is logged-in user. - * This logic is implemented as part of ensureAdminAccess(String serviceName, String userName); - */ - @POST @Path("/roles") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public RangerRole createRole(@QueryParam("serviceName") String serviceName, RangerRole role - , @DefaultValue("false") @QueryParam("createNonExistUserGroup") Boolean createNonExistUserGroup - ) { - if (LOG.isDebugEnabled()) { - LOG.debug("==> createRole("+ role + ")"); - } + @Consumes("application/json") + @Produces("application/json") + public RangerRole createRole(@QueryParam("serviceName") String serviceName, RangerRole role, @DefaultValue("false") @QueryParam("createNonExistUserGroup") Boolean createNonExistUserGroup) { + LOG.debug("==> createRole({})", role); RangerRole ret; + try { RangerRoleValidator validator = validatorFactory.getRangerRoleValidator(roleStore); + validator.validate(role, RangerValidator.Action.CREATE); String userName = role.getCreatedByUser(); + ensureAdminAccess(serviceName, userName); + if (containsInvalidMember(role.getUsers())) { throw new Exception("Invalid role user(s)"); } + ret = roleStore.createRole(role, createNonExistUserGroup); - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { - LOG.error("createRole(" + role + ") failed", excp); + } catch (Throwable excp) { + LOG.error("createRole({}) failed", role, excp); throw restErrorUtil.createRESTException(excp.getMessage()); } - if (LOG.isDebugEnabled()) { - LOG.debug("<== createRole("+ role + "):" + ret); - } + + 
LOG.debug("<== createRole({}): {}", role, ret); + return ret; } - /* This operation is allowed only when - - * Logged in user has ranger admin role + /* This operation is allowed only when effective User has ranger admin privilege + * if execUser is not same as logged-in user then effective user is execUser + * else effective user is logged-in user. + * This logic is implemented as part of ensureAdminAccess(String serviceName, String userName); */ @PUT @Path("/roles/{id}") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public RangerRole updateRole(@PathParam("id") Long roleId - , RangerRole role - , @DefaultValue("false") @QueryParam("createNonExistUserGroup") Boolean createNonExistUserGroup - ) { - if (LOG.isDebugEnabled()) { - LOG.debug("==> updateRole(id=" + roleId +", " + role + ")"); - } + @Consumes("application/json") + @Produces("application/json") + public RangerRole updateRole(@PathParam("id") Long roleId, RangerRole role, @DefaultValue("false") @QueryParam("createNonExistUserGroup") Boolean createNonExistUserGroup) { + LOG.debug("==> updateRole(id={}, role={})", roleId, role); if (role.getId() != null && !roleId.equals(role.getId())) { throw restErrorUtil.createRESTException("roleId mismatch!!"); } else { role.setId(roleId); } + RangerRole ret; + try { UserSessionBase usb = ContextUtil.getCurrentUserSession(); String loggedInUser = usb != null ? 
usb.getLoginId() : null; RangerRole existingRole = getRole(roleId); if (!bizUtil.isUserRangerAdmin(loggedInUser) && !ensureRoleAccess(loggedInUser, userMgr.getGroupsForUser(loggedInUser), existingRole)) { - LOG.error("User " + loggedInUser + " does not have permission for this operation"); + LOG.error("User {} does not have permission for this operation", loggedInUser); throw new Exception("User does not have permission for this operation"); } RangerRoleValidator validator = validatorFactory.getRangerRoleValidator(roleStore); + validator.validate(role, RangerValidator.Action.UPDATE); if (containsInvalidMember(role.getUsers())) { throw new Exception("Invalid role user(s)"); } + ret = roleStore.updateRole(role, createNonExistUserGroup); - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { - LOG.error("updateRole(" + role + ") failed", excp); + } catch (Throwable excp) { + LOG.error("updateRole({}) failed", role, excp); throw restErrorUtil.createRESTException(excp.getMessage()); } - if (LOG.isDebugEnabled()) { - LOG.debug("<== updateRole(id=" + roleId +", " + role + "):" + ret); - } + + LOG.debug("<== updateRole(id={}, role={}) => ret:{}", roleId, role, ret); + return ret; } - /* This operation is allowed only when effective User has ranger admin privilege - * if execUser is not same as logged-in user then effective user is execUser - * else effective user is logged-in user. 
- * This logic is implemented as part of ensureAdminAccess(String serviceName, String userName); + /* This operation is allowed only when - + * Logged in user has ranger admin role */ @DELETE @Path("/roles/name/{name}") public void deleteRole(@QueryParam("serviceName") String serviceName, @QueryParam("execUser") String execUser, @PathParam("name") String roleName) { - if (LOG.isDebugEnabled()) { - LOG.debug("==> deleteRole(user=" + execUser + " name=" + roleName + ")"); - } + LOG.debug("==> deleteRole(user={}, name={})", execUser, roleName); + try { RangerRoleValidator validator = validatorFactory.getRangerRoleValidator(roleStore); + validator.validate(roleName, RangerRoleValidator.Action.DELETE); ensureAdminAccess(serviceName, execUser); + roleStore.deleteRole(roleName); - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { - LOG.error("deleteRole(" + roleName + ") failed", excp); + } catch (Throwable excp) { + LOG.error("deleteRole({}) failed", roleName, excp); throw restErrorUtil.createRESTException(excp.getMessage()); } - if (LOG.isDebugEnabled()) { - LOG.debug("<== deleteRole(name=" + roleName + ")"); - } + + LOG.debug("<== deleteRole(name={})", roleName); } - /* This operation is allowed only when - - * Logged in user has ranger admin role + /* This operation is allowed only when effective User has ranger admin privilege + * if execUser is not same as logged-in user then effective user is execUser + * else effective user is logged-in user. 
+ * This logic is implemented as part of ensureAdminAccess(String serviceName, String userName); */ @DELETE @Path("/roles/{id}") public void deleteRole(@PathParam("id") Long roleId) { - if (LOG.isDebugEnabled()) { - LOG.debug("==> deleteRole(id=" + roleId + ")"); - } + LOG.debug("==> deleteRole(id={})", roleId); + try { RangerRoleValidator validator = validatorFactory.getRangerRoleValidator(roleStore); + validator.validate(roleId, RangerRoleValidator.Action.DELETE); ensureAdminAccess(null, null); + roleStore.deleteRole(roleId); - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { - LOG.error("deleteRole(" + roleId + ") failed", excp); + } catch (Throwable excp) { + LOG.error("deleteRole({}) failed", roleId, excp); if (excp.getMessage().contains(String.valueOf(ValidationErrorCode.ROLE_VALIDATION_ERR_INVALID_ROLE_ID.getErrorCode()))) { - throw restErrorUtil.createRESTException( - "Data Not Found for given Id", - MessageEnums.DATA_NOT_FOUND, roleId, null, - "readResource : No Object found with given id."); + throw restErrorUtil.createRESTException("Data Not Found for given Id", MessageEnums.DATA_NOT_FOUND, roleId, null, "readResource : No Object found with given id."); } else { throw restErrorUtil.createRESTException(excp.getMessage()); } } - if (LOG.isDebugEnabled()) { - LOG.debug("<== deleteRole(id=" + roleId + ")"); - } + + LOG.debug("<== deleteRole(id={})", roleId); } - /* - * Minimum required privilege is the effective user has admin option for this role. - * This is used to list all the roles, groups, and users who belong to this role. 
+ /* This operation is allowed only when - + * Logged in user has ranger admin role */ @GET @Path("/roles/name/{name}") - @Produces({ "application/json" }) + @Produces("application/json") public RangerRole getRole(@QueryParam("serviceName") String serviceName, @QueryParam("execUser") String execUser, @PathParam("name") String roleName) { - if (LOG.isDebugEnabled()) { - LOG.debug("==> getRole(name=" + roleName + ", execUser=" + execUser + ")"); - } + LOG.debug("==> getRole(name={}, execUser={})", roleName, execUser); + RangerRole ret; try { Set userGroups = StringUtils.isNotEmpty(execUser) ? userMgr.getGroupsForUser(execUser) : new HashSet<>(); ret = getRoleIfAccessible(roleName, serviceName, execUser, userGroups); + if (ret == null) { throw restErrorUtil.createRESTException("User doesn't have permissions to get details for " + roleName); } - - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { - LOG.error("getRole(name=" + roleName + ", execUser=" + execUser + ") failed", excp); + } catch (Throwable excp) { + LOG.error("getRole(name={}, execUser={}) failed", roleName, execUser, excp); + throw restErrorUtil.createRESTException(excp.getMessage()); } - if (LOG.isDebugEnabled()) { - LOG.debug("<== getRole(name=" + roleName + ", execUser=" + execUser + "):" + ret); - } + + LOG.debug("<== getRole(name={}, execUser={}):{}", roleName, execUser, ret); + return ret; } + /* + * Minimum required privilege is the effective user has admin option for this role. + * This is used to list all the roles, groups, and users who belong to this role. 
+ */ + @GET @Path("/roles/{id}") - @Produces({ "application/json" }) + @Produces("application/json") public RangerRole getRole(@PathParam("id") Long id) { - if (LOG.isDebugEnabled()) { - LOG.debug("==> getRole(id=" + id + ")"); - } + LOG.debug("==> getRole(id={})", id); + RangerRole ret; + try { ret = roleStore.getRole(id); - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { - LOG.error("getRole(" + id + ") failed", excp); + } catch (Throwable excp) { + LOG.error("getRole({}) failed", id, excp); throw restErrorUtil.createRESTException(excp.getMessage()); } - if (LOG.isDebugEnabled()) { - LOG.debug("<== getRole(id=" + id + "):" + ret); + + LOG.debug("<== getRole(id={}):{}", id, ret); + + return ret; + } + + @GET + @Path("/roles") + @Produces("application/json") + public RangerRoleList getAllRoles(@Context HttpServletRequest request) { + LOG.debug("==> getAllRoles()"); + + RangerRoleList ret = new RangerRoleList(); + SearchFilter filter = searchUtil.getSearchFilter(request, roleService.sortFields); + + try { + ensureAdminAccess(null, null); + + roleStore.getRoles(filter, ret); + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + LOG.error("getRoles() failed", excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); } + + LOG.debug("<== getAllRoles():{}", ret); + return ret; } 
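Review bot: The authorization comments in this hunk have each slid one method down from the endpoint they describe. The `effective User ... ensureAdminAccess(String serviceName, String userName)` text now sits on updateRole, which never calls ensureAdminAccess (it checks `bizUtil.isUserRangerAdmin` and `ensureRoleAccess`), and again on deleteRole(id), which calls `ensureAdminAccess(null, null)` with no execUser at all; deleteRole(name), the one that actually takes execUser, now says `Logged in user has ranger admin role`; and getRole(id), whose body is only `roleStore.getRole(id)` with no visible access check, inherited getRole(name)'s "effective user has admin option for this role" claim. Since these comments are the only statement of each endpoint's access contract, restore each one to the method the `-` lines show it on (createRole, updateRole, deleteRole(name), deleteRole(id), getRole(name), in that order) or drop them rather than leave them misattributed. Separately, the static block that seeded INVALID_USERS with `RangerPolicyEngine.USER_CURRENT` and `RangerPolicyEngine.RESOURCE_OWNER` is removed here while the new `private static final List INVALID_USERS = new ArrayList<>()` in the previous hunk has no initializer; if that block was not re-added elsewhere in the file, `containsInvalidMember`/`containsInvalidUser` will silently accept those placeholders as role members.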
@@ -365,271 +392,242 @@ public RangerRole getRole(@PathParam("id") Long id) { */ @GET - @Path("/roles") - @Produces({ "application/json" }) - public RangerRoleList getAllRoles(@Context HttpServletRequest request) { - RangerRoleList ret = new RangerRoleList(); - if (LOG.isDebugEnabled()) { - LOG.debug("==> getAllRoles()"); - } - SearchFilter filter = searchUtil.getSearchFilter(request, roleService.sortFields); + @Path("/roles/exportJson") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAdminRole()") + public void getRolesInJson(@Context HttpServletRequest request, @Context HttpServletResponse response) { + LOG.debug("==> getRolesInJson()"); + try { - ensureAdminAccess(null, null); - roleStore.getRoles(filter,ret); - } catch(WebApplicationException excp) { + List roleLists = getAllFilteredRoleList(request); + + if (CollectionUtils.isNotEmpty(roleLists)) { + svcStore.getObjectInJson(roleLists, response, JSON_FILE_NAME_TYPE.ROLE); + } else { + response.setStatus(HttpServletResponse.SC_NO_CONTENT); + + LOG.error("There is no Role to Export!!"); + } + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { - LOG.error("getRoles() failed", excp); + } catch (Throwable excp) { + LOG.error("Error while exporting policy file!!", excp); throw restErrorUtil.createRESTException(excp.getMessage()); } - if (LOG.isDebugEnabled()) { - LOG.debug("<== getAllRoles():" + ret); + + LOG.debug("<== getRolesInJson()"); + } + + @POST + @Path("/roles/importRolesFromFile") + @Consumes({MediaType.MULTIPART_FORM_DATA, MediaType.APPLICATION_JSON}) + @Produces({"application/json", "application/xml"}) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAdminRole()") + public RESTResponse importRolesFromFile(@Context HttpServletRequest request, @FormDataParam("file") InputStream uploadedInputStream, @FormDataParam("file") FormDataContentDisposition fileDetail, @QueryParam("updateIfExists") Boolean updateIfExists, @DefaultValue("false") 
@QueryParam("createNonExistUserGroupRole") Boolean createNonExistUserGroupRole) { + LOG.debug("==> RoleREST.importRolesFromFile()"); + + RESTResponse ret = new RESTResponse(); + String metaDataInfo = null; + + RangerContextHolder.getOrCreateOpContext().setBulkModeContext(true); + + request.setAttribute(PARAM_IMPORT_IN_PROGRESS, true); + + try { + roleService.createTransactionLog(new XXTrxLogV2(AppConstants.CLASS_TYPE_RANGER_ROLE, null, null, "IMPORT START"), "Import", "IMPORT START", null); + + if (updateIfExists == null) { + updateIfExists = false; + } + + List roleNameList = getRoleNameList(request, new ArrayList<>()); + String fileName = fileDetail.getFileName(); + int totalRoleCreate = 0; + int totalRoleUpdate = 0; + int totalRoleUnchange = 0; + String msg; + + if (fileName.endsWith("json")) { + try { + RangerExportRoleList rangerExportRoleList = processRoleInputJsonForMetaData(uploadedInputStream, null); + + if (rangerExportRoleList != null && !CollectionUtils.sizeIsEmpty(rangerExportRoleList.getMetaDataInfo())) { + metaDataInfo = JsonUtilsV2.mapToJson(rangerExportRoleList.getMetaDataInfo()); + } else { + LOG.info("metadata info is not provided!!"); + } + + List roles = getRolesFromProvidedJson(rangerExportRoleList); + + if (roles != null && !CollectionUtils.sizeIsEmpty(roles)) { + for (RangerRole roleInJson : roles) { + if (roleInJson != null && StringUtils.isNotEmpty(roleInJson.getName().trim())) { + String roleNameInJson = roleInJson.getName().trim(); + + if (CollectionUtils.isNotEmpty(roleNameList) && roleNameList.contains(roleNameInJson)) { + // check updateIfExists + if (updateIfExists) { + try { + RangerRole exitingRole = roleStore.getRole(roleNameInJson); + + if (!exitingRole.getId().equals(roleInJson.getId())) { + roleInJson.setId(exitingRole.getId()); + } + + if (exitingRole.equals(roleInJson)) { + totalRoleUnchange++; + + LOG.debug("Ignoring Roles from provided role in Json file... 
{}", roleNameInJson); + } else { + roleStore.updateRole(roleInJson, createNonExistUserGroupRole); + + totalRoleUpdate++; + } + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + LOG.error("updateRole({}) failed", roleInJson, excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } + } else { + totalRoleUnchange++; + + LOG.debug("Ignoring Roles from provided role in Json file... {}", roleNameInJson); + } + + ret.setStatusCode(RESTResponse.STATUS_SUCCESS); + } else if (!roleNameList.contains(roleNameInJson) && (!roleNameInJson.isEmpty())) { + try { + roleStore.createRole(roleInJson, createNonExistUserGroupRole); + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + LOG.error("createRole({}) failed", roleInJson, excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } + + totalRoleCreate++; + + ret.setStatusCode(RESTResponse.STATUS_SUCCESS); + } + } + } + } else { + LOG.error("Json File does not contain any role."); + + throw restErrorUtil.createRESTException("Json File does not contain any role."); + } + + if (updateIfExists) { + msg = "Total Role Created = " + totalRoleCreate + " , Total Role Updated = " + totalRoleUpdate + " , Total Role Unchanged = " + totalRoleUnchange; + + ret.setMsgDesc(msg); + } else { + msg = "Total Role Created = " + totalRoleCreate + " , Total Role Unchanged = " + totalRoleUnchange; + + ret.setMsgDesc(msg); + } + } catch (IOException e) { + LOG.error(e.getMessage()); + + throw restErrorUtil.createRESTException(e.getMessage()); + } + } else { + LOG.error("Provided file format is not supported!!"); + + throw restErrorUtil.createRESTException("Provided file format is not supported!!"); + } + } catch (WebApplicationException excp) { + LOG.error("Error while importing role from file!!", excp); + + roleService.createTransactionLog(new XXTrxLogV2(AppConstants.CLASS_TYPE_RANGER_ROLE, null, null, "IMPORT ERROR"), "Import failed", 
StringUtils.isNotEmpty(metaDataInfo) ? metaDataInfo : null, null); + + throw excp; + } catch (Throwable excp) { + LOG.error("Error while importing role from file!!", excp); + + roleService.createTransactionLog(new XXTrxLogV2(AppConstants.CLASS_TYPE_RANGER_ROLE, null, null, "IMPORT ERROR"), "Import failed", StringUtils.isNotEmpty(metaDataInfo) ? metaDataInfo : null, null); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + roleService.createTransactionLog(new XXTrxLogV2(AppConstants.CLASS_TYPE_RANGER_ROLE, null, null, "IMPORT END"), "IMPORT END", StringUtils.isNotEmpty(metaDataInfo) ? metaDataInfo : null, null); + + LOG.debug("<== RoleREST.importRolesFromFile()"); } + return ret; } - @GET - @Path("/roles/exportJson") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAdminRole()") - public void getRolesInJson(@Context HttpServletRequest request, @Context HttpServletResponse response) { - if (LOG.isDebugEnabled()) { - LOG.debug("==> getRolesInJson()"); - } - try { - List roleLists = getAllFilteredRoleList(request); - - if (CollectionUtils.isNotEmpty(roleLists)) { - svcStore.getObjectInJson(roleLists, response, JSON_FILE_NAME_TYPE.ROLE); - } else { - response.setStatus(HttpServletResponse.SC_NO_CONTENT); - LOG.error("There is no Role to Export!!"); - } - - } catch (WebApplicationException excp) { - throw excp; - } catch (Throwable excp) { - LOG.error("Error while exporting policy file!!", excp); - throw restErrorUtil.createRESTException(excp.getMessage()); - } - if (LOG.isDebugEnabled()) { - LOG.debug("<== getRolesInJson()"); - } - } - - @POST - @Path("/roles/importRolesFromFile") - @Consumes({ MediaType.MULTIPART_FORM_DATA, MediaType.APPLICATION_JSON }) - @Produces({ "application/json", "application/xml" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAdminRole()") - public RESTResponse importRolesFromFile(@Context HttpServletRequest request, - @FormDataParam("file") InputStream uploadedInputStream, - 
@FormDataParam("file") FormDataContentDisposition fileDetail, - @QueryParam("updateIfExists") Boolean updateIfExists, - @DefaultValue("false") @QueryParam("createNonExistUserGroupRole") Boolean createNonExistUserGroupRole) { - if (LOG.isDebugEnabled()) { - LOG.debug("==> RoleREST.importRolesFromFile()"); - } - RESTResponse ret = new RESTResponse(); - - RangerContextHolder.getOrCreateOpContext().setBulkModeContext(true); - - String metaDataInfo = null; - request.setAttribute(PARAM_IMPORT_IN_PROGRESS, true); - - try { - roleService.createTransactionLog(new XXTrxLogV2(AppConstants.CLASS_TYPE_RANGER_ROLE, null, null, "IMPORT START"), "Import", "IMPORT START", null); - - if (updateIfExists == null) { - updateIfExists = false; - } - List roleNameList = new ArrayList(); - - roleNameList = getRoleNameList(request, roleNameList); - - String fileName = fileDetail.getFileName(); - int totalRoleCreate = 0; - int totalRoleUpdate = 0; - int totalRoleUnchange = 0; - String msg; - - if (fileName.endsWith("json")) { - try { - RangerExportRoleList rangerExportRoleList = null; - List roles = null; - rangerExportRoleList = processRoleInputJsonForMetaData(uploadedInputStream, rangerExportRoleList); - - if (rangerExportRoleList != null - && !CollectionUtils.sizeIsEmpty(rangerExportRoleList.getMetaDataInfo())) { - metaDataInfo = JsonUtilsV2.mapToJson(rangerExportRoleList.getMetaDataInfo()); - } else { - LOG.info("metadata info is not provided!!"); - } - roles = getRolesFromProvidedJson(rangerExportRoleList); - - if (roles != null && !CollectionUtils.sizeIsEmpty(roles)) { - for (RangerRole roleInJson : roles) { - - if (roleInJson != null && StringUtils.isNotEmpty(roleInJson.getName().trim())) { - String roleNameInJson = roleInJson.getName().trim(); - if (CollectionUtils.isNotEmpty(roleNameList) && roleNameList.contains(roleNameInJson)) { - - // check updateIfExists - if (updateIfExists) { - try { - RangerRole exitingRole = roleStore.getRole(roleNameInJson); - if 
(!exitingRole.getId().equals(roleInJson.getId())) { - roleInJson.setId(exitingRole.getId()); - } - if(exitingRole.equals(roleInJson)){ - totalRoleUnchange++; - if (LOG.isDebugEnabled()) { - LOG.debug("Ignoring Roles from provided role in Json file... "+ roleNameInJson); - } - } - else { - roleStore.updateRole(roleInJson, createNonExistUserGroupRole); - totalRoleUpdate++; - } - } catch (WebApplicationException excp) { - throw excp; - } catch (Throwable excp) { - LOG.error("updateRole(" + roleInJson + ") failed", excp); - - throw restErrorUtil.createRESTException(excp.getMessage()); - } - } else { - totalRoleUnchange++; - if (LOG.isDebugEnabled()) { - LOG.debug("Ignoring Roles from provided role in Json file... " + roleNameInJson); - } - } - ret.setStatusCode(RESTResponse.STATUS_SUCCESS); - } else if (!roleNameList.contains(roleNameInJson) && (!roleNameInJson.isEmpty())) { - try { - roleStore.createRole(roleInJson, createNonExistUserGroupRole); - } catch (WebApplicationException excp) { - throw excp; - } catch (Throwable excp) { - LOG.error("createRole(" + roleInJson + ") failed", excp); - - throw restErrorUtil.createRESTException(excp.getMessage()); - } - totalRoleCreate++; - ret.setStatusCode(RESTResponse.STATUS_SUCCESS); - } - } - } - } else { - LOG.error("Json File does not contain any role."); - throw restErrorUtil.createRESTException("Json File does not contain any role."); - } - if (updateIfExists) { - msg = "Total Role Created = " + totalRoleCreate + " , Total Role Updated = " + totalRoleUpdate + " , Total Role Unchanged = " + totalRoleUnchange; - ret.setMsgDesc(msg); - } else { - msg = "Total Role Created = " + totalRoleCreate + " , Total Role Unchanged = " + totalRoleUnchange; - ret.setMsgDesc(msg); - } - - } catch (IOException e) { - LOG.error(e.getMessage()); - throw restErrorUtil.createRESTException(e.getMessage()); - } - } else { - LOG.error("Provided file format is not supported!!"); - throw restErrorUtil.createRESTException("Provided file format is 
not supported!!"); - } - } catch (WebApplicationException excp) { - LOG.error("Error while importing role from file!!", excp); - - roleService.createTransactionLog(new XXTrxLogV2(AppConstants.CLASS_TYPE_RANGER_ROLE, null, null, "IMPORT ERROR"), "Import failed", StringUtils.isNotEmpty(metaDataInfo) ? metaDataInfo : null, null); - - throw excp; - } catch (Throwable excp) { - LOG.error("Error while importing role from file!!", excp); - - roleService.createTransactionLog(new XXTrxLogV2(AppConstants.CLASS_TYPE_RANGER_ROLE, null, null, "IMPORT ERROR"), "Import failed", StringUtils.isNotEmpty(metaDataInfo) ? metaDataInfo : null, null); - - throw restErrorUtil.createRESTException(excp.getMessage()); - } finally { - roleService.createTransactionLog(new XXTrxLogV2(AppConstants.CLASS_TYPE_RANGER_ROLE, null, null, "IMPORT END"), "IMPORT END", StringUtils.isNotEmpty(metaDataInfo) ? metaDataInfo : null, null); - - if (LOG.isDebugEnabled()) { - LOG.debug("<== RoleREST.importRolesFromFile()"); - } - } - - return ret; - } - @GET @Path("/lookup/roles") - @Produces({ "application/json" }) + @Produces("application/json") public RangerRoleList getAllRolesForUser(@Context HttpServletRequest request) { - RangerRoleList ret = new RangerRoleList(); - if (LOG.isDebugEnabled()) { - LOG.debug("==> getAllRolesForUser()"); - } - SearchFilter filter = searchUtil.getSearchFilter(request, roleService.sortFields); + LOG.debug("==> getAllRolesForUser()"); + + RangerRoleList ret = new RangerRoleList(); + SearchFilter filter = searchUtil.getSearchFilter(request, roleService.sortFields); + try { - roleStore.getRolesForUser(filter,ret); - } catch(WebApplicationException excp) { + roleStore.getRolesForUser(filter, ret); + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("getRoles() failed", excp); throw restErrorUtil.createRESTException(excp.getMessage()); } - if (LOG.isDebugEnabled()) { - LOG.debug("<== getAllRoles():" + ret); - } + 
+ LOG.debug("<== getAllRoles():{}", ret); + return ret; } - /* This operation is allowed only when effective User has ranger admin privilege - * if execUser is not same as logged-in user then effective user is execUser - * else effective user is logged-in user. - * This logic is implemented as part of ensureAdminAccess(String serviceName, String userName); - */ - @GET @Path("/roles/names") - @Produces({ "application/json" }) + @Produces("application/json") public List getAllRoleNames(@QueryParam("serviceName") String serviceName, @QueryParam("execUser") String userName, @Context HttpServletRequest request) { final List ret; - if (LOG.isDebugEnabled()) { - LOG.debug("==> getAllRoleNames()"); - } + + LOG.debug("==> getAllRoleNames()"); + SearchFilter filter = searchUtil.getSearchFilter(request, roleService.sortFields); + try { ensureAdminAccess(serviceName, userName); - ret = roleStore.getRoleNames(filter); - } catch(WebApplicationException excp) { + ret = roleStore.getRoleNames(filter); + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("getAllRoleNames() failed", excp); throw restErrorUtil.createRESTException(excp.getMessage()); } - if (LOG.isDebugEnabled()) { - LOG.debug("<== getAllRoleNames():" + ret); - } + + LOG.debug("<== getAllRoleNames():{}", ret); + return ret; } + /* This operation is allowed only when effective User has ranger admin privilege + * if execUser is not same as logged-in user then effective user is execUser + * else effective user is logged-in user. + * This logic is implemented as part of ensureAdminAccess(String serviceName, String userName); + */ + /* This API is used to add users and groups with/without GRANT privileges to this Role. 
It follows add-or-update semantics */ @PUT @Path("/roles/{id}/addUsersAndGroups") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) + @Consumes("application/json") + @Produces("application/json") public RangerRole addUsersAndGroups(@PathParam("id") Long roleId, List users, List groups, Boolean isAdmin) { if (LOG.isDebugEnabled()) { - LOG.debug("==> addUsersAndGroups(id=" + roleId + ", users=" + Arrays.toString(users.toArray()) + ", groups=" + Arrays.toString(groups.toArray()) + ", isAdmin=" + isAdmin + ")"); + LOG.debug("==> addUsersAndGroups(id={}, users={}, groups={}, isAdmin={})", roleId, Arrays.toString(users.toArray()), Arrays.toString(groups.toArray()), isAdmin); } RangerRole role; @@ -637,22 +635,26 @@ public RangerRole addUsersAndGroups(@PathParam("id") Long roleId, List u try { // Real processing ensureAdminAccess(null, null); + if (containsInvalidUser(users)) { throw new Exception("Invalid role user(s)"); } role = getRole(roleId); - Set roleUsers = new HashSet<>(); + Set roleUsers = new HashSet<>(); Set roleGroups = new HashSet<>(); for (RangerRole.RoleMember user : role.getUsers()) { if (users.contains(user.getName()) && isAdmin == Boolean.TRUE) { - user.setIsAdmin(isAdmin); + user.setIsAdmin(true); + roleUsers.add(user); } } + Set existingUsernames = getUserNames(role); + for (String user : users) { if (!existingUsernames.contains(user)) { roleUsers.add(new RangerRole.RoleMember(user, isAdmin)); 
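Review bot: importRolesFromFile calls `roleStore.createRole(roleInJson, createNonExistUserGroupRole)` and `roleStore.updateRole(roleInJson, ...)` directly, skipping the `validator.validate(...)` and `containsInvalidMember(role.getUsers())` checks that createRole and updateRole apply before reaching the store, so an imported JSON file can carry member names those endpoints reject unless the store repeats the check (the `@PreAuthorize` admin guard limits who can do this, but not what gets stored). Before each store call in the loop, add `if (containsInvalidMember(roleInJson.getUsers())) { throw restErrorUtil.createRESTException("Invalid role user(s) in " + roleNameInJson); }`, and consider running the role validator with the matching Action as the REST endpoints do. In the same loop, `StringUtils.isNotEmpty(roleInJson.getName().trim())` dereferences the name before checking it, so a role entry without a `name` fails with a NullPointerException; `StringUtils.isNotBlank(roleInJson.getName())` covers null, empty and whitespace in one test. The comment drift from the previous hunk continues here: getAllRoleNames, which calls `ensureAdminAccess(serviceName, userName)`, lost its "effective User ... ensureAdminAccess" comment, and that text now stacks above addUsersAndGroups' own `This API is used to add users and groups` comment although addUsersAndGroups calls `ensureAdminAccess(null, null)`. addUsersAndGroups' body continues into the next hunk.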
@@ -664,24 +666,25 @@ public RangerRole addUsersAndGroups(@PathParam("id") Long roleId, List u roleGroups.add(group); } } + for (String group : groups) { roleGroups.add(new RangerRole.RoleMember(group, isAdmin)); } + role.setUsers(new ArrayList<>(roleUsers)); role.setGroups(new ArrayList<>(roleGroups)); - role = roleStore.updateRole(role,false); - - } catch(WebApplicationException excp) { + role = roleStore.updateRole(role, false); + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("addUsersAndGroups() failed", excp); throw restErrorUtil.createRESTException(excp.getMessage()); } if (LOG.isDebugEnabled()) { - LOG.debug("==> addUsersAndGroups(id=" + roleId + ", users=" + Arrays.toString(users.toArray()) + ", groups=" + Arrays.toString(groups.toArray()) + ", isAdmin=" + isAdmin + ")"); + LOG.debug("==> addUsersAndGroups(id={}, users={}, groups={}, isAdmin={})", roleId, Arrays.toString(users.toArray()), Arrays.toString(groups.toArray()), isAdmin); } return role; 
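Review bot: The exit trace at the end of addUsersAndGroups is written with the entry marker, `LOG.debug("==> addUsersAndGroups(id={}, ...`, which makes entry and exit indistinguishable in the log; it should read `LOG.debug("<== addUsersAndGroups(id={}, users={}, groups={}, isAdmin={})", roleId, Arrays.toString(users.toArray()), Arrays.toString(groups.toArray()), isAdmin);` to match the `<==` convention the other methods in this file use. Keeping the `LOG.isDebugEnabled()` guard around it is correct, since `Arrays.toString(users.toArray())` is evaluated eagerly regardless of the log level. addUsersAndGroups begins outside this hunk.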
@@ -692,33 +695,40 @@ public RangerRole addUsersAndGroups(@PathParam("id") Long roleId, List u */ @PUT @Path("/roles/{id}/removeUsersAndGroups") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) + @Consumes("application/json") + @Produces("application/json") public RangerRole removeUsersAndGroups(@PathParam("id") Long roleId, List users, List groups) { if (LOG.isDebugEnabled()) { - LOG.debug("==> removeUsersAndGroups(id=" + roleId + ", users=" + Arrays.toString(users.toArray()) + ", groups=" + Arrays.toString(groups.toArray()) + ")"); + LOG.debug("==> removeUsersAndGroups(id={}, users={}, groups={})", roleId, Arrays.toString(users.toArray()), Arrays.toString(groups.toArray())); } + RangerRole role; try { // Real processing ensureAdminAccess(null, null); + role = getRole(roleId); for (String user : users) { Iterator iter = role.getUsers().iterator(); + while (iter.hasNext()) { RangerRole.RoleMember member = iter.next(); + if (StringUtils.equals(member.getName(), user)) { iter.remove(); break; } } } + for (String group : groups) { Iterator iter = role.getGroups().iterator(); + while (iter.hasNext()) { RangerRole.RoleMember member = iter.next(); + if (StringUtils.equals(member.getName(), group)) { iter.remove(); break; @@ -727,16 +737,16 @@ public RangerRole removeUsersAndGroups(@PathParam("id") Long roleId, List users, List groups) { - if (LOG.isDebugEnabled()) { - LOG.debug("==> removeAdminFromUsersAndGroups(id=" + roleId + ", users=" + Arrays.toString(users.toArray()) + ", groups=" + Arrays.toString(groups.toArray()) + ")"); - } + LOG.debug("==> removeAdminFromUsersAndGroups(id={}, users={}, groups={})", roleId, Arrays.toString(users.toArray()), Arrays.toString(groups.toArray())); + RangerRole role; + try { // Real processing ensureAdminAccess(null, null); + role = getRole(roleId); for (String user : users) { 
@@ -766,6 +777,7 @@ public RangerRole removeAdminFromUsersAndGroups(@PathParam("id") Long roleId, Li } } } + for (String group : groups) { for (RangerRole.RoleMember member : role.getGroups()) { if (StringUtils.equals(member.getName(), group) && member.getIsAdmin()) { 
@@ -775,111 +787,109 @@ public RangerRole removeAdminFromUsersAndGroups(@PathParam("id") Long roleId, Li } role = roleStore.updateRole(role, false); - - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("removeAdminFromUsersAndGroups() failed", excp); throw restErrorUtil.createRESTException(excp.getMessage()); } - if (LOG.isDebugEnabled()) { - LOG.debug("==> removeAdminFromUsersAndGroups(id=" + roleId + ", users=" + Arrays.toString(users.toArray()) + ", groups=" + Arrays.toString(groups.toArray()) + ")"); - } + LOG.debug("==> removeAdminFromUsersAndGroups(id={}, users={}, groups={})", roleId, Arrays.toString(users.toArray()), Arrays.toString(groups.toArray())); return role; } - /* - * This API is used to GRANT role to users and roles with/without ADMIN option. It follows add-or-update semantics - * Minimum required privilege is the effective user has admin option for the target roles - */ - @PUT - @Consumes({ "application/json" }) - @Produces({ "application/json" }) + @Consumes("application/json") + @Produces("application/json") @Path("/roles/grant/{serviceName}") public RESTResponse grantRole(@PathParam("serviceName") String serviceName, GrantRevokeRoleRequest grantRoleRequest, @Context HttpServletRequest request) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> RoleREST.grantRole(" + serviceName + ", " + grantRoleRequest + ")"); - } - RESTResponse ret = new RESTResponse(); + LOG.debug("==> RoleREST.grantRole({}, {})", serviceName, grantRoleRequest); + + RESTResponse ret = new RESTResponse(); try { validateUsersGroupsAndRoles(grantRoleRequest); + String userName = grantRoleRequest.getGrantor(); + for (String roleName : grantRoleRequest.getTargetRoles()) { /* For each target Role, check following to allow access * If userName (execUser) is not same as logged in user then check - * If logged-in user is not ranger admin/service admin/service user, then deny 
the operation - * effective User is execUser + * If logged-in user is not ranger admin/service admin/service user, then deny the operation + * effective User is execUser * else - * effective user is logged-in user + * effective user is logged-in user * If effective user is ranger admin/has role admin privilege, then allow the operation * else deny the operation * This logic is implemented as part of getRoleIfAccessible(roleName, serviceName, userName, userGroups) - */ - Set userGroups = CollectionUtils.isNotEmpty(grantRoleRequest.getGrantorGroups()) ? grantRoleRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName); - RangerRole existingRole = getRoleIfAccessible(roleName, serviceName, userName, userGroups); + */ + Set userGroups = CollectionUtils.isNotEmpty(grantRoleRequest.getGrantorGroups()) ? grantRoleRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName); + RangerRole existingRole = getRoleIfAccessible(roleName, serviceName, userName, userGroups); + if (existingRole == null) { throw restErrorUtil.createRESTException("User doesn't have permissions to grant role " + roleName); } existingRole.setUpdatedBy(userName); + addUsersGroupsAndRoles(existingRole, grantRoleRequest.getUsers(), grantRoleRequest.getGroups(), grantRoleRequest.getRoles(), grantRoleRequest.getGrantOption()); } - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("grantRole() failed", excp); throw restErrorUtil.createRESTException(excp.getMessage()); } if (LOG.isDebugEnabled()) { - LOG.debug("==> grantRole(serviceName=" + serviceName + ", users=" + Arrays.toString(grantRoleRequest.getUsers().toArray()) + ", groups=" + Arrays.toString(grantRoleRequest.getRoles().toArray()) + ", isAdmin=" + grantRoleRequest.getGrantOption() + ")"); + LOG.debug("==> grantRole(serviceName={}, users={}, groups={}, isAdmin={})", serviceName, 
Arrays.toString(grantRoleRequest.getUsers().toArray()), Arrays.toString(grantRoleRequest.getRoles().toArray()), grantRoleRequest.getGrantOption()); } + ret.setStatusCode(RESTResponse.STATUS_SUCCESS); return ret; } /* - * This API is used to remove users and roles, with regard to their REVOKE role from users and roles. - * Minimum required privilege is the execUser (or doAsUser) has admin option for the target roles + * This API is used to GRANT role to users and roles with/without ADMIN option. It follows add-or-update semantics + * Minimum required privilege is the effective user has admin option for the target roles */ @PUT @Path("/roles/revoke/{serviceName}") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) + @Consumes("application/json") + @Produces("application/json") public RESTResponse revokeRole(@PathParam("serviceName") String serviceName, GrantRevokeRoleRequest revokeRoleRequest, @Context HttpServletRequest request) { + LOG.debug("==> RoleREST.revokeRole({}, {})", serviceName, revokeRoleRequest); - if(LOG.isDebugEnabled()) { - LOG.debug("==> RoleREST.revokeRole(" + serviceName + ", " + revokeRoleRequest + ")"); - } - RESTResponse ret = new RESTResponse(); + RESTResponse ret = new RESTResponse(); try { validateUsersGroupsAndRoles(revokeRoleRequest); + String userName = revokeRoleRequest.getGrantor(); + for (String roleName : revokeRoleRequest.getTargetRoles()) { /* For each target Role, check following to allow access * If userName (execUser) is not same as logged in user then check - * If logged-in user is not ranger admin/service admin/service user, then deny the operation - * effective User is execUser + * If logged-in user is not ranger admin/service admin/service user, then deny the operation + * effective User is execUser * else - * effective user is logged-in user + * effective user is logged-in user * If effective user is ranger admin/has role admin privilege, then allow the operation * else deny the operation * This logic is 
implemented as part of getRoleIfAccessible(roleName, serviceName, userName, userGroups) */ - Set userGroups = CollectionUtils.isNotEmpty(revokeRoleRequest.getGrantorGroups()) ? revokeRoleRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName); - RangerRole existingRole = getRoleIfAccessible(roleName, serviceName, userName, userGroups); + Set userGroups = CollectionUtils.isNotEmpty(revokeRoleRequest.getGrantorGroups()) ? revokeRoleRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName); + RangerRole existingRole = getRoleIfAccessible(roleName, serviceName, userName, userGroups); + if (existingRole == null) { throw restErrorUtil.createRESTException("User doesn't have permissions to revoke role " + roleName); } + existingRole.setUpdatedBy(userName); if (revokeRoleRequest.getGrantOption()) { 
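Review bot: As rendered, this hunk moves the method-level comments one method down: the `This API is used to GRANT role…` block is removed above grantRole and re-added above revokeRole, and in the next hunk the `REVOKE` block lands above getUserRoles while `Get all the roles that this user or user's groups belong to` lands above getRangerRolesIfUpdated, so each comment now describes the wrong endpoint. The old `@PUT` above grantRole also appears only as a removed line with no replacement; if that is not an artefact of a collapsed blank line in the rendering, grantRole is no longer bound to an HTTP method and the deployed resource should be checked. Restoring each comment to the method it was written for (and `@PUT` on grantRole, if it is really gone) is the fix; the comment text itself is unchanged.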
@@ -888,108 +898,111 @@ public RESTResponse revokeRole(@PathParam("serviceName") String serviceName, Gra removeUsersGroupsAndRoles(existingRole, revokeRoleRequest.getUsers(), revokeRoleRequest.getGroups(), revokeRoleRequest.getRoles()); } } - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("revokeRole() failed", excp); throw restErrorUtil.createRESTException(excp.getMessage()); } if (LOG.isDebugEnabled()) { - LOG.debug("==> revokeRole(serviceName=" + serviceName + ", users=" + Arrays.toString(revokeRoleRequest.getUsers().toArray()) + ", roles=" + Arrays.toString(revokeRoleRequest.getRoles().toArray()) + ", isAdmin=" + revokeRoleRequest.getGrantOption() + ")"); + LOG.debug("==> revokeRole(serviceName={}, users={}, groups={}, isAdmin={})", serviceName, Arrays.toString(revokeRoleRequest.getUsers().toArray()), Arrays.toString(revokeRoleRequest.getRoles().toArray()), revokeRoleRequest.getGrantOption()); } + ret.setStatusCode(RESTResponse.STATUS_SUCCESS); return ret; } - /* Get all the roles that this user or user's groups belong to + /* + * This API is used to remove users and roles, with regard to their REVOKE role from users and roles. 
+ * Minimum required privilege is the execUser (or doAsUser) has admin option for the target roles */ @GET @Path("/roles/user/{user}") - @Produces({ "application/json" }) + @Produces("application/json") public List getUserRoles(@PathParam("user") String userName, @Context HttpServletRequest request) { Set ret = new HashSet<>(); - if (LOG.isDebugEnabled()) { - LOG.debug("==> getUserRoles()"); - } + LOG.debug("==> getUserRoles()"); + try { if (xUserService.getXUserByUserName(userName) == null) { throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "User:" + userName + " not found", false); } + Set roleList = roleStore.getRoleNames(userName, userMgr.getGroupsForUser(userName)); + for (RangerRole role : roleList) { ret.add(role.getName()); + Set roleMembers = new HashSet<>(); + getRoleMemberNames(roleMembers, role); + ret.addAll(roleMembers); } - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("getUserRoles() failed", excp); throw restErrorUtil.createRESTException(excp.getMessage()); } - if (LOG.isDebugEnabled()) { - LOG.debug("<== getUserRoles():" + ret); - } + + LOG.debug("<== getUserRoles():{}", ret); + return new ArrayList<>(ret); } + /* Get all the roles that this user or user's groups belong to + */ + @GET @Path("/download/{serviceName}") - @Produces({ "application/json" }) - public RangerRoles getRangerRolesIfUpdated( - @PathParam("serviceName") String serviceName, - @DefaultValue("-1") @QueryParam("lastKnownRoleVersion") Long lastKnownRoleVersion, - @DefaultValue("0") @QueryParam("lastActivationTime") Long lastActivationTime, - @QueryParam("pluginId") String pluginId, - @DefaultValue("") @QueryParam("clusterName") String clusterName, - @DefaultValue("") @QueryParam(RangerRESTUtils.REST_PARAM_CAPABILITIES) String pluginCapabilities, - @Context HttpServletRequest request) throws Exception { - if (LOG.isDebugEnabled()) { - 
LOG.debug("==> RoleREST.getRangerRolesIfUpdated(" - + serviceName + ", " + lastKnownRoleVersion + ", " + lastActivationTime + ")"); - } - RangerRoles ret = null; + @Produces("application/json") + public RangerRoles getRangerRolesIfUpdated(@PathParam("serviceName") String serviceName, @DefaultValue("-1") @QueryParam("lastKnownRoleVersion") Long lastKnownRoleVersion, @DefaultValue("0") @QueryParam("lastActivationTime") Long lastActivationTime, @QueryParam("pluginId") String pluginId, @DefaultValue("") @QueryParam("clusterName") String clusterName, @DefaultValue("") @QueryParam(RangerRESTUtils.REST_PARAM_CAPABILITIES) String pluginCapabilities, @Context HttpServletRequest request) { + LOG.debug("==> RoleREST.getRangerRolesIfUpdated({}, {}, {})", serviceName, lastKnownRoleVersion, lastActivationTime); - boolean isValid = false; - int httpCode = HttpServletResponse.SC_OK; - Long downloadedVersion = null; - String logMsg = null; + RangerRoles ret = null; + boolean isValid = false; + int httpCode = HttpServletResponse.SC_OK; + Long downloadedVersion = null; + String logMsg = null; try { bizUtil.failUnauthenticatedDownloadIfNotAllowed(); + isValid = serviceUtil.isValidService(serviceName, request); } catch (WebApplicationException webException) { httpCode = webException.getResponse().getStatus(); - logMsg = webException.getResponse().getEntity().toString(); + logMsg = webException.getResponse().getEntity().toString(); } catch (Exception e) { httpCode = HttpServletResponse.SC_BAD_REQUEST; - logMsg = e.getMessage(); + logMsg = e.getMessage(); } + if (isValid) { try { RangerRoles roles = roleStore.getRoles(serviceName, lastKnownRoleVersion); + if (roles == null) { downloadedVersion = lastKnownRoleVersion; - httpCode = HttpServletResponse.SC_NOT_MODIFIED; - logMsg = "No change since last update"; + httpCode = HttpServletResponse.SC_NOT_MODIFIED; + logMsg = "No change since last update"; } else { - downloadedVersion = roles.getRoleVersion(); roles.setServiceName(serviceName); - 
ret = roles; - httpCode = HttpServletResponse.SC_OK; - logMsg = "Returning RangerRoles =>" + (ret.toString()); - } + downloadedVersion = roles.getRoleVersion(); + ret = roles; + logMsg = "Returning RangerRoles =>" + (ret); + } } catch (Throwable excp) { - LOG.error("getRangerRolesIfUpdated(" + serviceName + ", " + lastKnownRoleVersion + ", " + lastActivationTime + ") failed", excp); + LOG.error("getRangerRolesIfUpdated({}, {}, {}) failed", serviceName, lastKnownRoleVersion, lastActivationTime, excp); + httpCode = HttpServletResponse.SC_BAD_REQUEST; - logMsg = excp.getMessage(); + logMsg = excp.getMessage(); } } 
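Review bot: The rewritten exit log in revokeRole changes the label from `roles=` to `groups=` while still printing `revokeRoleRequest.getRoles()`, so the new line mislabels the value (grantRole's exit log carries the same `groups={}` label on `getRoles()` from before). Restoring it is a one-word change: `LOG.debug("==> revokeRole(serviceName={}, users={}, roles={}, isAdmin={})", serviceName, Arrays.toString(revokeRoleRequest.getUsers().toArray()), Arrays.toString(revokeRoleRequest.getRoles().toArray()), revokeRoleRequest.getGrantOption());`, and both exit messages would read better with `<==` like the other exit logs in this file. In getRangerRolesIfUpdated, `downloadedVersion` is assigned on both branches but never read anywhere in the diff (the single line between this hunk and the next is not shown), and `logMsg = "Returning RangerRoles =>" + (ret)` is built on every successful download although `logMsg` is only consumed when `httpCode != SC_OK`; if `RangerRoles.toString()` walks every role, that is avoidable work on the download path.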
@@ -997,71 +1010,64 @@ public RangerRoles getRangerRolesIfUpdated( if (httpCode != HttpServletResponse.SC_OK) { boolean logError = httpCode != HttpServletResponse.SC_NOT_MODIFIED; + throw restErrorUtil.createRESTException(httpCode, logMsg, logError); } - if (LOG.isDebugEnabled()) { - LOG.debug("<== RoleREST.getRangerRolesIfUpdated(" + serviceName + ", " + lastKnownRoleVersion + ", " + lastActivationTime + ")" + ret); - } + LOG.debug("<== RoleREST.getRangerRolesIfUpdated({}, {}, {}) ret:{}", serviceName, lastKnownRoleVersion, lastActivationTime, ret); + return ret; } @GET @Path("/secure/download/{serviceName}") - @Produces({ "application/json" }) - public RangerRoles getSecureRangerRolesIfUpdated( - @PathParam("serviceName") String serviceName, - @DefaultValue("-1") @QueryParam("lastKnownRoleVersion") Long lastKnownRoleVersion, - @DefaultValue("0") @QueryParam("lastActivationTime") Long lastActivationTime, - @QueryParam("pluginId") String pluginId, - @DefaultValue("") @QueryParam("clusterName") String clusterName, - @DefaultValue("") @QueryParam(RangerRESTUtils.REST_PARAM_CAPABILITIES) String pluginCapabilities, - @Context HttpServletRequest request) throws Exception { - if (LOG.isDebugEnabled()) { - LOG.debug("==> RoleREST.getSecureRangerRolesIfUpdated(" - + serviceName + ", " + lastKnownRoleVersion + ", " + lastKnownRoleVersion + ")"); - } - RangerRoles ret = null; - int httpCode = HttpServletResponse.SC_OK; - String logMsg = null; - boolean isAllowed = false; - boolean isAdmin = bizUtil.isAdmin(); - boolean isKeyAdmin = bizUtil.isKeyAdmin(); - Long downloadedVersion = null; + @Produces("application/json") + public RangerRoles getSecureRangerRolesIfUpdated(@PathParam("serviceName") String serviceName, @DefaultValue("-1") @QueryParam("lastKnownRoleVersion") Long lastKnownRoleVersion, @DefaultValue("0") @QueryParam("lastActivationTime") Long lastActivationTime, @QueryParam("pluginId") String pluginId, @DefaultValue("") @QueryParam("clusterName") String clusterName, 
@DefaultValue("") @QueryParam(RangerRESTUtils.REST_PARAM_CAPABILITIES) String pluginCapabilities, @Context HttpServletRequest request) { + LOG.debug("==> RoleREST.getSecureRangerRolesIfUpdated({}, {}, {})", serviceName, lastKnownRoleVersion, lastActivationTime); + RangerRoles ret = null; + int httpCode = HttpServletResponse.SC_OK; + String logMsg = null; + boolean isAdmin = bizUtil.isAdmin(); + boolean isKeyAdmin = bizUtil.isKeyAdmin(); + Long downloadedVersion = null; + boolean isValid = false; + boolean isAllowed; request.setAttribute("downloadPolicy", "secure"); - boolean isValid = false; try { isValid = serviceUtil.isValidService(serviceName, request); } catch (WebApplicationException webException) { httpCode = webException.getResponse().getStatus(); - logMsg = webException.getResponse().getEntity().toString(); + logMsg = webException.getResponse().getEntity().toString(); } catch (Exception e) { httpCode = HttpServletResponse.SC_BAD_REQUEST; - logMsg = e.getMessage(); + logMsg = e.getMessage(); } + if (isValid) { try { XXService xService = daoManager.getXXService().findByName(serviceName); + if (xService == null) { - LOG.error("Requested Service not found. serviceName=" + serviceName); - throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "Service:" + serviceName + " not found", - false); + LOG.error("Requested Service not found. 
serviceName={}", serviceName); + + throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "Service:" + serviceName + " not found", false); } - XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType()); + + XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType()); RangerService rangerService = svcStore.getServiceByName(serviceName); if (StringUtils.equals(xServiceDef.getImplclassname(), EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) { if (isKeyAdmin) { isAllowed = true; - }else { + } else { isAllowed = bizUtil.isUserAllowed(rangerService, POLICY_DOWNLOAD_USERS); } - }else{ + } else { if (isAdmin) { isAllowed = true; - }else{ + } else { isAllowed = bizUtil.isUserAllowed(rangerService, POLICY_DOWNLOAD_USERS); } } 
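Review bot: The `SC_NOT_FOUND` exception thrown for a missing service inside this try is a WebApplicationException that the `catch (Throwable excp)` in the next hunk converts to `SC_BAD_REQUEST` with `excp.getMessage()`, so the client receives a 400 instead of the intended 404 (and an empty reason if that message is null). The other endpoints in this file rethrow that type first; inserting `} catch (WebApplicationException excp) { throw excp;` ahead of the Throwable catch restores the status. `xServiceDef` returned by `getById(xService.getType())` is also dereferenced without a null check; if that lookup can return null, the resulting NPE is reported through the same catch as a 400 whose message is `null`.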
@@ -1070,25 +1076,26 @@ public RangerRoles getSecureRangerRolesIfUpdated( RangerRoles roles = roleStore.getRoles(serviceName, lastKnownRoleVersion); if (roles == null) { downloadedVersion = lastKnownRoleVersion; - httpCode = HttpServletResponse.SC_NOT_MODIFIED; - logMsg = "No change since last update"; + httpCode = HttpServletResponse.SC_NOT_MODIFIED; + logMsg = "No change since last update"; } else { - downloadedVersion = roles.getRoleVersion(); roles.setServiceName(serviceName); - ret = roles; - httpCode = HttpServletResponse.SC_OK; - logMsg = "Returning RangerRoles =>" + (ret.toString()); + + downloadedVersion = roles.getRoleVersion(); + ret = roles; + logMsg = "Returning RangerRoles =>" + (ret); } } else { - LOG.error("getSecureRangerRolesIfUpdated(" + serviceName + ", " + lastKnownRoleVersion + ") failed as User doesn't have permission to UserGroupRoles"); + LOG.error("getSecureRangerRolesIfUpdated({}, {}) failed as User doesn't have permission to UserGroupRoles", serviceName, lastKnownRoleVersion); + httpCode = HttpServletResponse.SC_FORBIDDEN; // assert user is authenticated. - logMsg = "User doesn't have permission to download UserGroupRoles"; + logMsg = "User doesn't have permission to download UserGroupRoles"; } - } catch (Throwable excp) { - LOG.error("getSecureRangerRolesIfUpdated(" + serviceName + ", " + lastKnownRoleVersion + ", " + lastActivationTime + ") failed", excp); + LOG.error("getSecureRangerRolesIfUpdated({}, {}, {}) failed", serviceName, lastKnownRoleVersion, lastActivationTime, excp); + httpCode = HttpServletResponse.SC_BAD_REQUEST; - logMsg = excp.getMessage(); + logMsg = excp.getMessage(); } } 
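Review bot: The comment `// assert user is authenticated.` sits on the `SC_FORBIDDEN` assignment, but this branch is reached only when `isAllowed` is false for an already-validated service, i.e. the caller is known but not permitted; the comment says the opposite of what the code checks. `// authenticated caller is not permitted to download roles for this service` states the actual condition. The success branch has the same unused `logMsg` concatenation as getRangerRolesIfUpdated, and `downloadedVersion` is again written but not read in any visible line.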
@@ -1096,32 +1103,84 @@ public RangerRoles getSecureRangerRolesIfUpdated( if (httpCode != HttpServletResponse.SC_OK) { boolean logError = httpCode != HttpServletResponse.SC_NOT_MODIFIED; + throw restErrorUtil.createRESTException(httpCode, logMsg, logError); } - if (LOG.isDebugEnabled()) { - LOG.debug("<== RoleREST.getSecureRangerRolesIfUpdated(" + serviceName + ", " + lastKnownRoleVersion + ", " + lastActivationTime + ")" + ret); - } + LOG.debug("<== RoleREST.getSecureRangerRolesIfUpdated({}, {}, {}) ret:{}", serviceName, lastKnownRoleVersion, lastActivationTime, ret); + return ret; } - private void ensureAdminAccess(String serviceName, String userName) throws Exception { + protected List getAllFilteredRoleList(HttpServletRequest request) throws Exception { + LOG.debug("==> getAllFilteredRoleList()"); + + String roleNames = null; + List roleNameList = null; + List roleLists = new ArrayList<>(); + + if (request.getParameter(PARAM_ROLE_NAME) != null) { + roleNames = request.getParameter(PARAM_ROLE_NAME); + } + + if (StringUtils.isNotEmpty(roleNames)) { + roleNameList = new ArrayList<>(Arrays.asList(roleNames.split(","))); + } + + SearchFilter filter = new SearchFilter(); + List rangerRoleList = roleStore.getRoles(filter); + + if (!CollectionUtils.isEmpty(rangerRoleList)) { + for (RangerRole role : rangerRoleList) { + if (role != null) { + if (CollectionUtils.isNotEmpty(roleNameList)) { + if (roleNameList.contains(role.getName())) { + // set createTime & updateTime Time as null since exported Roles don't need this + role.setCreateTime(null); + role.setUpdateTime(null); + + roleLists.add(role); + + roleNameList.remove(role.getName()); + + if (roleNameList.isEmpty()) { + break; + } + } + } else { + // set createTime & updateTime Time as null since exported Roles don't need this + role.setCreateTime(null); + role.setUpdateTime(null); + + roleLists.add(role); + } + } + } + } + LOG.debug("<== getAllFilteredRoleList(){}", roleLists.size()); + + return roleLists; + } + + 
private void ensureAdminAccess(String serviceName, String userName) throws Exception { /* If userName (execUser) is not same as logged in user then check - * If logged-in user is not ranger admin/service admin/service user, then deny the operation - * effective User is execUser + * If logged-in user is not ranger admin/service admin/service user, then deny the operation + * effective User is execUser * else - * effective user is logged-in user + * effective user is logged-in user * If effective user is ranger admin, then allow the operation * else deny the operation */ - String effectiveUser; - UserSessionBase usb = ContextUtil.getCurrentUserSession(); - String loggedInUser = usb != null ? usb.getLoginId() : null; + String effectiveUser; + UserSessionBase usb = ContextUtil.getCurrentUserSession(); + String loggedInUser = usb != null ? usb.getLoginId() : null; + if (!StringUtil.equals(userName, loggedInUser)) { if (!bizUtil.isUserRangerAdmin(loggedInUser) && !userIsSrvAdmOrSrvUser(serviceName, loggedInUser)) { throw new Exception("User does not have permission for this operation"); } + effectiveUser = userName != null ? userName : loggedInUser; } else { effectiveUser = loggedInUser; 
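Review bot: `getAllFilteredRoleList`, added here, has no documentation and performs no access check of its own: it reads `roleName` from the request, loads every role via `roleStore.getRoles(new SearchFilter())`, and returns the matching ones with their timestamps cleared, so every caller must already have enforced admin access. A Javadoc stating that contract would keep the next caller honest: `/** Returns the roles named by the comma-separated roleName request parameter (all roles when absent), with createTime/updateTime cleared for export. Caller is responsible for authorization. */`. The entries from `roleNames.split(",")` are not trimmed, so a parameter such as `a, b` never matches role `b`; trimming each entry before adding it to `roleNameList` fixes that. The two `role.setCreateTime(null); role.setUpdateTime(null); roleLists.add(role);` blocks are identical and belong in one small private helper.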
@@ -1134,36 +1193,41 @@ private void ensureAdminAccess(String serviceName, String userName) throws Excep private RangerRole getRoleIfAccessible(String roleName, String serviceName, String userName, Set userGroups) { /* If userName (execUser) is not same as logged in user then check - * If logged-in user is not ranger admin/service admin/service user, then deny the operation - * effective User is execUser + * If logged-in user is not ranger admin/service admin/service user, then deny the operation + * effective User is execUser * else - * effective user is logged-in user + * effective user is logged-in user * If effective user is ranger admin/has role admin privilege, then allow the operation * else deny the operation */ - RangerRole existingRole; - String effectiveUser; - UserSessionBase usb = ContextUtil.getCurrentUserSession(); - String loggedInUser = usb != null ? usb.getLoginId() : null; + RangerRole existingRole; + String effectiveUser; + UserSessionBase usb = ContextUtil.getCurrentUserSession(); + String loggedInUser = usb != null ? usb.getLoginId() : null; + if (!StringUtil.equals(userName, loggedInUser)) { if (!bizUtil.isUserRangerAdmin(loggedInUser) && !userIsSrvAdmOrSrvUser(serviceName, loggedInUser)) { LOG.error("User does not have permission for this operation"); + return null; } + effectiveUser = userName != null ? userName : loggedInUser; } else { effectiveUser = loggedInUser; } + try { if (!bizUtil.isUserRangerAdmin(effectiveUser) && !svcStore.isServiceAdminUser(serviceName, effectiveUser)) { existingRole = roleStore.getRole(roleName); - ensureRoleAccess(effectiveUser, userGroups, existingRole); + ensureRoleAccess(effectiveUser, userGroups, existingRole); } else { existingRole = roleStore.getRole(roleName); } } catch (Exception ex) { LOG.error(ex.getMessage()); + return null; } 
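Review bot: The `catch (Exception ex)` at the end of getRoleIfAccessible logs only `ex.getMessage()` and returns null, so a store failure in `roleStore.getRole` or `svcStore.isServiceAdminUser` is indistinguishable from a denied request: the callers in grantRole/revokeRole then report `User doesn't have permissions`, the stack trace is lost, and a null message is logged as `null`. Logging the throwable keeps the fail-closed behaviour while making the cause diagnosable: `LOG.error("getRoleIfAccessible({}, {}, {}) failed", roleName, serviceName, effectiveUser, ex);`. The earlier `LOG.error("User does not have permission for this operation")` branch would be more useful for audit with `loggedInUser` and `userName` included, and the `catch (Exception ex) { LOG.error(ex.getMessage()); }` in userIsSrvAdmOrSrvUser in the next hunk has the same shape.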
@@ -1176,8 +1240,10 @@ private boolean userIsSrvAdmOrSrvUser(String serviceName, String username) { if (!StringUtil.isEmpty(serviceName)) { try { isServiceAdmin = svcStore.isServiceAdminUser(serviceName, username); + if (!isServiceAdmin) { RangerService rangerService = svcStore.getServiceByName(serviceName); + if (rangerService != null) { String serviceUser = PropertiesUtil.getProperty("ranger.plugins." + rangerService.getType() + ".serviceuser"); @@ -1188,22 +1254,27 @@ private boolean userIsSrvAdmOrSrvUser(String serviceName, String username) { LOG.error(ex.getMessage()); } } + return isServiceAdmin; } private boolean containsInvalidMember(List users) { boolean ret = false; + for (RangerRole.RoleMember user : users) { for (String invalidUser : INVALID_USERS) { if (StringUtils.equals(user.getName(), invalidUser)) { ret = true; + break; } } + if (ret) { break; } } + return ret; } 
@@ -1212,70 +1283,76 @@ private boolean containsInvalidUser(List users) { } private boolean ensureRoleAccess(String username, Set userGroups, RangerRole role) throws Exception { - if (LOG.isDebugEnabled()) { - LOG.debug("==> ensureRoleAccess("+ username + ", " + role + ")"); - } - boolean isAccessible = false; - List userList = role.getUsers(); - RangerRole.RoleMember userMember = new RangerRole.RoleMember(username, true); + LOG.debug("==> ensureRoleAccess({}, {})", username, role); + + boolean isAccessible = false; + List userList = role.getUsers(); + RangerRole.RoleMember userMember = new RangerRole.RoleMember(username, true); - if (!CollectionUtils.isEmpty(userList) && userList.contains(userMember)) { + if (!CollectionUtils.isEmpty(userList) && userList.contains(userMember)) { isAccessible = true; - if (LOG.isDebugEnabled()) { - LOG.debug("==> ensureRoleAccess(): user "+ username + " has permission for role " + role.getName()); - } + + LOG.debug("==> ensureRoleAccess(): user {} has permission for role {}", username, role.getName()); + return isAccessible; } if (!CollectionUtils.isEmpty(userGroups)) { List groupList = role.getGroups(); + for (RangerRole.RoleMember groupMember : groupList) { if (!groupMember.getIsAdmin()) { continue; } + if (userGroups.contains(groupMember.getName())) { isAccessible = true; - if (LOG.isDebugEnabled()) { - LOG.debug("==> ensureRoleAccess(): group " + groupMember.getName() + " has permission for role " + role.getName()); - } + + LOG.debug("==> ensureRoleAccess(): group {} has permission for role {}", groupMember.getName(), role.getName()); + return isAccessible; } } } Set roleMemberList = new HashSet<>(); + getRoleMembers(roleMemberList, role); + for (RangerRole.RoleMember roleMember : roleMemberList) { if (!roleMember.getIsAdmin()) { continue; } RangerRole roleMemberObj = roleStore.getRole(roleMember.getName()); + if (getUserNames(roleMemberObj).contains(username)) { isAccessible = true; - if (LOG.isDebugEnabled()) { - 
LOG.debug("==> ensureRoleAccess(): role "+ roleMember.getName() + " has permission for role " + role.getName()); - } + + LOG.debug("==> ensureRoleAccess(): role {} has permission for role {}", roleMember.getName(), role.getName()); + return isAccessible; } if (!CollectionUtils.isEmpty(userGroups) && !CollectionUtils.intersection(userGroups, getGroupNames(roleMemberObj)).isEmpty()) { isAccessible = true; - if (LOG.isDebugEnabled()) { - LOG.debug("==> ensureRoleAccess(): role " + roleMember.getName() + " has permission for role " + role.getName()); - } + + LOG.debug("==> ensureRoleAccess(): role {} has permission for role {}", roleMember.getName(), role.getName()); + return isAccessible; } } + if (!isAccessible) { throw restErrorUtil.createRESTException("User " + username + " does not have privilege to role " + role.getName()); } + return isAccessible; } private RangerRole addUsersGroupsAndRoles(RangerRole role, Set users, Set groups, Set roles, Boolean isAdmin) { if (LOG.isDebugEnabled()) { - LOG.debug("==> addUsersGroupsAndRoles(name=" + role.getName() + ", users=" + Arrays.toString(users.toArray()) + ", roles=" + Arrays.toString(roles.toArray()) + ", isAdmin=" + isAdmin + ")"); + LOG.debug("==> addUsersGroupsAndRoles(name={}, users={}, roles={}, isAdmin={})", role.getName(), Arrays.toString(users.toArray()), Arrays.toString(roles.toArray()), isAdmin); } try { 
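Review bot: `getRoleMembers(roleMemberList, role)` called here (and `getRoleMemberNames`, both rewritten in the last hunk of this file section) recurses into `roleStore.getRole(roleMember.getName())` without checking whether the member was already visited, so a role hierarchy that already contains a cycle recurses until `StackOverflowError`, which the `catch (Throwable)` in the callers turns into a generic error for every grant, revoke or getUserRoles request touching that role. The `Set` already reports whether an element is new, so the guard is one line in each helper: `if (roleMembers.add(roleMember)) { getRoleMembers(roleMembers, roleStore.getRole(roleMember.getName())); }`. Separately, every path that sets `isAccessible = true` returns immediately, so at `if (!isAccessible)` the flag is always false; the trailing `return isAccessible;` is dead and the method could end with the `throw` alone (or become `void`, since the caller in getRoleIfAccessible ignores the result).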
@@ -1283,80 +1360,89 @@ private RangerRole addUsersGroupsAndRoles(RangerRole role, Set users, Se for (String newRole : roles) { //get members recursively and check if the grantor role is already a member Set roleMembers = new HashSet<>(); + getRoleMemberNames(roleMembers, roleStore.getRole(newRole)); - if (LOG.isDebugEnabled()) { - LOG.debug("Role members for " + newRole + " = " + roleMembers); - } + + LOG.debug("Role members for {} = {}", newRole, roleMembers); + if (roleMembers.contains(role.getName())) { throw new Exception("Invalid role grant"); } - } - Set roleUsers = new HashSet<>(); + Set roleUsers = new HashSet<>(); Set roleGroups = new HashSet<>(); - Set roleRoles = new HashSet<>(); + Set roleRoles = new HashSet<>(); + + for (RangerRole.RoleMember user : role.getUsers()) { + String userName = user.getName(); - for (RangerRole.RoleMember user : role.getUsers()) { - String userName = user.getName(); - if (users.contains(userName)) { - user.setIsAdmin(isAdmin); - } - roleUsers.add(user); - } + if (users.contains(userName)) { + user.setIsAdmin(isAdmin); + } + + roleUsers.add(user); + } Set existingUsernames = getUserNames(role); + for (String user : users) { if (!existingUsernames.contains(user)) { roleUsers.add(new RangerRole.RoleMember(user, isAdmin)); } } - for (RangerRole.RoleMember group : role.getGroups()) { - String groupName = group.getName(); - if (groups.contains(groupName)) { - group.setIsAdmin(isAdmin); - } - roleGroups.add(group); - } + for (RangerRole.RoleMember group : role.getGroups()) { + String groupName = group.getName(); + + if (groups.contains(groupName)) { + group.setIsAdmin(isAdmin); + } + + roleGroups.add(group); + } Set existingGroupnames = getGroupNames(role); + for (String group : groups) { if (!existingGroupnames.contains(group)) { roleGroups.add(new RangerRole.RoleMember(group, isAdmin)); } } - for (RangerRole.RoleMember roleMember : role.getRoles()) { - String roleName = roleMember.getName(); - if (roles.contains(roleName)) { - 
roleMember.setIsAdmin(isAdmin); - } - roleRoles.add(roleMember); - } + for (RangerRole.RoleMember roleMember : role.getRoles()) { + String roleName = roleMember.getName(); + + if (roles.contains(roleName)) { + roleMember.setIsAdmin(isAdmin); + } + + roleRoles.add(roleMember); + } Set existingRolenames = getRoleNames(role); + for (String newRole : roles) { if (!existingRolenames.contains(newRole)) { roleRoles.add(new RangerRole.RoleMember(newRole, isAdmin)); } } + role.setUsers(new ArrayList<>(roleUsers)); role.setGroups(new ArrayList<>(roleGroups)); role.setRoles(new ArrayList<>(roleRoles)); role = roleStore.updateRole(role, false); - - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("addUsersGroupsAndRoles() failed", excp); throw restErrorUtil.createRESTException(excp.getMessage()); } if (LOG.isDebugEnabled()) { - LOG.debug("<== addUsersGroupsAndRoles(name=" + role.getName() + ", users=" + Arrays.toString(users.toArray()) + ", roles=" + Arrays.toString(roles.toArray()) + ", isAdmin=" + isAdmin + ")"); + LOG.debug("<== addUsersGroupsAndRoles(name={}, users={}, roles={}, isAdmin={})", role.getName(), Arrays.toString(users.toArray()), Arrays.toString(roles.toArray()), isAdmin); } return role; 
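Review bot: The cycle check at the top of this hunk only rejects `newRole` when the target role is already a transitive member of it; granting a role to itself (`roles` containing `role.getName()`) passes, because `getRoleMemberNames` starts from the members of `newRole` and never adds `newRole`'s own name, and the stored self-reference would then make the recursive helpers loop on every later walk of that role. Unless validateUsersGroupsAndRoles or `roleStore.updateRole` already rejects this (the visible part of validateUsersGroupsAndRoles checks only null/empty), a direct comparison before the recursive walk is cheap: `if (StringUtils.equals(newRole, role.getName()) || roleMembers.contains(role.getName())) { throw new Exception("Invalid role grant"); }`. The three member-merging loops for users, groups and roles are the same code on different accessors and would read more easily as one private helper taking the existing members and the new names.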
@@ -1364,15 +1450,17 @@ private RangerRole addUsersGroupsAndRoles(RangerRole role, Set users, Se private RangerRole removeUsersGroupsAndRoles(RangerRole role, Set users, Set groups, Set roles) { if (LOG.isDebugEnabled()) { - LOG.debug("==> removeUsersGroupsAndRoles(name=" + role.getName() + ", users=" + Arrays.toString(users.toArray()) + ", roles=" + Arrays.toString(roles.toArray()) + ")"); + LOG.debug("==> removeUsersGroupsAndRoles(name={}, users={}, roles={})", role.getName(), Arrays.toString(users.toArray()), Arrays.toString(roles.toArray())); } try { // Real processing for (String user : users) { Iterator iter = role.getUsers().iterator(); + while (iter.hasNext()) { RangerRole.RoleMember member = iter.next(); + if (StringUtils.equals(member.getName(), user)) { iter.remove(); break; @@ -1382,8 +1470,10 @@ private RangerRole removeUsersGroupsAndRoles(RangerRole role, Set users, for (String group : groups) { Iterator iter = role.getGroups().iterator(); + while (iter.hasNext()) { RangerRole.RoleMember member = iter.next(); + if (StringUtils.equals(member.getName(), group)) { iter.remove(); break; @@ -1393,8 +1483,10 @@ private RangerRole removeUsersGroupsAndRoles(RangerRole role, Set users, for (String newRole : roles) { Iterator iter = role.getRoles().iterator(); + while (iter.hasNext()) { RangerRole.RoleMember member = iter.next(); + if (StringUtils.equals(member.getName(), newRole)) { iter.remove(); break; 
@@ -1403,16 +1495,16 @@ private RangerRole removeUsersGroupsAndRoles(RangerRole role, Set users, } role = roleStore.updateRole(role, false); - - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { + } catch (Throwable excp) { LOG.error("removeUsersGroupsAndRoles() failed", excp); throw restErrorUtil.createRESTException(excp.getMessage()); } + if (LOG.isDebugEnabled()) { - LOG.debug("<== removeUsersGroupsAndRoles(name=" + role.getName() + ", users=" + Arrays.toString(users.toArray()) + ", roles=" + Arrays.toString(roles.toArray()) + ")"); + LOG.debug("<== removeUsersGroupsAndRoles(name={}, users={}, roles={})", role.getName(), Arrays.toString(users.toArray()), Arrays.toString(roles.toArray())); } return role; @@ -1420,8 +1512,9 @@ private RangerRole removeUsersGroupsAndRoles(RangerRole role, Set users, private RangerRole removeAdminFromUsersGroupsAndRoles(RangerRole role, Set users, Set groups, Set roles) { if (LOG.isDebugEnabled()) { - LOG.debug("==> removeAdminFromUsersGroupsAndRoles(name=" + role + ", users=" + Arrays.toString(users.toArray()) + ", roles=" + Arrays.toString(roles.toArray()) + ")"); + LOG.debug("==> removeAdminFromUsersGroupsAndRoles(name={}, users={}, roles={})", role.getName(), Arrays.toString(users.toArray()), Arrays.toString(roles.toArray())); } + try { // Real processing for (String user : users) { 
@@ -1431,6 +1524,7 @@ private RangerRole removeAdminFromUsersGroupsAndRoles(RangerRole role, Set getUserNames(RangerRole role) { - Set usernames = new HashSet<>(); + for (RangerRole.RoleMember user : role.getUsers()) { usernames.add(user.getName()); } + return usernames; } private Set getGroupNames(RangerRole role) { - Set groupnames = new HashSet<>(); + for (RangerRole.RoleMember group : role.getGroups()) { groupnames.add(group.getName()); } + return groupnames; } private Set getRoleNames(RangerRole role) { Set rolenames = new HashSet<>(); + for (RangerRole.RoleMember roleMember : role.getRoles()) { rolenames.add(roleMember.getName()); } + return rolenames; } private void getRoleMemberNames(Set roleMembers, RangerRole role) throws Exception { - for (RangerRole.RoleMember roleMember : role.getRoles()) { - roleMembers.add(roleMember.getName()); - getRoleMemberNames(roleMembers, roleStore.getRole(roleMember.getName())); + for (RangerRole.RoleMember roleMember : role.getRoles()) { + roleMembers.add(roleMember.getName()); + + getRoleMemberNames(roleMembers, roleStore.getRole(roleMember.getName())); } } private void getRoleMembers(Set roleMembers, RangerRole role) throws Exception { for (RangerRole.RoleMember roleMember : role.getRoles()) { roleMembers.add(roleMember); + getRoleMembers(roleMembers, roleStore.getRole(roleMember.getName())); } } - private void validateUsersGroupsAndRoles(GrantRevokeRoleRequest request){ + private void validateUsersGroupsAndRoles(GrantRevokeRoleRequest request) { if (request == null) { throw restErrorUtil.createRESTException("Invalid grant/revoke role request"); } - if(CollectionUtils.isEmpty(request.getUsers()) && CollectionUtils.isEmpty(request.getGroups()) && CollectionUtils.isEmpty(request.getRoles())) { + if (CollectionUtils.isEmpty(request.getUsers()) && CollectionUtils.isEmpty(request.getGroups()) && CollectionUtils.isEmpty(request.getRoles())) { throw restErrorUtil.createRESTException("Grantee users/groups/roles list is empty"); } 
+ if (request.getUsers() == null) { request.setUsers(new HashSet<>()); } - if (request.getGroups() == null ) { + if (request.getGroups() == null) { request.setGroups(new HashSet<>()); } 
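Review bot: getRoleMemberNames and getRoleMembers recurse into roleStore.getRole() for every nested role without any visited check, so if two roles can reference each other (A contains B, B contains A) the walk never terminates and ends in a StackOverflowError, and even an acyclic diamond-shaped hierarchy re-fetches the same role once per path. Since `roleMembers` is already a Set, its add result can gate the descent: `if (roleMembers.add(roleMember.getName())) { getRoleMemberNames(roleMembers, roleStore.getRole(roleMember.getName())); }` (the same guard applies to getRoleMembers if RoleMember defines equals/hashCode, which is not visible here). Whether the role store rejects cyclic membership on write is also not visible; if it does, a one-line comment on these helpers stating that invariant would spare the next reader this question. The hunk headers in this span appear garbled by the rendering, so the exact hunk boundaries are uncertain.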
@@ -1525,82 +1625,44 @@ private void validateUsersGroupsAndRoles(GrantRevokeRoleRequest request){ } } - protected List getAllFilteredRoleList(HttpServletRequest request) throws Exception { - if (LOG.isDebugEnabled()) { - LOG.debug("==> getAllFilteredRoleList()"); - } - String roleNames = null; - List roleNameList = null; - List roleLists = new ArrayList<>(); - - if (request.getParameter(PARAM_ROLE_NAME) != null) { - roleNames = request.getParameter(PARAM_ROLE_NAME); - } - if (StringUtils.isNotEmpty(roleNames)) { - roleNameList = new ArrayList(Arrays.asList(roleNames.split(","))); - } - - List rangerRoleList = new ArrayList(); - SearchFilter filter = new SearchFilter(); - - rangerRoleList = roleStore.getRoles(filter); - - if (!CollectionUtils.isEmpty(rangerRoleList)) { - for (RangerRole role : rangerRoleList) { - if (role != null) { - if (CollectionUtils.isNotEmpty(roleNameList)) { - if (roleNameList.contains(role.getName())) { - // set createTime & updateTime Time as null since exported Roles don't need this - role.setCreateTime(null); - role.setUpdateTime(null); - roleLists.add(role); - roleNameList.remove(role.getName()); - if (roleNameList.size() == 0) { - break; - } - } - } else { - // set createTime & updateTime Time as null since exported Roles don't need this - role.setCreateTime(null); - role.setUpdateTime(null); - roleLists.add(role); - } - } - } - } - if (LOG.isDebugEnabled()) { - LOG.debug("<== getAllFilteredRoleList()" + roleLists.size()); - } - return roleLists; - } - - private List getRoleNameList(HttpServletRequest request, List roleNameList) throws Exception { - SearchFilter filter = searchUtil.getSearchFilter(request, roleService.sortFields); - roleNameList = roleStore.getRoleNames(filter); - return roleNameList; - } - - private RangerExportRoleList processRoleInputJsonForMetaData(InputStream uploadedInputStream, - RangerExportRoleList rangerExportRoleList) throws Exception { - String rolesString = IOUtils.toString(uploadedInputStream); - 
rolesString = rolesString.trim(); - if (StringUtils.isNotEmpty(rolesString)) { - rangerExportRoleList = JsonUtilsV2.jsonToObj(rolesString, RangerExportRoleList.class); - } else { - LOG.error("Provided json file is empty!!"); - throw restErrorUtil.createRESTException("Provided json file is empty!!"); - } - return rangerExportRoleList; - } - - private List getRolesFromProvidedJson(RangerExportRoleList rangerExportRoleList) { - List roles = null; - if (rangerExportRoleList != null && !CollectionUtils.sizeIsEmpty(rangerExportRoleList.getSecurityRoles())) { - roles = rangerExportRoleList.getSecurityRoles(); - } else { - LOG.error("Provided json file does not contain any role!!"); - throw restErrorUtil.createRESTException("Provided json file does not contain any role!!"); - } - return roles; - } + private List getRoleNameList(HttpServletRequest request, List roleNameList) throws Exception { + SearchFilter filter = searchUtil.getSearchFilter(request, roleService.sortFields); + + roleNameList = roleStore.getRoleNames(filter); + + return roleNameList; + } + + private RangerExportRoleList processRoleInputJsonForMetaData(InputStream uploadedInputStream, RangerExportRoleList rangerExportRoleList) throws Exception { + String rolesString = IOUtils.toString(uploadedInputStream).trim(); + + if (StringUtils.isNotEmpty(rolesString)) { + rangerExportRoleList = JsonUtilsV2.jsonToObj(rolesString, RangerExportRoleList.class); + } else { + LOG.error("Provided json file is empty!!"); + + throw restErrorUtil.createRESTException("Provided json file is empty!!"); + } + + return rangerExportRoleList; + } + + private List getRolesFromProvidedJson(RangerExportRoleList rangerExportRoleList) { + List roles; + + if (rangerExportRoleList != null && !CollectionUtils.sizeIsEmpty(rangerExportRoleList.getSecurityRoles())) { + roles = rangerExportRoleList.getSecurityRoles(); + } else { + LOG.error("Provided json file does not contain any role!!"); + + throw restErrorUtil.createRESTException("Provided 
json file does not contain any role!!"); + } + + return roles; + } + + static { + INVALID_USERS.add(RangerPolicyEngine.USER_CURRENT); + INVALID_USERS.add(RangerPolicyEngine.RESOURCE_OWNER); + } } diff --git a/security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java b/security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java index dab430bfd2..6689675058 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java @@ -19,36 +19,9 @@ package org.apache.ranger.rest; -import java.util.ArrayList; -import java.util.Collection; -import java.util.Collections; -import java.util.HashMap; -import java.util.HashSet; -import java.util.Iterator; -import java.util.List; -import java.util.Map; -import java.util.Objects; -import java.util.Set; - -import javax.persistence.OptimisticLockException; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import javax.ws.rs.Consumes; -import javax.ws.rs.DELETE; -import javax.ws.rs.GET; -import javax.ws.rs.POST; -import javax.ws.rs.PUT; -import javax.ws.rs.Path; -import javax.ws.rs.PathParam; -import javax.ws.rs.Produces; -import javax.ws.rs.WebApplicationException; -import javax.ws.rs.core.Context; -import javax.ws.rs.DefaultValue; -import javax.ws.rs.QueryParam; - import org.apache.hadoop.thirdparty.com.google.common.collect.Sets; -import org.apache.ranger.biz.RangerPolicyAdmin; import org.apache.ranger.biz.RangerBizUtil; +import org.apache.ranger.biz.RangerPolicyAdmin; import org.apache.ranger.biz.SecurityZoneDBStore; import org.apache.ranger.biz.ServiceDBStore; import org.apache.ranger.biz.ServiceMgr; 
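Review bot: `IOUtils.toString(uploadedInputStream).trim()` in processRoleInputJsonForMetaData decodes the uploaded role JSON with the platform default charset, so non-ASCII role names or descriptions in an import file can be silently mangled depending on the JVM's file.encoding (assuming IOUtils is the commons-io class, whose single-argument overload is deprecated for exactly this reason). Passing the charset explicitly fixes it: `String rolesString = IOUtils.toString(uploadedInputStream, StandardCharsets.UTF_8).trim();` with the matching java.nio.charset import. Separately, getRoleNameList takes a `roleNameList` parameter that it immediately overwrites and returns, so the parameter only misleads callers; a plain local `List<String> roleNameList = roleStore.getRoleNames(filter);` with the parameter dropped reads more honestly, if no caller relies on that signature. The static initializer that seeds INVALID_USERS now sits after every method at the very end of the class; placing it next to the INVALID_USERS declaration (outside this hunk) would make the set's contents visible where it is declared.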
@@ -61,21 +34,21 @@ import org.apache.ranger.entity.XXService; import org.apache.ranger.entity.XXServiceDef; import org.apache.ranger.plugin.model.RangerSecurityZone; +import org.apache.ranger.plugin.model.RangerSecurityZone.RangerSecurityZoneService; +import org.apache.ranger.plugin.model.RangerSecurityZone.SecurityZoneSummary; import org.apache.ranger.plugin.model.RangerSecurityZoneHeaderInfo; import org.apache.ranger.plugin.model.RangerSecurityZoneV2; -import org.apache.ranger.plugin.model.RangerSecurityZone.SecurityZoneSummary; +import org.apache.ranger.plugin.model.RangerSecurityZoneV2.RangerSecurityZoneChangeRequest; +import org.apache.ranger.plugin.model.RangerSecurityZoneV2.RangerSecurityZoneResource; import org.apache.ranger.plugin.model.validation.RangerSecurityZoneValidator; import org.apache.ranger.plugin.model.validation.RangerValidator; +import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil; import org.apache.ranger.plugin.store.PList; import org.apache.ranger.plugin.util.RangerSecurityZoneHelper; import org.apache.ranger.plugin.util.RangerSecurityZoneHelper.RangerSecurityZoneServiceHelper; import org.apache.ranger.plugin.util.SearchFilter; import org.apache.ranger.service.RangerSecurityZoneServiceService; -import org.apache.ranger.plugin.model.RangerSecurityZone.RangerSecurityZoneService; -import org.apache.ranger.plugin.model.RangerSecurityZoneV2.RangerSecurityZoneChangeRequest; -import org.apache.ranger.plugin.model.RangerSecurityZoneV2.RangerSecurityZoneResource; import org.apache.ranger.view.RangerSecurityZoneList; -import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; 
@@ -84,13 +57,39 @@ import org.springframework.transaction.annotation.Propagation; import org.springframework.transaction.annotation.Transactional; +import javax.persistence.OptimisticLockException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.ws.rs.Consumes; +import javax.ws.rs.DELETE; +import javax.ws.rs.DefaultValue; +import javax.ws.rs.GET; +import javax.ws.rs.POST; +import javax.ws.rs.PUT; +import javax.ws.rs.Path; +import javax.ws.rs.PathParam; +import javax.ws.rs.Produces; +import javax.ws.rs.QueryParam; +import javax.ws.rs.WebApplicationException; +import javax.ws.rs.core.Context; + +import java.util.ArrayList; +import java.util.Collection; +import java.util.Collections; +import java.util.HashMap; +import java.util.HashSet; +import java.util.List; +import java.util.Map; +import java.util.Objects; +import java.util.Set; @Path("zones") @Component @Scope("request") @Transactional(propagation = Propagation.REQUIRES_NEW) public class SecurityZoneREST { - private static final Logger LOG = LoggerFactory.getLogger(SecurityZoneREST.class); + private static final Logger LOG = LoggerFactory.getLogger(SecurityZoneREST.class); + private static final String STR_USER_NOT_AUTHORIZED_TO_ACCESS_ZONE = "User is not authorized to access zone(s)."; private static final String ERR_ANOTHER_SEC_ZONE_OPER_IN_PROGRESS = "Another security zone operation is already in progress"; @@ -107,7 +106,7 @@ public class SecurityZoneREST { ServiceDBStore svcStore; @Autowired - RangerSearchUtil searchUtil; + RangerSearchUtil searchUtil; @Autowired RangerValidatorFactory validatorFactory; 
@@ -115,25 +114,24 @@ public class SecurityZoneREST { @Autowired RangerBizUtil bizUtil; - @Autowired - ServiceREST serviceRest; + @Autowired + ServiceREST serviceRest; - @Autowired - RangerDaoManager daoManager; + @Autowired + RangerDaoManager daoManager; - @Autowired - ServiceMgr serviceMgr; + @Autowired + ServiceMgr serviceMgr; @POST @Path("/zones") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) + @Consumes("application/json") + @Produces("application/json") public RangerSecurityZone createSecurityZone(RangerSecurityZone securityZone) { - if (LOG.isDebugEnabled()) { - LOG.debug("==> createSecurityZone("+ securityZone + ")"); - } + LOG.debug("==> createSecurityZone({})", securityZone); RangerSecurityZone ret; + try { RangerSecurityZoneHelper zoneHelper = new RangerSecurityZoneHelper(securityZone, bizUtil.getCurrentUserLoginId()); // this populates resourcesBaseInfo 
@@ -141,35 +139,35 @@ public RangerSecurityZone createSecurityZone(RangerSecurityZone securityZone) { ensureAdminAccess(securityZone); removeEmptyEntries(securityZone); + RangerSecurityZoneValidator validator = validatorFactory.getSecurityZoneValidator(svcStore, securityZoneStore); + validator.validate(securityZone, RangerValidator.Action.CREATE); + ret = securityZoneStore.createSecurityZone(securityZone); } catch (OptimisticLockException | org.eclipse.persistence.exceptions.OptimisticLockException excp) { - LOG.error("createSecurityZone(" + securityZone + ") failed", excp); + LOG.error("createSecurityZone({}) failed", securityZone, excp); throw restErrorUtil.createRESTException(HttpServletResponse.SC_CONFLICT, ERR_ANOTHER_SEC_ZONE_OPER_IN_PROGRESS, true); - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { - LOG.error("createSecurityZone(" + securityZone + ") failed", excp); + } catch (Throwable excp) { + LOG.error("createSecurityZone({}) failed:", securityZone, excp); throw restErrorUtil.createRESTException(excp.getMessage()); } - if (LOG.isDebugEnabled()) { - LOG.debug("<== createSecurityZone("+ securityZone + "):" + ret); - } + + LOG.debug("<== createSecurityZone({}):{}", securityZone, ret); + return ret; } @PUT @Path("/zones/{id}") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public RangerSecurityZone updateSecurityZone(@PathParam("id") Long zoneId, - RangerSecurityZone securityZone) { - if (LOG.isDebugEnabled()) { - LOG.debug("==> updateSecurityZone(id=" + zoneId +", " + securityZone + ")"); - } + @Consumes("application/json") + @Produces("application/json") + public RangerSecurityZone updateSecurityZone(@PathParam("id") Long zoneId, RangerSecurityZone securityZone) { + LOG.debug("==> updateSecurityZone(id={}, {})", zoneId, securityZone); if (zoneId != null && zoneId.equals(RangerSecurityZone.RANGER_UNZONED_SECURITY_ZONE_ID)) { throw 
restErrorUtil.createRESTException("Cannot update unzoned zone"); 
@@ -181,129 +179,130 @@ public RangerSecurityZone updateSecurityZone(@PathParam("id") Long zoneId, ensureUserAllowOperationOnServiceForZone(securityZone); removeEmptyEntries(securityZone); + if (securityZone.getId() != null && !zoneId.equals(securityZone.getId())) { throw restErrorUtil.createRESTException("zoneId mismatch!!"); } else { securityZone.setId(zoneId); } + RangerSecurityZone ret; + try { RangerSecurityZoneValidator validator = validatorFactory.getSecurityZoneValidator(svcStore, securityZoneStore); + validator.validate(securityZone, RangerValidator.Action.UPDATE); + ret = securityZoneStore.updateSecurityZoneById(securityZone); } catch (OptimisticLockException | org.eclipse.persistence.exceptions.OptimisticLockException excp) { - LOG.error("updateSecurityZone(" + securityZone + ") failed", excp); + LOG.error("updateSecurityZone({}) failed", securityZone, excp); throw restErrorUtil.createRESTException(HttpServletResponse.SC_CONFLICT, ERR_ANOTHER_SEC_ZONE_OPER_IN_PROGRESS, true); - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { - LOG.error("updateSecurityZone(" + securityZone + ") failed", excp); + } catch (Throwable excp) { + LOG.error("updateSecurityZone({}) failed", securityZone, excp); throw restErrorUtil.createRESTException(excp.getMessage()); } - if (LOG.isDebugEnabled()) { - LOG.debug("<== updateSecurityZone(id=" + zoneId +", " + securityZone + "):" + ret); - } + + LOG.debug("<== updateSecurityZone(id={}, {}):{}", zoneId, securityZone, ret); + return ret; } @DELETE @Path("/zones/name/{name}") public void deleteSecurityZone(@PathParam("name") String zoneName) { - if (LOG.isDebugEnabled()) { - LOG.debug("==> deleteSecurityZone(name=" + zoneName + ")"); - } + LOG.debug("==> deleteSecurityZone(name={})", zoneName); + try { - ensureAdminAccess(); + ensureAdminAccess(); + RangerSecurityZoneValidator validator = validatorFactory.getSecurityZoneValidator(svcStore, securityZoneStore); 
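Review bot: The two error logs in createSecurityZone's catch blocks now disagree: the optimistic-lock branch logs `createSecurityZone({}) failed` while the Throwable branch logs `createSecurityZone({}) failed:` with a trailing colon, and the updateSecurityZone branches in the same hunk use the form without the colon, so `LOG.error("createSecurityZone({}) failed", securityZone, excp);` is the consistent line and keeps log-based grouping of the same failure under one key. Also, both `catch (Throwable excp)` blocks end in `throw restErrorUtil.createRESTException(excp.getMessage());`, which forwards the raw internal exception text (persistence-layer or validator messages) to the HTTP client; the commit reformats these lines without changing that, and the same pattern recurs in the delete and get hunks that follow. Unless RESTErrorUtil sanitizes the message (not visible here), a fixed client-facing message with the full exception kept in the server log is the safer split.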
+ validator.validate(zoneName, RangerValidator.Action.DELETE); + securityZoneStore.deleteSecurityZoneByName(zoneName); } catch (OptimisticLockException | org.eclipse.persistence.exceptions.OptimisticLockException excp) { - LOG.error("deleteSecurityZone(" + zoneName + ") failed", excp); + LOG.error("deleteSecurityZone({}) failed", zoneName, excp); throw restErrorUtil.createRESTException(HttpServletResponse.SC_CONFLICT, ERR_ANOTHER_SEC_ZONE_OPER_IN_PROGRESS, true); - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { - LOG.error("deleteSecurityZone(" + zoneName + ") failed", excp); + } catch (Throwable excp) { + LOG.error("deleteSecurityZone({}) failed", zoneName, excp); throw restErrorUtil.createRESTException(excp.getMessage()); } - if (LOG.isDebugEnabled()) { - LOG.debug("<== deleteSecurityZone(name=" + zoneName + ")"); - } + + LOG.debug("<== deleteSecurityZone(name=={})", zoneName); } @DELETE @Path("/zones/{id}") public void deleteSecurityZone(@PathParam("id") Long zoneId) { - if (LOG.isDebugEnabled()) { - LOG.debug("==> deleteSecurityZone(id=" + zoneId + ")"); - } + LOG.debug("==> deleteSecurityZone(id={})", zoneId); + if (zoneId != null && zoneId.equals(RangerSecurityZone.RANGER_UNZONED_SECURITY_ZONE_ID)) { throw restErrorUtil.createRESTException("Cannot delete unzoned zone"); } + try { - ensureAdminAccess(); + ensureAdminAccess(); + RangerSecurityZoneValidator validator = validatorFactory.getSecurityZoneValidator(svcStore, securityZoneStore); + validator.validate(zoneId, RangerValidator.Action.DELETE); + securityZoneStore.deleteSecurityZoneById(zoneId); } catch (OptimisticLockException | org.eclipse.persistence.exceptions.OptimisticLockException excp) { - LOG.error("deleteSecurityZone(" + zoneId + ") failed", excp); + LOG.error("deleteSecurityZone({}) failed", zoneId, excp); throw restErrorUtil.createRESTException(HttpServletResponse.SC_CONFLICT, ERR_ANOTHER_SEC_ZONE_OPER_IN_PROGRESS, 
true); - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { - LOG.error("deleteSecurityZone(" + zoneId + ") failed", excp); + } catch (Throwable excp) { + LOG.error("deleteSecurityZone({}) failed", zoneId, excp); - throw restErrorUtil.createRESTException( - "Data Not Found for given Id", - MessageEnums.DATA_NOT_FOUND, zoneId, null, - "readResource : No Object found with given id."); - } - if (LOG.isDebugEnabled()) { - LOG.debug("<== deleteSecurityZone(id=" + zoneId + ")"); + throw restErrorUtil.createRESTException("Data Not Found for given Id", MessageEnums.DATA_NOT_FOUND, zoneId, null, "readResource : No Object found with given id."); } + + LOG.debug("<== deleteSecurityZone(id={})", zoneId); } @GET @Path("/zones/name/{name}") - @Produces({ "application/json" }) + @Produces("application/json") public RangerSecurityZone getSecurityZone(@PathParam("name") String zoneName) { - if (LOG.isDebugEnabled()) { - LOG.debug("==> getSecurityZone(name=" + zoneName + ")"); - } + LOG.debug("==> getSecurityZone(name={})", zoneName); if (!bizUtil.hasModuleAccess(RangerConstants.MODULE_SECURITY_ZONE)) { throw restErrorUtil.createRESTException(STR_USER_NOT_AUTHORIZED_TO_ACCESS_ZONE, MessageEnums.OPER_NO_PERMISSION); } RangerSecurityZone ret; + try { ret = securityZoneStore.getSecurityZoneByName(zoneName); - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { - LOG.error("getSecurityZone(" + zoneName + ") failed", excp); + } catch (Throwable excp) { + LOG.error("getSecurityZone({}) failed", zoneName, excp); throw restErrorUtil.createRESTException(excp.getMessage()); } - if (LOG.isDebugEnabled()) { - LOG.debug("<== getSecurityZone(name=" + zoneName + "):" + ret); - } + LOG.debug("<== getSecurityZone(name={}):{}", zoneName, ret); + return ret; } @GET @Path("/zones/{id}") - @Produces({ "application/json" }) + @Produces("application/json") public 
RangerSecurityZone getSecurityZone(@PathParam("id") Long id) { - if (LOG.isDebugEnabled()) { - LOG.debug("==> getSecurityZone(id=" + id + ")"); - } + LOG.debug("==> getSecurityZone(id={})", id); if (!bizUtil.hasModuleAccess(RangerConstants.MODULE_SECURITY_ZONE)) { throw restErrorUtil.createRESTException(STR_USER_NOT_AUTHORIZED_TO_ACCESS_ZONE, MessageEnums.OPER_NO_PERMISSION); 
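Review bot: The new exit trace in deleteSecurityZone(String) reads `LOG.debug("<== deleteSecurityZone(name=={})", zoneName);` with a doubled `==`, while its entry line and every other trace in this hunk use `name={}`; it should be `LOG.debug("<== deleteSecurityZone(name={})", zoneName);`. Also in deleteSecurityZone(Long), the `catch (Throwable excp)` branch still reports every failure as `"Data Not Found for given Id"` with MessageEnums.DATA_NOT_FOUND, so a store or constraint error during deletion is presented to the client as a missing zone; the commit only joins that call onto one line. If the store throws a distinct exception for an unknown id, catching that one specifically and letting other errors fall through to the generic path would make the response honest.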
@@ -314,39 +313,39 @@ public RangerSecurityZone getSecurityZone(@PathParam("id") Long id) { } RangerSecurityZone ret; + try { ret = securityZoneStore.getSecurityZone(id); - } catch(WebApplicationException excp) { + } catch (WebApplicationException excp) { throw excp; - } catch(Throwable excp) { - LOG.error("getSecurityZone(" + id + ") failed", excp); + } catch (Throwable excp) { + LOG.error("getSecurityZone({}) failed", id, excp); throw restErrorUtil.createRESTException(excp.getMessage()); } - if (LOG.isDebugEnabled()) { - LOG.debug("<== getSecurityZone(id=" + id + "):" + ret); - } + LOG.debug("<== getSecurityZone(id={}):{}", id, ret); + return ret; } @GET @Path("/zones") - @Produces({ "application/json" }) + @Produces("application/json") public RangerSecurityZoneList getAllZones(@Context HttpServletRequest request) { - if (LOG.isDebugEnabled()) { - LOG.debug("==> getAllZones()"); - } + LOG.debug("==> getAllZones()"); if (!bizUtil.hasModuleAccess(RangerConstants.MODULE_SECURITY_ZONE)) { throw restErrorUtil.createRESTException(STR_USER_NOT_AUTHORIZED_TO_ACCESS_ZONE, MessageEnums.OPER_NO_PERMISSION); } - RangerSecurityZoneList ret = new RangerSecurityZoneList(); - SearchFilter filter = searchUtil.getSearchFilter(request, securityZoneService.sortFields); + RangerSecurityZoneList ret = new RangerSecurityZoneList(); + SearchFilter filter = searchUtil.getSearchFilter(request, securityZoneService.sortFields); try { List securityZones = securityZoneStore.getSecurityZones(filter); + ret.setSecurityZoneList(securityZones); + if (securityZones != null) { ret.setTotalCount(securityZones.size()); ret.setSortBy(filter.getSortBy()); 
@@ -361,23 +360,19 @@ public RangerSecurityZoneList getAllZones(@Context HttpServletRequest request) { throw restErrorUtil.createRESTException(excp.getMessage()); } - if (LOG.isDebugEnabled()) { - LOG.debug("<== getAllZones():" + ret); - } + LOG.debug("<== getAllZones():{}", ret); + return ret; } @GET @Path("/zone-names/{serviceName}/resource") - @Produces({ "application/json" }) + @Produces("application/json") public Collection getZoneNamesForResource(@PathParam("serviceName") String serviceName, @Context HttpServletRequest request) { - if (LOG.isDebugEnabled()) { - LOG.debug("==> SecurityZoneREST.getZoneNamesForResource(" + serviceName + ")"); - } + LOG.debug("==> SecurityZoneREST.getZoneNamesForResource({})", serviceName); if (!serviceRest.isServiceAdmin(serviceName)) { - throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, - "User '" + bizUtil.getCurrentUserLoginId() + "' does not have privilege", true); + throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "User '" + bizUtil.getCurrentUserLoginId() + "' does not have privilege", true); } Collection ret = null; 
@@ -390,22 +385,16 @@ public Collection getZoneNamesForResource(@PathParam("serviceName") Stri ret = policyAdmin.getZoneNamesForResource(resource); } - if (LOG.isDebugEnabled()) { - LOG.debug("<== SecurityZoneREST.getZoneNamesForResource(" + serviceName + "): ret=" + ret); - } + LOG.debug("<== SecurityZoneREST.getZoneNamesForResource(serviceName={}):{}", serviceName, ret); return ret; } @GET @Path("/zones/zone-headers/for-service/{serviceId}") - @Produces({ "application/json" }) - public List getSecurityZoneHeaderInfoListByServiceId(@PathParam("serviceId") Long serviceId, - @DefaultValue("false") @QueryParam ("isTagService") Boolean isTagService, - @Context HttpServletRequest request) { - if (LOG.isDebugEnabled()) { - LOG.debug("==> SecurityZoneREST.getSecurityZoneHeaderInfoListByServiceId() serviceId:{}, isTagService:{}",serviceId,isTagService); - } + @Produces("application/json") + public List getSecurityZoneHeaderInfoListByServiceId(@PathParam("serviceId") Long serviceId, @DefaultValue("false") @QueryParam("isTagService") Boolean isTagService, @Context HttpServletRequest request) { + LOG.debug("==> SecurityZoneREST.getSecurityZoneHeaderInfoListByServiceId() serviceId:{}, isTagService:{}", serviceId, isTagService); List ret; 
@@ -418,27 +407,24 @@ public List getSecurityZoneHeaderInfoListByService throw restErrorUtil.createRESTException(excp.getMessage()); } - if (LOG.isDebugEnabled()) { - LOG.debug("<== SecurityZoneREST.getSecurityZoneHeaderInfoListByServiceId():" + ret); - } + LOG.debug("<== SecurityZoneREST.getSecurityZoneHeaderInfoListByServiceId():{}", ret); return ret; } @GET @Path("/summary") - @Produces({ "application/json" }) + @Produces("application/json") public PList getZonesSummary(@Context HttpServletRequest request) { - if (LOG.isDebugEnabled()) { - LOG.debug("==> getZonesSummary()"); - } + LOG.debug("==> getZonesSummary()"); if (!bizUtil.hasModuleAccess(RangerConstants.MODULE_SECURITY_ZONE)) { throw restErrorUtil.createRESTException(STR_USER_NOT_AUTHORIZED_TO_ACCESS_ZONE, MessageEnums.OPER_NO_PERMISSION); } - PList ret = null; - SearchFilter filter = searchUtil.getSearchFilter(request, securityZoneService.sortFields); + PList ret; + SearchFilter filter = searchUtil.getSearchFilter(request, securityZoneService.sortFields); + try { ret = securityZoneStore.getZonesSummary(filter); } catch (WebApplicationException excp) { @@ -449,9 +435,8 @@ public PList getZonesSummary(@Context HttpServletRequest re throw restErrorUtil.createRESTException(excp.getMessage()); } - if (LOG.isDebugEnabled()) { - LOG.debug("<== getZonesSummary():" + ret); - } + LOG.debug("<== getZonesSummary():{}", ret); + return ret; } @@ -486,8 +471,8 @@ public Boolean updateSecurityZone(Long zoneId, RangerSecurityZoneChangeRequest c RangerSecurityZone zone = getSecurityZone(zoneId); RangerSecurityZoneHelper zoneHelper = new RangerSecurityZoneHelper(zone, bizUtil.getCurrentUserLoginId()); RangerSecurityZone updatedZone = zoneHelper.updateZone(changeData); + RangerSecurityZone retV1 = updateSecurityZone(zoneId, updatedZone); - RangerSecurityZone retV1 = updateSecurityZone(zoneId, updatedZone); ret = retV1 != null; } catch (WebApplicationException excp) { throw excp; 
@@ -571,221 +556,191 @@ public PList getAllZonesV2(HttpServletRequest request) { return ret; } - private void ensureAdminAccess(){ - if(!bizUtil.isAdmin()){ - String userName = bizUtil.getCurrentUserLoginId(); - throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "Ranger Security Zone is not accessible for user '" + userName + "'.", true); - } - } - - private void ensureUserAllowOperationOnServiceForZone( - RangerSecurityZone securityZone){ - if (!bizUtil.isAdmin()) { - String userName = bizUtil.getCurrentUserLoginId(); - RangerSecurityZone existingSecurityZone = null; - try { - existingSecurityZone = svcStore - .getSecurityZone(securityZone.getId()); - } catch (Exception ex) { - LOG.error("Unable to get Security Zone with id : " + securityZone.getId(), ex); - throw restErrorUtil.createRESTException(ex.getMessage()); - } - if (existingSecurityZone != null) { - /* Validation for non service related fields of security zone */ - - - if (!Objects.equals(securityZone.getName(), existingSecurityZone.getName())) { - throwRestError("User : " + userName - + " is not allowed to edit zone name of zone : " + existingSecurityZone.getName()); - } else if (!Objects.equals(securityZone.getDescription(), existingSecurityZone.getDescription())) { - throwRestError("User : " + userName - + " is not allowed to edit zone description of zone : " + existingSecurityZone.getName()); - } - if (!serviceMgr.isZoneAdmin(existingSecurityZone.getName())) { - if (!Objects.equals(securityZone.getAdminUserGroups(), existingSecurityZone.getAdminUserGroups())) { - throwRestError("User : " - + userName - + " is not allowed to edit zone Admin User Group of zone : " + existingSecurityZone.getName()); - } else if (!Objects.equals(securityZone.getAdminUsers(), existingSecurityZone.getAdminUsers())) { - throwRestError("User : " + userName - + " is not allowed to edit zone Admin User of zone : " + existingSecurityZone.getName()); + private void ensureAdminAccess() { + if 
(!bizUtil.isAdmin()) { + String userName = bizUtil.getCurrentUserLoginId(); + + throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "Ranger Security Zone is not accessible for user '" + userName + "'.", true); + } + } + + private void ensureUserAllowOperationOnServiceForZone(RangerSecurityZone securityZone) { + if (!bizUtil.isAdmin()) { + String userName = bizUtil.getCurrentUserLoginId(); + RangerSecurityZone existingSecurityZone; + + try { + existingSecurityZone = svcStore.getSecurityZone(securityZone.getId()); + } catch (Exception ex) { + LOG.error("Unable to get Security Zone with id : {}", securityZone.getId(), ex); + + throw restErrorUtil.createRESTException(ex.getMessage()); + } + + if (existingSecurityZone != null) { + /* Validation for non service related fields of security zone */ + if (!Objects.equals(securityZone.getName(), existingSecurityZone.getName())) { + throwRestError("User : " + userName + " is not allowed to edit zone name of zone : " + existingSecurityZone.getName()); + } else if (!Objects.equals(securityZone.getDescription(), existingSecurityZone.getDescription())) { + throwRestError("User : " + userName + " is not allowed to edit zone description of zone : " + existingSecurityZone.getName()); + } + + if (!serviceMgr.isZoneAdmin(existingSecurityZone.getName())) { + if (!Objects.equals(securityZone.getAdminUserGroups(), existingSecurityZone.getAdminUserGroups())) { + throwRestError("User : " + userName + " is not allowed to edit zone Admin User Group of zone : " + existingSecurityZone.getName()); + } else if (!Objects.equals(securityZone.getAdminUsers(), existingSecurityZone.getAdminUsers())) { + throwRestError("User : " + userName + " is not allowed to edit zone Admin User of zone : " + existingSecurityZone.getName()); } else if (!Objects.equals(securityZone.getAdminRoles(), existingSecurityZone.getAdminRoles())) { - throwRestError("User : " + userName - + " is not allowed to edit zone Admin Roles of zone : " + 
existingSecurityZone.getName()); - } else if (!Objects.equals(securityZone.getAuditUsers(), existingSecurityZone.getAuditUsers())) { - throwRestError("User : " + userName - + " is not allowed to edit zone Audit User of zone : " + existingSecurityZone.getName()); - } else if (!Objects.equals(securityZone.getAuditUserGroups(), existingSecurityZone.getAuditUserGroups())) { - throwRestError("User : " - + userName - + " is not allowed to edit zone Audit User Group of zone : " + existingSecurityZone.getName()); + throwRestError("User : " + userName + " is not allowed to edit zone Admin Roles of zone : " + existingSecurityZone.getName()); + } else if (!Objects.equals(securityZone.getAuditUsers(), existingSecurityZone.getAuditUsers())) { + throwRestError("User : " + userName + " is not allowed to edit zone Audit User of zone : " + existingSecurityZone.getName()); + } else if (!Objects.equals(securityZone.getAuditUserGroups(), existingSecurityZone.getAuditUserGroups())) { + throwRestError("User : " + userName + " is not allowed to edit zone Audit User Group of zone : " + existingSecurityZone.getName()); } else if (!Objects.equals(securityZone.getAuditRoles(), existingSecurityZone.getAuditRoles())) { - throwRestError("User : " - + userName - + " is not allowed to edit zone Audit Roles of zone : " + existingSecurityZone.getName()); - } - } - - /* - * Validation on tag service association / disassociation with - * security zone - * */ - - List dbTagServices = existingSecurityZone - .getTagServices(); - List uiTagServices = securityZone.getTagServices(); - List addRmvTagSvc = new ArrayList(); - if (!dbTagServices.equals(uiTagServices)) { - for (String svc : dbTagServices) { - if (!uiTagServices.contains(svc)) { - addRmvTagSvc.add(svc); - } - } - - for (String svc : uiTagServices) { - if (!dbTagServices.contains(svc)) { - addRmvTagSvc.add(svc); - } - } - } - if (!addRmvTagSvc.isEmpty()) { - for (String svc : addRmvTagSvc) { - /* - * if user is neither svc admin nor admin then - 
* add/remove of svc in zone is not allowed - */ - if (!svcStore.isServiceAdminUser(svc, userName)) { - throwRestError("User : " - + userName - + " is not allowed to add/remove tag service : " - + svc + " in Ranger Security zone : " + existingSecurityZone.getName()); - - } - } - } - - - /* - * Validation on service association / disassociation with - * security zone - */ - Set existingRangerSecurityZoneService = existingSecurityZone - .getServices().keySet(); - Set newRangerSecurityZoneService = securityZone.getServices() - .keySet(); - Set diffServiceSet = new HashSet<>(Sets.difference( - newRangerSecurityZoneService, - existingRangerSecurityZoneService)); - diffServiceSet.addAll(Sets.difference( - existingRangerSecurityZoneService, - newRangerSecurityZoneService)); - - if (diffServiceSet != null && diffServiceSet.size() > 0) { - for (String svc : diffServiceSet) { - /* - * if user is neither svc admin nor admin then - * add/remove of svc in zone is not allowed - */ - if (!svcStore.isServiceAdminUser(svc, userName)) { - throwRestError("User : " - + userName - + " is not allowed to add/remove service : " - + svc + " in Ranger Security zone : " + existingSecurityZone.getName()); - - } - } - } - - /* Validation for resources on existing svc in security zone */ - for (String svc : existingRangerSecurityZoneService) { - RangerSecurityZoneService rangerSecurityZnSvcFromDB = existingSecurityZone - .getServices().get(svc); - - RangerSecurityZoneService rangerSecurityZnSvcFromUI = securityZone - .getServices().get(svc); - - if (rangerSecurityZnSvcFromUI != null) { - if (!Objects.equals(rangerSecurityZnSvcFromDB.getResources(), rangerSecurityZnSvcFromUI.getResources())) { - if (!svcStore.isServiceAdminUser(svc, userName)) { - throwRestError("User : " - + userName - + " is not allowed to edit resource in service : " - + svc + " in Ranger Security zone : " + existingSecurityZone.getName()); - } - } - } - - } - } - - } - } - - private void throwRestError(String message){ - 
throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, message, true); - } - - - private void ensureAdminAccess(RangerSecurityZone securityZone) { - if (!bizUtil.isAdmin()) { - String userName = bizUtil.getCurrentUserLoginId(); - throw restErrorUtil.createRESTException( - "Ranger Securtiy Zone is not accessible for user '" + userName + "'.", - MessageEnums.OPER_NO_PERMISSION); - } - else { - blockAdminFromKMSService(securityZone); - } - } - - private void blockAdminFromKMSService(RangerSecurityZone securityZone) { - if(securityZone != null) { - Map serviceMap = securityZone.getServices(); - if (serviceMap != null) { - for (String serviceName : serviceMap.keySet()) { - XXService xService = daoManager.getXXService().findByName(serviceName); - if (xService != null) { - XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType()); - if (EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(xServiceDef.getImplclassname())) { - throw restErrorUtil.createRESTException( - "KMS Services/Service-Defs are not accessible for Zone operations", - MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY); - } - } - } - } - } - } - - private void removeEmptyEntries(RangerSecurityZone securityZone) { - bizUtil.removeEmptyStrings(securityZone.getTagServices()); - bizUtil.removeEmptyStrings(securityZone.getAdminUsers()); - bizUtil.removeEmptyStrings(securityZone.getAdminUserGroups()); + throwRestError("User : " + userName + " is not allowed to edit zone Audit Roles of zone : " + existingSecurityZone.getName()); + } + } + + /* + * Validation on tag service association / disassociation with + * security zone + * */ + + List dbTagServices = existingSecurityZone.getTagServices(); + List uiTagServices = securityZone.getTagServices(); + List addRmvTagSvc = new ArrayList<>(); + + if (!dbTagServices.equals(uiTagServices)) { + for (String svc : dbTagServices) { + if (!uiTagServices.contains(svc)) { + addRmvTagSvc.add(svc); + } + } + + for (String svc : uiTagServices) { 
+ if (!dbTagServices.contains(svc)) { + addRmvTagSvc.add(svc); + } + } + } + + if (!addRmvTagSvc.isEmpty()) { + for (String svc : addRmvTagSvc) { + /* + * if user is neither svc admin nor admin then + * add/remove of svc in zone is not allowed + */ + if (!svcStore.isServiceAdminUser(svc, userName)) { + throwRestError("User : " + userName + " is not allowed to add/remove tag service : " + svc + " in Ranger Security zone : " + existingSecurityZone.getName()); + } + } + } + + /* + * Validation on service association / disassociation with + * security zone + */ + Set existingRangerSecurityZoneService = existingSecurityZone.getServices().keySet(); + Set newRangerSecurityZoneService = securityZone.getServices().keySet(); + Set diffServiceSet = new HashSet<>(Sets.difference(newRangerSecurityZoneService, existingRangerSecurityZoneService)); + + diffServiceSet.addAll(Sets.difference(existingRangerSecurityZoneService, newRangerSecurityZoneService)); + + if (!diffServiceSet.isEmpty()) { + for (String svc : diffServiceSet) { + /* + * if user is neither svc admin nor admin then + * add/remove of svc in zone is not allowed + */ + if (!svcStore.isServiceAdminUser(svc, userName)) { + throwRestError("User : " + userName + " is not allowed to add/remove service : " + svc + " in Ranger Security zone : " + existingSecurityZone.getName()); + } + } + } + + /* Validation for resources on existing svc in security zone */ + for (String svc : existingRangerSecurityZoneService) { + RangerSecurityZoneService rangerSecurityZnSvcFromDB = existingSecurityZone.getServices().get(svc); + RangerSecurityZoneService rangerSecurityZnSvcFromUI = securityZone.getServices().get(svc); + + if (rangerSecurityZnSvcFromUI != null) { + if (!Objects.equals(rangerSecurityZnSvcFromDB.getResources(), rangerSecurityZnSvcFromUI.getResources())) { + if (!svcStore.isServiceAdminUser(svc, userName)) { + throwRestError("User : " + userName + " is not allowed to edit resource in service : " + svc + " in Ranger Security 
zone : " + existingSecurityZone.getName()); + } + } + } + } + } + } + } + + private void throwRestError(String message) { + throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, message, true); + } + + private void ensureAdminAccess(RangerSecurityZone securityZone) { + if (!bizUtil.isAdmin()) { + String userName = bizUtil.getCurrentUserLoginId(); + + throw restErrorUtil.createRESTException("Ranger Security Zone is not accessible for user '" + userName + "'.", MessageEnums.OPER_NO_PERMISSION); + } else { + blockAdminFromKMSService(securityZone); + } + } + + private void blockAdminFromKMSService(RangerSecurityZone securityZone) { + if (securityZone != null) { + Map serviceMap = securityZone.getServices(); + + if (serviceMap != null) { + for (String serviceName : serviceMap.keySet()) { + XXService xService = daoManager.getXXService().findByName(serviceName); + + if (xService != null) { + XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType()); + + if (EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(xServiceDef.getImplclassname())) { + throw restErrorUtil.createRESTException("KMS Services/Service-Defs are not accessible for Zone operations", MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY); + } + } + } + } + } + } + + private void removeEmptyEntries(RangerSecurityZone securityZone) { + bizUtil.removeEmptyStrings(securityZone.getTagServices()); + bizUtil.removeEmptyStrings(securityZone.getAdminUsers()); + bizUtil.removeEmptyStrings(securityZone.getAdminUserGroups()); bizUtil.removeEmptyStrings(securityZone.getAdminRoles()); - bizUtil.removeEmptyStrings(securityZone.getAuditUsers()); - bizUtil.removeEmptyStrings(securityZone.getAuditUserGroups()); + bizUtil.removeEmptyStrings(securityZone.getAuditUsers()); + bizUtil.removeEmptyStrings(securityZone.getAuditUserGroups()); bizUtil.removeEmptyStrings(securityZone.getAdminRoles()); - Map serviceResouceMap=securityZone.getServices(); - if(serviceResouceMap!=null) { - Set> 
serviceResouceMapEntries = serviceResouceMap.entrySet(); - Iterator> iterator=serviceResouceMapEntries.iterator(); - while (iterator.hasNext()){ - Map.Entry serviceResouceMapEntry = iterator.next(); - RangerSecurityZoneService rangerSecurityZoneService=serviceResouceMapEntry.getValue(); - List>> resources=rangerSecurityZoneService.getResources(); - if(resources!=null) { - for (Map> resource : resources) { - if (resource!=null) { - for (Map.Entry> entry : resource.entrySet()) { - List resourceValues = entry.getValue(); - bizUtil.removeEmptyStrings(resourceValues); - } - } - } - } - } - } - } + + Map serviceResouceMap = securityZone.getServices(); + + if (serviceResouceMap != null) { + Set> serviceResouceMapEntries = serviceResouceMap.entrySet(); + + for (Map.Entry serviceResouceMapEntry : serviceResouceMapEntries) { + RangerSecurityZoneService rangerSecurityZoneService = serviceResouceMapEntry.getValue(); + List>> resources = rangerSecurityZoneService.getResources(); + + if (resources != null) { + for (Map> resource : resources) { + if (resource != null) { + for (Map.Entry> entry : resource.entrySet()) { + List resourceValues = entry.getValue(); + + bizUtil.removeEmptyStrings(resourceValues); + } + } + } + } + } + } + } private PList getResources(RangerSecurityZone zone, String serviceName, @Context HttpServletRequest request) { RangerSecurityZoneHelper zoneHelper = new RangerSecurityZoneHelper(zone, bizUtil.getCurrentUserLoginId()); diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java index 9d27309371..fb1a729952 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 
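Review bot: `removeEmptyEntries` calls `bizUtil.removeEmptyStrings(securityZone.getAdminRoles())` twice (once after `getAdminUserGroups()`, again after `getAuditUserGroups()`) and never cleans `getAuditRoles()`; the reformat keeps that as-is, and the second call should presumably read `bizUtil.removeEmptyStrings(securityZone.getAuditRoles());`, since `ensureUserAllowOperationOnServiceForZone` compares the audit-role lists with `Objects.equals` and, depending on call order, a leftover empty entry could make an otherwise unchanged zone fail that check for a non-zone-admin. In the same method, when `svcStore.getSecurityZone` returns null the non-admin branch falls through without any error, so an unknown zone id passes this authorization gate; if the caller does not reject a missing zone on its own, a `throwRestError` there, or at least a comment stating that the later update is expected to fail, would make the intent explicit. The rewritten `catch (Exception ex)` also forwards `ex.getMessage()` from the store lookup straight into the REST response; a fixed client-facing message, with the detail kept in the preceding `LOG.error`, would avoid exposing backend error text.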
@@ -19,31 +19,9 @@ package org.apache.ranger.rest; -import java.io.IOException; -import java.io.InputStream; -import java.security.SecureRandom; -import java.util.*; -import java.util.Map.Entry; -import java.util.stream.IntStream; - -import javax.annotation.Nonnull; -import javax.annotation.PostConstruct; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import javax.ws.rs.Consumes; -import javax.ws.rs.DELETE; -import javax.ws.rs.DefaultValue; -import javax.ws.rs.GET; -import javax.ws.rs.POST; -import javax.ws.rs.PUT; -import javax.ws.rs.Path; -import javax.ws.rs.PathParam; -import javax.ws.rs.Produces; -import javax.ws.rs.QueryParam; -import javax.ws.rs.WebApplicationException; -import javax.ws.rs.core.Context; -import javax.ws.rs.core.MediaType; - +import com.google.gson.JsonSyntaxException; +import com.sun.jersey.core.header.FormDataContentDisposition; +import com.sun.jersey.multipart.FormDataParam; import org.apache.commons.collections.CollectionUtils; import org.apache.commons.collections.MapUtils; import org.apache.commons.io.IOUtils; @@ -55,8 +33,8 @@ import org.apache.ranger.authorization.utils.StringUtil; import org.apache.ranger.biz.AssetMgr; import org.apache.ranger.biz.PolicyRefUpdater; -import org.apache.ranger.biz.RangerPolicyAdmin; import org.apache.ranger.biz.RangerBizUtil; +import org.apache.ranger.biz.RangerPolicyAdmin; import org.apache.ranger.biz.RangerPolicyAdminCacheForEngineOptions; import org.apache.ranger.biz.RoleDBStore; import org.apache.ranger.biz.SecurityZoneDBStore; 
@@ -79,19 +57,28 @@ import org.apache.ranger.common.UserSessionBase; import org.apache.ranger.common.db.RangerTransactionSynchronizationAdapter; import org.apache.ranger.db.RangerDaoManager; +import org.apache.ranger.db.XXRoleDao; import org.apache.ranger.entity.XXPolicy; import org.apache.ranger.entity.XXPolicyExportAudit; +import org.apache.ranger.entity.XXPolicyLabel; +import org.apache.ranger.entity.XXRole; import org.apache.ranger.entity.XXSecurityZone; import org.apache.ranger.entity.XXSecurityZoneRefService; import org.apache.ranger.entity.XXSecurityZoneRefTagService; import org.apache.ranger.entity.XXService; import org.apache.ranger.entity.XXServiceDef; import org.apache.ranger.entity.XXTrxLogV2; -import org.apache.ranger.entity.XXRole; -import org.apache.ranger.plugin.model.*; +import org.apache.ranger.plugin.model.RangerPluginInfo; +import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource; +import org.apache.ranger.plugin.model.RangerPolicyDelta; +import org.apache.ranger.plugin.model.RangerPolicyResourceSignature; +import org.apache.ranger.plugin.model.RangerService; +import org.apache.ranger.plugin.model.RangerServiceDef; +import org.apache.ranger.plugin.model.RangerServiceHeaderInfo; +import org.apache.ranger.plugin.model.ServiceDeleteResponse; import org.apache.ranger.plugin.model.validation.RangerPolicyValidator; import org.apache.ranger.plugin.model.validation.RangerServiceDefHelper; import org.apache.ranger.plugin.model.validation.RangerServiceDefValidator; 
@@ -140,4533 +127,4528 @@ import org.springframework.transaction.annotation.Propagation; import org.springframework.transaction.annotation.Transactional; -import com.google.gson.JsonSyntaxException; -import com.sun.jersey.core.header.FormDataContentDisposition; -import com.sun.jersey.multipart.FormDataParam; +import javax.annotation.Nonnull; +import javax.annotation.PostConstruct; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.ws.rs.Consumes; +import javax.ws.rs.DELETE; +import javax.ws.rs.DefaultValue; +import javax.ws.rs.GET; +import javax.ws.rs.POST; +import javax.ws.rs.PUT; +import javax.ws.rs.Path; +import javax.ws.rs.PathParam; +import javax.ws.rs.Produces; +import javax.ws.rs.QueryParam; +import javax.ws.rs.WebApplicationException; +import javax.ws.rs.core.Context; +import javax.ws.rs.core.MediaType; -import static org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_GDS_NAME; +import java.io.IOException; +import java.io.InputStream; +import java.security.SecureRandom; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Comparator; +import java.util.HashMap; +import java.util.HashSet; +import java.util.LinkedHashMap; +import java.util.List; +import java.util.ListIterator; +import java.util.Map; +import java.util.Map.Entry; +import java.util.Objects; +import java.util.Set; +import java.util.TreeMap; +import java.util.stream.IntStream; +import static org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_GDS_NAME; @Path("plugins") @Component @Scope("request") @Transactional(propagation = Propagation.REQUIRES_NEW) public class ServiceREST { - private static final Logger LOG = LoggerFactory.getLogger(ServiceREST.class); - private static final Logger PERF_LOG = RangerPerfTracer.getPerfLogger("rest.ServiceREST"); - - final static public String PARAM_SERVICE_NAME = "serviceName"; - final static public String PARAM_SERVICE_TYPE = 
"serviceType"; - final static public String PARAM_POLICY_NAME = "policyName"; - final static public String PARAM_ZONE_NAME = "zoneName"; - final static public String PARAM_UPDATE_IF_EXISTS = "updateIfExists"; - final static public String PARAM_MERGE_IF_EXISTS = "mergeIfExists"; - final static public String PARAM_DELETE_IF_EXISTS = "deleteIfExists"; - final static public String PARAM_IMPORT_IN_PROGRESS = "importInProgress"; - public static final String Allowed_User_List_For_Download = "policy.download.auth.users"; - public static final String Allowed_User_List_For_Grant_Revoke = "policy.grantrevoke.auth.users"; - - public static final String isCSRF_ENABLED = "ranger.rest-csrf.enabled"; - public static final String BROWSER_USER_AGENT_PARAM = "ranger.rest-csrf.browser-useragents-regex"; - public static final String CUSTOM_METHODS_TO_IGNORE_PARAM = "ranger.rest-csrf.methods-to-ignore"; - public static final String CUSTOM_HEADER_PARAM = "ranger.rest-csrf.custom-header"; - public static final String CSRF_TOKEN_LENGTH = "ranger.rest-csrf.token.length"; - final static public String POLICY_MATCHING_ALGO_BY_POLICYNAME = "matchByName"; - final static public String POLICY_MATCHING_ALGO_BY_RESOURCE = "matchByPolicySignature"; - final static public String PARAM_POLICY_MATCHING_ALGORITHM = "policyMatchingAlgorithm"; - - public static final String PURGE_RECORD_TYPE_LOGIN_LOGS = "login_records"; - public static final String PURGE_RECORD_TYPE_TRX_LOGS = "trx_records"; - public static final String PURGE_RECORD_TYPE_POLICY_EXPORT_LOGS = "policy_export_logs"; - - @Autowired - RESTErrorUtil restErrorUtil; - - @Autowired - ServiceMgr serviceMgr; - - @Autowired - XUserService xUserService; - - @Autowired - AssetMgr assetMgr; - - @Autowired - XUserMgr userMgr; - - @Autowired - ServiceDBStore svcStore; - - @Autowired - RoleDBStore roleDBStore; - - @Autowired - SecurityZoneDBStore zoneStore; - - @Autowired - ServiceUtil serviceUtil; - - @Autowired - RangerPolicyService policyService; - - 
@Autowired - RangerPolicyLabelsService policyLabelsService; - - @Autowired - RangerServiceService svcService; - - @Autowired - RangerServiceDefService serviceDefService; - - @Autowired + private static final Logger LOG = LoggerFactory.getLogger(ServiceREST.class); + private static final Logger PERF_LOG = RangerPerfTracer.getPerfLogger("rest.ServiceREST"); + + public static final String PARAM_SERVICE_NAME = "serviceName"; + public static final String PARAM_SERVICE_TYPE = "serviceType"; + public static final String PARAM_POLICY_NAME = "policyName"; + public static final String PARAM_ZONE_NAME = "zoneName"; + public static final String PARAM_UPDATE_IF_EXISTS = "updateIfExists"; + public static final String PARAM_MERGE_IF_EXISTS = "mergeIfExists"; + public static final String PARAM_DELETE_IF_EXISTS = "deleteIfExists"; + public static final String PARAM_IMPORT_IN_PROGRESS = "importInProgress"; + public static final String Allowed_User_List_For_Download = "policy.download.auth.users"; + public static final String Allowed_User_List_For_Grant_Revoke = "policy.grantrevoke.auth.users"; + public static final String isCSRF_ENABLED = "ranger.rest-csrf.enabled"; + public static final String BROWSER_USER_AGENT_PARAM = "ranger.rest-csrf.browser-useragents-regex"; + public static final String CUSTOM_METHODS_TO_IGNORE_PARAM = "ranger.rest-csrf.methods-to-ignore"; + public static final String CUSTOM_HEADER_PARAM = "ranger.rest-csrf.custom-header"; + public static final String CSRF_TOKEN_LENGTH = "ranger.rest-csrf.token.length"; + public static final String POLICY_MATCHING_ALGO_BY_POLICYNAME = "matchByName"; + public static final String POLICY_MATCHING_ALGO_BY_RESOURCE = "matchByPolicySignature"; + public static final String PARAM_POLICY_MATCHING_ALGORITHM = "policyMatchingAlgorithm"; + public static final String PURGE_RECORD_TYPE_LOGIN_LOGS = "login_records"; + public static final String PURGE_RECORD_TYPE_TRX_LOGS = "trx_records"; + public static final String 
PURGE_RECORD_TYPE_POLICY_EXPORT_LOGS = "policy_export_logs"; + + private final RangerAdminConfig config = RangerAdminConfig.getInstance(); + private final int maxPolicyNameLength = config.getInt("ranger.policyname.maxlength", 255); + private final boolean isPolicyNameLengthValidationEnabled = config.getBoolean("ranger.policyname.maxlength.validation.enabled", true); + + @Autowired + RESTErrorUtil restErrorUtil; + + @Autowired + ServiceMgr serviceMgr; + + @Autowired + XUserService xUserService; + + @Autowired + AssetMgr assetMgr; + + @Autowired + XUserMgr userMgr; + + @Autowired + ServiceDBStore svcStore; + + @Autowired + RoleDBStore roleDBStore; + + @Autowired + SecurityZoneDBStore zoneStore; + + @Autowired + ServiceUtil serviceUtil; + + @Autowired + RangerPolicyService policyService; + + @Autowired + RangerPolicyLabelsService policyLabelsService; + + @Autowired + RangerServiceService svcService; + + @Autowired + RangerServiceDefService serviceDefService; + + @Autowired RangerPluginInfoService pluginInfoService; - @Autowired - RangerSearchUtil searchUtil; - + @Autowired + RangerSearchUtil searchUtil; + @Autowired RangerBizUtil bizUtil; - @Autowired - GUIDUtil guidUtil; - - @Autowired - RangerValidatorFactory validatorFactory; - - @Autowired - RangerDaoManager daoManager; - - @Autowired - TagDBStore tagStore; - - @Autowired - RangerTransactionSynchronizationAdapter rangerTransactionSynchronizationAdapter; - - private RangerPolicyEngineOptions delegateAdminOptions; - private RangerPolicyEngineOptions policySearchAdminOptions; - private RangerPolicyEngineOptions defaultAdminOptions; - private final RangerAdminConfig config = RangerAdminConfig.getInstance(); - - private final int maxPolicyNameLength = config.getInt("ranger.policyname.maxlength", 255); - private final boolean isPolicyNameLengthValidationEnabled = config.getBoolean("ranger.policyname.maxlength.validation.enabled", true); - - public ServiceREST() { - } - - @PostConstruct - public void initStore() { - 
tagStore.setServiceStore(svcStore); - delegateAdminOptions = getDelegatedAdminPolicyEngineOptions(); - policySearchAdminOptions = getPolicySearchRangerAdminPolicyEngineOptions(); - defaultAdminOptions = getDefaultRangerAdminPolicyEngineOptions(); - } - - @POST - @Path("/definitions") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_SERVICE_DEF + "\")") - public RangerServiceDef createServiceDef(RangerServiceDef serviceDef) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> ServiceREST.createServiceDef(" + serviceDef + ")"); - } - - RangerServiceDef ret = null; - RangerPerfTracer perf = null; - - /** - * If display name is blank (EMPTY String or NULL), use name. - */ - if (StringUtils.isBlank(serviceDef.getDisplayName())) { - serviceDef.setDisplayName(serviceDef.getName()); - } - - try { - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { - perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.createServiceDef(serviceDefName=" + serviceDef.getName() + ")"); - } - RangerServiceDefValidator validator = validatorFactory.getServiceDefValidator(svcStore); - validator.validate(serviceDef, Action.CREATE); - - bizUtil.hasAdminPermissions("Service-Def"); - bizUtil.hasKMSPermissions("Service-Def", serviceDef.getImplClass()); - bizUtil.blockAuditorRoleUser(); - ret = svcStore.createServiceDef(serviceDef); - } catch(WebApplicationException excp) { - throw excp; - } catch(Throwable excp) { - LOG.error("createServiceDef(" + serviceDef + ") failed", excp); - - throw restErrorUtil.createRESTException(excp.getMessage()); - } finally { - RangerPerfTracer.log(perf); - } - - if(LOG.isDebugEnabled()) { - LOG.debug("<== ServiceREST.createServiceDef(" + serviceDef + "): " + ret); - } - - return ret; - } - - @PUT - @Path("/definitions/{id}") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - 
@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_SERVICE_DEF + "\")")
- public RangerServiceDef updateServiceDef(RangerServiceDef serviceDef, @PathParam("id") Long id) {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceREST.updateServiceDef(serviceDefName=" + serviceDef.getName() + ")");
- }
-
- // if serviceDef.id and param 'id' are specified, serviceDef.id should be same as the param 'id'
- // if serviceDef.id is null, then set param 'id' into serviceDef Object
- if (serviceDef.getId() == null) {
- serviceDef.setId(id);
- } else if(StringUtils.isBlank(serviceDef.getName()) && !serviceDef.getId().equals(id)) {
- throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST , "serviceDef Id mismatch", true);
- }
-
- RangerServiceDef ret = null;
- RangerPerfTracer perf = null;
-
- try {
- if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
- perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.updateServiceDef(" + serviceDef.getName() + ")");
- }
-
- /**
- * If display name is blank (EMPTY String or NULL), use previous display name.
- */
- if (StringUtils.isBlank(serviceDef.getDisplayName())) {
- RangerServiceDef rangerServiceDef = svcStore.getServiceDef(serviceDef.getId());
-
- // If previous display name is blank (EMPTY String or NULL), user name.
- if (Objects.isNull(rangerServiceDef) || StringUtils.isBlank(rangerServiceDef.getDisplayName())) {
- serviceDef.setDisplayName(serviceDef.getName());
- } else {
- serviceDef.setDisplayName(rangerServiceDef.getDisplayName());
- }
- }
-
- RangerServiceDefValidator validator = validatorFactory.getServiceDefValidator(svcStore);
- validator.validate(serviceDef, Action.UPDATE);
-
- bizUtil.hasAdminPermissions("Service-Def");
- bizUtil.hasKMSPermissions("Service-Def", serviceDef.getImplClass());
- bizUtil.blockAuditorRoleUser();
- ret = svcStore.updateServiceDef(serviceDef);
- } catch(WebApplicationException excp) {
- throw excp;
- } catch(Throwable excp) {
- LOG.error("updateServiceDef(" + serviceDef + ") failed", excp);
-
- throw restErrorUtil.createRESTException(excp.getMessage());
- } finally {
- RangerPerfTracer.log(perf);
- }
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceREST.updateServiceDef(" + serviceDef + "): " + ret);
- }
-
- return ret;
- }
-
- @DELETE
- @Path("/definitions/{id}")
- @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_SERVICE_DEF + "\")")
- public void deleteServiceDef(@PathParam("id") Long id, @Context HttpServletRequest request) {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceREST.deleteServiceDef(" + id + ")");
- }
- RangerPerfTracer perf = null;
-
- try {
- if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
- perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.deleteServiceDef(serviceDefId=" + id + ")");
- }
- RangerServiceDefValidator validator = validatorFactory.getServiceDefValidator(svcStore);
- validator.validate(id, Action.DELETE);
-
- bizUtil.hasAdminPermissions("Service-Def");
- XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(id);
- if (xServiceDef != null) {
- bizUtil.hasKMSPermissions("Service-Def", xServiceDef.getImplclassname());
-
- String forceDeleteStr = request.getParameter("forceDelete");
- boolean forceDelete = false;
- if
(!StringUtils.isEmpty(forceDeleteStr) && "true".equalsIgnoreCase(forceDeleteStr)) {
- forceDelete = true;
- }
-
- svcStore.deleteServiceDef(id, forceDelete);
- } else {
- LOG.error("Cannot retrieve service-definition:[" + id + "] for deletion");
- throw new Exception("deleteServiceDef(" + id + ") failed");
- }
- } catch(WebApplicationException excp) {
- throw excp;
- } catch(Throwable excp) {
- LOG.error("deleteServiceDef(" + id + ") failed", excp);
-
- throw restErrorUtil.createRESTException(excp.getMessage());
- } finally {
- RangerPerfTracer.log(perf);
- }
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceREST.deleteServiceDef(" + id + ")");
- }
- }
-
- @GET
- @Path("/definitions/{id}")
- @Produces({ "application/json" })
- @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICE_DEF + "\")")
- public RangerServiceDef getServiceDef(@PathParam("id") Long id) {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceREST.getServiceDef(" + id + ")");
- }
-
- RangerServiceDef ret = null;
- RangerPerfTracer perf = null;
-
- try {
- if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
- perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServiceDef(serviceDefId=" + id + ")");
- }
- XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(id);
- if (xServiceDef != null) {
- if (EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME.equals(xServiceDef.getName())) {
- if (!bizUtil.hasModuleAccess(RangerConstants.MODULE_TAG_BASED_POLICIES)) {
- throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN,
- "User is not having permissions on the tag module.", true);
- }
- }
- if (!bizUtil.hasAccess(xServiceDef, null)) {
- throw restErrorUtil.createRESTException(
- "User is not allowed to access service-def, id: " + xServiceDef.getId(),
- MessageEnums.OPER_NO_PERMISSION);
- }
- }
-
- ret = svcStore.getServiceDef(id);
- } catch(WebApplicationException excp) {
- throw excp;
- } catch(Throwable excp) {
-
LOG.error("getServiceDef(" + id + ") failed", excp);
-
- throw restErrorUtil.createRESTException(excp.getMessage());
- } finally {
- RangerPerfTracer.log(perf);
- }
-
- if(ret == null) {
- throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "Not found", true);
- }
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceREST.getServiceDef(" + id + "): " + ret);
- }
-
- return ret;
- }
-
- @GET
- @Path("/definitions/name/{name}")
- @Produces({ "application/json" })
- @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICE_DEF_BY_NAME + "\")")
- public RangerServiceDef getServiceDefByName(@PathParam("name") String name) {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceREST.getServiceDefByName(serviceDefName=" + name + ")");
- }
-
- RangerServiceDef ret = null;
- RangerPerfTracer perf = null;
-
- try {
- if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
- perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServiceDefByName(" + name + ")");
- }
- XXServiceDef xServiceDef = daoManager.getXXServiceDef().findByName(name);
- if (xServiceDef != null) {
- if(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME.equals(xServiceDef.getName())) {
- if (!bizUtil.hasModuleAccess(RangerConstants.MODULE_TAG_BASED_POLICIES)) {
- throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "User is not having permissions on the tag module", true);
- }
- }
- if (!bizUtil.hasAccess(xServiceDef, null)) {
- throw restErrorUtil.createRESTException(
- "User is not allowed to access service-def: " + xServiceDef.getName(),
- MessageEnums.OPER_NO_PERMISSION);
- }
- }
-
- ret = svcStore.getServiceDefByName(name);
- } catch(WebApplicationException excp) {
- throw excp;
- } catch(Throwable excp) {
- LOG.error("getServiceDefByName(" + name + ") failed", excp);
-
- throw restErrorUtil.createRESTException(excp.getMessage());
- } finally {
- RangerPerfTracer.log(perf);
- }
-
- if(ret == null) {
- throw
restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "Not found", true);
- }
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceREST.getServiceDefByName(" + name + "): " + ret);
- }
-
- return ret;
- }
-
- @GET
- @Path("/definitions")
- @Produces({ "application/json" })
- @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICE_DEFS + "\")")
- public RangerServiceDefList getServiceDefs(@Context HttpServletRequest request) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceREST.getServiceDefs()");
- }
-
- if (!bizUtil.hasModuleAccess(RangerConstants.MODULE_RESOURCE_BASED_POLICIES)) {
- throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "User is not having permissions on the "+RangerConstants.MODULE_RESOURCE_BASED_POLICIES+" module.", true);
- }
-
- RangerServiceDefList ret = null;
- RangerPerfTracer perf = null;
-
- PList paginatedSvcDefs = null;
-
- SearchFilter filter = searchUtil.getSearchFilter(request, serviceDefService.sortFields);
- String pageSource= null;
- pageSource=request.getParameter("pageSource");
- if(pageSource!=null)
- filter.setParam("pageSource",pageSource);
-
- try {
- if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
- perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServiceDefs()");
- }
- paginatedSvcDefs = svcStore.getPaginatedServiceDefs(filter);
-
- if(paginatedSvcDefs != null) {
- ret = new RangerServiceDefList();
-
- ret.setServiceDefs(paginatedSvcDefs.getList());
- ret.setPageSize(paginatedSvcDefs.getPageSize());
- ret.setResultSize(paginatedSvcDefs.getResultSize());
- ret.setStartIndex(paginatedSvcDefs.getStartIndex());
- ret.setTotalCount(paginatedSvcDefs.getTotalCount());
- ret.setSortBy(paginatedSvcDefs.getSortBy());
- ret.setSortType(paginatedSvcDefs.getSortType());
- }
- } catch(WebApplicationException excp) {
- throw excp;
- } catch (Throwable excp) {
- LOG.error("getServiceDefs() failed", excp);
-
- throw
restErrorUtil.createRESTException(excp.getMessage());
- } finally {
- RangerPerfTracer.log(perf);
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceREST.getServiceDefs(): count=" + (ret == null ? 0 : ret.getListSize()));
- }
- return ret;
- }
-
- @GET
- @Path("/policies/{serviceDefName}/for-resource")
- @Produces({ "application/json" })
- public List getPoliciesForResource(@PathParam("serviceDefName") String serviceDefName,
- @DefaultValue("") @QueryParam("serviceName") String serviceName,
- @Context HttpServletRequest request) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceREST.getPoliciesForResource(service-type=" + serviceDefName + ", service-name=" + serviceName + ")");
- }
-
- List ret = new ArrayList<>();
-
- List services = new ArrayList<>();
- Map resource = new HashMap<>();
-
- String validationMessage = validateResourcePoliciesRequest(serviceDefName, serviceName, request, services, resource);
-
- if (StringUtils.isNotEmpty(validationMessage)) {
- LOG.error("Invalid request: [" + validationMessage + "]");
- throw restErrorUtil.createRESTException(validationMessage,
- MessageEnums.INVALID_INPUT_DATA);
- } else {
- RangerService service = services.get(0);
- if (LOG.isDebugEnabled()) {
- LOG.debug("getServicePolicies with service-name=" + service.getName());
- }
-
- RangerPolicyAdmin policyAdmin = null;
-
- try {
- policyAdmin = getPolicyAdminForSearch(service.getName());
- } catch (Exception e) {
- LOG.error("Cannot initialize Policy-Engine", e);
- throw restErrorUtil.createRESTException("Cannot initialize Policy Engine",
- MessageEnums.ERROR_SYSTEM);
- }
-
- if (policyAdmin != null) {
- ret = policyAdmin.getMatchingPolicies(new RangerAccessResourceImpl(resource));
- ret = applyAdminAccessFilter(ret);
- }
-
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceREST.getPoliciesForResource(service-type=" + serviceDefName + ", service-name=" + serviceName + ") : " + ret.toString());
- }
- return ret;
- }
-
- private String
validateResourcePoliciesRequest(String serviceDefName, String serviceName, HttpServletRequest request, List services, Map resource) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceREST.validatePoliciesForResourceRequest(service-type=" + serviceDefName + ", service-name=" + serviceName + ")");
- }
- final String ret;
-
- if (MapUtils.isNotEmpty(request.getParameterMap())) {
- for (Entry e : request.getParameterMap().entrySet()) {
- String name = e.getKey();
- String[] values = e.getValue();
-
- if (!StringUtils.isEmpty(name) && !ArrayUtils.isEmpty(values)
- && name.startsWith(SearchFilter.RESOURCE_PREFIX)) {
- resource.put(name.substring(SearchFilter.RESOURCE_PREFIX.length()), values[0]);
- }
- }
- }
- if (MapUtils.isEmpty(resource)) {
- ret = "No resource specified";
- } else {
- RangerServiceDef serviceDef = null;
- try {
- serviceDef = svcStore.getServiceDefByName(serviceDefName);
- } catch (Exception e) {
- LOG.error("Invalid service-type:[" + serviceDefName + "]", e);
- }
- if (serviceDef == null) {
- ret = "Invalid service-type:[" + serviceDefName + "]";
- } else {
- Set resourceDefNames = resource.keySet();
- RangerServiceDefHelper serviceDefHelper = new RangerServiceDefHelper(serviceDef);
- Set> resourceHierarchies = serviceDefHelper.getResourceHierarchies(RangerPolicy.POLICY_TYPE_ACCESS, resourceDefNames);
- if (CollectionUtils.isEmpty(resourceHierarchies)) {
- ret = "Invalid resource specified: resource-names:" + resourceDefNames +" are not part of any valid resource hierarchy for service-type:[" + serviceDefName + "]";
- } else {
- if (StringUtils.isNotBlank(serviceName)) {
- RangerService service = null;
- try {
- service = svcStore.getServiceByName(serviceName);
- } catch (Exception e) {
- LOG.error("Invalid service-name:[" + serviceName + "]");
- }
- if (service == null || !StringUtils.equals(service.getType(), serviceDefName)) {
- ret = "Invalid service-name:[" + serviceName + "] or service-type:[" + serviceDefName + "]";
- } else {
-
services.add(service);
- ret = StringUtils.EMPTY;
- }
- } else {
- SearchFilter filter = new SearchFilter();
- filter.setParam(SearchFilter.SERVICE_TYPE, serviceDefName);
- List serviceList = null;
- try {
- serviceList = svcStore.getServices(filter);
- } catch (Exception e) {
- LOG.error("Cannot find service of service-type:[" + serviceDefName + "]");
- }
- if (CollectionUtils.isEmpty(serviceList) || serviceList.size() != 1) {
- ret = "Either 0 or more than 1 services found for service-type :[" + serviceDefName + "]";
- } else {
- services.add(serviceList.get(0));
- ret = StringUtils.EMPTY;
- }
- }
- }
- }
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceREST.validatePoliciesForResourceRequest(service-type=" + serviceDefName + ", service-name=" + serviceName + ") : " + ret);
- }
- return ret;
- }
-
- @POST
- @Path("/services")
- @Consumes({ "application/json" })
- @Produces({ "application/json" })
- @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_SERVICE + "\")")
- public RangerService createService(RangerService service) {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceREST.createService(" + service + ")");
- }
-
- RangerService ret = null;
- RangerPerfTracer perf = null;
-
- /**
- * If display name is blank (EMPTY String or NULL), use name.
- */
- if (StringUtils.isBlank(service.getDisplayName())) {
- service.setDisplayName(service.getName());
- }
-
- try {
-
- if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
- perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.createService(serviceName=" + service.getName() + ")");
- }
- RangerServiceValidator validator = validatorFactory.getServiceValidator(svcStore);
- validator.validate(service, Action.CREATE);
-
- if(!StringUtils.isEmpty(service.getName().trim())){
- service.setName(service.getName().trim());
- }
-
- if(!StringUtils.isEmpty(service.getDisplayName().trim())){
- service.setDisplayName(service.getDisplayName().trim());
- }
-
- UserSessionBase session = ContextUtil.getCurrentUserSession();
- XXServiceDef xxServiceDef = daoManager.getXXServiceDef().findByName(service.getType());
- if(session != null && !session.isSpnegoEnabled()){
- bizUtil.hasAdminPermissions("Services");
-
- // TODO: As of now we are allowing SYS_ADMIN to create all the
- // services including KMS
- bizUtil.hasKMSPermissions("Service", xxServiceDef.getImplclassname());
- }
- if(session != null && session.isSpnegoEnabled()){
- if (session.isKeyAdmin() && !EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(xxServiceDef.getImplclassname())) {
- throw restErrorUtil.createRESTException("KeyAdmin can create/update/delete only KMS ",
- MessageEnums.OPER_NO_PERMISSION);
- }
- if ((!session.isKeyAdmin() && !session.isUserAdmin()) && EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(xxServiceDef.getImplclassname())) {
- throw restErrorUtil.createRESTException("User cannot create/update/delete KMS Service",
- MessageEnums.OPER_NO_PERMISSION);
- }
- }
- bizUtil.blockAuditorRoleUser();
-
- String serviceType = xxServiceDef != null ?
xxServiceDef.getName() : null;
-
- if (StringUtils.isBlank(service.getTagService()) &&
- !StringUtils.equals(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME, serviceType) &&
- !StringUtils.equals(EMBEDDED_SERVICEDEF_GDS_NAME, serviceType) &&
- !StringUtils.equals(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_KMS_NAME , serviceType)) {
- createOrGetLinkedServices(service);
- }
-
- ret = svcStore.createService(service);
- } catch(WebApplicationException excp) {
- throw excp;
- } catch(Throwable excp) {
- LOG.error("createService(" + service + ") failed", excp);
-
- throw restErrorUtil.createRESTException(excp.getMessage());
- } finally {
- RangerPerfTracer.log(perf);
- }
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceREST.createService(" + service + "): " + ret);
- }
-
- return ret;
- }
-
- @PUT
- @Path("/services/{id}")
- @Consumes({ "application/json" })
- @Produces({ "application/json" })
- @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_SERVICE + "\")")
- public RangerService updateService(RangerService service,
- @Context HttpServletRequest request) {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceREST.updateService(): " + service);
- }
-
- RangerService ret = null;
- RangerPerfTracer perf = null;
-
- try {
-
- if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
- perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.updateService(serviceName=" + service.getName() + ")");
- }
-
- /**
- * If display name is blank (EMPTY String or NULL), use previous display name.
- */
- if (StringUtils.isBlank(service.getDisplayName())) {
- RangerService rangerService = svcStore.getService(service.getId());
-
- // If previous display name is blank (EMPTY String or NULL), user name.
- if (Objects.isNull(rangerService) || StringUtils.isBlank(rangerService.getDisplayName())) {
- service.setDisplayName(service.getName());
- } else {
- service.setDisplayName(rangerService.getDisplayName());
- }
- }
-
- RangerServiceValidator validator = validatorFactory.getServiceValidator(svcStore);
- validator.validate(service, Action.UPDATE);
-
- if(!StringUtils.isEmpty(service.getName().trim())){
- service.setName(service.getName().trim());
- }
-
- if(!StringUtils.isEmpty(service.getDisplayName().trim())){
- service.setDisplayName(service.getDisplayName().trim());
- }
-
- bizUtil.hasAdminPermissions("Services");
-
- // TODO: As of now we are allowing SYS_ADMIN to create all the
- // services including KMS
-
- XXServiceDef xxServiceDef = daoManager.getXXServiceDef().findByName(service.getType());
- bizUtil.hasKMSPermissions("Service", xxServiceDef.getImplclassname());
- bizUtil.blockAuditorRoleUser();
- Map options = getOptions(request);
+ @Autowired
+ GUIDUtil guidUtil;
- ret = svcStore.updateService(service, options);
- } catch(WebApplicationException excp) {
- throw excp;
- } catch(Throwable excp) {
- LOG.error("updateService(" + service + ") failed", excp);
-
- throw restErrorUtil.createRESTException(excp.getMessage());
- } finally {
- RangerPerfTracer.log(perf);
- }
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceREST.updateService(" + service + "): " + ret);
- }
-
- return ret;
- }
-
- @DELETE
- @Path("/services/{id}")
- @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_SERVICE + "\")")
- public void deleteService(@PathParam("id") Long id) {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceREST.deleteService(" + id + ")");
- }
-
- String deletedServiceName = deleteServiceById(id);
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceREST.deleteService() - [id="+deletedServiceName + "],[deletedServiceName="+deletedServiceName+"]");
- }
- }
-
- @GET
- @Path("/services/{id}")
- @Produces({ "application/json"
})
- @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICE + "\")")
- public RangerService getService(@PathParam("id") Long id) {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceREST.getService(" + id + ")");
- }
-
- RangerService ret = null;
- RangerPerfTracer perf = null;
-
- try {
- if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
- perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getService(serviceId=" + id + ")");
- }
- ret = svcStore.getService(id);
-
- if (ret != null) {
- UserSessionBase userSession = ContextUtil
- .getCurrentUserSession();
- if (userSession != null && userSession.getLoginId() != null) {
- VXUser loggedInVXUser = xUserService
- .getXUserByUserName(userSession.getLoginId());
- if (loggedInVXUser != null) {
- if (loggedInVXUser.getUserRoleList().size() == 1
- && loggedInVXUser.getUserRoleList().contains(
- RangerConstants.ROLE_USER)) {
-
- ret = hideCriticalServiceDetailsForRoleUser(ret);
- }
- }
- }
- }
- } catch(WebApplicationException excp) {
- throw excp;
- } catch(Throwable excp) {
- LOG.error("getService(" + id + ") failed", excp);
-
- throw restErrorUtil.createRESTException(excp.getMessage());
- } finally {
- RangerPerfTracer.log(perf);
- }
-
- if(ret == null) {
- throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "Not found", true);
- }
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceREST.getService(" + id + "): " + ret);
- }
-
- return ret;
- }
-
- @GET
- @Path("/services/name/{name}")
- @Produces({ "application/json" })
- @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICE_BY_NAME + "\")")
- public RangerService getServiceByName(@PathParam("name") String name) {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceREST.getServiceByName(" + name + ")");
- }
-
- RangerService ret = null;
- RangerPerfTracer perf = null;
-
- try {
- if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
- perf =
RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getService(serviceName=" + name + ")");
- }
- ret = svcStore.getServiceByName(name);
-
- if (ret != null) {
- UserSessionBase userSession = ContextUtil
- .getCurrentUserSession();
- if (userSession != null && userSession.getLoginId() != null) {
- VXUser loggedInVXUser = xUserService
- .getXUserByUserName(userSession.getLoginId());
- if (loggedInVXUser != null) {
- if (loggedInVXUser.getUserRoleList().size() == 1
- && loggedInVXUser.getUserRoleList().contains(
- RangerConstants.ROLE_USER)) {
-
- ret = hideCriticalServiceDetailsForRoleUser(ret);
- }
- }
- }
- }
-
- } catch(WebApplicationException excp) {
- throw excp;
- } catch(Throwable excp) {
- LOG.error("getServiceByName(" + name + ") failed", excp);
-
- throw restErrorUtil.createRESTException(excp.getMessage());
- } finally {
- RangerPerfTracer.log(perf);
- }
-
- if(ret == null) {
- throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "Not found", true);
- }
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceREST.getServiceByName(" + name + "): " + ret);
- }
-
- return ret;
- }
-
- @GET
- @Path("/services")
- @Produces({ "application/json" })
- @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICES + "\")")
- public RangerServiceList getServices(@Context HttpServletRequest request) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceREST.getServices()");
- }
-
- RangerServiceList ret = null;
- RangerPerfTracer perf = null;
-
- PList paginatedSvcs = null;
-
- SearchFilter filter = searchUtil.getSearchFilter(request, svcService.sortFields);
-
- try {
- if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
- perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServices()");
- }
- paginatedSvcs = svcStore.getPaginatedServices(filter);
-
- if(paginatedSvcs!= null && !paginatedSvcs.getList().isEmpty()){
- UserSessionBase userSession = ContextUtil
- .getCurrentUserSession();
- if
(userSession != null && userSession.getLoginId() != null) {
- VXUser loggedInVXUser = xUserService
- .getXUserByUserName(userSession.getLoginId());
- if (loggedInVXUser != null) {
- if (loggedInVXUser.getUserRoleList().size() == 1
- && loggedInVXUser.getUserRoleList().contains(
- RangerConstants.ROLE_USER)) {
-
- List updateServiceList = new ArrayList();
- for(RangerService rangerService : paginatedSvcs.getList()){
-
- if(rangerService != null){
- updateServiceList.add(hideCriticalServiceDetailsForRoleUser(rangerService));
- }
- }
-
- if(updateServiceList != null && !updateServiceList.isEmpty()){
- paginatedSvcs.setList(updateServiceList);
- }
- }
- }
- }
- }
-
- if(paginatedSvcs != null) {
- ret = new RangerServiceList();
-
- ret.setServices(paginatedSvcs.getList());
- ret.setPageSize(paginatedSvcs.getPageSize());
- ret.setResultSize(paginatedSvcs.getResultSize());
- ret.setStartIndex(paginatedSvcs.getStartIndex());
- ret.setTotalCount(paginatedSvcs.getTotalCount());
- ret.setSortBy(paginatedSvcs.getSortBy());
- ret.setSortType(paginatedSvcs.getSortType());
- }
- } catch(WebApplicationException excp) {
- throw excp;
- } catch (Throwable excp) {
- LOG.error("getServices() failed", excp);
-
- throw restErrorUtil.createRESTException(excp.getMessage());
- } finally {
- RangerPerfTracer.log(perf);
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceREST.getServices(): count=" + (ret == null ?
0 : ret.getListSize()));
- }
- return ret;
- }
-
- public List getServices(SearchFilter filter) {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceREST.getServices():");
- }
-
- List ret = null;
- RangerPerfTracer perf = null;
-
- try {
- if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
- perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServices()");
- }
- ret = svcStore.getServices(filter);
- } catch(WebApplicationException excp) {
- throw excp;
- } catch(Throwable excp) {
- LOG.error("getServices() failed", excp);
-
- throw restErrorUtil.createRESTException(excp.getMessage());
- } finally {
- RangerPerfTracer.log(perf);
- }
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceREST.getServices(): count=" + (ret == null ? 0 : ret.size()));
- }
-
- return ret;
- }
-
- public List getServiceHeaders(@Context HttpServletRequest request) {
- LOG.debug("==> ServiceREST.getServiceHeaders()");
-
- String namePrefix = request.getParameter(SearchFilter.SERVICE_NAME_PREFIX);
- String svcType = request.getParameter(SearchFilter.SERVICE_TYPE);
- boolean filterByNamePrefix = StringUtils.isNotBlank(namePrefix);
- boolean filterByType = StringUtils.isNotBlank(svcType);
-
- List ret = daoManager.getXXService().findServiceHeaders();
-
- for (ListIterator iter = ret.listIterator(); iter.hasNext(); ) {
- RangerServiceHeaderInfo serviceHeader = iter.next();
-
- if (EMBEDDED_SERVICEDEF_GDS_NAME.equals(serviceHeader.getType())) {
- iter.remove();
- } else if (filterByNamePrefix && !StringUtils.startsWithIgnoreCase(serviceHeader.getName(), namePrefix)) {
- iter.remove();
- } else if (filterByType && !StringUtils.equals(serviceHeader.getType(), svcType)) {
- iter.remove();
- } else if(!bizUtil.hasAccess(null, serviceHeader)) {
- iter.remove();
- }
- }
-
- LOG.debug("<== ServiceREST.getServiceHeaders(namePrefix={}, svcType={}): ret={}", namePrefix, svcType, ret);
-
- return ret;
- }
-
- @GET
- @Path("/services/count")
- @Produces({ "application/json" })
-
@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_SERVICES + "\")")
- public Long countServices(@Context HttpServletRequest request) {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceREST.countServices():");
- }
-
- Long ret = null;
- RangerPerfTracer perf = null;
-
- try {
- if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
- perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.countService()");
- }
- List services = getServices(request).getServices();
-
- ret = Long.valueOf(services == null ? 0 : services.size());
- } catch(WebApplicationException excp) {
- throw excp;
- } catch(Throwable excp) {
- LOG.error("countServices() failed", excp);
-
- throw restErrorUtil.createRESTException(excp.getMessage());
- } finally {
- RangerPerfTracer.log(perf);
- }
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceREST.countServices(): " + ret);
- }
-
- return ret;
- }
-
- @POST
- @Path("/services/validateConfig")
- @Produces({ "application/json" })
- @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.VALIDATE_CONFIG + "\")")
- public VXResponse validateConfig(RangerService service) {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceREST.validateConfig(" + service + ")");
- }
-
- VXResponse ret = new VXResponse();
- RangerPerfTracer perf = null;
-
- try {
- if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
- perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.validateConfig(serviceName=" + service.getName() + ")");
- }
- ret = serviceMgr.validateConfig(service, svcStore);
- } catch(WebApplicationException excp) {
- throw excp;
- } catch(Throwable excp) {
- LOG.error("validateConfig(" + service + ") failed", excp);
-
- throw restErrorUtil.createRESTException(excp.getMessage());
- } finally {
- RangerPerfTracer.log(perf);
- }
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceREST.validateConfig(" + service + "): " + ret);
- }
-
- return ret;
- }
-
- @POST
-
@Path("/services/lookupResource/{serviceName}") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.LOOKUP_RESOURCE + "\")") - public List lookupResource(@PathParam("serviceName") String serviceName, ResourceLookupContext context) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> ServiceREST.lookupResource(" + serviceName + ")"); - } - - List ret = new ArrayList(); - RangerPerfTracer perf = null; - - try { - if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { - perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.lookupResource(serviceName=" + serviceName + ")"); - } - ret = serviceMgr.lookupResource(serviceName, context, svcStore); - } catch(WebApplicationException excp) { - throw excp; - } catch(Throwable excp) { - LOG.error("lookupResource(" + serviceName + ", " + context + ") failed", excp); - - throw restErrorUtil.createRESTException(excp.getMessage()); - } finally { - RangerPerfTracer.log(perf); - } - - if(LOG.isDebugEnabled()) { - LOG.debug("<== ServiceREST.lookupResource(" + serviceName + "): " + ret); - } - - return ret; - } - - @POST - @Path("/services/grant/{serviceName}") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public RESTResponse grantAccess(@PathParam("serviceName") String serviceName, GrantRevokeRequest grantRequest, @Context HttpServletRequest request) throws Exception { - if(LOG.isDebugEnabled()) { - LOG.debug("==> ServiceREST.grantAccess(" + serviceName + ", " + grantRequest + ")"); - } - - RESTResponse ret = new RESTResponse(); - RangerPerfTracer perf = null; - - if(grantRequest!=null){ - if (serviceUtil.isValidateHttpsAuthentication(serviceName, request)) { - - try { - bizUtil.failUnauthenticatedIfNotAllowed(); - - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { - perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.grantAccess(serviceName=" + serviceName + ")"); - } - - // This is an open 
API - dont care about who calls it. Caller is treated as privileged user - boolean hasAdminPrivilege = true; - String loggedInUser = null; - validateGrantRevokeRequest(grantRequest, hasAdminPrivilege, loggedInUser); - - String userName = grantRequest.getGrantor(); - Set userGroups = CollectionUtils.isNotEmpty(grantRequest.getGrantorGroups()) ? grantRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName); - String ownerUser = grantRequest.getOwnerUser(); - RangerAccessResource resource = new RangerAccessResourceImpl(getAccessResourceObjectMap(grantRequest.getResource()), ownerUser); - Set accessTypes = grantRequest.getAccessTypes(); - VXUser vxUser = xUserService.getXUserByUserName(userName); - - if (vxUser.getUserRoleList().contains(RangerConstants.ROLE_ADMIN_AUDITOR) || vxUser.getUserRoleList().contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR)) { - VXResponse vXResponse = new VXResponse(); - vXResponse.setStatusCode(HttpServletResponse.SC_FORBIDDEN); - vXResponse.setMsgDesc("Operation denied. 
LoggedInUser=" + vxUser.getId() + " is not permitted to perform the action."); - throw restErrorUtil.generateRESTException(vXResponse); - } - RangerService rangerService = svcStore.getServiceByName(serviceName); - - String zoneName = getRangerAdminZoneName(serviceName, grantRequest); - boolean isAdmin = bizUtil.isUserRangerAdmin(userName) || bizUtil.isUserServiceAdmin(rangerService, userName) || hasAdminAccess(serviceName, zoneName, userName, userGroups, resource, accessTypes); - - if(!isAdmin) { - throw restErrorUtil.createGrantRevokeRESTException( "User doesn't have necessary permission to grant access"); - } - - RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource, zoneName, userName); - - if(policy != null) { - boolean policyUpdated = false; - policyUpdated = ServiceRESTUtil.processGrantRequest(policy, grantRequest); - - if(policyUpdated) { - policy.setZoneName(zoneName); - ensureAdminAccess(policy); - svcStore.updatePolicy(policy); - } else { - LOG.error("processGrantRequest processing failed"); - throw new Exception("processGrantRequest processing failed"); - } - } else { - policy = new RangerPolicy(); - policy.setService(serviceName); - policy.setName("grant-" + System.currentTimeMillis()); // TODO: better policy name - policy.setDescription("created by grant"); - policy.setIsAuditEnabled(grantRequest.getEnableAudit()); - policy.setCreatedBy(userName); - - Map policyResources = new HashMap(); - Set resourceNames = resource.getKeys(); - - if(! 
CollectionUtils.isEmpty(resourceNames)) { - for(String resourceName : resourceNames) { - policyResources.put(resourceName, getPolicyResource(resource.getValue(resourceName), grantRequest)); - } - } - policy.setResources(policyResources); - - RangerPolicyItem policyItem = new RangerPolicyItem(); - - policyItem.setDelegateAdmin(grantRequest.getDelegateAdmin()); - policyItem.addUsers(grantRequest.getUsers()); - policyItem.addGroups(grantRequest.getGroups()); - policyItem.addRoles(grantRequest.getRoles()); - - for(String accessType : grantRequest.getAccessTypes()) { - policyItem.addAccess(new RangerPolicyItemAccess(accessType, Boolean.TRUE)); - } - - policy.addPolicyItem(policyItem); - policy.setZoneName(zoneName); - - ensureAdminAccess(policy); - svcStore.createPolicy(policy); - } - } catch(WebApplicationException excp) { - throw excp; - } catch(Throwable excp) { - LOG.error("grantAccess(" + serviceName + ", " + grantRequest + ") failed", excp); - - throw restErrorUtil.createRESTException(excp.getMessage()); - } finally { - RangerPerfTracer.log(perf); - } - - ret.setStatusCode(RESTResponse.STATUS_SUCCESS); - } - } - if(LOG.isDebugEnabled()) { - LOG.debug("<== ServiceREST.grantAccess(" + serviceName + ", " + grantRequest + "): " + ret); - } - - return ret; - } - - @POST - @Path("/secure/services/grant/{serviceName}") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public RESTResponse secureGrantAccess(@PathParam("serviceName") String serviceName, GrantRevokeRequest grantRequest, @Context HttpServletRequest request) throws Exception { - if(LOG.isDebugEnabled()) { - LOG.debug("==> ServiceREST.secureGrantAccess(" + serviceName + ", " + grantRequest + ")"); - } - RESTResponse ret = new RESTResponse(); - RangerPerfTracer perf = null; - - bizUtil.blockAuditorRoleUser(); - - if(grantRequest != null) { - if (serviceUtil.isValidService(serviceName, request)) { - try { - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { - perf = 
RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.scureGrantAccess(serviceName=" + serviceName + ")"); - } - - XXService xService = daoManager.getXXService().findByName(serviceName); - XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType()); - RangerService rangerService = svcStore.getServiceByName(serviceName); - - String loggedInUser = bizUtil.getCurrentUserLoginId(); - boolean hasAdminPrivilege = bizUtil.isAdmin() || bizUtil.isUserServiceAdmin(rangerService, loggedInUser) || bizUtil.isUserAllowedForGrantRevoke(rangerService, loggedInUser); - - validateGrantRevokeRequest(grantRequest, hasAdminPrivilege, loggedInUser); - - String userName = grantRequest.getGrantor(); - Set userGroups = grantRequest.getGrantorGroups(); - String ownerUser = grantRequest.getOwnerUser(); - - RangerAccessResource resource = new RangerAccessResourceImpl(getAccessResourceObjectMap(grantRequest.getResource()), ownerUser); - Set accessTypes = grantRequest.getAccessTypes(); - String zoneName = getRangerAdminZoneName(serviceName, grantRequest); - - boolean isAllowed = false; - - if (StringUtils.equals(xServiceDef.getImplclassname(), EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) { - if (bizUtil.isKeyAdmin() || bizUtil.isUserAllowedForGrantRevoke(rangerService, loggedInUser)) { - isAllowed = true; - } - } else { - isAllowed = bizUtil.isUserRangerAdmin(userName) || bizUtil.isUserServiceAdmin(rangerService, userName) || hasAdminAccess(serviceName, zoneName, userName, userGroups, resource, accessTypes); - } - - if (isAllowed) { - RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource, zoneName, userName); - - if(policy != null) { - boolean policyUpdated = false; - policyUpdated = ServiceRESTUtil.processGrantRequest(policy, grantRequest); - - if(policyUpdated) { - policy.setZoneName(zoneName); - - ensureAdminAccess(policy); - - svcStore.updatePolicy(policy); - } else { - LOG.error("processSecureGrantRequest processing failed"); - throw new 
Exception("processSecureGrantRequest processing failed"); - } - } else { - policy = new RangerPolicy(); - policy.setService(serviceName); - policy.setName("grant-" + System.currentTimeMillis()); // TODO: better policy name - policy.setDescription("created by grant"); - policy.setIsAuditEnabled(grantRequest.getEnableAudit()); - policy.setCreatedBy(userName); - - Map policyResources = new HashMap(); - Set resourceNames = resource.getKeys(); - - if(! CollectionUtils.isEmpty(resourceNames)) { - for(String resourceName : resourceNames) { - policyResources.put(resourceName, getPolicyResource(resource.getValue(resourceName), grantRequest)); - } - } - policy.setResources(policyResources); - - RangerPolicyItem policyItem = new RangerPolicyItem(); - - policyItem.setDelegateAdmin(grantRequest.getDelegateAdmin()); - policyItem.addUsers(grantRequest.getUsers()); - policyItem.addGroups(grantRequest.getGroups()); - policyItem.addRoles(grantRequest.getRoles()); - - for(String accessType : grantRequest.getAccessTypes()) { - policyItem.addAccess(new RangerPolicyItemAccess(accessType, Boolean.TRUE)); - } - - policy.addPolicyItem(policyItem); - policy.setZoneName(zoneName); - - ensureAdminAccess(policy); - - svcStore.createPolicy(policy); - } - }else{ - LOG.error("secureGrantAccess(" + serviceName + ", " + grantRequest + ") failed as User doesn't have permission to grant Policy"); - throw restErrorUtil.createGrantRevokeRESTException( "User doesn't have necessary permission to grant access"); - } - } catch(WebApplicationException excp) { - throw excp; - } catch(Throwable excp) { - LOG.error("secureGrantAccess(" + serviceName + ", " + grantRequest + ") failed", excp); - - throw restErrorUtil.createRESTException(excp.getMessage()); - } finally { - RangerPerfTracer.log(perf); - } - - ret.setStatusCode(RESTResponse.STATUS_SUCCESS); - } - } - if(LOG.isDebugEnabled()) { - LOG.debug("<== ServiceREST.secureGrantAccess(" + serviceName + ", " + grantRequest + "): " + ret); - } - return ret; - } 
- - @POST - @Path("/services/revoke/{serviceName}") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public RESTResponse revokeAccess(@PathParam("serviceName") String serviceName, GrantRevokeRequest revokeRequest, @Context HttpServletRequest request) throws Exception { - if(LOG.isDebugEnabled()) { - LOG.debug("==> ServiceREST.revokeAccess(" + serviceName + ", " + revokeRequest + ")"); - } - - RESTResponse ret = new RESTResponse(); - RangerPerfTracer perf = null; - - if(revokeRequest!=null){ - if (serviceUtil.isValidateHttpsAuthentication(serviceName,request)) { - - try { - bizUtil.failUnauthenticatedIfNotAllowed(); - - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { - perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.revokeAccess(serviceName=" + serviceName + ")"); - } - - // This is an open API - dont care about who calls it. Caller is treated as privileged user - boolean hasAdminPrivilege = true; - String loggedInUser = null; - validateGrantRevokeRequest(revokeRequest, hasAdminPrivilege, loggedInUser); - - String userName = revokeRequest.getGrantor(); - Set userGroups = CollectionUtils.isNotEmpty(revokeRequest.getGrantorGroups()) ? revokeRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName); - String ownerUser = revokeRequest.getOwnerUser(); - RangerAccessResource resource = new RangerAccessResourceImpl(getAccessResourceObjectMap(revokeRequest.getResource()), ownerUser); - Set accessTypes = revokeRequest.getAccessTypes(); - VXUser vxUser = xUserService.getXUserByUserName(userName); - - if (vxUser.getUserRoleList().contains(RangerConstants.ROLE_ADMIN_AUDITOR) || vxUser.getUserRoleList().contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR)) { - VXResponse vXResponse = new VXResponse(); - vXResponse.setStatusCode(HttpServletResponse.SC_FORBIDDEN); - vXResponse.setMsgDesc("Operation denied. 
LoggedInUser=" + vxUser.getId() + " is not permitted to perform the action."); - throw restErrorUtil.generateRESTException(vXResponse); - } - RangerService rangerService = svcStore.getServiceByName(serviceName); - String zoneName = getRangerAdminZoneName(serviceName, revokeRequest); - - boolean isAdmin = bizUtil.isUserRangerAdmin(userName) || bizUtil.isUserServiceAdmin(rangerService, userName) || hasAdminAccess(serviceName, zoneName, userName, userGroups, resource, accessTypes); - - if(!isAdmin) { - throw restErrorUtil.createGrantRevokeRESTException("User doesn't have necessary permission to revoke access"); - } - - RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource, zoneName, userName); - - if(policy != null) { - boolean policyUpdated = false; - policyUpdated = ServiceRESTUtil.processRevokeRequest(policy, revokeRequest); - - if(policyUpdated) { - policy.setZoneName(zoneName); - - ensureAdminAccess(policy); - - svcStore.updatePolicy(policy); - } else { - LOG.error("processRevokeRequest processing failed"); - throw new Exception("processRevokeRequest processing failed"); - } - } - } catch(WebApplicationException excp) { - throw excp; - } catch(Throwable excp) { - LOG.error("revokeAccess(" + serviceName + ", " + revokeRequest + ") failed", excp); - - throw restErrorUtil.createRESTException(excp.getMessage()); - } finally { - RangerPerfTracer.log(perf); - } - - ret.setStatusCode(RESTResponse.STATUS_SUCCESS); - } - } - if(LOG.isDebugEnabled()) { - LOG.debug("<== ServiceREST.revokeAccess(" + serviceName + ", " + revokeRequest + "): " + ret); - } - - return ret; - } - - @POST - @Path("/secure/services/revoke/{serviceName}") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public RESTResponse secureRevokeAccess(@PathParam("serviceName") String serviceName, GrantRevokeRequest revokeRequest, @Context HttpServletRequest request) throws Exception { - if(LOG.isDebugEnabled()) { - LOG.debug("==> ServiceREST.secureRevokeAccess(" + 
serviceName + ", " + revokeRequest + ")"); - } - RESTResponse ret = new RESTResponse(); - RangerPerfTracer perf = null; - - bizUtil.blockAuditorRoleUser(); - - if (revokeRequest != null) { - if (serviceUtil.isValidService(serviceName,request)) { - try { - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { - perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.secureRevokeAccess(serviceName=" + serviceName + ")"); - } - - XXService xService = daoManager.getXXService().findByName(serviceName); - XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType()); - RangerService rangerService = svcStore.getServiceByName(serviceName); - - String loggedInUser = bizUtil.getCurrentUserLoginId(); - boolean hasAdminPrivilege = bizUtil.isAdmin() || bizUtil.isUserServiceAdmin(rangerService, loggedInUser) || bizUtil.isUserAllowedForGrantRevoke(rangerService, loggedInUser); - - validateGrantRevokeRequest(revokeRequest, hasAdminPrivilege, loggedInUser); - - String userName = revokeRequest.getGrantor(); - Set userGroups = revokeRequest.getGrantorGroups(); - String ownerUser = revokeRequest.getOwnerUser(); - - RangerAccessResource resource = new RangerAccessResourceImpl(getAccessResourceObjectMap(revokeRequest.getResource()), ownerUser); - Set accessTypes = revokeRequest.getAccessTypes(); - String zoneName = getRangerAdminZoneName(serviceName, revokeRequest); - - - boolean isAllowed = false; - - if (StringUtils.equals(xServiceDef.getImplclassname(), EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) { - if (bizUtil.isKeyAdmin() || bizUtil.isUserAllowedForGrantRevoke(rangerService, loggedInUser)) { - isAllowed = true; - } - } else { - isAllowed = bizUtil.isUserRangerAdmin(userName) || bizUtil.isUserServiceAdmin(rangerService, userName) || hasAdminAccess(serviceName, zoneName, userName, userGroups, resource, accessTypes); - } - - if (isAllowed) { - RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource, zoneName, userName); - - if(policy != 
null) { - boolean policyUpdated = false; - policyUpdated = ServiceRESTUtil.processRevokeRequest(policy, revokeRequest); - - if(policyUpdated) { - policy.setZoneName(zoneName); - - ensureAdminAccess(policy); - - svcStore.updatePolicy(policy); - } else { - LOG.error("processSecureRevokeRequest processing failed"); - throw new Exception("processSecureRevokeRequest processing failed"); - } - } - }else{ - LOG.error("secureRevokeAccess(" + serviceName + ", " + revokeRequest + ") failed as User doesn't have permission to revoke Policy"); - throw restErrorUtil.createGrantRevokeRESTException("User doesn't have necessary permission to revoke access"); - } - } catch(WebApplicationException excp) { - throw excp; - } catch(Throwable excp) { - LOG.error("secureRevokeAccess(" + serviceName + ", " + revokeRequest + ") failed", excp); - - throw restErrorUtil.createRESTException(excp.getMessage()); - } finally { - RangerPerfTracer.log(perf); - } - - ret.setStatusCode(RESTResponse.STATUS_SUCCESS); - } - } - if(LOG.isDebugEnabled()) { - LOG.debug("<== ServiceREST.secureRevokeAccess(" + serviceName + ", " + revokeRequest + "): " + ret); - } - return ret; - } - - @POST - @Path("/policies") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public RangerPolicy createPolicy(RangerPolicy policy, @Context HttpServletRequest request) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> ServiceREST.createPolicy(" + policy + ")"); - } - RangerPolicy ret = null; - RangerPerfTracer perf = null; - - try { - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { - perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.createPolicy(policyName=" + policy.getName() + ")"); - } - - if(request != null) { - boolean deleteIfExists=("true".equalsIgnoreCase(StringUtils.trimToEmpty(request.getParameter(PARAM_DELETE_IF_EXISTS)))) ? 
true : false ; - if(deleteIfExists) { - boolean importInProgress=("true".equalsIgnoreCase(StringUtils.trimToEmpty(String.valueOf(request.getAttribute(PARAM_IMPORT_IN_PROGRESS))))) ? true : false ; - if (!importInProgress) { - List policies=new ArrayList() { { add(policy); } }; - deleteExactMatchPolicyForResource(policies, request.getRemoteUser(), null); - } - } - boolean updateIfExists=("true".equalsIgnoreCase(StringUtils.trimToEmpty(request.getParameter(PARAM_UPDATE_IF_EXISTS)))) ? true : false ; - boolean mergeIfExists = "true".equalsIgnoreCase(StringUtils.trimToEmpty(request.getParameter(PARAM_MERGE_IF_EXISTS))) ? true : false; - // Default POLICY_MATCHING_ALGO_BY_RESOURCE - String policyMatchingAlgo = POLICY_MATCHING_ALGO_BY_POLICYNAME.equalsIgnoreCase(StringUtils.trimToEmpty(request.getParameter(PARAM_POLICY_MATCHING_ALGORITHM))) ? POLICY_MATCHING_ALGO_BY_POLICYNAME : POLICY_MATCHING_ALGO_BY_RESOURCE; - if(LOG.isDebugEnabled()) { - LOG.debug(" policyMatchingAlgo : "+policyMatchingAlgo + " updateIfExists : " +updateIfExists + " mergeIfExists: "+mergeIfExists + " deleteIfExists : "+deleteIfExists); - } - if (mergeIfExists && updateIfExists) { - LOG.warn("Cannot use both updateIfExists and mergeIfExists for a createPolicy. 
mergeIfExists will override updateIfExists for policy :[" + policy.getName() + "]"); - } - - if (!mergeIfExists && !updateIfExists) { - ret = createPolicyUnconditionally(policy); - } else if (mergeIfExists) { - ret = applyPolicy(policy, request); - } else if (policyMatchingAlgo.equalsIgnoreCase(POLICY_MATCHING_ALGO_BY_RESOURCE)) { - ret = applyPolicy(policy, request); - } else if (policyMatchingAlgo.equalsIgnoreCase(POLICY_MATCHING_ALGO_BY_POLICYNAME)) { - RangerPolicy existingPolicy = getPolicyMatchByName(policy, request); - if (existingPolicy != null) { - policy.setId(existingPolicy.getId()); - ret = updatePolicy(policy, null); - } else { - ret = createPolicyUnconditionally(policy); - } - } - - if(LOG.isDebugEnabled()) { - LOG.debug("<== ServiceREST.createPolicy(" + policy + "): " + ret); - } - return ret; - - } - - if(ret == null) { - ret = createPolicyUnconditionally(policy); - } - } catch(WebApplicationException excp) { - throw excp; - } catch(Throwable excp) { - LOG.error("createPolicy(" + policy + ") failed", excp); - - throw restErrorUtil.createRESTException(excp.getMessage()); - } finally { - RangerPerfTracer.log(perf); - } - - if(LOG.isDebugEnabled()) { - LOG.debug("<== ServiceREST.createPolicy(" + policy + "): " + ret); - } - - return ret; - } - - /* - The verb for applyPolicy is POST as it could be partial update or a create - */ - - @POST - @Path("/policies/apply") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public RangerPolicy applyPolicy(RangerPolicy policy, @Context HttpServletRequest request) { - if (LOG.isDebugEnabled()) { - LOG.debug("==> ServiceREST.applyPolicy(" + policy + ")"); - } - - RangerPolicy ret = null; - - if (policy != null && StringUtils.isNotBlank(policy.getService())) { - try { - - final RangerPolicy existingPolicy; - String signature = (new RangerPolicyResourceSignature(policy)).getSignature(); - List policiesWithMatchingSignature = svcStore.getPoliciesByResourceSignature(policy.getService(), 
signature, true); - - if (CollectionUtils.isNotEmpty(policiesWithMatchingSignature)) { - if (policiesWithMatchingSignature.size() == 1) { - existingPolicy = policiesWithMatchingSignature.get(0); - } else { - throw new Exception("Multiple policies with matching policy-signature are found. Cannot determine target for applying policy"); - } - } else { - existingPolicy = null; - } - - if (existingPolicy == null) { - if (StringUtils.isNotEmpty(policy.getName())) { - String policyName = StringUtils.isNotBlank(policy.getName()) ? policy.getName() : null; - String serviceName = StringUtils.isNotBlank(policy.getService()) ? policy.getService() : null; - String zoneName = StringUtils.isNotBlank(policy.getZoneName()) ? policy.getZoneName() : null; - XXPolicy dbPolicy = daoManager.getXXPolicy().findPolicy(policyName, serviceName, zoneName); - //XXPolicy dbPolicy = daoManager.getXXPolicy().findPolicy(policy.getName(), policy.getService(), policy.getZoneName()); - if (dbPolicy != null) { - policy.setName(policy.getName() + System.currentTimeMillis()); - } - } - - ret = createPolicy(policy, null); - } else { - boolean mergeIfExists = "true".equalsIgnoreCase(StringUtils.trimToEmpty(request.getParameter(PARAM_MERGE_IF_EXISTS))); - - if (!mergeIfExists) { - boolean updateIfExists = "true".equalsIgnoreCase(StringUtils.trimToEmpty(request.getParameter(PARAM_UPDATE_IF_EXISTS))); - if (updateIfExists) { - // Called with explicit intent of updating an existing policy - mergeIfExists = false; - } else { - // Invoked through REST API. Merge with existing policy unless 'mergeIfExists' is explicitly set to false in HttpServletRequest - mergeIfExists = !"false".equalsIgnoreCase(StringUtils.trimToEmpty(request.getParameter(PARAM_MERGE_IF_EXISTS))); - } - } - - if(mergeIfExists) { - if (!existingPolicy.getIsDenyAllElse() && policy.getIsDenyAllElse()) { - LOG.error("Attempt to change the isDenyAllElse flag from false to true! 
Not supported!!"); - throw new Exception("Merging existing policy(isDenyAllElse=false) with another policy(isDenyAllElse=true) is not allowed!"); - } - ServiceRESTUtil.processApplyPolicy(existingPolicy, policy); - policy = existingPolicy; - } else { - policy.setId(existingPolicy.getId()); - } - ret = updatePolicy(policy, policy.getId()); - } - } catch(WebApplicationException excp) { - throw excp; - } catch (Exception exception) { - LOG.error("Failed to apply policy:", exception); - throw restErrorUtil.createRESTException(exception.getMessage()); - } - } else { - throw restErrorUtil.createRESTException("Non-existing service specified:"); - } - - if (LOG.isDebugEnabled()) { - LOG.debug("<== ServiceREST.applyPolicy(" + policy + ") : " + ret); - } - - return ret; - } - - @PUT - @Path("/policies/{id}") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public RangerPolicy updatePolicy(RangerPolicy policy, @PathParam("id") Long id) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> ServiceREST.updatePolicy(" + policy + ")"); - } - - // if policy.id and param 'id' are specified, policy.id should be same as the param 'id' - // if policy.id is null, then set param 'id' into policy Object - if (policy.getId() == null) { - policy.setId(id); - } else if(!policy.getId().equals(id)) { - throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST , "policyID mismatch", true); - } - - RangerPolicy ret = null; - RangerPerfTracer perf = null; - - try { - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { - perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.updatePolicy(policyId=" + policy.getId() + ")"); - } - if (isPolicyNameLengthValidationEnabled) { - if (policy.getName().length() > maxPolicyNameLength) { - throw restErrorUtil.createRESTException( - "Policy name should not be longer than " + maxPolicyNameLength + " characters", - MessageEnums.INPUT_DATA_OUT_OF_BOUND, null, "policy name", "" + policy.getName()); - } - } - 
RangerPolicyValidator validator = validatorFactory.getPolicyValidator(svcStore); - validator.validate(policy, Action.UPDATE, bizUtil.isAdmin() || isServiceAdmin(policy.getService()) || isZoneAdmin(policy.getZoneName())); - - ensureAdminAccess(policy); - bizUtil.blockAuditorRoleUser(); - - ret = svcStore.updatePolicy(policy); - } catch(WebApplicationException excp) { - throw excp; - } catch(Throwable excp) { - LOG.error("updatePolicy(" + policy + ") failed", excp); - - throw restErrorUtil.createRESTException(excp.getMessage()); - } finally { - RangerPerfTracer.log(perf); - } - - if(LOG.isDebugEnabled()) { - LOG.debug("<== ServiceREST.updatePolicy(" + policy + "): " + ret); - } - - return ret; - } - - @DELETE - @Path("/policies/{id}") - public void deletePolicy(@PathParam("id") Long id) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> ServiceREST.deletePolicy(" + id + ")"); - } - - RangerPerfTracer perf = null; - - try { - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { - perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.deletePolicy(policyId=" + id + ")"); - } - RangerPolicyValidator validator = validatorFactory.getPolicyValidator(svcStore); - validator.validate(id, Action.DELETE); - - RangerPolicy policy = svcStore.getPolicy(id); - - ensureAdminAccess(policy); - bizUtil.blockAuditorRoleUser(); - svcStore.deletePolicy(policy); - } catch(WebApplicationException excp) { - throw excp; - } catch(Throwable excp) { - LOG.error("deletePolicy(" + id + ") failed", excp); - - throw restErrorUtil.createRESTException(excp.getMessage()); - } finally { - RangerPerfTracer.log(perf); - } - - if(LOG.isDebugEnabled()) { - LOG.debug("<== ServiceREST.deletePolicy(" + id + ")"); - } - } - - @GET - @Path("/policies/{id}") - @Produces({ "application/json" }) - public RangerPolicy getPolicy(@PathParam("id") Long id) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> ServiceREST.getPolicy(" + id + ")"); - } - - RangerPolicy ret = null; - RangerPerfTracer perf = null; - - try { - 
if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { - perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getPolicy(policyId=" + id + ")"); - } - ret = svcStore.getPolicy(id); - - if(ret != null) { - ensureAdminAndAuditAccess(ret); - } - } catch(WebApplicationException excp) { - throw excp; - } catch(Throwable excp) { - LOG.error("getPolicy(" + id + ") failed", excp); - - throw restErrorUtil.createRESTException(excp.getMessage()); - } finally { - RangerPerfTracer.log(perf); - } - - if(ret == null) { - throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "Not found", true); - } - - if(LOG.isDebugEnabled()) { - LOG.debug("<== ServiceREST.getPolicy(" + id + "): " + ret); - } - - return ret; - } - - @GET - @Path("/policyLabels") - @Produces({ "application/json" }) - public List getPolicyLabels(@Context HttpServletRequest request) { - if (LOG.isDebugEnabled()) { - LOG.debug("==> ServiceREST.getPolicyLabels()"); - } - - List ret = new ArrayList(); - RangerPerfTracer perf = null; - - try { - if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { - perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getPolicyLabels()"); - } - - SearchFilter filter = searchUtil.getSearchFilter(request, policyLabelsService.sortFields); - ret = svcStore.getPolicyLabels(filter); - } catch (WebApplicationException excp) { - throw excp; - } catch (Throwable excp) { - LOG.error("getPolicyLabels() failed", excp); - - throw restErrorUtil.createRESTException(excp.getMessage()); - } finally { - RangerPerfTracer.log(perf); - } - - if (LOG.isDebugEnabled()) { - LOG.debug("<== ServiceREST.getPolicyLabels()"); - } - return ret; - } - - @GET - @Path("/policies") - @Produces({ "application/json" }) - public RangerPolicyList getPolicies(@Context HttpServletRequest request) { - if (LOG.isDebugEnabled()) { - LOG.debug("==> ServiceREST.getPolicies()"); - } - - RangerPolicyList ret = new RangerPolicyList(); - RangerPerfTracer perf = null; - - SearchFilter filter = 
searchUtil.getSearchFilter(request, policyService.sortFields); - - try { - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { - perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getPolicies()"); - } - // get all policies from the store; pick the page to return after applying filter - final int savedStartIndex = filter.getStartIndex(); - final int savedMaxRows = filter.getMaxRows(); - - filter.setStartIndex(0); - filter.setMaxRows(Integer.MAX_VALUE); - - List policies = svcStore.getPolicies(filter); - - filter.setStartIndex(savedStartIndex); - filter.setMaxRows(savedMaxRows); - - policies = applyAdminAccessFilter(policies); - - ret = toRangerPolicyList(policies, filter); - - } catch(WebApplicationException excp) { - throw excp; - } catch (Throwable excp) { - LOG.error("getPolicies() failed", excp); - - throw restErrorUtil.createRESTException(excp.getMessage()); - } finally { - RangerPerfTracer.log(perf); - } - - if (LOG.isDebugEnabled()) { - LOG.debug("<== ServiceREST.getPolicies(): count=" + (ret == null ? 0 : ret.getListSize())); - } - return ret; - } + @Autowired + RangerValidatorFactory validatorFactory; - /** - * Resets/ removes service policy cache for given service. - * @param serviceName non-empty serviceName - * @return {@code true} if successfully reseted/ removed for given service, {@code false} otherwise. 
- */ - @GET - @Path("/policies/cache/reset") - @Produces({ "application/json" }) - public boolean resetPolicyCache(@QueryParam("serviceName") String serviceName) { - if (LOG.isDebugEnabled()) { - LOG.debug("==> ServiceREST.resetPolicyCache(" + serviceName + ")"); - } + @Autowired + RangerDaoManager daoManager; - if (StringUtils.isEmpty(serviceName)) { - throw restErrorUtil.createRESTException("Required parameter [serviceName] is missing.", MessageEnums.INVALID_INPUT_DATA); - } + @Autowired + TagDBStore tagStore; - RangerService rangerService = null; - try { - rangerService = svcStore.getServiceByName(serviceName); - } catch (Exception e) { - LOG.error( HttpServletResponse.SC_BAD_REQUEST + "No Service Found for ServiceName:" + serviceName ); - } + @Autowired + RangerTransactionSynchronizationAdapter rangerTransactionSynchronizationAdapter; - if (rangerService == null) { - throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST , "Invalid service name", true); - } + private RangerPolicyEngineOptions delegateAdminOptions; + private RangerPolicyEngineOptions policySearchAdminOptions; + private RangerPolicyEngineOptions defaultAdminOptions; - // check for ADMIN access - if (!bizUtil.isAdmin()) { - boolean isServiceAdmin = false; - String loggedInUser = bizUtil.getCurrentUserLoginId(); + public static Map getAccessResourceObjectMap(Map map) { + Map ret = null; - try { - isServiceAdmin = bizUtil.isUserServiceAdmin(rangerService, loggedInUser); - } catch (Exception e) { - LOG.warn("Failed to find if user [" + loggedInUser + "] has service admin privileges on service [" + serviceName + "]", e); - } + if (map != null) { + ret = new HashMap<>(map.size()); - if (!isServiceAdmin) { - throw restErrorUtil.createRESTException("User cannot reset policy cache", MessageEnums.OPER_NO_PERMISSION); + for (Map.Entry e : map.entrySet()) { + if (e.getValue().contains(",")) { + List values = Arrays.asList(e.getValue().split(",")); + + ret.put(e.getKey(), values); + } else 
{ + ret.put(e.getKey(), e.getValue()); + } } } - boolean ret = svcStore.resetPolicyCache(serviceName); + return ret; + } + + @PostConstruct + public void initStore() { + tagStore.setServiceStore(svcStore); + + delegateAdminOptions = getDelegatedAdminPolicyEngineOptions(); + policySearchAdminOptions = getPolicySearchRangerAdminPolicyEngineOptions(); + defaultAdminOptions = getDefaultRangerAdminPolicyEngineOptions(); + } + + @POST + @Path("/definitions") + @Consumes("application/json") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_SERVICE_DEF + "\")") + public RangerServiceDef createServiceDef(RangerServiceDef serviceDef) { + LOG.debug("==> ServiceREST.createServiceDef({})", serviceDef); + + RangerServiceDef ret; + RangerPerfTracer perf = null; + + /** + * If display name is blank (EMPTY String or NULL), use name. + */ + if (StringUtils.isBlank(serviceDef.getDisplayName())) { + serviceDef.setDisplayName(serviceDef.getName()); + } - if (LOG.isDebugEnabled()) { - LOG.debug("<== ServiceREST.resetPolicyCache(): ret=" + ret); + try { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.createServiceDef(serviceDefName=" + serviceDef.getName() + ")"); + } + + RangerServiceDefValidator validator = validatorFactory.getServiceDefValidator(svcStore); + + validator.validate(serviceDef, Action.CREATE); + + bizUtil.hasAdminPermissions("Service-Def"); + bizUtil.hasKMSPermissions("Service-Def", serviceDef.getImplClass()); + bizUtil.blockAuditorRoleUser(); + + ret = svcStore.createServiceDef(serviceDef); + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + LOG.error("createServiceDef({}) failed", serviceDef, excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + RangerPerfTracer.log(perf); } + LOG.debug("<== ServiceREST.createServiceDef({}): {}", serviceDef, ret); + return ret; } 
- /**
- * Resets/ removes service policy cache for all.
- * @return {@code true} if successfully reseted/ removed, {@code false} otherwise.
- */
- @GET
- @Path("/policies/cache/reset-all")
- @Produces({ "application/json" })
- public boolean resetPolicyCacheAll() {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceREST.resetPolicyCacheAll()");
+ @PUT
+ @Path("/definitions/{id}")
+ @Consumes("application/json")
+ @Produces("application/json")
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_SERVICE_DEF + "\")")
+ public RangerServiceDef updateServiceDef(RangerServiceDef serviceDef, @PathParam("id") Long id) {
+ LOG.debug("==> ServiceREST.updateServiceDef(serviceDefName={})", serviceDef.getName());
+
+ // if serviceDef.id and param 'id' are specified, serviceDef.id should be same as the param 'id'
+ // if serviceDef.id is null, then set param 'id' into serviceDef Object
+ if (serviceDef.getId() == null) {
+ serviceDef.setId(id);
+ } else if (StringUtils.isBlank(serviceDef.getName()) && !serviceDef.getId().equals(id)) {
+ throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, "serviceDef Id mismatch", true);
 }
- // check for ADMIN access
- if (!bizUtil.isAdmin()) {
- throw restErrorUtil.createRESTException("User cannot reset policy cache", MessageEnums.OPER_NO_PERMISSION);
- }
+ RangerServiceDef ret;
+ RangerPerfTracer perf = null;
- boolean ret = svcStore.resetPolicyCache(null);
+ try {
+ if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.updateServiceDef(" + serviceDef.getName() + ")");
+ }
+
+ /**
+ * If display name is blank (EMPTY String or NULL), use previous display name.
+ */
+ if (StringUtils.isBlank(serviceDef.getDisplayName())) {
+ RangerServiceDef rangerServiceDef = svcStore.getServiceDef(serviceDef.getId());
+
+ // If previous display name is blank (EMPTY String or NULL), user name.
+ if (Objects.isNull(rangerServiceDef) || StringUtils.isBlank(rangerServiceDef.getDisplayName())) {
+ serviceDef.setDisplayName(serviceDef.getName());
+ } else {
+ serviceDef.setDisplayName(rangerServiceDef.getDisplayName());
+ }
+ }
+
+ RangerServiceDefValidator validator = validatorFactory.getServiceDefValidator(svcStore);
+
+ validator.validate(serviceDef, Action.UPDATE);
+
+ bizUtil.hasAdminPermissions("Service-Def");
+ bizUtil.hasKMSPermissions("Service-Def", serviceDef.getImplClass());
+ bizUtil.blockAuditorRoleUser();
+
+ ret = svcStore.updateServiceDef(serviceDef);
+ } catch (WebApplicationException excp) {
+ throw excp;
+ } catch (Throwable excp) {
+ LOG.error("updateServiceDef({}) failed", serviceDef, excp);
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceREST.resetPolicyCacheAll(): ret=" + ret);
+ throw restErrorUtil.createRESTException(excp.getMessage());
+ } finally {
+ RangerPerfTracer.log(perf);
 }
+ LOG.debug("<== ServiceREST.updateServiceDef({}): {}", serviceDef, ret);
+ return ret;
 }
- @GET
- @Path("/policies/downloadExcel")
- @Produces("application/ms-excel")
- public void getPoliciesInExcel(@Context HttpServletRequest request,
- @Context HttpServletResponse response) {
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceREST.getPoliciesInExcel()");
- }
- RangerPerfTracer perf = null;
- SearchFilter filter = searchUtil.getSearchFilter(request, policyService.sortFields);
-
- try {
- if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
- perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getPoliciesInExcel()");
- }
- List policyLists = new ArrayList();
-
- policyLists = getAllFilteredPolicyList(filter, request, policyLists);
- if (CollectionUtils.isNotEmpty(policyLists)){
- Map mapServiceTypeAndImplClass = new HashMap();
- for (RangerPolicy rangerPolicy : policyLists) {
- if (rangerPolicy != null) {
- ensureAdminAndAuditAccess(rangerPolicy, mapServiceTypeAndImplClass);
- }
- }
- svcStore.getPoliciesInExcel(policyLists, response);
- }else{
- response.setStatus(HttpServletResponse.SC_NO_CONTENT);
- LOG.error("No policies found to download!");
- }
-
- RangerExportPolicyList rangerExportPolicyList = new RangerExportPolicyList();
- rangerExportPolicyList.setMetaDataInfo(svcStore.getMetaDataInfo());
- String metaDataInfo = JsonUtilsV2.mapToJson(rangerExportPolicyList.getMetaDataInfo());
-
- policyService.createTransactionLog(new XXTrxLogV2(AppConstants.CLASS_TYPE_RANGER_POLICY, null, null, "EXPORT EXCEL"), "Export Excel", metaDataInfo, null);
- } catch (WebApplicationException excp) {
- throw excp;
- } catch (Throwable excp) {
- LOG.error("Error while downloading policy report", excp);
- throw restErrorUtil.createRESTException(excp.getMessage());
- } finally {
- RangerPerfTracer.log(perf);
- }
- }
-
- @GET
- @Path("/policies/csv")
- @Produces("text/csv")
- public void getPoliciesInCsv(@Context HttpServletRequest request, @Context HttpServletResponse response) throws IOException {
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceREST.getPoliciesInCsv()");
- }
- RangerPerfTracer perf = null;
-
- SearchFilter filter = searchUtil.getSearchFilter(request, policyService.sortFields);
-
- try {
- if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
- perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getPoliciesInCsv()");
- }
- List policyLists = new ArrayList();
-
- policyLists = getAllFilteredPolicyList(filter, request, policyLists);
- if (CollectionUtils.isNotEmpty(policyLists)){
- Map mapServiceTypeAndImplClass = new HashMap ();
- for (RangerPolicy rangerPolicy : policyLists) {
- if (rangerPolicy != null) {
- ensureAdminAndAuditAccess(rangerPolicy, mapServiceTypeAndImplClass);
- }
- }
- svcStore.getPoliciesInCSV(policyLists, response);
- }else{
- response.setStatus(HttpServletResponse.SC_NO_CONTENT);
- LOG.error("No policies found to download!");
- }
-
- RangerExportPolicyList rangerExportPolicyList = new RangerExportPolicyList();
-
rangerExportPolicyList.setMetaDataInfo(svcStore.getMetaDataInfo()); - String metaDataInfo = JsonUtilsV2.mapToJson(rangerExportPolicyList.getMetaDataInfo()); - - policyService.createTransactionLog(new XXTrxLogV2(AppConstants.CLASS_TYPE_RANGER_POLICY, null, null, "EXPORT CSV"), "Export CSV", metaDataInfo, null); - } catch (WebApplicationException excp) { - throw excp; - } catch (Throwable excp) { - LOG.error("Error while downloading policy report", excp); - throw restErrorUtil.createRESTException(excp.getMessage()); - } finally { - RangerPerfTracer.log(perf); - } - } - - @GET - @Path("/policies/exportJson") - @Produces("text/json") - public void getPoliciesInJson(@Context HttpServletRequest request, - @Context HttpServletResponse response, - @QueryParam("checkPoliciesExists") Boolean checkPoliciesExists) { - if (LOG.isDebugEnabled()) { - LOG.debug("==> ServiceREST.getPoliciesInJson()"); - } - - RangerPerfTracer perf = null; - SearchFilter filter = searchUtil.getSearchFilter(request,policyService.sortFields); - requestParamsValidation(filter); - try { - if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { - perf = RangerPerfTracer.getPerfTracer(PERF_LOG,"ServiceREST.getPoliciesInJson()"); - } - if (checkPoliciesExists == null){ - checkPoliciesExists = false; - } - - List policyLists = new ArrayList(); - - policyLists = getAllFilteredPolicyList(filter, request, policyLists); - - if (CollectionUtils.isNotEmpty(policyLists)) { - Map mapServiceTypeAndImplClass = new HashMap (); - for (RangerPolicy rangerPolicy : policyLists) { - if (rangerPolicy != null) { - ensureAdminAndAuditAccess(rangerPolicy, mapServiceTypeAndImplClass); - } - } - bizUtil.blockAuditorRoleUser(); - svcStore.getObjectInJson(policyLists, response, JSON_FILE_NAME_TYPE.POLICY); - } else { - checkPoliciesExists = true; - response.setStatus(HttpServletResponse.SC_NO_CONTENT); - LOG.error("There is no Policy to Export!!"); - } - - if(!checkPoliciesExists){ - RangerExportPolicyList rangerExportPolicyList = 
new RangerExportPolicyList(); - rangerExportPolicyList.setMetaDataInfo(svcStore.getMetaDataInfo()); - String metaDataInfo = JsonUtilsV2.mapToJson(rangerExportPolicyList.getMetaDataInfo()); - - policyService.createTransactionLog(new XXTrxLogV2(AppConstants.CLASS_TYPE_RANGER_POLICY, null, null, "EXPORT JSON"), "Export Json", metaDataInfo, null); - } - } catch (WebApplicationException excp) { - throw excp; - } catch (Throwable excp) { - LOG.error("Error while exporting policy file!!", excp); - throw restErrorUtil.createRESTException(excp.getMessage()); - } finally { - RangerPerfTracer.log(perf); - } - } - - private void requestParamsValidation(SearchFilter filter) { - Boolean fetchAllZonePolicies = Boolean.valueOf(filter.getParam(SearchFilter.FETCH_ZONE_UNZONE_POLICIES)); - String zoneName = filter.getParam(SearchFilter.ZONE_NAME); - - if (fetchAllZonePolicies && StringUtils.isNotEmpty(zoneName)) { - throw restErrorUtil.createRESTException("Invalid parameter: " + SearchFilter.ZONE_NAME + " can not be provided, along with " + SearchFilter.FETCH_ZONE_UNZONE_POLICIES + "=true"); - } - } - - @POST - @Path("/policies/importPoliciesFromFile") - @Consumes({MediaType.MULTIPART_FORM_DATA, MediaType.APPLICATION_JSON}) - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAdminOrKeyAdminRole()") - public void importPoliciesFromFile( - @Context HttpServletRequest request, - @FormDataParam("servicesMapJson") InputStream serviceMapStream, - @FormDataParam("zoneMapJson") InputStream zoneMapStream, - @FormDataParam("file") InputStream uploadedInputStream, - @FormDataParam("file") FormDataContentDisposition fileDetail, - @QueryParam("isOverride") Boolean isOverride, - @QueryParam("importType") String importType) { - if (LOG.isDebugEnabled()) { - LOG.debug("==> ServiceREST.importPoliciesFromFile()"); - } - - RangerContextHolder.getOrCreateOpContext().setBulkModeContext(true); - - RangerPerfTracer perf = null; - String metaDataInfo = null; - 
request.setAttribute(PARAM_IMPORT_IN_PROGRESS, true); - - try { - if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { - perf = RangerPerfTracer.getPerfTracer(PERF_LOG,"ServiceREST.importPoliciesFromFile()"); - } - - policyService.createTransactionLog(new XXTrxLogV2(AppConstants.CLASS_TYPE_RANGER_POLICY, null, null, "IMPORT START"), "Import", "IMPORT START", null); - - if (isOverride == null){ - isOverride = false; - } - List serviceNameList = new ArrayList(); - - getServiceNameList(request,serviceNameList); - Map servicesMappingMap = new LinkedHashMap(); - List sourceServices = new ArrayList(); - List destinationServices = new ArrayList(); - Map zoneMappingMap = new LinkedHashMap(); - List sourceZones = new ArrayList(); - List destinationZones = new ArrayList(); - if (zoneMapStream != null) { - zoneMappingMap = svcStore.getMapFromInputStream(zoneMapStream); - processZoneMapping(zoneMappingMap, sourceZones, destinationZones); - } - - if (serviceMapStream != null){ - servicesMappingMap = svcStore.getMapFromInputStream(serviceMapStream); - processServiceMapping(servicesMappingMap, sourceServices, destinationServices); - } - - String fileName = fileDetail.getFileName(); - int totalPolicyCreate = 0; - String zoneNameInJson = null; - Map policiesMap = new LinkedHashMap(); - List dataFileSourceServices = new ArrayList(); - if (fileName.endsWith("json")) { - try { - RangerExportPolicyList rangerExportPolicyList = null; - List policies = null; - rangerExportPolicyList = processPolicyInputJsonForMetaData(uploadedInputStream,rangerExportPolicyList); - if (rangerExportPolicyList != null && !CollectionUtils.sizeIsEmpty(rangerExportPolicyList.getMetaDataInfo())) { - metaDataInfo = JsonUtilsV2.mapToJson(rangerExportPolicyList.getMetaDataInfo()); - } else { - LOG.info("metadata info is not provided!!"); - } - policies = getPoliciesFromProvidedJson(rangerExportPolicyList); - - int i = 0; - if (CollectionUtils.sizeIsEmpty(servicesMappingMap) && isOverride){ - if(policies != null && 
!CollectionUtils.sizeIsEmpty(policies)){ - for (RangerPolicy policyInJson: policies){ - if (policyInJson != null ) { - if (i == 0 && StringUtils.isNotBlank(policyInJson.getZoneName())) { - zoneNameInJson = policyInJson.getZoneName().trim(); - } - if (StringUtils.isNotEmpty(policyInJson.getService().trim())) { - String serviceName = policyInJson.getService().trim(); - if (CollectionUtils.isNotEmpty(serviceNameList) && serviceNameList.contains(serviceName) && !sourceServices.contains(serviceName) && !destinationServices.contains(serviceName)) { - sourceServices.add(serviceName); - destinationServices.add(serviceName); - } else if (CollectionUtils.isEmpty(serviceNameList) - && !sourceServices.contains(serviceName) - && !destinationServices.contains(serviceName)) { - sourceServices.add(serviceName); - destinationServices.add(serviceName); - } - }else{ - LOG.error("Service Name or Policy Name is not provided!!"); - throw restErrorUtil.createRESTException("Service Name or Policy Name is not provided!!"); - } - } - i++; - } - } - }else if (!CollectionUtils.sizeIsEmpty(servicesMappingMap)) { - if (policies != null && !CollectionUtils.sizeIsEmpty(policies)){ - i = 0; - for (RangerPolicy policyInJson: policies){ - if (policyInJson != null){ - if (i == 0 && StringUtils.isNotBlank(policyInJson.getZoneName())) { - zoneNameInJson = policyInJson.getZoneName().trim(); - } - if (StringUtils.isNotEmpty(policyInJson.getService().trim())) { - dataFileSourceServices.add(policyInJson.getService().trim()); - }else{ - LOG.error("Service Name or Policy Name is not provided!!"); - throw restErrorUtil.createRESTException("Service Name or Policy Name is not provided!!"); - } - i++; - } - } - if(!dataFileSourceServices.containsAll(sourceServices)){ - LOG.error("Json File does not contain sepcified source service name."); - throw restErrorUtil.createRESTException("Json File does not contain sepcified source service name."); - } - } - } - boolean 
deleteIfExists=("true".equalsIgnoreCase(StringUtils.trimToEmpty(request.getParameter(PARAM_DELETE_IF_EXISTS)))) ? true : false ; - boolean updateIfExists=("true".equalsIgnoreCase(StringUtils.trimToEmpty(request.getParameter(PARAM_UPDATE_IF_EXISTS)))) ? true : false ; - String polResource = request.getParameter(SearchFilter.POL_RESOURCE); - if (updateIfExists) { - isOverride = false; - } - - String destinationZoneName = getDestinationZoneName(destinationZones,zoneNameInJson); - if (isOverride && !updateIfExists && StringUtils.isEmpty(polResource)) { - if (LOG.isDebugEnabled()) { - LOG.debug("Deleting Policy from provided services in servicesMapJson file..."); - } - if (CollectionUtils.isNotEmpty(sourceServices) && CollectionUtils.isNotEmpty(destinationServices)) { - deletePoliciesProvidedInServiceMap(sourceServices, destinationServices,destinationZoneName);//In order to delete Zone specific policies from service - } - } else if (updateIfExists && StringUtils.isNotEmpty(polResource)) { - if (LOG.isDebugEnabled()) { - LOG.debug("Deleting Policy from provided services in servicesMapJson file for specific resource..."); - } - if (CollectionUtils.isNotEmpty(sourceServices) && CollectionUtils.isNotEmpty(destinationServices)){ - deletePoliciesForResource(sourceServices, destinationServices, request, policies,destinationZoneName);//In order to delete Zone specific policies from service - } - } - if (policies != null && !CollectionUtils.sizeIsEmpty(policies)){ - for (RangerPolicy policyInJson: policies){ - if (policyInJson != null){ - if (StringUtils.isNotBlank(destinationZoneName)) { - boolean isZoneServiceExistAtDestination = validateDestZoneServiceMapping(destinationZoneName, policyInJson, servicesMappingMap); - if(!isZoneServiceExistAtDestination) { - LOG.warn("provided service of policy in File is not associated with zone"); - continue; - } - } - policiesMap = svcStore.createPolicyMap(zoneMappingMap, sourceZones, destinationZoneName, - servicesMappingMap, 
sourceServices, destinationServices, policyInJson, - policiesMap);// zone Info is also sent for creating policy map - } - } - if (deleteIfExists) { - //deleting target policies if already exist - deleteExactMatchPolicyForResource(policies, request.getRemoteUser(), destinationZoneName); - } - } - - totalPolicyCreate = createPolicesBasedOnPolicyMap(request,policiesMap, serviceNameList, updateIfExists, totalPolicyCreate); - if(!(totalPolicyCreate > 0)){ - LOG.error("zero policy is created from provided data file!!"); - throw restErrorUtil.createRESTException("zero policy is created from provided data file!!"); - } - - } catch (IOException e) { - LOG.error(e.getMessage()); - throw restErrorUtil.createRESTException(e.getMessage()); - } - }else{ - LOG.error("Provided file format is not supported!!"); - throw restErrorUtil.createRESTException("Provided file format is not supported!!"); - } - } catch(JsonSyntaxException ex) { - LOG.error("Provided json file is not valid!!", ex); - - policyService.createTransactionLog(new XXTrxLogV2(AppConstants.CLASS_TYPE_RANGER_POLICY, null, null, "IMPORT ERROR"), "Import failed", StringUtils.isNotEmpty(metaDataInfo) ? metaDataInfo : null, null); - - throw restErrorUtil.createRESTException(ex.getMessage()); - }catch (WebApplicationException excp) { - LOG.error("Error while importing policy from file!!", excp); - - policyService.createTransactionLog(new XXTrxLogV2(AppConstants.CLASS_TYPE_RANGER_POLICY, null, null, "IMPORT ERROR"), "Import failed", StringUtils.isNotEmpty(metaDataInfo) ? metaDataInfo : null, null); - - throw excp; - } catch (Throwable excp) { - LOG.error("Error while importing policy from file!!", excp); - - policyService.createTransactionLog(new XXTrxLogV2(AppConstants.CLASS_TYPE_RANGER_POLICY, null, null, "IMPORT ERROR"), "Import failed", StringUtils.isNotEmpty(metaDataInfo) ? 
metaDataInfo : null, null); - - throw restErrorUtil.createRESTException(excp.getMessage()); - } finally { - RangerPerfTracer.log(perf); - - policyService.createTransactionLog(new XXTrxLogV2(AppConstants.CLASS_TYPE_RANGER_POLICY, null, null, "IMPORT END"), "IMPORT END", StringUtils.isNotEmpty(metaDataInfo) ? metaDataInfo : null, null); - - if (LOG.isDebugEnabled()) { - LOG.debug("<== ServiceREST.importPoliciesFromFile()"); - } - } - } - - private int createPolicesBasedOnPolicyMap(HttpServletRequest request, Map policiesMap, - List serviceNameList, boolean updateIfExists, int totalPolicyCreate) { - boolean mergeIfExists = "true".equalsIgnoreCase(StringUtils.trimToEmpty(request.getParameter(PARAM_MERGE_IF_EXISTS))) ? true : false; - boolean deleteIfExists = "true".equalsIgnoreCase(StringUtils.trimToEmpty(request.getParameter(PARAM_DELETE_IF_EXISTS))) ? true : false; - if (!CollectionUtils.sizeIsEmpty(policiesMap.entrySet())) { - for (Entry entry : policiesMap.entrySet()) { - RangerPolicy policy = entry.getValue(); - if (policy != null){ - if (!CollectionUtils.isEmpty(serviceNameList)) { - for (String service : serviceNameList) { - if (StringUtils.isNotEmpty(service.trim()) && StringUtils.isNotEmpty(policy.getService().trim())){ - if (policy.getService().trim().equalsIgnoreCase(service.trim())) { - if (updateIfExists || mergeIfExists || deleteIfExists) { - request.setAttribute(PARAM_SERVICE_NAME, policy.getService()); - request.setAttribute(PARAM_POLICY_NAME, policy.getName()); - request.setAttribute(PARAM_ZONE_NAME, policy.getZoneName()); - if(mergeIfExists && !ServiceRESTUtil.containsRangerCondition(policy)) { - String user = request.getRemoteUser(); - RangerPolicy existingPolicy; - try { - existingPolicy = getExactMatchPolicyForResource(policy, StringUtils.isNotBlank(user) ? 
user :"admin"); - } catch (Exception e) { - existingPolicy=null; - } - if (existingPolicy == null) { - createPolicy(policy, request); - } else { - ServiceRESTUtil.mergeExactMatchPolicyForResource(existingPolicy, policy); - updatePolicy(existingPolicy, null); - } - } else { - createPolicy(policy, request); - } - } else { - createPolicy(policy, request); - } - totalPolicyCreate = totalPolicyCreate + 1; - if (LOG.isDebugEnabled()) { - LOG.debug("Policy " + policy.getName() + " created successfully."); - } - break; - } - } else { - LOG.error("Service Name or Policy Name is not provided!!"); - throw restErrorUtil.createRESTException("Service Name or Policy Name is not provided!!"); - } - } - } else { - if (updateIfExists || mergeIfExists || deleteIfExists) { - request.setAttribute(PARAM_SERVICE_NAME, policy.getService()); - request.setAttribute(PARAM_POLICY_NAME, policy.getName()); - request.setAttribute(PARAM_ZONE_NAME, policy.getZoneName()); - if(mergeIfExists && !ServiceRESTUtil.containsRangerCondition(policy)) { - String user = request.getRemoteUser(); - RangerPolicy existingPolicy; - try { - existingPolicy = getExactMatchPolicyForResource(policy, StringUtils.isNotBlank(user) ? 
user :"admin"); - } catch (Exception e) { - existingPolicy=null; - } - if (existingPolicy == null) { - createPolicy(policy, request); - } else { - ServiceRESTUtil.mergeExactMatchPolicyForResource(existingPolicy, policy); - updatePolicy(existingPolicy, null); - } - } else { - createPolicy(policy, request); - } - } else { - createPolicy(policy, request); - } - totalPolicyCreate = totalPolicyCreate + 1; - if (LOG.isDebugEnabled()) { - LOG.debug("Policy " + policy.getName() + " created successfully."); - } - } - } - if(totalPolicyCreate % RangerBizUtil.POLICY_BATCH_SIZE == 0) { - bizUtil.bulkModeOnlyFlushAndClear(); - } - } - bizUtil.bulkModeOnlyFlushAndClear(); - if (LOG.isDebugEnabled()) { - LOG.debug("Total Policy Created From Json file : " + totalPolicyCreate); - } - } - return totalPolicyCreate; - } - - private List getPoliciesFromProvidedJson(RangerExportPolicyList rangerExportPolicyList) { - List policies = null; - if (rangerExportPolicyList != null && !CollectionUtils.sizeIsEmpty(rangerExportPolicyList.getPolicies())) { - policies = rangerExportPolicyList.getPolicies(); - } else { - LOG.error("Provided json file does not contain any policy!!"); - throw restErrorUtil.createRESTException("Provided json file does not contain any policy!!"); - } - return policies; - } - - private RangerExportPolicyList processPolicyInputJsonForMetaData(InputStream uploadedInputStream, - RangerExportPolicyList rangerExportPolicyList) throws Exception { - String policiesString = IOUtils.toString(uploadedInputStream); - policiesString = policiesString.trim(); - if (StringUtils.isNotEmpty(policiesString)) { - rangerExportPolicyList = JsonUtilsV2.jsonToObj(policiesString, RangerExportPolicyList.class); - } else { - LOG.error("Provided json file is empty!!"); - throw restErrorUtil.createRESTException("Provided json file is empty!!"); - } - return rangerExportPolicyList; - } - - private void getServiceNameList(HttpServletRequest request, List serviceNameList) { - SearchFilter filter = 
searchUtil.getSearchFilter(request,policyService.sortFields); - String serviceType = null; - List serviceTypeList = null; - if (StringUtils.isNotEmpty(request.getParameter(PARAM_SERVICE_TYPE))){ - serviceType = request.getParameter(PARAM_SERVICE_TYPE); - } - if(StringUtils.isNotEmpty(serviceType)){ - serviceTypeList = new ArrayList(Arrays.asList(serviceType.split(","))); - } - List rangerServiceList = null; - List rangerServiceLists = new ArrayList(); - if (CollectionUtils.isNotEmpty(serviceTypeList)){ - for (String s : serviceTypeList) { - filter.removeParam(PARAM_SERVICE_TYPE); - filter.setParam(PARAM_SERVICE_TYPE, s.trim()); - rangerServiceList = getServices(filter); - rangerServiceLists.addAll(rangerServiceList); - } - } - if(!CollectionUtils.sizeIsEmpty(rangerServiceLists)){ - for(RangerService rService : rangerServiceLists){ - if (StringUtils.isNotEmpty(rService.getName())){ - serviceNameList.add(rService.getName()); - } - } - } - } - - private boolean validateDestZoneServiceMapping(String destinationZoneName, RangerPolicy policyInJson, - Map servicesMappingMap) { - boolean isZoneServiceExistAtDestination = false; - XXSecurityZone xdestZone = daoManager.getXXSecurityZoneDao().findByZoneName(destinationZoneName); - if (xdestZone == null) { - LOG.error("destination zone provided does not exist"); - throw restErrorUtil.createRESTException("destination zone provided does not exist"); - } - // CHECK IF json policies service is there on destination and asscioated with - // destination zone. 
- - String serviceNameToCheck = policyInJson.getService(); - - if (StringUtils.isNotBlank(serviceNameToCheck) && servicesMappingMap.containsKey(serviceNameToCheck)) { - serviceNameToCheck = servicesMappingMap.get(policyInJson.getService()); - } - List serviceZoneMapping = daoManager.getXXSecurityZoneRefService() - .findByServiceNameAndZoneId(serviceNameToCheck, xdestZone.getId()); - List tagServiceZoneMapping = daoManager.getXXSecurityZoneRefTagService() - .findByTagServiceNameAndZoneId(serviceNameToCheck, xdestZone.getId()); - - if (!CollectionUtils.isEmpty(serviceZoneMapping) || !CollectionUtils.isEmpty(tagServiceZoneMapping)) { - isZoneServiceExistAtDestination = true; - } - - return isZoneServiceExistAtDestination; - } - - private String getDestinationZoneName(List destinationZones, String zoneNameInJson) { - String destinationZoneName = null; - if (CollectionUtils.isNotEmpty(destinationZones)) { - destinationZoneName = destinationZones.get(0); - } else { - destinationZoneName = zoneNameInJson; - } - return destinationZoneName; - } - - private void processServiceMapping(Map servicesMappingMap, List sourceServices, - List destinationServices) { - if (!CollectionUtils.sizeIsEmpty(servicesMappingMap)) { - for (Entry map : servicesMappingMap.entrySet()) { - String sourceServiceName = null; - String destinationServiceName = null; - if (StringUtils.isNotEmpty(map.getKey().trim()) && StringUtils.isNotEmpty(map.getValue().trim())) { - sourceServiceName = map.getKey().trim(); - destinationServiceName = map.getValue().trim(); - } else { - LOG.error("Source service or destination service name is not provided!!"); - throw restErrorUtil - .createRESTException("Source service or destonation service name is not provided!!"); - } - if (StringUtils.isNotEmpty(sourceServiceName) && StringUtils.isNotEmpty(destinationServiceName)) { - sourceServices.add(sourceServiceName); - destinationServices.add(destinationServiceName); - } - } - } - } - - private void processZoneMapping(Map 
zoneMappingMap, List sourceZones,
- List destinationZones) {
-
- if (!CollectionUtils.sizeIsEmpty(zoneMappingMap)) {
- for (Entry map : zoneMappingMap.entrySet()) {
- String sourceZoneName = null;
- String destinationZoneName = null;
- if (StringUtils.isNotEmpty(map.getKey().trim()) || StringUtils.isNotEmpty(map.getValue().trim())) {
- // zone to zone
- // zone to unzone
- // unzone to zone
- sourceZoneName = map.getKey().trim();
- destinationZoneName = map.getValue().trim();
- LOG.info("sourceZoneName =" + sourceZoneName + "destinationZoneName = " + destinationZoneName);
- } else if (StringUtils.isEmpty(map.getKey().trim()) && StringUtils.isEmpty(map.getValue().trim())) {
- LOG.info("Unzone to unzone policies import");
- } else {
- LOG.error("Source zone or destination zone name is not provided!!");
- throw restErrorUtil.createRESTException("Source zone or destination zone name is not provided!!");
- }
- if (StringUtils.isNotEmpty(sourceZoneName) || StringUtils.isNotEmpty(destinationZoneName)) {
- sourceZones.add(sourceZoneName);
- destinationZones.add(destinationZoneName);
- }
- }
- }
- }
-
- private List getAllFilteredPolicyList(SearchFilter filter,
- HttpServletRequest request, List policyLists) {
- String serviceNames = null;
- String serviceType = null;
- List serviceNameList = null;
- List serviceTypeList = null;
- List serviceNameInServiceTypeList = new ArrayList();
- boolean isServiceExists = false;
-
- if (request.getParameter(PARAM_SERVICE_NAME) != null){
- serviceNames = request.getParameter(PARAM_SERVICE_NAME);
- }
- if (StringUtils.isNotEmpty(serviceNames)) {
- serviceNameList = new ArrayList(Arrays.asList(serviceNames.split(",")));
- }
-
- if (request.getParameter(PARAM_SERVICE_TYPE) != null){
- serviceType = request.getParameter(PARAM_SERVICE_TYPE);
- }
- if(StringUtils.isNotEmpty(serviceType)){
- serviceTypeList = new ArrayList(Arrays.asList(serviceType.split(",")));
- }
-
- List policyList = new ArrayList();
- List policyListByServiceName = new ArrayList();
-
- if (filter != null) {
- filter.setStartIndex(0);
- filter.setMaxRows(Integer.MAX_VALUE);
-
- if (!CollectionUtils.isEmpty(serviceTypeList)) {
- for (String s : serviceTypeList) {
- filter.removeParam(PARAM_SERVICE_TYPE);
- if (request.getParameter(PARAM_SERVICE_NAME) != null){
- filter.removeParam(PARAM_SERVICE_NAME);
- }
- filter.setParam(PARAM_SERVICE_TYPE, s.trim());
- policyList = getPolicies(filter);
- policyLists.addAll(policyList);
- }
- if(!CollectionUtils.sizeIsEmpty(policyLists)){
- for (RangerPolicy rangerPolicy:policyLists){
- if (StringUtils.isNotEmpty(rangerPolicy.getService())){
- serviceNameInServiceTypeList.add(rangerPolicy.getService());
- }
- }
- }
- }
- if (!CollectionUtils.isEmpty(serviceNameList) && !CollectionUtils.isEmpty(serviceTypeList)){
- isServiceExists = serviceNameInServiceTypeList.containsAll(serviceNameList);
- if(isServiceExists){
- for (String s : serviceNameList) {
- filter.removeParam(PARAM_SERVICE_NAME);
- filter.removeParam(PARAM_SERVICE_TYPE);
- filter.setParam(PARAM_SERVICE_NAME, s.trim());
- policyList = getPolicies(filter);
- policyListByServiceName.addAll(policyList);
- }
- policyLists = policyListByServiceName;
- }else{
- policyLists = new ArrayList();
- }
- }else if (CollectionUtils.isEmpty(serviceNameList) && CollectionUtils.isEmpty(serviceTypeList)){
- policyLists = getPolicies(filter);
- }
- if (!CollectionUtils.isEmpty(serviceNameList) && CollectionUtils.isEmpty(serviceTypeList)) {
- for (String s : serviceNameList) {
- filter.removeParam(PARAM_SERVICE_NAME);
- filter.setParam(PARAM_SERVICE_NAME, s.trim());
- policyList = getPolicies(filter);
- policyLists.addAll(policyList);
- }
- }
- }
- if (StringUtils.isNotEmpty(request.getParameter("resourceMatch"))
- && "full".equalsIgnoreCase(request.getParameter("resourceMatch"))) {
- policyLists = serviceUtil.getMatchingPoliciesForResource(request, policyLists);
- }
- Map orderedPolicies = new TreeMap();
-
- if (!CollectionUtils.isEmpty(policyLists)) {
- for (RangerPolicy policy : policyLists) {
- if (policy != null) {
- //set createTime & updateTime Time as null since exported policies dont need this
- policy.setCreateTime(null);
- policy.setUpdateTime(null);
- orderedPolicies.put(policy.getId(), policy);
- }
- }
- if (!orderedPolicies.isEmpty()) {
- policyLists.clear();
- policyLists.addAll(orderedPolicies.values());
- }
- }
- return policyLists;
- }
-
- private void deletePoliciesProvidedInServiceMap(List sourceServices, List destinationServices, String zoneName) throws Exception {
- int totalDeletedPolicies = 0;
- if (CollectionUtils.isNotEmpty(sourceServices)
- && CollectionUtils.isNotEmpty(destinationServices)) {
- RangerPolicyValidator validator = validatorFactory.getPolicyValidator(svcStore);
- for (int i = 0; i < sourceServices.size(); i++) {
- if (!destinationServices.get(i).isEmpty() ) {
- SearchFilter filter = new SearchFilter();
- filter.setParam(SearchFilter.ZONE_NAME, zoneName);
- filter.setParam(SearchFilter.SERVICE_NAME, destinationServices.get(i));
- RangerService service=getServiceByName(destinationServices.get(i));
- final RangerPolicyList servicePolicies = getServicePolicies(destinationServices.get(i),filter);
- if (servicePolicies != null) {
- List rangerPolicyList = servicePolicies.getPolicies();
- if (CollectionUtils.isNotEmpty(rangerPolicyList)) {
- for (RangerPolicy rangerPolicy : rangerPolicyList) {
- if (rangerPolicy != null) {
- validator.validate(rangerPolicy.getId(), Action.DELETE);
- ensureAdminAccess(rangerPolicy);
- bizUtil.blockAuditorRoleUser();
- svcStore.deletePolicy(rangerPolicy, service);
- totalDeletedPolicies = totalDeletedPolicies + 1;
- if (totalDeletedPolicies % RangerBizUtil.POLICY_BATCH_SIZE == 0) {
- bizUtil.bulkModeOnlyFlushAndClear();
- }
- if (LOG.isDebugEnabled()) {
- LOG.debug("Policy " + rangerPolicy.getName() + " deleted successfully.");
- LOG.debug("TotalDeletedPilicies: " + totalDeletedPolicies);
- }
- }
- }
- bizUtil.bulkModeOnlyFlushAndClear();
- }
- }
- }
- }
- }
- if (LOG.isDebugEnabled()) {
- LOG.debug("Total Deleted Policy : " + totalDeletedPolicies);
- }
- }
-
- private void deletePoliciesForResource(List sourceServices, List destinationServices, HttpServletRequest request, List exportPolicies, String zoneName) throws Exception {
- int totalDeletedPolicies = 0;
- if (CollectionUtils.isNotEmpty(sourceServices)
- && CollectionUtils.isNotEmpty(destinationServices)) {
- Set exportedPolicyNames=new HashSet();
- if (CollectionUtils.isNotEmpty(exportPolicies)) {
- for (RangerPolicy rangerPolicy : exportPolicies) {
- if (rangerPolicy!=null) {
- exportedPolicyNames.add(rangerPolicy.getName());
- }
- }
- }
- for (int i = 0; i < sourceServices.size(); i++) {
- if (!destinationServices.get(i).isEmpty()) {
- RangerPolicyList servicePolicies = null;
- SearchFilter filter = searchUtil.getSearchFilter(request,policyService.sortFields);
- filter.setParam("zoneName", zoneName);
- servicePolicies = getServicePolicies(destinationServices.get(i), filter);
- RangerService service=getServiceByName(destinationServices.get(i));
- if (servicePolicies != null) {
- List rangerPolicyList = servicePolicies.getPolicies();
- if (CollectionUtils.isNotEmpty(rangerPolicyList)) {
- List policiesToBeDeleted = new ArrayList();
- for (RangerPolicy rangerPolicy : rangerPolicyList) {
- if (rangerPolicy != null) {
- Map rangerPolicyResourceMap=rangerPolicy.getResources();
- if (rangerPolicyResourceMap!=null) {
- RangerPolicyResource rangerPolicyResource=null;
- if (rangerPolicyResourceMap.containsKey("path")) {
- rangerPolicyResource=rangerPolicyResourceMap.get("path");
- } else if (rangerPolicyResourceMap.containsKey("database")) {
- rangerPolicyResource=rangerPolicyResourceMap.get("database");
- }
- if (rangerPolicyResource!=null) {
- if (CollectionUtils.isNotEmpty(rangerPolicyResource.getValues()) && rangerPolicyResource.getValues().size()>1) {
- continue;
- }
- }
- }
- if (rangerPolicy.getId() != null) {
- if (!exportedPolicyNames.contains(rangerPolicy.getName())) {
- policiesToBeDeleted.add(rangerPolicy);
- }
- }
- }
- }
- if (CollectionUtils.isNotEmpty(policiesToBeDeleted)) {
- for (RangerPolicy rangerPolicy : policiesToBeDeleted) {
- svcStore.deletePolicy(rangerPolicy, service);
- if (LOG.isDebugEnabled()) {
- LOG.debug("Policy " + rangerPolicy.getName() + " deleted successfully.");
- }
- totalDeletedPolicies = totalDeletedPolicies + 1;
- if (totalDeletedPolicies % RangerBizUtil.POLICY_BATCH_SIZE == 0) {
- bizUtil.bulkModeOnlyFlushAndClear();
- }
- }
- bizUtil.bulkModeOnlyFlushAndClear();
- }
- }
- }
- }
- }
- }
- }
-
- public List getPolicies(SearchFilter filter) {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceREST.getPolicies(filter)");
- }
-
- List ret = null;
- RangerPerfTracer perf = null;
-
- try {
- if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
- perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getPolicies()");
- }
- ret = svcStore.getPolicies(filter);
-
- ret = applyAdminAccessFilter(ret);
- } catch(WebApplicationException excp) {
- throw excp;
- } catch(Throwable excp) {
- LOG.error("getPolicies() failed", excp);
-
- throw restErrorUtil.createRESTException(excp.getMessage());
- } finally {
- RangerPerfTracer.log(perf);
- }
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceREST.getPolicies(filter): count=" + (ret == null ? 0 : ret.size()));
- }
-
- return ret;
- }
-
- @GET
- @Path("/policies/count")
- @Produces({ "application/json" })
- public Long countPolicies( @Context HttpServletRequest request) {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceREST.countPolicies():");
- }
-
- Long ret = null;
- RangerPerfTracer perf = null;
-
- try {
- if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
- perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.countPolicies()");
- }
- List policies = getPolicies(request).getPolicies();
-
- policies = applyAdminAccessFilter(policies);
-
- ret = Long.valueOf(policies == null ? 0 : policies.size());
- } catch(WebApplicationException excp) {
- throw excp;
- } catch(Throwable excp) {
- LOG.error("countPolicies() failed", excp);
-
- throw restErrorUtil.createRESTException(excp.getMessage());
- } finally {
- RangerPerfTracer.log(perf);
- }
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceREST.countPolicies(): " + ret);
- }
-
- return ret;
- }
-
- @GET
- @Path("/policies/service/{id}")
- @Produces({ "application/json" })
- public RangerPolicyList getServicePolicies(@PathParam("id") Long serviceId,
- @Context HttpServletRequest request) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceREST.getServicePolicies(" + serviceId + ")");
- }
-
- RangerPolicyList ret = new RangerPolicyList();
- RangerPerfTracer perf = null;
-
- SearchFilter filter = searchUtil.getSearchFilter(request, policyService.sortFields);
- try {
- if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
- perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServicePolicies(serviceId=" + serviceId + ")");
- }
-
- String policyTypeStr = filter.getParam(SearchFilter.POLICY_TYPE);
- if (policyTypeStr != null && !IntStream.of(RangerPolicy.POLICY_TYPES).anyMatch(x -> x == Integer.parseInt(policyTypeStr))) {
- throw restErrorUtil.createRESTException("policyTypes with id: " + policyTypeStr + " does not exist",
- MessageEnums.DATA_NOT_FOUND, Long.parseLong(policyTypeStr), null,
- "readResource : No Object found with given id.");
- }
-
- // get all policies from the store; pick the page to return after applying filter
- int savedStartIndex = filter == null ? 0 : filter.getStartIndex();
- int savedMaxRows = filter == null ? Integer.MAX_VALUE : filter.getMaxRows();
-
- if(filter != null) {
- filter.setStartIndex(0);
- filter.setMaxRows(Integer.MAX_VALUE);
- }
-
- List servicePolicies = svcStore.getServicePolicies(serviceId, filter);
-
- if(filter != null) {
- filter.setStartIndex(savedStartIndex);
- filter.setMaxRows(savedMaxRows);
- }
-
- servicePolicies = applyAdminAccessFilter(servicePolicies);
-
- ret = toRangerPolicyList(servicePolicies, filter);
-
- } catch(WebApplicationException excp) {
- throw excp;
- } catch (Throwable excp) {
- LOG.error("getServicePolicies(" + serviceId + ") failed", excp);
-
- throw restErrorUtil.createRESTException(excp.getMessage());
- } finally {
- RangerPerfTracer.log(perf);
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceREST.getServicePolicies(" + serviceId + "): count="
- + (ret == null ? 0 : ret.getListSize()));
- }
- return ret;
- }
-
-
- @GET
- @Path("/policies/service/name/{name}")
- @Produces({ "application/json" })
- public RangerPolicyList getServicePoliciesByName(@PathParam("name") String serviceName,
- @Context HttpServletRequest request) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceREST.getServicePolicies(" + serviceName + ")");
- }
-
- SearchFilter filter = searchUtil.getSearchFilter(request, policyService.sortFields);
-
- RangerPolicyList ret = getServicePolicies(serviceName, filter);
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceREST.getServicePolicies(" + serviceName + "): count="
- + (ret == null ? 0 : ret.getListSize()));
- }
-
- return ret;
- }
-
- private RangerPolicyList getServicePolicies(String serviceName, SearchFilter filter) {
- RangerPerfTracer perf = null;
- try {
- if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
- perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServicePolicies(serviceName=" + serviceName + ")");
- }
-
- // get all policies from the store; pick the page to return after applying filter
- int savedStartIndex = filter == null ? 0 : filter.getStartIndex();
- int savedMaxRows = filter == null ? Integer.MAX_VALUE : filter.getMaxRows();
-
- if(filter != null) {
- filter.setStartIndex(0);
- filter.setMaxRows(Integer.MAX_VALUE);
- }
-
- List servicePolicies = svcStore.getServicePolicies(serviceName, filter);
-
- if(filter != null) {
- filter.setStartIndex(savedStartIndex);
- filter.setMaxRows(savedMaxRows);
- }
-
- servicePolicies = applyAdminAccessFilter(servicePolicies);
-
- return toRangerPolicyList(servicePolicies, filter);
-
- } catch(WebApplicationException excp) {
- throw excp;
- } catch (Throwable excp) {
- LOG.error("getServicePolicies(" + serviceName + ") failed", excp);
-
- throw restErrorUtil.createRESTException(excp.getMessage());
- } finally {
- RangerPerfTracer.log(perf);
- }
- }
-
- @GET
- @Path("/policies/download/{serviceName}")
- @Produces({ "application/json" })
- public ServicePolicies getServicePoliciesIfUpdated(
- @PathParam("serviceName") String serviceName,
- @DefaultValue("-1") @QueryParam("lastKnownVersion") Long lastKnownVersion,
- @DefaultValue("0") @QueryParam("lastActivationTime") Long lastActivationTime,
- @QueryParam("pluginId") String pluginId,
- @DefaultValue("") @QueryParam("clusterName") String clusterName,
- @DefaultValue("") @QueryParam("zoneName") String zoneName,
- @DefaultValue("false") @QueryParam("supportsPolicyDeltas") Boolean supportsPolicyDeltas,
- @DefaultValue("") @QueryParam("pluginCapabilities") String pluginCapabilities,
- @Context HttpServletRequest request) throws Exception {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceREST.getServicePoliciesIfUpdated("
- + serviceName + ", " + lastKnownVersion + ", "
- + lastActivationTime + ", " + pluginId + ", "
- + clusterName + ", " + supportsPolicyDeltas + ")");
- }
-
- ServicePolicies ret = null;
- int httpCode = HttpServletResponse.SC_OK;
- String logMsg = null;
- RangerPerfTracer perf = null;
- Long downloadedVersion = null;
- boolean isValid = false;
-
- try {
- bizUtil.failUnauthenticatedDownloadIfNotAllowed();
-
- isValid = serviceUtil.isValidateHttpsAuthentication(serviceName, request);
- } catch (WebApplicationException webException) {
- httpCode = webException.getResponse().getStatus();
- logMsg = webException.getResponse().getEntity().toString();
- } catch (Exception e) {
- httpCode = HttpServletResponse.SC_BAD_REQUEST;
- logMsg = e.getMessage();
- }
-
- if (isValid) {
- try {
- if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
- perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServicePoliciesIfUpdated(serviceName=" + serviceName + ",lastKnownVersion=" + lastKnownVersion + ",lastActivationTime=" + lastActivationTime + ")");
- }
- ret = svcStore.getServicePoliciesIfUpdated(serviceName, lastKnownVersion, !supportsPolicyDeltas);
-
- if (ret == null) {
- downloadedVersion = lastKnownVersion;
- httpCode = HttpServletResponse.SC_NOT_MODIFIED;
- logMsg = "No change since last update";
- } else {
- downloadedVersion = ret.getPolicyVersion();
- httpCode = HttpServletResponse.SC_OK;
- logMsg = "Returning " + (ret.getPolicies() != null ? ret.getPolicies().size() : (ret.getPolicyDeltas() != null ? ret.getPolicyDeltas().size() : 0)) + " policies. Policy version=" + ret.getPolicyVersion();
- }
- } catch (Throwable excp) {
- LOG.error("getServicePoliciesIfUpdated(" + serviceName + ", " + lastKnownVersion + ", " + lastActivationTime + ") failed", excp);
-
- httpCode = HttpServletResponse.SC_BAD_REQUEST;
- logMsg = excp.getMessage();
- } finally {
- createPolicyDownloadAudit(serviceName, lastKnownVersion, pluginId, httpCode, clusterName, zoneName, request);
- RangerPerfTracer.log(perf);
- }
- }
- assetMgr.createPluginInfo(serviceName, pluginId, request, RangerPluginInfo.ENTITY_TYPE_POLICIES, downloadedVersion, lastKnownVersion, lastActivationTime, httpCode, clusterName, pluginCapabilities);
-
- if(httpCode != HttpServletResponse.SC_OK) {
- boolean logError = httpCode != HttpServletResponse.SC_NOT_MODIFIED;
- throw restErrorUtil.createRESTException(httpCode, logMsg, logError);
- }
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceREST.getServicePoliciesIfUpdated(" + serviceName + ", " + lastKnownVersion + ", " + lastActivationTime + ", " + pluginId + ", " + clusterName + ", " + supportsPolicyDeltas + "): count=" + ((ret == null || ret.getPolicies() == null) ? 0 : ret.getPolicies().size()));
- }
-
- return ret;
- }
-
- @GET
- @Path("/secure/policies/download/{serviceName}")
- @Produces({ "application/json" })
- public ServicePolicies getSecureServicePoliciesIfUpdated(
- @PathParam("serviceName") String serviceName,
- @DefaultValue("-1") @QueryParam("lastKnownVersion") Long lastKnownVersion,
- @DefaultValue("0") @QueryParam("lastActivationTime") Long lastActivationTime,
- @QueryParam("pluginId") String pluginId,
- @DefaultValue("") @QueryParam("clusterName") String clusterName,
- @DefaultValue("") @QueryParam("zoneName") String zoneName,
- @DefaultValue("false") @QueryParam("supportsPolicyDeltas") Boolean supportsPolicyDeltas,
- @DefaultValue("") @QueryParam("pluginCapabilities") String pluginCapabilities,
- @Context HttpServletRequest request) throws Exception {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceREST.getSecureServicePoliciesIfUpdated("
- + serviceName + ", " + lastKnownVersion + ", "
- + lastActivationTime + ", " + pluginId + ", "
- + clusterName + ", " + supportsPolicyDeltas + ")");
- }
- ServicePolicies ret = null;
- int httpCode = HttpServletResponse.SC_OK;
- String logMsg = null;
- RangerPerfTracer perf = null;
- boolean isAllowed = false;
- boolean isAdmin = bizUtil.isAdmin();
- boolean isKeyAdmin = bizUtil.isKeyAdmin();
- request.setAttribute("downloadPolicy", "secure");
- Long downloadedVersion = null;
- boolean isValid = false;
- try {
- isValid = serviceUtil.isValidService(serviceName, request);
- } catch (WebApplicationException webException) {
- httpCode = webException.getResponse().getStatus();
- logMsg = webException.getResponse().getEntity().toString();
- } catch (Exception e) {
- httpCode = HttpServletResponse.SC_BAD_REQUEST;
- logMsg = e.getMessage();
- }
-
- if (isValid) {
- try {
- if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
- perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getSecureServicePoliciesIfUpdated(serviceName=" + serviceName + ",lastKnownVersion=" + lastKnownVersion + ",lastActivationTime=" + lastActivationTime + ")");
- }
- XXService xService = daoManager.getXXService().findByName(serviceName);
- XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType());
- RangerService rangerService = null;
-
- if (StringUtils.equals(xServiceDef.getImplclassname(), EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) {
- rangerService = svcStore.getServiceByNameForDP(serviceName);
- if (isKeyAdmin) {
- isAllowed = true;
- } else {
- if (rangerService != null) {
- isAllowed = bizUtil.isUserAllowed(rangerService, Allowed_User_List_For_Download);
- if (!isAllowed) {
- isAllowed = bizUtil.isUserAllowed(rangerService, Allowed_User_List_For_Grant_Revoke);
- }
- }
- }
- } else {
- rangerService = svcStore.getServiceByName(serviceName);
- if (isAdmin) {
- isAllowed = true;
- } else {
- if (rangerService != null) {
- isAllowed = bizUtil.isUserAllowed(rangerService, Allowed_User_List_For_Download);
- if (!isAllowed) {
- isAllowed = bizUtil.isUserAllowed(rangerService, Allowed_User_List_For_Grant_Revoke);
- }
- }
- }
- }
- if (isAllowed) {
- ret = svcStore.getServicePoliciesIfUpdated(serviceName, lastKnownVersion, !supportsPolicyDeltas);
- if (ret == null) {
- downloadedVersion = lastKnownVersion;
- httpCode = HttpServletResponse.SC_NOT_MODIFIED;
- logMsg = "No change since last update";
- } else {
- downloadedVersion = ret.getPolicyVersion();
-
- httpCode = HttpServletResponse.SC_OK;
- logMsg = "Returning " + (ret.getPolicies() != null ? ret.getPolicies().size() : (ret.getPolicyDeltas() != null ? ret.getPolicyDeltas().size() : 0)) + " policies. Policy version=" + ret.getPolicyVersion();
- }
-
- } else {
- LOG.error("getSecureServicePoliciesIfUpdated(" + serviceName + ", " + lastKnownVersion + ") failed as User doesn't have permission to download Policy");
- httpCode = HttpServletResponse.SC_FORBIDDEN; // assert user is authenticated.
- logMsg = "User doesn't have permission to download policy";
- }
- } catch (Throwable excp) {
- LOG.error("getSecureServicePoliciesIfUpdated(" + serviceName + ", " + lastKnownVersion + ", " + lastActivationTime + ") failed", excp);
- httpCode = HttpServletResponse.SC_BAD_REQUEST;
- logMsg = excp.getMessage();
- } finally {
- createPolicyDownloadAudit(serviceName, lastKnownVersion, pluginId, httpCode, clusterName, zoneName, request);
- RangerPerfTracer.log(perf);
- }
- }
- assetMgr.createPluginInfo(serviceName, pluginId, request, RangerPluginInfo.ENTITY_TYPE_POLICIES, downloadedVersion, lastKnownVersion, lastActivationTime, httpCode, clusterName, pluginCapabilities);
-
- if (httpCode != HttpServletResponse.SC_OK) {
- boolean logError = httpCode != HttpServletResponse.SC_NOT_MODIFIED;
- throw restErrorUtil.createRESTException(httpCode, logMsg, logError);
- }
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceREST.getSecureServicePoliciesIfUpdated(" + serviceName + ", " + lastKnownVersion + ", " + lastActivationTime + ", " + pluginId + ", " + clusterName + ", " + supportsPolicyDeltas + "): count=" + ((ret == null || ret.getPolicies() == null) ? 0 : ret.getPolicies().size()));
- }
- return ret;
- }
-
- @DELETE
- @Path("/server/policydeltas")
- @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
- public void deletePolicyDeltas(@DefaultValue("7") @QueryParam("days") Integer olderThan, @Context HttpServletRequest request) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceREST.deletePolicyDeltas(" + olderThan + ")");
- }
-
- svcStore.resetPolicyUpdateLog(olderThan, RangerPolicyDelta.CHANGE_TYPE_INVALIDATE_POLICY_DELTAS);
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceREST.deletePolicyDeltas(" + olderThan + ")");
- }
- }
-
- @DELETE
- @Path("/server/purgepolicies/{serviceName}")
- @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
- public void purgeEmptyPolicies(@PathParam("serviceName") String serviceName, @Context HttpServletRequest request) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceREST.purgeEmptyPolicies(" + serviceName + ")");
- }
-
- if (serviceName == null) {
- throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST , "Invalid service name", true);
- }
-
- RangerPerfTracer perf = null;
-
- try {
- if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
- perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.purgeEmptyPolicies(serviceName=" + serviceName + ")");
- }
-
- if (svcStore.getServiceByName(serviceName) == null) {
- throw new Exception("service does not exist - name=" + serviceName);
- }
-
- ServicePolicies servicePolicies = svcStore.getServicePolicies(serviceName, -1L);
- if (servicePolicies != null && CollectionUtils.isNotEmpty(servicePolicies.getPolicies())) {
- for (RangerPolicy policy : servicePolicies.getPolicies()) {
- if (CollectionUtils.isEmpty(PolicyRefUpdater.getAllPolicyItems(policy))) {
- deletePolicy(policy.getId());
- }
- }
- }
- } catch(WebApplicationException excp) {
- throw excp;
- } catch(Throwable excp) {
- LOG.error("purgeEmptyPolicies(" + serviceName + ") failed", excp);
-
- throw restErrorUtil.createRESTException(excp.getMessage());
- } finally {
- RangerPerfTracer.log(perf);
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceREST.purgeEmptyPolicies(" + serviceName + ")");
- }
- }
-
- private void createPolicyDownloadAudit(String serviceName, Long lastKnownVersion, String pluginId, int httpRespCode, String clusterName, String zoneName, HttpServletRequest request) {
- try {
- String ipAddress = request.getHeader("X-FORWARDED-FOR");
-
- if (ipAddress == null) {
- ipAddress = request.getRemoteAddr();
- }
-
- XXPolicyExportAudit policyExportAudit = new XXPolicyExportAudit();
-
- policyExportAudit.setRepositoryName(serviceName);
- policyExportAudit.setAgentId(pluginId);
- policyExportAudit.setClientIP(ipAddress);
- policyExportAudit.setRequestedEpoch(lastKnownVersion);
- policyExportAudit.setHttpRetCode(httpRespCode);
- policyExportAudit.setClusterName(clusterName);
- policyExportAudit.setZoneName(zoneName);
- assetMgr.createPolicyAudit(policyExportAudit);
- } catch(Exception excp) {
- LOG.error("error while creating policy download audit", excp);
- }
- }
-
- private RangerPolicy getExactMatchPolicyForResource(String serviceName, RangerAccessResource resource, String zoneName, String user) throws Exception {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceREST.getExactMatchPolicyForResource(" + resource + ", " + zoneName + ", " + user + ")");
- }
-
- RangerPolicy ret = null;
- RangerPolicyAdmin policyAdmin = getPolicyAdmin(serviceName);
- List policies = policyAdmin != null ? policyAdmin.getExactMatchPolicies(resource, zoneName, null) : null;
-
- if(CollectionUtils.isNotEmpty(policies)) {
- // at this point, ret is a policy in policy-engine; the caller might update the policy (for grant/revoke); so get a copy from the store
- ret = svcStore.getPolicy(policies.get(0).getId());
- }
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceREST.getExactMatchPolicyForResource(" + resource + ", " + zoneName + ", " + user + "): " + ret);
- }
-
- return ret;
- }
-
- private RangerPolicy getExactMatchPolicyForResource(RangerPolicy policy, String user) throws Exception {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceREST.getExactMatchPolicyForResource(" + policy + ", " + user + ")");
- }
-
- RangerPolicy ret = null;
- RangerPolicyAdmin policyAdmin = getPolicyAdmin(policy.getService());
- List policies = policyAdmin != null ? policyAdmin.getExactMatchPolicies(policy, null) : null;
-
- if(CollectionUtils.isNotEmpty(policies)) {
- // at this point, ret is a policy in policy-engine; the caller might update the policy (for grant/revoke); so get a copy from the store
- if(policies.size()==1) {
- ret = svcStore.getPolicy(policies.get(0).getId());
- } else {
- if (StringUtils.isNotEmpty(policy.getZoneName())) {
- for(RangerPolicy existingPolicy:policies) {
- if (StringUtils.equals(policy.getZoneName(), existingPolicy.getZoneName())) {
- ret = svcStore.getPolicy(existingPolicy.getId());
- break;
- }
- }
- }
- }
- }
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceREST.getExactMatchPolicyForResource(" + policy + ", " + user + "): " + ret);
- }
-
- return ret;
- }
-
- @GET
- @Path("/policies/eventTime")
- @Produces({ "application/json" })
- @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_POLICY_FROM_EVENT_TIME + "\")")
- public RangerPolicy getPolicyFromEventTime(@Context HttpServletRequest request) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceREST.getPolicyFromEventTime()");
- }
-
- String eventTimeStr = request.getParameter("eventTime");
- String policyIdStr = request.getParameter("policyId");
- String versionNoStr = request.getParameter("versionNo");
-
- if (StringUtils.isEmpty(eventTimeStr) || StringUtils.isEmpty(policyIdStr)) {
- throw restErrorUtil.createRESTException("EventTime or policyId cannot be null or empty string.",
- MessageEnums.INVALID_INPUT_DATA);
- }
-
- Long policyId = Long.parseLong(policyIdStr);
-
- RangerPolicy policy=null;
-
- if (!StringUtil.isEmpty(versionNoStr)) {
- int policyVersion = Integer.parseInt(versionNoStr);
- try {
- policy = svcStore.getPolicyForVersionNumber(policyId, policyVersion);
- if (policy != null) {
- ensureAdminAndAuditAccess(policy);
- }
- } catch (WebApplicationException excp) {
- throw excp;
- } catch (Throwable excp) {
- // Ignore any other exception and go for fetching the policy by eventTime
- }
- }
-
- if (policy == null) {
- try {
- policy = svcStore.getPolicyFromEventTime(eventTimeStr, policyId);
- if (policy != null) {
- ensureAdminAndAuditAccess(policy);
- }
- } catch (WebApplicationException excp) {
- throw excp;
- } catch (Throwable excp) {
- LOG.error("getPolicy(" + policyId + ") failed", excp);
-
- throw restErrorUtil.createRESTException(excp.getMessage());
- }
- }
-
- if(policy == null) {
- throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "Not found", true);
- }
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceREST.getPolicy(" + policyId + "): " + policy);
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceREST.getPolicyFromEventTime()");
- }
-
- return policy;
- }
-
- @GET
- @Path("/policy/{policyId}/versionList")
- @Produces({ "application/json" })
- @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_POLICY_VERSION_LIST + "\")")
- public VXString getPolicyVersionList(@PathParam("policyId") Long policyId) {
-
- VXString policyVersionListStr = svcStore.getPolicyVersionList(policyId);
-
- return policyVersionListStr;
- }
-
- @GET
- @Path("/policy/{policyId}/version/{versionNo}")
- @Produces({ "application/json" })
- @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_POLICY_FOR_VERSION_NO + "\")")
- public RangerPolicy getPolicyForVersionNumber(@PathParam("policyId") Long policyId,
- @PathParam("versionNo") int versionNo) {
- RangerPolicy policy = svcStore.getPolicyForVersionNumber(policyId, versionNo);
- if (policy != null) {
- ensureAdminAndAuditAccess(policy);
- }
- return policy;
- }
-
- @GET
- @Path("/plugins/info")
- @Produces({ "application/json" })
- @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_PLUGINS_INFO + "\")")
- public RangerPluginInfoList getPluginsInfo(@Context HttpServletRequest request) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceREST.getPluginsInfo()");
- }
-
- RangerPluginInfoList ret = null;
-
- SearchFilter filter = searchUtil.getSearchFilter(request, pluginInfoService.getSortFields());
-
- try {
- PList paginatedPluginsInfo = pluginInfoService.searchRangerPluginInfo(filter);
- if (paginatedPluginsInfo != null) {
- ret = new RangerPluginInfoList();
-
- ret.setPluginInfoList(paginatedPluginsInfo.getList());
- ret.setPageSize(paginatedPluginsInfo.getPageSize());
- ret.setResultSize(paginatedPluginsInfo.getResultSize());
- ret.setStartIndex(paginatedPluginsInfo.getStartIndex());
- ret.setTotalCount(paginatedPluginsInfo.getTotalCount());
- ret.setSortBy(paginatedPluginsInfo.getSortBy());
- ret.setSortType(paginatedPluginsInfo.getSortType());
- }
- } catch (WebApplicationException excp) {
- throw excp;
- } catch (Throwable excp) {
- LOG.error("getPluginsInfo() failed", excp);
-
- throw restErrorUtil.createRESTException(excp.getMessage());
- }
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceREST.getPluginsInfo()");
- }
-
- return ret;
- }
-
- private List applyAdminAccessFilter(List policies) {
- List ret = new ArrayList();
- RangerPerfTracer perf = null;
-
- if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
- perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.applyAdminAccessFilter(policyCount=" + (policies == null ? 0 : policies.size()) + ")");
- }
-
- if (CollectionUtils.isNotEmpty(policies)) {
- boolean isAdmin = bizUtil.isAdmin();
- boolean isKeyAdmin = bizUtil.isKeyAdmin();
- String userName = bizUtil.getCurrentUserLoginId();
- boolean isAuditAdmin = bizUtil.isAuditAdmin();
- boolean isAuditKeyAdmin = bizUtil.isAuditKeyAdmin();
- Set userGroups = null;
-
- Map> servicePoliciesMap = new HashMap>();
- Map evalContext = new HashMap<>();
-
- RangerAccessRequestUtil.setCurrentUserInContext(evalContext, userName);
-
- for (int i = 0; i < policies.size(); i++) {
- RangerPolicy policy = policies.get(i);
- String serviceName = policy.getService();
- List policyList = servicePoliciesMap.get(serviceName);
-
- if (policyList == null) {
- policyList = new ArrayList();
-
- servicePoliciesMap.put(serviceName, policyList);
- }
- policyList.add(policy);
- }
-
- for (Entry> entry : servicePoliciesMap.entrySet()) {
- String serviceName = entry.getKey();
- List listToFilter = entry.getValue();
-
- if (CollectionUtils.isNotEmpty(listToFilter)) {
- boolean isServiceAdminUser = svcStore.isServiceAdminUser(serviceName, userName);
- if (isServiceAdminUser) {
- ret.addAll(listToFilter);
- continue;
- } else if (isAdmin || isKeyAdmin || isAuditAdmin || isAuditKeyAdmin) {
- XXService xService = daoManager.getXXService().findByName(serviceName);
- Long serviceDefId = xService.getType();
- boolean isKmsService = serviceDefId.equals(EmbeddedServiceDefsUtil.instance().getKmsServiceDefId());
-
- if (isAdmin) {
- if (!isKmsService) {
- ret.addAll(listToFilter);
- }
- } else if (isAuditAdmin) {
- if (!isKmsService) {
- ret.addAll(listToFilter);
- }
- } else if (isAuditKeyAdmin) {
- if (isKmsService) {
- ret.addAll(listToFilter);
- }
- } else if (isKeyAdmin) {
- if (isKmsService) {
- ret.addAll(listToFilter);
- }
- }
- continue;
- }
-
- RangerPolicyAdmin policyAdmin = getPolicyAdminForDelegatedAdmin(serviceName);
-
- if (policyAdmin != null) {
- if(userGroups == null) {
- userGroups = daoManager.getXXGroupUser().findGroupNamesByUserName(userName);
- }
-
- Set roles = policyAdmin.getRolesFromUserAndGroups(userName, userGroups);
-
- for (RangerPolicy policy : listToFilter) {
- if ((policyAdmin.isDelegatedAdminAccessAllowedForRead(policy, userName, userGroups, roles, evalContext))
- || (!StringUtils.isEmpty(policy.getZoneName()) && (serviceMgr.isZoneAdmin(policy.getZoneName()) || serviceMgr.isZoneAuditor(policy.getZoneName())))) {
- ret.add(policy);
- }
- }
- }
-
- }
- }
- }
-
- RangerPerfTracer.log(perf);
-
- return ret;
- }
-
- void ensureAdminAccess(RangerPolicy policy) {
- blockIfGdsService(policy.getService());
-
- boolean isAdmin = bizUtil.isAdmin();
- boolean isKeyAdmin = bizUtil.isKeyAdmin();
- String userName = bizUtil.getCurrentUserLoginId();
- boolean isSvcAdmin = isAdmin || svcStore.isServiceAdminUser(policy.getService(), userName);
-
- if (!isAdmin && !isKeyAdmin && !isSvcAdmin) {
- boolean isAllowed = false;
-
- Set userGroups = userMgr.getGroupsForUser(userName);
-
- //for zone policy create /update / delete
- if(!StringUtils.isEmpty(policy.getZoneName()) && serviceMgr.isZoneAdmin(policy.getZoneName())){
- isAllowed = true;
- }else{
- isAllowed = hasAdminAccess(policy, userName, userGroups);
- }
-
-
-
- if (!isAllowed) {
- throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN,
- "User '" + userName + "' does not have delegated-admin privilege on given resources", true);
- }
- } else {
-
- XXService xService = daoManager.getXXService().findByName(policy.getService());
- XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType());
-
- if (isAdmin) {
- if (EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(xServiceDef.getImplclassname())) {
- throw restErrorUtil.createRESTException(
- "KMS Policies/Services/Service-Defs are not accessible for user '" + userName + "'.",
- MessageEnums.OPER_NO_PERMISSION);
- }
- } else if (isKeyAdmin) {
- if (!EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(xServiceDef.getImplclassname())) {
- throw restErrorUtil.createRESTException(
- "Only KMS Policies/Services/Service-Defs are accessible for user '" + userName + "'.",
- MessageEnums.OPER_NO_PERMISSION);
- }
- }
- }
- }
-
- public void blockIfGdsService(String serviceName) {
- String serviceType = daoManager.getXXServiceDef().findServiceDefTypeByServiceName(serviceName);
-
- if (EMBEDDED_SERVICEDEF_GDS_NAME.equals(serviceType)) {
- throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, EMBEDDED_SERVICEDEF_GDS_NAME.toUpperCase() + " policies can't be managed via this API", true);
- }
- }
-
- private RangerPolicyEngineOptions getDelegatedAdminPolicyEngineOptions() {
- RangerPolicyEngineOptions opts = new RangerPolicyEngineOptions();
-
- final String propertyPrefix = "ranger.admin";
-
- opts.configureDelegateAdmin(config, propertyPrefix);
-
- return opts;
- }
-
- private RangerPolicyEngineOptions getPolicySearchRangerAdminPolicyEngineOptions() {
- RangerPolicyEngineOptions opts = new RangerPolicyEngineOptions();
-
- final String propertyPrefix = "ranger.admin";
-
- opts.configureRangerAdminForPolicySearch(config, propertyPrefix);
- return opts;
- }
-
- private RangerPolicyEngineOptions getDefaultRangerAdminPolicyEngineOptions() {
- RangerPolicyEngineOptions opts = new RangerPolicyEngineOptions();
-
- final String propertyPrefix = "ranger.admin";
-
- opts.configureDefaultRangerAdmin(config, propertyPrefix);
- return opts;
- }
-
- private boolean hasAdminAccess(RangerPolicy policy, String userName, Set userGroups) {
- boolean isAllowed = false;
- RangerPolicyAdmin policyAdmin = getPolicyAdminForDelegatedAdmin(policy.getService());
-
- if(policyAdmin != null) {
- Map evalContext = new HashMap<>();
- RangerAccessRequestUtil.setCurrentUserInContext(evalContext, userName);
-
- Set roles = policyAdmin.getRolesFromUserAndGroups(userName, userGroups);
-
- isAllowed = policyAdmin.isDelegatedAdminAccessAllowedForModify(policy, userName, userGroups, roles, evalContext);
- }
-
- return isAllowed;
- }
- private boolean hasAdminAccess(String serviceName, String zoneName, String userName, Set userGroups, RangerAccessResource resource, Set accessTypes) {
- boolean isAllowed = false;
-
- RangerPolicyAdmin policyAdmin = getPolicyAdminForDelegatedAdmin(serviceName);
-
- if(policyAdmin != null) {
- isAllowed = CollectionUtils.isNotEmpty(accessTypes) && policyAdmin.isDelegatedAdminAccessAllowed(resource, zoneName, userName, userGroups, accessTypes);
- }
-
- return isAllowed;
- }
-
- public RangerPolicyAdmin getPolicyAdminForDelegatedAdmin(String serviceName) {
- return RangerPolicyAdminCacheForEngineOptions.getInstance().getServicePoliciesAdmin(serviceName, svcStore, zoneStore, roleDBStore, delegateAdminOptions);
- }
-
- private RangerPolicyAdmin getPolicyAdminForSearch(String serviceName) {
- return RangerPolicyAdminCacheForEngineOptions.getInstance().getServicePoliciesAdmin(serviceName, svcStore, zoneStore, roleDBStore, policySearchAdminOptions);
- }
-
- private RangerPolicyAdmin getPolicyAdmin(String serviceName) {
- return RangerPolicyAdminCacheForEngineOptions.getInstance().getServicePoliciesAdmin(serviceName, svcStore, zoneStore,roleDBStore, defaultAdminOptions);
- }
+ @DELETE
+ @Path("/definitions/{id}")
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_SERVICE_DEF + "\")")
+ public void deleteServiceDef(@PathParam("id") Long id, @Context HttpServletRequest request) {
+ LOG.debug("==> ServiceREST.deleteServiceDef({})", id);
- public List getPoliciesWithMetaAttributes(List policies) {
- return svcStore.getPoliciesWithMetaAttributes(policies);
- }
+ RangerPerfTracer perf = null;
- @GET
- @Path("/checksso")
- @Produces(MediaType.TEXT_PLAIN)
- public String checkSSO() {
- return String.valueOf(bizUtil.isSSOEnabled());
- }
- - @GET - @Path("/csrfconf") - @Produces({ "application/json"}) - public HashMap getCSRFProperties(@Context HttpServletRequest request) { - return getCSRFPropertiesMap(request); - } + try { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.deleteServiceDef(serviceDefId=" + id + ")"); + } - @GET - @Path("/metrics/type/{type}") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_METRICS_BY_TYPE + "\")") - public String getMetricByType(@PathParam("type") String type) { - if (LOG.isDebugEnabled()) { - LOG.debug("==> ServiceREST.getMetricByType(serviceDefName=" + type + ")"); + RangerServiceDefValidator validator = validatorFactory.getServiceDefValidator(svcStore); + + validator.validate(id, Action.DELETE); + + bizUtil.hasAdminPermissions("Service-Def"); + + XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(id); + + if (xServiceDef != null) { + bizUtil.hasKMSPermissions("Service-Def", xServiceDef.getImplclassname()); + + String forceDeleteStr = request.getParameter("forceDelete"); + boolean forceDelete = !StringUtils.isEmpty(forceDeleteStr) && "true".equalsIgnoreCase(forceDeleteStr); + + svcStore.deleteServiceDef(id, forceDelete); + } else { + LOG.error("Cannot retrieve service-definition:[{}] for deletion", id); + + throw new Exception("deleteServiceDef(" + id + ") failed"); + } + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + LOG.error("deleteServiceDef({}) failed", id, excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + RangerPerfTracer.log(perf); } - // as of now we are allowing only users with Admin role to access this - // API - bizUtil.checkSystemAdminAccess(); - bizUtil.blockAuditorRoleUser(); - String ret = null; + + LOG.debug("<== ServiceREST.deleteServiceDef({})", id); + } + + @GET + @Path("/definitions/{id}") + 
@Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICE_DEF + "\")") + public RangerServiceDef getServiceDef(@PathParam("id") Long id) { + LOG.debug("==> ServiceREST.getServiceDef({})", id); + + RangerServiceDef ret; + RangerPerfTracer perf = null; + try { - ServiceDBStore.METRIC_TYPE metricType = ServiceDBStore.METRIC_TYPE.getMetricTypeByName(type); - if (metricType == null) { - throw restErrorUtil.createRESTException("Metric type="+type+", not supported."); + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServiceDef(serviceDefId=" + id + ")"); } - ret = svcStore.getMetricByType(metricType); + XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(id); + + if (xServiceDef != null) { + if (EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME.equals(xServiceDef.getName())) { + if (!bizUtil.hasModuleAccess(RangerConstants.MODULE_TAG_BASED_POLICIES)) { + throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "User is not having permissions on the tag module.", true); + } + } + + if (!bizUtil.hasAccess(xServiceDef, null)) { + throw restErrorUtil.createRESTException("User is not allowed to access service-def, id: " + xServiceDef.getId(), MessageEnums.OPER_NO_PERMISSION); + } + } + + ret = svcStore.getServiceDef(id); } catch (WebApplicationException excp) { throw excp; } catch (Throwable excp) { - LOG.error("getMetricByType(" + type + ") failed", excp); + LOG.error("getServiceDef({}) failed", id, excp); + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + RangerPerfTracer.log(perf); } + if (ret == null) { throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "Not found", true); } - if (LOG.isDebugEnabled()) { - LOG.debug("<== ServiceREST.getMetricByType(" + type + "): " + ret); - } + LOG.debug("<== ServiceREST.getServiceDef({}): {}", id, ret); + return ret; } - 
/** - * Delete services/ repos associated with cluster. - * Only users with Ranger UserAdmin OR KeyAdmin are allowed to access this API. - * @param clusterName - * @return List of {@link ServiceDeleteResponse serviceDeleteResponse}. - */ - @DELETE - @Path("/cluster-services/{clusterName}") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_CLUSTER_SERVICES + "\")") - public ResponseEntity> deleteClusterServices(@PathParam("clusterName") String clusterName) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> ServiceREST.deleteClusterServices("+ clusterName +")"); - } - - List deletedServices = new ArrayList<>(); - HttpStatus responseStatus = HttpStatus.OK; - - try { - //check if user has ADMIN privileges - bizUtil.hasAdminPermissions("Services"); - - //get all service/ repo IDs to delete - List serviceIdsToBeDeleted = daoManager.getXXServiceConfigMap().findServiceIdsByClusterName(clusterName); - - if (serviceIdsToBeDeleted.isEmpty()) { - responseStatus = HttpStatus.NOT_FOUND; - } else { - //delete each service/ repo one by one - for (Long serviceId : serviceIdsToBeDeleted) { - ServiceDeleteResponse deleteResponse = new ServiceDeleteResponse(serviceId); - try { - String serviceName = this.deleteServiceById(serviceId); - deleteResponse.setServiceName(serviceName); - deleteResponse.setIsDeleted(Boolean.TRUE); - } catch (Throwable e) { - //log and proceed - LOG.warn("Skipping deletion of service with ID="+serviceId); - e.printStackTrace(); - deleteResponse.setIsDeleted(Boolean.FALSE); - deleteResponse.setErrorMsg(e.getMessage()); - } - deletedServices.add(deleteResponse); - - } - } - } catch(WebApplicationException excp) { - throw excp; - } catch(Throwable excp) { - LOG.error("Deleting services associated with cluster=" + clusterName + " failed.", excp); - - throw restErrorUtil.createRESTException(excp.getMessage()); - } - - if(LOG.isDebugEnabled()) { - LOG.debug("<== 
ServiceREST.deleteClusterServices() - deletedServices: " +deletedServices); - } - - return new ResponseEntity<>(deletedServices, responseStatus); - } - - @GET - @Path("/policies/guid/{guid}") - @Produces({ "application/json" }) - public RangerPolicy getPolicyByGUIDAndServiceNameAndZoneName(@PathParam("guid") String guid, - @DefaultValue("") @QueryParam("serviceName") String serviceName, - @DefaultValue("") @QueryParam("zoneName") String zoneName) { - if (LOG.isDebugEnabled()) { - LOG.debug("==> ServiceREST.getPolicyByGUIDAndServiceNameAndZoneName(" + guid + ", " + serviceName + ", " + zoneName + ")"); - } - RangerPolicy ret = null; - RangerPerfTracer perf = null; - try { - if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { - perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getPolicyByGUIDAndServiceNameAndZoneName(policyGUID=" + guid + ", serviceName="+ serviceName + ", zoneName="+ zoneName + ")"); - } - ret = svcStore.getPolicy(guid, serviceName, zoneName); - if (ret != null) { - ensureAdminAndAuditAccess(ret); - } - } catch (WebApplicationException excp) { - throw excp; - } catch (Throwable excp) { - LOG.error("getPolicyByGUIDAndServiceNameAndZoneName(" + guid + "," + serviceName + ", " + zoneName + ") failed", excp); - throw restErrorUtil.createRESTException(excp.getMessage()); - } finally { - RangerPerfTracer.log(perf); - } - if (ret == null) { - throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "Not found", true); - } - if (LOG.isDebugEnabled()) { - LOG.debug("<== ServiceREST.getPolicyByGUIDAndServiceNameAndZoneName(" + guid + ", " + serviceName + ", " + zoneName +"): " + ret); - } - return ret; - } - - @DELETE - @Path("/policies/guid/{guid}") - public void deletePolicyByGUIDAndServiceNameAndZoneName(@PathParam("guid") String guid, - @DefaultValue("") @QueryParam("serviceName") String serviceName, - @DefaultValue("") @QueryParam("zoneName") String zoneName) { - if (LOG.isDebugEnabled()) { - LOG.debug("==> 
ServiceREST.deletePolicyByGUIDAndServiceNameAndZoneName(" + guid + ", " + serviceName + ", " + zoneName +")"); - } - RangerPolicy ret = null; - RangerPerfTracer perf = null; - try { - if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { - perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.deletePolicyByGUIDAndServiceNameAndZoneName(policyGUID=" + guid + ", serviceName="+ serviceName + ", zoneName="+ zoneName +")"); - } - ret = getPolicyByGUIDAndServiceNameAndZoneName(guid, serviceName, zoneName); - if (ret != null) { - deletePolicy(ret.getId()); - } - } catch (WebApplicationException excp) { - throw excp; - } catch (Throwable excp) { - LOG.error("deletePolicyByGUIDAndServiceNameAndZoneName(" + guid + "," + serviceName + ", " + zoneName + ") failed", excp); - throw restErrorUtil.createRESTException(excp.getMessage()); - } finally { - RangerPerfTracer.log(perf); - } - if (LOG.isDebugEnabled()) { - LOG.debug("<== ServiceREST.deletePolicyByGUIDAndServiceNameAndZoneName(" + guid + ", " + serviceName + ", " + zoneName +")"); - } - } - - @DELETE - @Path("/server/purge/records") - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - public List purgeRecords(@QueryParam("type") String recordType, @DefaultValue("180") @QueryParam("retentionDays") Integer olderThan, @Context HttpServletRequest request) { - if (LOG.isDebugEnabled()) { - LOG.debug("==> ServiceREST.purgeRecords(" + recordType + ", " + olderThan + ")"); - } - - List ret = new ArrayList<>(); - RangerPerfTracer perf = null; - - try { - if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { - perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.purgeRecords(recordType=" + recordType + ", olderThan=" + olderThan + ")"); - } - - if (olderThan < 1) { - throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, "Retention days can't be lesser than 1", true); - } - - if (PURGE_RECORD_TYPE_LOGIN_LOGS.equalsIgnoreCase(recordType)) { - svcStore.removeAuthSessions(olderThan, ret); - } else if 
(PURGE_RECORD_TYPE_TRX_LOGS.equalsIgnoreCase(recordType)) { - svcStore.removeTransactionLogs(olderThan, ret); - } else if (PURGE_RECORD_TYPE_POLICY_EXPORT_LOGS.equalsIgnoreCase(recordType)) { - svcStore.removePolicyExportLogs(olderThan, ret); - } else { - throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, - recordType + ": invalid record type. Valid values: [ " + PURGE_RECORD_TYPE_LOGIN_LOGS + ", " + PURGE_RECORD_TYPE_TRX_LOGS + ", " + PURGE_RECORD_TYPE_POLICY_EXPORT_LOGS + " ]", - true); - } - } catch (WebApplicationException excp) { - throw excp; - } catch (Throwable excp) { - LOG.error("purgeRecords(" + recordType + ", " + olderThan + ") failed", excp); - throw restErrorUtil.createRESTException(excp.getMessage()); - } finally { - RangerPerfTracer.log(perf); - } - - if (LOG.isDebugEnabled()) { - LOG.debug("<== ServiceREST.purgeRecords(" + recordType + ", " + olderThan + "): ret=" + ret); - } - - return ret; - } - - public RangerPolicyResource getPolicyResource(Object resourceName, GrantRevokeRequest grantRequest) { - RangerPolicyResource ret; - if (resourceName instanceof List) { - List resourceValues = (List) resourceName; - ret = new RangerPolicyResource(resourceValues, false, grantRequest.getIsRecursive()); - } else { - ret = new RangerPolicyResource((String) resourceName); - ret.setIsRecursive(grantRequest.getIsRecursive()); - } - return ret; - } - - public static Map getAccessResourceObjectMap(Map map) { - Map ret = null; - - if (map != null) { - ret = new HashMap<>(map.size()); - - for (Map.Entry e : map.entrySet()) { - if (e.getValue().contains(",")) { - List values = Arrays.asList(e.getValue().split(",")); - ret.put(e.getKey(),values); - } else { - ret.put(e.getKey(), e.getValue()); - } - } - } - - return ret; - } - - private HashMap getCSRFPropertiesMap(HttpServletRequest request) { - HashMap map = new HashMap(); - map.put(isCSRF_ENABLED, PropertiesUtil.getBooleanProperty(isCSRF_ENABLED, true)); - map.put(CUSTOM_HEADER_PARAM, 
PropertiesUtil.getProperty(CUSTOM_HEADER_PARAM, RangerCSRFPreventionFilter.HEADER_DEFAULT)); - map.put(BROWSER_USER_AGENT_PARAM, PropertiesUtil.getProperty(BROWSER_USER_AGENT_PARAM, RangerCSRFPreventionFilter.BROWSER_USER_AGENTS_DEFAULT)); - map.put(CUSTOM_METHODS_TO_IGNORE_PARAM, PropertiesUtil.getProperty(CUSTOM_METHODS_TO_IGNORE_PARAM, RangerCSRFPreventionFilter.METHODS_TO_IGNORE_DEFAULT)); - map.put(RangerCSRFPreventionFilter.CSRF_TOKEN, getCSRFToken(request)); - return map; - } - - private static String getCSRFToken(HttpServletRequest request) { - String salt = (String) request.getSession().getAttribute(RangerCSRFPreventionFilter.CSRF_TOKEN); - if (StringUtils.isEmpty(salt)) { - final int tokenLength = PropertiesUtil.getIntProperty(CSRF_TOKEN_LENGTH, 20); - salt = RandomStringUtils.random(tokenLength, 0, 0, true, true, null, new SecureRandom()); - request.getSession().setAttribute(RangerCSRFPreventionFilter.CSRF_TOKEN, salt); - } - return salt; - } - - private RangerPolicyList toRangerPolicyList(List policyList, SearchFilter filter) { - RangerPolicyList ret = new RangerPolicyList(); - - if(CollectionUtils.isNotEmpty(policyList)) { - int totalCount = policyList.size(); - int startIndex = filter.getStartIndex(); - int pageSize = filter.getMaxRows(); - int toIndex = Math.min(startIndex + pageSize, totalCount); - String sortType = filter.getSortType(); - String sortBy = filter.getSortBy(); - - if (StringUtils.isNotEmpty(sortBy) && StringUtils.isNotEmpty(sortType)) { - // By default policyList is sorted by policyId in asc order, So handling only desc case. 
- if (SearchFilter.POLICY_ID.equalsIgnoreCase(sortBy)) { - if (SORT_ORDER.DESC.name().equalsIgnoreCase(sortType)) { - policyList.sort(this.getPolicyComparator(sortBy, sortType)); - } - } else if (SearchFilter.POLICY_NAME.equalsIgnoreCase(sortBy)) { - if (SORT_ORDER.ASC.name().equalsIgnoreCase(sortType)) { - policyList.sort(this.getPolicyComparator(sortBy, sortType)); - } else if (SORT_ORDER.DESC.name().equalsIgnoreCase(sortType)) { - policyList.sort(this.getPolicyComparator(sortBy, sortType)); - } else { - LOG.info("Invalid or Unsupported sortType : " + sortType); - } - } else { - LOG.info("Invalid or Unsupported sortBy property : " + sortBy); - } - } - - List retList = new ArrayList(); - for(int i = startIndex; i < toIndex; i++) { - retList.add(policyList.get(i)); - } - - ret.setPolicies(retList); - ret.setPageSize(pageSize); - ret.setResultSize(retList.size()); - ret.setStartIndex(startIndex); - ret.setTotalCount(totalCount); - ret.setSortBy(sortBy); - ret.setSortType(sortType); - } - - return ret; - } - - private Comparator getPolicyComparator(String sortBy, String sortType) { - Comparator rangerPolComparator = (RangerPolicy me, RangerPolicy other) -> { - int ret = 0; - if (SearchFilter.POLICY_ID.equalsIgnoreCase(sortBy)) { - ret = Long.compare(other.getId(), me.getId()); - } else if (SearchFilter.POLICY_NAME.equalsIgnoreCase(sortBy)) { - if (SORT_ORDER.ASC.name().equalsIgnoreCase(sortType)) { - ret = me.getName().compareTo(other.getName()); - } else if (SORT_ORDER.DESC.name().equalsIgnoreCase(sortType)) { - ret = other.getName().compareTo(me.getName()); - } - } - return ret; - }; - return rangerPolComparator; - } - - private void validateGrantRevokeRequest(GrantRevokeRequest request, final boolean hasAdminPrivilege, final String loggedInUser) { - if (request != null) { - validateUsersGroupsAndRoles(request.getUsers(),request.getGroups(), request.getRoles()); - validateGrantor(request.getGrantor()); - validateGrantees(request.getUsers()); - 
validateGroups(request.getGroups()); - validateRoles(request.getRoles()); - - if (!hasAdminPrivilege) { - if (!StringUtils.equals(request.getGrantor(), loggedInUser) || StringUtils.isNotBlank(request.getOwnerUser())) { - throw restErrorUtil.createGrantRevokeRESTException("Invalid grant/revoke request - contains grantor or userOwner specification"); - } - request.setGrantorGroups(userMgr.getGroupsForUser(request.getGrantor())); - } - } - } - - private void validateUsersGroupsAndRoles(Set users, Set groups, Set roles){ - if(CollectionUtils.isEmpty(users) && CollectionUtils.isEmpty(groups) && CollectionUtils.isEmpty(roles)) { - throw restErrorUtil.createGrantRevokeRESTException("Grantee users/groups/roles list is empty"); - } - } - - private void validateGrantor(String grantor) { - VXUser vxUser = null; - if (grantor != null) { - try { - vxUser = xUserService.getXUserByUserName(grantor); - if (vxUser == null) { - throw restErrorUtil.createGrantRevokeRESTException("Grantor user " + grantor + " doesn't exist"); - } - } catch (Exception e) { - throw restErrorUtil.createGrantRevokeRESTException("Grantor user " + grantor + " doesn't exist"); - } - } - } - - private void validateGrantees(Set grantees) { - VXUser vxUser = null; - for (String userName : grantees) { - try { - vxUser = xUserService.getXUserByUserName(userName); - if (vxUser == null) { - throw restErrorUtil.createGrantRevokeRESTException("Grantee user " + userName + " doesn't exist"); - } - } catch (Exception e) { - throw restErrorUtil.createGrantRevokeRESTException("Grantee user " + userName + " doesn't exist"); - } - } - } - - private void validateGroups(Set groups) { - VXGroup vxGroup = null; - for (String groupName : groups) { - try { - vxGroup = userMgr.getGroupByGroupName(groupName); - if (vxGroup == null) { - throw restErrorUtil.createGrantRevokeRESTException( "Grantee group "+ groupName +" doesn't exist"); - } - } catch (Exception e) { - throw restErrorUtil.createGrantRevokeRESTException( "Grantee group 
"+ groupName +" doesn't exist"); - } - } - } - - private void validateRoles(Set roles) { - XXRole xxRole = null; - for (String role : roles) { - try { - xxRole = daoManager.getXXRole().findByRoleName(role); - if (xxRole == null) { - throw restErrorUtil.createGrantRevokeRESTException( "Grantee role "+ role +" doesn't exist"); - } - } catch (Exception e) { - throw restErrorUtil.createGrantRevokeRESTException( "Grantee role "+ role +" doesn't exist"); - } - } - } - - private Map getOptions(HttpServletRequest request) { - Map ret = null; - if (request != null) { - String isForceRenameOption = request.getParameter(ServiceStore.OPTION_FORCE_RENAME); - if (StringUtils.isNotBlank(isForceRenameOption)) { - ret = new HashMap(); - ret.put(ServiceStore.OPTION_FORCE_RENAME, Boolean.valueOf(isForceRenameOption)); + @GET + @Path("/definitions/name/{name}") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICE_DEF_BY_NAME + "\")") + public RangerServiceDef getServiceDefByName(@PathParam("name") String name) { + LOG.debug("==> ServiceREST.getServiceDefByName(serviceDefName={})", name); + + RangerServiceDef ret; + RangerPerfTracer perf = null; + + try { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServiceDefByName(" + name + ")"); + } + + XXServiceDef xServiceDef = daoManager.getXXServiceDef().findByName(name); + + if (xServiceDef != null) { + if (EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME.equals(xServiceDef.getName())) { + if (!bizUtil.hasModuleAccess(RangerConstants.MODULE_TAG_BASED_POLICIES)) { + throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "User is not having permissions on the tag module", true); + } + } + + if (!bizUtil.hasAccess(xServiceDef, null)) { + throw restErrorUtil.createRESTException("User is not allowed to access service-def: " + xServiceDef.getName(), 
MessageEnums.OPER_NO_PERMISSION); + } } + + ret = svcStore.getServiceDefByName(name); + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + LOG.error("getServiceDefByName({}) failed", name, excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + RangerPerfTracer.log(perf); + } + + if (ret == null) { + throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "Not found", true); } + + LOG.debug("<== ServiceREST.getServiceDefByName({}): {}", name, ret); + return ret; } - - private RangerService hideCriticalServiceDetailsForRoleUser(RangerService rangerService){ - RangerService ret = rangerService; - - ret.setConfigs(null); - ret.setDescription(null); - ret.setCreatedBy(null); - ret.setUpdatedBy(null); - ret.setCreateTime(null); - ret.setUpdateTime(null); - ret.setPolicyVersion(null); - ret.setPolicyUpdateTime(null); - ret.setTagVersion(null); - ret.setTagUpdateTime(null); - ret.setVersion(null); - - return ret; - } - - void ensureAdminAndAuditAccess(RangerPolicy policy) { - ensureAdminAndAuditAccess (policy, new HashMap()); - } - - void ensureAdminAndAuditAccess(RangerPolicy policy, Map mapServiceTypeAndImplClass) { - boolean isAdmin = bizUtil.isAdmin(); - boolean isKeyAdmin = bizUtil.isKeyAdmin(); - String userName = bizUtil.getCurrentUserLoginId(); - boolean isAuditAdmin = bizUtil.isAuditAdmin(); - boolean isAuditKeyAdmin = bizUtil.isAuditKeyAdmin(); - boolean isSvcAdmin = isAdmin || svcStore.isServiceAdminUser(policy.getService(), userName) || (!StringUtils.isEmpty(policy.getZoneName()) && (serviceMgr.isZoneAdmin(policy.getZoneName()) || serviceMgr.isZoneAuditor(policy.getZoneName()))); - if (!isAdmin && !isKeyAdmin && !isSvcAdmin && !isAuditAdmin && !isAuditKeyAdmin) { - boolean isAllowed = false; - - Set userGroups = userMgr.getGroupsForUser(userName); - RangerPolicyAdmin policyAdmin = getPolicyAdminForDelegatedAdmin(policy.getService()); - - if(policyAdmin != null) { - Map 
evalContext = new HashMap<>(); - RangerAccessRequestUtil.setCurrentUserInContext(evalContext, userName); - - Set roles = policyAdmin.getRolesFromUserAndGroups(userName, userGroups); - - isAllowed = policyAdmin.isDelegatedAdminAccessAllowedForRead(policy, userName, userGroups, roles, evalContext); - } - - if (!isAllowed) { - throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "User '" - + userName + "' does not have delegated-admin privilege on given resources", true); - } - } else { - if (StringUtils.isBlank(policy.getServiceType())) { - XXService xService = daoManager.getXXService().findByName(policy.getService()); - XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType()); - mapServiceTypeAndImplClass.put(xServiceDef.getName(), xServiceDef.getImplclassname()); - policy.setServiceType(xServiceDef.getName()); - } else if (!mapServiceTypeAndImplClass.containsKey(policy.getServiceType())) { - XXService xService = daoManager.getXXService().findByName(policy.getService()); - XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType()); - mapServiceTypeAndImplClass.put(xServiceDef.getName(), xServiceDef.getImplclassname()); - } - String serviceDefImplClass = mapServiceTypeAndImplClass.get(policy.getServiceType()); - if (isAdmin || isAuditAdmin) { - if (EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(serviceDefImplClass)) { - throw restErrorUtil.createRESTException( - "KMS Policies/Services/Service-Defs are not accessible for user '" - + userName + "'.", MessageEnums.OPER_NO_PERMISSION); - } - } else if (isKeyAdmin || isAuditKeyAdmin) { - if (!EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(serviceDefImplClass)) { - throw restErrorUtil.createRESTException("Only KMS Policies/Services/Service-Defs are accessible for user '" - + userName + "'.", MessageEnums.OPER_NO_PERMISSION); - } - } - } - } - - private void createOrGetLinkedServices(RangerService resourceService) { - if (LOG.isDebugEnabled()) 
{ - LOG.debug("==> createOrGetLinkedServices(resourceService=" + resourceService.getName() + ")"); - } - - Runnable createAndLinkTagServiceTask = new Runnable() { - @Override - public void run() { - final LinkedServiceCreator creator = new LinkedServiceCreator(resourceService.getName(), EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME); - - creator.doCreateAndLinkService(); - } - }; - - rangerTransactionSynchronizationAdapter.executeOnTransactionCommit(createAndLinkTagServiceTask); - - if (LOG.isDebugEnabled()) { - LOG.debug("<== createOrGetLinkedServices(resourceService=" + resourceService.getName() + ")"); - } - } - - private final class LinkedServiceCreator { - static final char SEP = '_'; - - final String resourceServiceName; - final String linkedServiceType; - final String linkedServiceName; - final boolean isAutoCreate; - final boolean isAutoLink; - - LinkedServiceCreator(@Nonnull String resourceServiceName, @Nonnull String linkedServiceType) { - this.resourceServiceName = resourceServiceName; - this.linkedServiceType = linkedServiceType; - this.linkedServiceName = computeLinkedServiceName(); - this.isAutoCreate = config.getBoolean("ranger." + linkedServiceType + "service.auto.create", true); - this.isAutoLink = config.getBoolean("ranger." 
+ linkedServiceType + "service.auto.link", true); - } - - void doCreateAndLinkService() { - if (LOG.isDebugEnabled()) { - LOG.debug("==> doCreateAndLinkService()"); - } - - RangerService resourceService = null; - - try { - resourceService = svcStore.getServiceByName(resourceServiceName); - LOG.info("Successfully retrieved resource-service:[" + resourceService.getName() + "]"); - } catch (Exception e) { - LOG.error("Resource-service:[" + resourceServiceName + "] cannot be retrieved"); - } - - if (resourceService != null) { - try { - RangerService linkedService = svcStore.getServiceByName(linkedServiceName); - - if (linkedService == null && isAutoCreate) { - linkedService = new RangerService(); - - linkedService.setName(linkedServiceName); - linkedService.setDisplayName(linkedServiceName); //set DEFAULT display name - linkedService.setType(linkedServiceType); - - LOG.info("creating service [" + linkedServiceName + "]"); - - svcStore.createService(linkedService); - } - } catch (Exception e) { - throw new RuntimeException(e); - } - - if (isAutoLink) { - doLinkService(); - } - - } else { - LOG.info("Resource service :[" + resourceServiceName + "] not found! Returning without linking " + linkedServiceType + " service!!"); - } - - if (LOG.isDebugEnabled()) { - LOG.debug("<== doCreateAndLinkService()"); - } - } - - private String computeLinkedServiceName() { - String ret = config.get("ranger." + linkedServiceType + "service.auto.name"); - - if (StringUtils.isBlank(ret)) { - final int lastIndexOfSep = StringUtils.lastIndexOf(resourceServiceName, SEP); - - ret = (lastIndexOfSep != -1) ? 
resourceServiceName.substring(0, lastIndexOfSep) + SEP + linkedServiceType : linkedServiceType; - } - - return ret; - } - - private void doLinkService() { - if (LOG.isDebugEnabled()) { - LOG.debug("==> doLinkTagService()"); - } - - try { - RangerService resourceService = svcStore.getServiceByName(resourceServiceName); - LOG.info("Successfully retrieved resource-service:[" + resourceService.getName() + "]"); - - RangerService linkedService = svcStore.getServiceByName(linkedServiceName); - - if (linkedService == null) { - LOG.error("Failed to link service[" + resourceServiceName + "] with service [" + linkedServiceName + "]: " + linkedServiceName + " not found"); - } else if (EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME.equals(linkedServiceType)) { - LOG.info("Successfully retrieved service:[" + linkedService.getName() + "]"); - - if (!StringUtils.equals(linkedService.getName(), resourceService.getTagService())) { - resourceService.setTagService(linkedService.getName()); - - LOG.info("Linking resource-service[" + resourceService.getName() + "] with tag-service [" + linkedService.getName() + "]"); - - RangerService service = svcStore.updateService(resourceService, null); - - LOG.info("Updated resource-service:[" + service.getName() + "]"); - } - } - } catch (Exception e) { - LOG.error("Failed to link service[" + resourceServiceName + "] with service [" + linkedServiceName + "]"); - } - if (LOG.isDebugEnabled()) { - LOG.debug("<== doLinkTagService()"); - } - } - - @Override - public String toString() { - return "{resourceServiceName=" + resourceServiceName + ", linkedServiceType=" + linkedServiceType + ", isAutoCreate=" + isAutoCreate + ", isAutoLink=" + isAutoLink + "}"; - } - } - - private void deleteExactMatchPolicyForResource(List policies, String user, String zoneName) throws Exception { - if (CollectionUtils.isNotEmpty(policies)) { - long totalDeletedPolicies = 0; - for (RangerPolicy rangerPolicy : policies) { - RangerPolicy existingPolicy = null ; - try 
{ - if(zoneName!=null) { - rangerPolicy.setZoneName(zoneName); - } - existingPolicy = getExactMatchPolicyForResource(rangerPolicy, StringUtils.isNotBlank(user) ? user :"admin"); - } catch (Exception e) { - existingPolicy=null; - } - if (existingPolicy != null) { - svcStore.deletePolicy(existingPolicy, null); - totalDeletedPolicies = totalDeletedPolicies + 1; - if (totalDeletedPolicies % RangerBizUtil.POLICY_BATCH_SIZE == 0) { - bizUtil.bulkModeOnlyFlushAndClear(); - } - if (LOG.isDebugEnabled()) { - LOG.debug("Policy " + rangerPolicy.getName() + " deleted successfully."); - } - } - } - bizUtil.bulkModeOnlyFlushAndClear(); - } - } - - private String getRangerAdminZoneName(String serviceName, GrantRevokeRequest grantRevokeRequest) { - String ret = grantRevokeRequest.getZoneName(); - - if (StringUtils.isEmpty(ret)) { - RangerPolicyAdmin policyAdmin = getPolicyAdmin(serviceName); - if (policyAdmin != null) { - ret = policyAdmin.getUniquelyMatchedZoneName(grantRevokeRequest); - } - } - - return ret; - } - - /** - * Returns {@link RangerPolicy} for non-empty serviceName, policyName and zoneName null otherwise. 
- * @param serviceName - * @param policyName - * @param zoneName - * @return - */ - - public RangerPolicy getPolicyByName(String serviceName, String policyName, String zoneName) { - if (LOG.isDebugEnabled()) { - LOG.debug("==> ServiceREST.getPolicyByName(" + serviceName + "," + policyName + "," + zoneName + ")"); + + @GET + @Path("/definitions") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICE_DEFS + "\")") + public RangerServiceDefList getServiceDefs(@Context HttpServletRequest request) { + LOG.debug("==> ServiceREST.getServiceDefs()"); + + if (!bizUtil.hasModuleAccess(RangerConstants.MODULE_RESOURCE_BASED_POLICIES)) { + throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "User is not having permissions on the " + RangerConstants.MODULE_RESOURCE_BASED_POLICIES + " module.", true); } - RangerPolicy ret = null; - if (StringUtils.isNotBlank(serviceName) && StringUtils.isNotBlank(policyName)) { - XXPolicy dbPolicy = daoManager.getXXPolicy().findPolicy(policyName, serviceName, zoneName); + RangerServiceDefList ret = null; + RangerPerfTracer perf = null; + SearchFilter filter = searchUtil.getSearchFilter(request, serviceDefService.sortFields); + String pageSource = request.getParameter("pageSource"); - if (dbPolicy != null) { - ret = policyService.getPopulatedViewObject(dbPolicy); + if (pageSource != null) { + filter.setParam("pageSource", pageSource); + } + + try { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServiceDefs()"); } - if (ret != null) { - ensureAdminAndAuditAccess(ret); + PList paginatedSvcDefs = svcStore.getPaginatedServiceDefs(filter); + + if (paginatedSvcDefs != null) { + ret = new RangerServiceDefList(); + + ret.setServiceDefs(paginatedSvcDefs.getList()); + ret.setPageSize(paginatedSvcDefs.getPageSize()); + ret.setResultSize(paginatedSvcDefs.getResultSize()); + 
ret.setStartIndex(paginatedSvcDefs.getStartIndex()); + ret.setTotalCount(paginatedSvcDefs.getTotalCount()); + ret.setSortBy(paginatedSvcDefs.getSortBy()); + ret.setSortType(paginatedSvcDefs.getSortType()); } - } + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + LOG.error("getServiceDefs() failed", excp); - if (LOG.isDebugEnabled()) { - LOG.debug("<== ServiceREST.getPolicyByName(" + serviceName + "," + policyName + "," + zoneName + ") " + (ret != null ? ret : "ret is null")); + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + RangerPerfTracer.log(perf); } + + LOG.debug("<== ServiceREST.getServiceDefs(): count={}", (ret == null ? 0 : ret.getListSize())); + return ret; } - private RangerPolicy createPolicyUnconditionally(RangerPolicy policy) throws Exception { - if(LOG.isDebugEnabled()) { - LOG.debug("==> ServiceREST.createPolicyUnconditionally( "+ policy +")"); - } - RangerPolicy ret = null; - if (StringUtils.isBlank(policy.getName())) { - String guid = policy.getGuid(); - if (StringUtils.isBlank(guid)) { - guid = guidUtil.genGUID(); - policy.setGuid(guid); - if (LOG.isDebugEnabled()) { - LOG.debug("No GUID supplied on the policy! Ok, setting GUID to [" + guid + "]."); - } - } - String name = policy.getService() + "-" + guid; - policy.setName(name); - if (LOG.isDebugEnabled()) { - LOG.debug("Policy did not have its name set! 
Ok, setting name to [" + name + "]"); - } - } else if (isPolicyNameLengthValidationEnabled) { - if (policy.getName().length() > maxPolicyNameLength) { - throw restErrorUtil.createRESTException( - "Policy name should not be longer than " + maxPolicyNameLength + " characters", - MessageEnums.INPUT_DATA_OUT_OF_BOUND, null, "policy name", "" + policy.getName()); - } - } - RangerPolicyValidator validator = validatorFactory.getPolicyValidator(svcStore); - validator.validate(policy, Action.CREATE, bizUtil.isAdmin() || isServiceAdmin(policy.getService()) || isZoneAdmin(policy.getZoneName())); - - ensureAdminAccess(policy); - bizUtil.blockAuditorRoleUser(); - - ret = svcStore.createPolicy(policy); - if(LOG.isDebugEnabled()) { - LOG.debug("<== ServiceREST.createPolicyUnconditionally( " + ret + ")"); - } - - return ret; - } - - private RangerPolicy getPolicyMatchByName(RangerPolicy policy, HttpServletRequest request) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> ServiceREST.getPolicyMatchByName( " + policy + ")"); - } - RangerPolicy existingPolicy = null; - String serviceName = request.getParameter(PARAM_SERVICE_NAME); - if (serviceName == null) { - serviceName = (String) request.getAttribute(PARAM_SERVICE_NAME); - } - if (StringUtils.isNotEmpty(serviceName)) { - policy.setService(serviceName); - } - String policyName = request.getParameter(PARAM_POLICY_NAME); - if (policyName == null) { - policyName = (String) request.getAttribute(PARAM_POLICY_NAME); - } - if (StringUtils.isNotEmpty(policyName)) { - policy.setName(StringUtils.trim(policyName)); - } - if (StringUtils.isNotEmpty(serviceName) && StringUtils.isNotEmpty(policyName)) { - String zoneName = request.getParameter(PARAM_ZONE_NAME); - if (StringUtils.isBlank(zoneName)) { - zoneName = (String) request.getAttribute(PARAM_ZONE_NAME); - } - if (StringUtils.isNotBlank(zoneName)) { - policy.setZoneName(StringUtils.trim(zoneName)); - } - existingPolicy = getPolicyByName(policy.getService(), policy.getName(), 
policy.getZoneName()); - } - - if(LOG.isDebugEnabled()) { - LOG.debug("<== ServiceREST.getPolicyMatchByName( " + existingPolicy + ")"); - } - return existingPolicy; - } - - private String deleteServiceById(Long id) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> ServiceREST.deleteServiceById( " + id + ")"); - } - - RangerContextHolder.getOrCreateOpContext().setBulkModeContext(true); - - RangerPerfTracer perf = null; - String deletedServiceName = null; - - try { - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { - perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.deleteService(serviceId=" + id + ")"); - } - RangerServiceValidator validator = validatorFactory.getServiceValidator(svcStore); - validator.validate(id, Action.DELETE); - UserSessionBase session = ContextUtil.getCurrentUserSession(); - if (session != null) { - XXService service = daoManager.getXXService().getById(id); - if (service != null) { - //if logged-in user is not the service creator then check admin priv. - if (!session.getUserId().equals(service.getAddedByUserId())) { - bizUtil.hasAdminPermissions("Services"); - } - EmbeddedServiceDefsUtil embeddedServiceDefsUtil = EmbeddedServiceDefsUtil.instance(); - if (service.getType().equals(embeddedServiceDefsUtil.getTagServiceDefId())) { - List referringServices = daoManager.getXXService().findByTagServiceId(id); - if (!CollectionUtils.isEmpty(referringServices)) { - Set referringServiceNames = new HashSet(); - for (XXService xXService : referringServices) { - referringServiceNames.add(xXService.getName()); - if (referringServiceNames.size() >= 10) { - break; - } - } - if (referringServices.size() <= 10) { - throw restErrorUtil.createRESTException("Tag service '" + service.getName() + "' is being referenced by " + referringServices.size() + " services: " + referringServiceNames, MessageEnums.OPER_NOT_ALLOWED_FOR_STATE); - } else { - throw restErrorUtil.createRESTException("Tag service '" + service.getName() + "' is being referenced by " + 
referringServices.size() + " services: " + referringServiceNames + " and more..", MessageEnums.OPER_NOT_ALLOWED_FOR_STATE); - } - } - } - XXServiceDef xxServiceDef = daoManager.getXXServiceDef().getById(service.getType()); - if (!session.getUserId().equals(service.getAddedByUserId())) { - bizUtil.hasKMSPermissions("Service", xxServiceDef.getImplclassname()); - bizUtil.blockAuditorRoleUser(); - } - - tagStore.deleteAllTagObjectsForService(service.getName()); - - deletedServiceName = service.getName(); - - svcStore.deleteService(id); - } else { - LOG.error("Cannot retrieve service:[" + id + "] for deletion"); - throw restErrorUtil.createRESTException( - "Data Not Found for given Id", - MessageEnums.DATA_NOT_FOUND, id, null, - "readResource : No Object found with given id."); - } - } else { - LOG.error("Cannot retrieve user session."); - throw new Exception("deleteService(" + id + ") failed"); - } - } catch(WebApplicationException excp) { - throw excp; - } catch(Throwable excp) { - LOG.error("deleteService(" + id + ") failed", excp); - - throw restErrorUtil.createRESTException(excp.getMessage()); - } finally { - RangerPerfTracer.log(perf); - } - - if(LOG.isDebugEnabled()) { - LOG.debug("<== ServiceREST.deleteServiceById() - deletedServiceName="+deletedServiceName); - } - return deletedServiceName; - } - - boolean isServiceAdmin(String serviceName) { - boolean ret = bizUtil.isAdmin(); - - if (!ret && StringUtils.isNotEmpty(serviceName)) { - ret = svcStore.isServiceAdminUser(serviceName, bizUtil.getCurrentUserLoginId()); - } - - return ret; - } - - private boolean isZoneAdmin(String zoneName) { - boolean ret = bizUtil.isAdmin(); - - if (!ret && StringUtils.isNotEmpty(zoneName)) { - ret = serviceMgr.isZoneAdmin(zoneName); - } - - return ret; - } -} + @GET + @Path("/policies/{serviceDefName}/for-resource") + @Produces("application/json") + public List getPoliciesForResource(@PathParam("serviceDefName") String serviceDefName, @DefaultValue("") @QueryParam("serviceName") 
String serviceName, @Context HttpServletRequest request) { + LOG.debug("==> ServiceREST.getPoliciesForResource(service-type={}, service-name={})", serviceDefName, serviceName); + + List ret = new ArrayList<>(); + List services = new ArrayList<>(); + Map resource = new HashMap<>(); + String validationMessage = validateResourcePoliciesRequest(serviceDefName, serviceName, request, services, resource); + + if (StringUtils.isNotEmpty(validationMessage)) { + LOG.error("Invalid request: [{}]", validationMessage); + throw restErrorUtil.createRESTException(validationMessage, MessageEnums.INVALID_INPUT_DATA); + } else { + RangerService service = services.get(0); + LOG.debug("getServicePolicies with service-name={}", service.getName()); + + RangerPolicyAdmin policyAdmin; + + try { + policyAdmin = getPolicyAdminForSearch(service.getName()); + } catch (Exception e) { + LOG.error("Cannot initialize Policy-Engine", e); + + throw restErrorUtil.createRESTException("Cannot initialize Policy Engine", MessageEnums.ERROR_SYSTEM); + } + + if (policyAdmin != null) { + ret = policyAdmin.getMatchingPolicies(new RangerAccessResourceImpl(resource)); + ret = applyAdminAccessFilter(ret); + } + } + + LOG.debug("<== ServiceREST.getPoliciesForResource(service-type={}, service-name={}) : {}", serviceDefName, serviceName, ret); + + return ret; + } + + @POST + @Path("/services") + @Consumes("application/json") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_SERVICE + "\")") + public RangerService createService(RangerService service) { + LOG.debug("==> ServiceREST.createService({})", service); + + RangerService ret; + RangerPerfTracer perf = null; + + /** + * If display name is blank (EMPTY String or NULL), use name. 
+ */ + if (StringUtils.isBlank(service.getDisplayName())) { + service.setDisplayName(service.getName()); + } + + try { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.createService(serviceName=" + service.getName() + ")"); + } + + RangerServiceValidator validator = validatorFactory.getServiceValidator(svcStore); + + validator.validate(service, Action.CREATE); + + if (!StringUtils.isEmpty(service.getName().trim())) { + service.setName(service.getName().trim()); + } + + if (!StringUtils.isEmpty(service.getDisplayName().trim())) { + service.setDisplayName(service.getDisplayName().trim()); + } + + UserSessionBase session = ContextUtil.getCurrentUserSession(); + XXServiceDef xxServiceDef = daoManager.getXXServiceDef().findByName(service.getType()); + + if (session != null && !session.isSpnegoEnabled()) { + bizUtil.hasAdminPermissions("Services"); + + // TODO: As of now we are allowing SYS_ADMIN to create all the + // services including KMS + bizUtil.hasKMSPermissions("Service", xxServiceDef.getImplclassname()); + } + + if (session != null && session.isSpnegoEnabled()) { + if (session.isKeyAdmin() && !EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(xxServiceDef.getImplclassname())) { + throw restErrorUtil.createRESTException("KeyAdmin can create/update/delete only KMS ", MessageEnums.OPER_NO_PERMISSION); + } + + if ((!session.isKeyAdmin() && !session.isUserAdmin()) && EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(xxServiceDef.getImplclassname())) { + throw restErrorUtil.createRESTException("User cannot create/update/delete KMS Service", MessageEnums.OPER_NO_PERMISSION); + } + } + + bizUtil.blockAuditorRoleUser(); + + String serviceType = xxServiceDef != null ? 
xxServiceDef.getName() : null; + + if (StringUtils.isBlank(service.getTagService()) && !StringUtils.equals(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME, serviceType) && !StringUtils.equals(EMBEDDED_SERVICEDEF_GDS_NAME, serviceType) && !StringUtils.equals(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_KMS_NAME, serviceType)) { + createOrGetLinkedServices(service); + } + + ret = svcStore.createService(service); + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + LOG.error("createService({}) failed", service, excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + RangerPerfTracer.log(perf); + } + + LOG.debug("<== ServiceREST.createService({}): {}", service, ret); + + return ret; + } + + @PUT + @Path("/services/{id}") + @Consumes("application/json") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_SERVICE + "\")") + public RangerService updateService(RangerService service, @Context HttpServletRequest request) { + LOG.debug("==> ServiceREST.updateService(): {}", service); + + RangerService ret; + RangerPerfTracer perf = null; + + try { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.updateService(serviceName=" + service.getName() + ")"); + } + + /** + * If display name is blank (EMPTY String or NULL), use previous display name. + */ + if (StringUtils.isBlank(service.getDisplayName())) { + RangerService rangerService = svcStore.getService(service.getId()); + + // If previous display name is blank (EMPTY String or NULL), user name. 
+ if (Objects.isNull(rangerService) || StringUtils.isBlank(rangerService.getDisplayName())) { + service.setDisplayName(service.getName()); + } else { + service.setDisplayName(rangerService.getDisplayName()); + } + } + + RangerServiceValidator validator = validatorFactory.getServiceValidator(svcStore); + + validator.validate(service, Action.UPDATE); + + if (!StringUtils.isEmpty(service.getName().trim())) { + service.setName(service.getName().trim()); + } + + if (!StringUtils.isEmpty(service.getDisplayName().trim())) { + service.setDisplayName(service.getDisplayName().trim()); + } + + bizUtil.hasAdminPermissions("Services"); + + // TODO: As of now we are allowing SYS_ADMIN to create all the + // services including KMS + + XXServiceDef xxServiceDef = daoManager.getXXServiceDef().findByName(service.getType()); + + bizUtil.hasKMSPermissions("Service", xxServiceDef.getImplclassname()); + bizUtil.blockAuditorRoleUser(); + + Map options = getOptions(request); + + ret = svcStore.updateService(service, options); + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + LOG.error("updateService({}) failed", service, excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + RangerPerfTracer.log(perf); + } + + LOG.debug("<== ServiceREST.updateService({}): {}", service, ret); + + return ret; + } + + @DELETE + @Path("/services/{id}") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_SERVICE + "\")") + public void deleteService(@PathParam("id") Long id) { + LOG.debug("==> ServiceREST.deleteService({})", id); + + String deletedServiceName = deleteServiceById(id); + + LOG.debug("<== ServiceREST.deleteService() - [id={}],[deletedServiceName={}]", deletedServiceName, deletedServiceName); + } + + @GET + @Path("/services/{id}") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICE + "\")") + public RangerService 
getService(@PathParam("id") Long id) { + LOG.debug("==> ServiceREST.getService({})", id); + + RangerService ret; + RangerPerfTracer perf = null; + + try { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getService(serviceId=" + id + ")"); + } + + ret = svcStore.getService(id); + + if (ret != null) { + UserSessionBase userSession = ContextUtil.getCurrentUserSession(); + + if (userSession != null && userSession.getLoginId() != null) { + VXUser loggedInVXUser = xUserService.getXUserByUserName(userSession.getLoginId()); + + if (loggedInVXUser != null) { + if (loggedInVXUser.getUserRoleList().size() == 1 && loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_USER)) { + hideCriticalServiceDetailsForRoleUser(ret); + } + } + } + } + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + LOG.error("getService({}) failed", id, excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + RangerPerfTracer.log(perf); + } + + if (ret == null) { + throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "Not found", true); + } + + LOG.debug("<== ServiceREST.getService({}): {}", id, ret); + + return ret; + } + + @GET + @Path("/services/name/{name}") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICE_BY_NAME + "\")") + public RangerService getServiceByName(@PathParam("name") String name) { + LOG.debug("==> ServiceREST.getServiceByName({})", name); + + RangerService ret; + RangerPerfTracer perf = null; + + try { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getService(serviceName=" + name + ")"); + } + + ret = svcStore.getServiceByName(name); + + if (ret != null) { + UserSessionBase userSession = ContextUtil.getCurrentUserSession(); + + if (userSession != null && 
userSession.getLoginId() != null) { + VXUser loggedInVXUser = xUserService.getXUserByUserName(userSession.getLoginId()); + + if (loggedInVXUser != null) { + if (loggedInVXUser.getUserRoleList().size() == 1 && loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_USER)) { + hideCriticalServiceDetailsForRoleUser(ret); + } + } + } + } + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + LOG.error("getServiceByName({}) failed", name, excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + RangerPerfTracer.log(perf); + } + + if (ret == null) { + throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "Not found", true); + } + + LOG.debug("<== ServiceREST.getServiceByName({}): {}", name, ret); + + return ret; + } + + @GET + @Path("/services") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICES + "\")") + public RangerServiceList getServices(@Context HttpServletRequest request) { + LOG.debug("==> ServiceREST.getServices()"); + + RangerServiceList ret = null; + RangerPerfTracer perf = null; + SearchFilter filter = searchUtil.getSearchFilter(request, svcService.sortFields); + + try { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServices()"); + } + + PList paginatedSvcs = svcStore.getPaginatedServices(filter); + + if (paginatedSvcs != null && !paginatedSvcs.getList().isEmpty()) { + UserSessionBase userSession = ContextUtil.getCurrentUserSession(); + + if (userSession != null && userSession.getLoginId() != null) { + VXUser loggedInVXUser = xUserService.getXUserByUserName(userSession.getLoginId()); + + if (loggedInVXUser != null) { + if (loggedInVXUser.getUserRoleList().size() == 1 && loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_USER)) { + List updateServiceList = new ArrayList<>(); + + for (RangerService rangerService 
: paginatedSvcs.getList()) { + if (rangerService != null) { + updateServiceList.add(hideCriticalServiceDetailsForRoleUser(rangerService)); + } + } + + if (!updateServiceList.isEmpty()) { + paginatedSvcs.setList(updateServiceList); + } + } + } + } + } + + if (paginatedSvcs != null) { + ret = new RangerServiceList(); + + ret.setServices(paginatedSvcs.getList()); + ret.setPageSize(paginatedSvcs.getPageSize()); + ret.setResultSize(paginatedSvcs.getResultSize()); + ret.setStartIndex(paginatedSvcs.getStartIndex()); + ret.setTotalCount(paginatedSvcs.getTotalCount()); + ret.setSortBy(paginatedSvcs.getSortBy()); + ret.setSortType(paginatedSvcs.getSortType()); + } + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + LOG.error("getServices() failed", excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + RangerPerfTracer.log(perf); + } + + LOG.debug("<== ServiceREST.getServices(): count={}", (ret == null ? 0 : ret.getListSize())); + + return ret; + } + + public List getServices(SearchFilter filter) { + LOG.debug("==> ServiceREST.getServices():"); + + List ret; + RangerPerfTracer perf = null; + + try { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServices()"); + } + + ret = svcStore.getServices(filter); + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + LOG.error("getServices() failed", excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + RangerPerfTracer.log(perf); + } + + LOG.debug("<== ServiceREST.getServices(): count={}", (ret == null ? 
0 : ret.size())); + + return ret; + } + + public List getServiceHeaders(@Context HttpServletRequest request) { + LOG.debug("==> ServiceREST.getServiceHeaders()"); + + String namePrefix = request.getParameter(SearchFilter.SERVICE_NAME_PREFIX); + String svcType = request.getParameter(SearchFilter.SERVICE_TYPE); + boolean filterByNamePrefix = StringUtils.isNotBlank(namePrefix); + boolean filterByType = StringUtils.isNotBlank(svcType); + + List ret = daoManager.getXXService().findServiceHeaders(); + + for (ListIterator iter = ret.listIterator(); iter.hasNext(); ) { + RangerServiceHeaderInfo serviceHeader = iter.next(); + + if (EMBEDDED_SERVICEDEF_GDS_NAME.equals(serviceHeader.getType())) { + iter.remove(); + } else if (filterByNamePrefix && !StringUtils.startsWithIgnoreCase(serviceHeader.getName(), namePrefix)) { + iter.remove(); + } else if (filterByType && !StringUtils.equals(serviceHeader.getType(), svcType)) { + iter.remove(); + } else if (!bizUtil.hasAccess(null, serviceHeader)) { + iter.remove(); + } + } + + LOG.debug("<== ServiceREST.getServiceHeaders(namePrefix={}, svcType={}): ret={}", namePrefix, svcType, ret); + + return ret; + } + + @GET + @Path("/services/count") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_SERVICES + "\")") + public Long countServices(@Context HttpServletRequest request) { + LOG.debug("==> ServiceREST.countServices():"); + + Long ret; + RangerPerfTracer perf = null; + + try { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.countService()"); + } + + List services = getServices(request).getServices(); + + ret = services == null ? 
0L : services.size(); + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + LOG.error("countServices() failed", excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + RangerPerfTracer.log(perf); + } + + LOG.debug("<== ServiceREST.countServices(): {}", ret); + + return ret; + } + + @POST + @Path("/services/validateConfig") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.VALIDATE_CONFIG + "\")") + public VXResponse validateConfig(RangerService service) { + LOG.debug("==> ServiceREST.validateConfig({})", service); + + VXResponse ret; + RangerPerfTracer perf = null; + + try { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.validateConfig(serviceName=" + service.getName() + ")"); + } + + ret = serviceMgr.validateConfig(service, svcStore); + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + LOG.error("validateConfig({}) failed", service, excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + RangerPerfTracer.log(perf); + } + + LOG.debug("<== ServiceREST.validateConfig({}) :{}", service, ret); + + return ret; + } + + @POST + @Path("/services/lookupResource/{serviceName}") + @Consumes("application/json") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.LOOKUP_RESOURCE + "\")") + public List lookupResource(@PathParam("serviceName") String serviceName, ResourceLookupContext context) { + LOG.debug("==> ServiceREST.lookupResource({})", serviceName); + + List ret; + RangerPerfTracer perf = null; + + try { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.lookupResource(serviceName=" + serviceName + ")"); + } + + ret = serviceMgr.lookupResource(serviceName, context, svcStore); + } 
catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + LOG.error("lookupResource({}, {}) failed", serviceName, context, excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + RangerPerfTracer.log(perf); + } + + LOG.debug("<== ServiceREST.lookupResource({}) :{}", serviceName, ret); + + return ret; + } + + @POST + @Path("/services/grant/{serviceName}") + @Consumes("application/json") + @Produces("application/json") + public RESTResponse grantAccess(@PathParam("serviceName") String serviceName, GrantRevokeRequest grantRequest, @Context HttpServletRequest request) throws Exception { + LOG.debug("==> ServiceREST.grantAccess({}, {})", serviceName, grantRequest); + + RESTResponse ret = new RESTResponse(); + RangerPerfTracer perf = null; + + if (grantRequest != null) { + if (serviceUtil.isValidateHttpsAuthentication(serviceName, request)) { + try { + bizUtil.failUnauthenticatedIfNotAllowed(); + + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.grantAccess(serviceName=" + serviceName + ")"); + } + + // This is an open API - dont care about who calls it. Caller is treated as privileged user + boolean hasAdminPrivilege = true; + String loggedInUser = null; + + validateGrantRevokeRequest(grantRequest, hasAdminPrivilege, loggedInUser); + + String userName = grantRequest.getGrantor(); + Set userGroups = CollectionUtils.isNotEmpty(grantRequest.getGrantorGroups()) ? 
grantRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName); + String ownerUser = grantRequest.getOwnerUser(); + RangerAccessResource resource = new RangerAccessResourceImpl(getAccessResourceObjectMap(grantRequest.getResource()), ownerUser); + Set accessTypes = grantRequest.getAccessTypes(); + VXUser vxUser = xUserService.getXUserByUserName(userName); + + if (vxUser.getUserRoleList().contains(RangerConstants.ROLE_ADMIN_AUDITOR) || vxUser.getUserRoleList().contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR)) { + VXResponse vXResponse = new VXResponse(); + + vXResponse.setStatusCode(HttpServletResponse.SC_FORBIDDEN); + vXResponse.setMsgDesc("Operation denied. LoggedInUser=" + vxUser.getId() + " is not permitted to perform the action."); + + throw restErrorUtil.generateRESTException(vXResponse); + } + + RangerService rangerService = svcStore.getServiceByName(serviceName); + String zoneName = getRangerAdminZoneName(serviceName, grantRequest); + boolean isAdmin = bizUtil.isUserRangerAdmin(userName) || bizUtil.isUserServiceAdmin(rangerService, userName) || hasAdminAccess(serviceName, zoneName, userName, userGroups, resource, accessTypes); + + if (!isAdmin) { + throw restErrorUtil.createGrantRevokeRESTException("User doesn't have necessary permission to grant access"); + } + + RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource, zoneName, userName); + + if (policy != null) { + boolean policyUpdated = ServiceRESTUtil.processGrantRequest(policy, grantRequest); + + if (policyUpdated) { + policy.setZoneName(zoneName); + + ensureAdminAccess(policy); + + svcStore.updatePolicy(policy); + } else { + LOG.error("processGrantRequest processing failed"); + + throw new Exception("processGrantRequest processing failed"); + } + } else { + policy = new RangerPolicy(); + + policy.setService(serviceName); + policy.setName("grant-" + System.currentTimeMillis()); // TODO: better policy name + policy.setDescription("created by grant"); + 
policy.setIsAuditEnabled(grantRequest.getEnableAudit()); + policy.setCreatedBy(userName); + + Map policyResources = new HashMap<>(); + Set resourceNames = resource.getKeys(); + + if (!CollectionUtils.isEmpty(resourceNames)) { + for (String resourceName : resourceNames) { + policyResources.put(resourceName, getPolicyResource(resource.getValue(resourceName), grantRequest)); + } + } + + policy.setResources(policyResources); + + RangerPolicyItem policyItem = new RangerPolicyItem(); + + policyItem.setDelegateAdmin(grantRequest.getDelegateAdmin()); + policyItem.addUsers(grantRequest.getUsers()); + policyItem.addGroups(grantRequest.getGroups()); + policyItem.addRoles(grantRequest.getRoles()); + + for (String accessType : grantRequest.getAccessTypes()) { + policyItem.addAccess(new RangerPolicyItemAccess(accessType, Boolean.TRUE)); + } + + policy.addPolicyItem(policyItem); + policy.setZoneName(zoneName); + + ensureAdminAccess(policy); + + svcStore.createPolicy(policy); + } + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + LOG.error("grantAccess({}, {}) failed", serviceName, grantRequest, excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + RangerPerfTracer.log(perf); + } + + ret.setStatusCode(RESTResponse.STATUS_SUCCESS); + } + } + + LOG.debug("<== ServiceREST.grantAccess({}, {}) :{}", serviceName, grantRequest, ret); + + return ret; + } + + @POST + @Path("/secure/services/grant/{serviceName}") + @Consumes("application/json") + @Produces("application/json") + public RESTResponse secureGrantAccess(@PathParam("serviceName") String serviceName, GrantRevokeRequest grantRequest, @Context HttpServletRequest request) throws Exception { + LOG.debug("==> ServiceREST.secureGrantAccess({}, {})", serviceName, grantRequest); + + RESTResponse ret = new RESTResponse(); + RangerPerfTracer perf = null; + + bizUtil.blockAuditorRoleUser(); + + if (grantRequest != null) { + if (serviceUtil.isValidService(serviceName, 
request)) { + try { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.scureGrantAccess(serviceName=" + serviceName + ")"); + } + + XXService xService = daoManager.getXXService().findByName(serviceName); + XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType()); + RangerService rangerService = svcStore.getServiceByName(serviceName); + String loggedInUser = bizUtil.getCurrentUserLoginId(); + boolean hasAdminPrivilege = bizUtil.isAdmin() || bizUtil.isUserServiceAdmin(rangerService, loggedInUser) || bizUtil.isUserAllowedForGrantRevoke(rangerService, loggedInUser); + + validateGrantRevokeRequest(grantRequest, hasAdminPrivilege, loggedInUser); + + String userName = grantRequest.getGrantor(); + Set userGroups = grantRequest.getGrantorGroups(); + String ownerUser = grantRequest.getOwnerUser(); + RangerAccessResource resource = new RangerAccessResourceImpl(getAccessResourceObjectMap(grantRequest.getResource()), ownerUser); + Set accessTypes = grantRequest.getAccessTypes(); + String zoneName = getRangerAdminZoneName(serviceName, grantRequest); + boolean isAllowed = false; + + if (StringUtils.equals(xServiceDef.getImplclassname(), EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) { + if (bizUtil.isKeyAdmin() || bizUtil.isUserAllowedForGrantRevoke(rangerService, loggedInUser)) { + isAllowed = true; + } + } else { + isAllowed = bizUtil.isUserRangerAdmin(userName) || bizUtil.isUserServiceAdmin(rangerService, userName) || hasAdminAccess(serviceName, zoneName, userName, userGroups, resource, accessTypes); + } + + if (isAllowed) { + RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource, zoneName, userName); + + if (policy != null) { + boolean policyUpdated = ServiceRESTUtil.processGrantRequest(policy, grantRequest); + + if (policyUpdated) { + policy.setZoneName(zoneName); + + ensureAdminAccess(policy); + + svcStore.updatePolicy(policy); + } else { + 
LOG.error("processSecureGrantRequest processing failed"); + + throw new Exception("processSecureGrantRequest processing failed"); + } + } else { + policy = new RangerPolicy(); + + policy.setService(serviceName); + policy.setName("grant-" + System.currentTimeMillis()); // TODO: better policy name + policy.setDescription("created by grant"); + policy.setIsAuditEnabled(grantRequest.getEnableAudit()); + policy.setCreatedBy(userName); + + Map policyResources = new HashMap<>(); + Set resourceNames = resource.getKeys(); + + if (!CollectionUtils.isEmpty(resourceNames)) { + for (String resourceName : resourceNames) { + policyResources.put(resourceName, getPolicyResource(resource.getValue(resourceName), grantRequest)); + } + } + + policy.setResources(policyResources); + + RangerPolicyItem policyItem = new RangerPolicyItem(); + + policyItem.setDelegateAdmin(grantRequest.getDelegateAdmin()); + policyItem.addUsers(grantRequest.getUsers()); + policyItem.addGroups(grantRequest.getGroups()); + policyItem.addRoles(grantRequest.getRoles()); + + for (String accessType : grantRequest.getAccessTypes()) { + policyItem.addAccess(new RangerPolicyItemAccess(accessType, Boolean.TRUE)); + } + + policy.addPolicyItem(policyItem); + policy.setZoneName(zoneName); + + ensureAdminAccess(policy); + + svcStore.createPolicy(policy); + } + } else { + LOG.error("secureGrantAccess({}, {}) failed as User doesn't have permission to grant Policy", serviceName, grantRequest); + + throw restErrorUtil.createGrantRevokeRESTException("User doesn't have necessary permission to grant access"); + } + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + LOG.error("secureGrantAccess({}, {}) failed", serviceName, grantRequest, excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + RangerPerfTracer.log(perf); + } + + ret.setStatusCode(RESTResponse.STATUS_SUCCESS); + } + } + + LOG.debug("<== ServiceREST.secureGrantAccess({}, {}) :{}", serviceName, 
grantRequest, ret); + + return ret; + } + + @POST + @Path("/services/revoke/{serviceName}") + @Consumes("application/json") + @Produces("application/json") + public RESTResponse revokeAccess(@PathParam("serviceName") String serviceName, GrantRevokeRequest revokeRequest, @Context HttpServletRequest request) throws Exception { + LOG.debug("==> ServiceREST.revokeAccess({}, {})", serviceName, revokeRequest); + + RESTResponse ret = new RESTResponse(); + RangerPerfTracer perf = null; + + if (revokeRequest != null) { + if (serviceUtil.isValidateHttpsAuthentication(serviceName, request)) { + try { + bizUtil.failUnauthenticatedIfNotAllowed(); + + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.revokeAccess(serviceName=" + serviceName + ")"); + } + + // This is an open API - dont care about who calls it. Caller is treated as privileged user + boolean hasAdminPrivilege = true; + String loggedInUser = null; + + validateGrantRevokeRequest(revokeRequest, hasAdminPrivilege, loggedInUser); + + String userName = revokeRequest.getGrantor(); + Set userGroups = CollectionUtils.isNotEmpty(revokeRequest.getGrantorGroups()) ? revokeRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName); + String ownerUser = revokeRequest.getOwnerUser(); + RangerAccessResource resource = new RangerAccessResourceImpl(getAccessResourceObjectMap(revokeRequest.getResource()), ownerUser); + Set accessTypes = revokeRequest.getAccessTypes(); + VXUser vxUser = xUserService.getXUserByUserName(userName); + + if (vxUser.getUserRoleList().contains(RangerConstants.ROLE_ADMIN_AUDITOR) || vxUser.getUserRoleList().contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR)) { + VXResponse vXResponse = new VXResponse(); + + vXResponse.setStatusCode(HttpServletResponse.SC_FORBIDDEN); + vXResponse.setMsgDesc("Operation denied. 
LoggedInUser=" + vxUser.getId() + " is not permitted to perform the action."); + + throw restErrorUtil.generateRESTException(vXResponse); + } + + RangerService rangerService = svcStore.getServiceByName(serviceName); + String zoneName = getRangerAdminZoneName(serviceName, revokeRequest); + boolean isAdmin = bizUtil.isUserRangerAdmin(userName) || bizUtil.isUserServiceAdmin(rangerService, userName) || hasAdminAccess(serviceName, zoneName, userName, userGroups, resource, accessTypes); + + if (!isAdmin) { + throw restErrorUtil.createGrantRevokeRESTException("User doesn't have necessary permission to revoke access"); + } + + RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource, zoneName, userName); + + if (policy != null) { + boolean policyUpdated = ServiceRESTUtil.processRevokeRequest(policy, revokeRequest); + + if (policyUpdated) { + policy.setZoneName(zoneName); + + ensureAdminAccess(policy); + + svcStore.updatePolicy(policy); + } else { + LOG.error("processRevokeRequest processing failed"); + throw new Exception("processRevokeRequest processing failed"); + } + } + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + LOG.error("secureGrantAccess({}, {}) failed", serviceName, revokeRequest, excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + RangerPerfTracer.log(perf); + } + + ret.setStatusCode(RESTResponse.STATUS_SUCCESS); + } + } + + LOG.debug("<== ServiceREST.revokeAccess({}, {}) :{}", serviceName, revokeRequest, ret); + + return ret; + } + + @POST + @Path("/secure/services/revoke/{serviceName}") + @Consumes("application/json") + @Produces("application/json") + public RESTResponse secureRevokeAccess(@PathParam("serviceName") String serviceName, GrantRevokeRequest revokeRequest, @Context HttpServletRequest request) throws Exception { + LOG.debug("==> ServiceREST.secureRevokeAccess({}, {})", serviceName, revokeRequest); + + RESTResponse ret = new RESTResponse(); + 
RangerPerfTracer perf = null; + + bizUtil.blockAuditorRoleUser(); + + if (revokeRequest != null) { + if (serviceUtil.isValidService(serviceName, request)) { + try { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.secureRevokeAccess(serviceName=" + serviceName + ")"); + } + + XXService xService = daoManager.getXXService().findByName(serviceName); + XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType()); + RangerService rangerService = svcStore.getServiceByName(serviceName); + String loggedInUser = bizUtil.getCurrentUserLoginId(); + boolean hasAdminPrivilege = bizUtil.isAdmin() || bizUtil.isUserServiceAdmin(rangerService, loggedInUser) || bizUtil.isUserAllowedForGrantRevoke(rangerService, loggedInUser); + + validateGrantRevokeRequest(revokeRequest, hasAdminPrivilege, loggedInUser); + + String userName = revokeRequest.getGrantor(); + Set userGroups = revokeRequest.getGrantorGroups(); + String ownerUser = revokeRequest.getOwnerUser(); + RangerAccessResource resource = new RangerAccessResourceImpl(getAccessResourceObjectMap(revokeRequest.getResource()), ownerUser); + Set accessTypes = revokeRequest.getAccessTypes(); + String zoneName = getRangerAdminZoneName(serviceName, revokeRequest); + boolean isAllowed = false; + + if (StringUtils.equals(xServiceDef.getImplclassname(), EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) { + if (bizUtil.isKeyAdmin() || bizUtil.isUserAllowedForGrantRevoke(rangerService, loggedInUser)) { + isAllowed = true; + } + } else { + isAllowed = bizUtil.isUserRangerAdmin(userName) || bizUtil.isUserServiceAdmin(rangerService, userName) || hasAdminAccess(serviceName, zoneName, userName, userGroups, resource, accessTypes); + } + + if (isAllowed) { + RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource, zoneName, userName); + + if (policy != null) { + boolean policyUpdated = ServiceRESTUtil.processRevokeRequest(policy, revokeRequest); + 
+ if (policyUpdated) { + policy.setZoneName(zoneName); + + ensureAdminAccess(policy); + + svcStore.updatePolicy(policy); + } else { + LOG.error("processSecureRevokeRequest processing failed"); + + throw new Exception("processSecureRevokeRequest processing failed"); + } + } + } else { + LOG.error("secureRevokeAccess({}, {}) failed as User doesn't have permission to revoke Policy", serviceName, revokeRequest); + + throw restErrorUtil.createGrantRevokeRESTException("User doesn't have necessary permission to revoke access"); + } + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + LOG.error("secureRevokeAccess({}, {}) failed", serviceName, revokeRequest, excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + RangerPerfTracer.log(perf); + } + + ret.setStatusCode(RESTResponse.STATUS_SUCCESS); + } + } + + LOG.debug("<== ServiceREST.secureRevokeAccess({}, {}) :{}", serviceName, revokeRequest, ret); + + return ret; + } + + @POST + @Path("/policies") + @Consumes("application/json") + @Produces("application/json") + public RangerPolicy createPolicy(RangerPolicy policy, @Context HttpServletRequest request) { + LOG.debug("==> ServiceREST.createPolicy({})", policy); + + RangerPolicy ret = null; + RangerPerfTracer perf = null; + + try { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.createPolicy(policyName=" + policy.getName() + ")"); + } + + if (request != null) { + boolean deleteIfExists = "true".equalsIgnoreCase(StringUtils.trimToEmpty(request.getParameter(PARAM_DELETE_IF_EXISTS))); + + if (deleteIfExists) { + boolean importInProgress = "true".equalsIgnoreCase(StringUtils.trimToEmpty(String.valueOf(request.getAttribute(PARAM_IMPORT_IN_PROGRESS)))); + + if (!importInProgress) { + List policies = new ArrayList() { + { + add(policy); + } + }; + + deleteExactMatchPolicyForResource(policies, request.getRemoteUser(), null); + } + } + + boolean 
updateIfExists = "true".equalsIgnoreCase(StringUtils.trimToEmpty(request.getParameter(PARAM_UPDATE_IF_EXISTS))); + boolean mergeIfExists = "true".equalsIgnoreCase(StringUtils.trimToEmpty(request.getParameter(PARAM_MERGE_IF_EXISTS))); + + // Default POLICY_MATCHING_ALGO_BY_RESOURCE + String policyMatchingAlgo = POLICY_MATCHING_ALGO_BY_POLICYNAME.equalsIgnoreCase(StringUtils.trimToEmpty(request.getParameter(PARAM_POLICY_MATCHING_ALGORITHM))) ? POLICY_MATCHING_ALGO_BY_POLICYNAME : POLICY_MATCHING_ALGO_BY_RESOURCE; + + LOG.debug(" policyMatchingAlgo: {} updateIfExists: {} mergeIfExists: {} deleteIfExists: {}", policyMatchingAlgo, updateIfExists, mergeIfExists, deleteIfExists); + + if (mergeIfExists && updateIfExists) { + LOG.warn("Cannot use both updateIfExists and mergeIfExists for a createPolicy. mergeIfExists will override updateIfExists for policy :[{}]", policy.getName()); + } + + if (!mergeIfExists && !updateIfExists) { + ret = createPolicyUnconditionally(policy); + } else if (mergeIfExists) { + ret = applyPolicy(policy, request); + } else if (policyMatchingAlgo.equalsIgnoreCase(POLICY_MATCHING_ALGO_BY_RESOURCE)) { + ret = applyPolicy(policy, request); + } else if (policyMatchingAlgo.equalsIgnoreCase(POLICY_MATCHING_ALGO_BY_POLICYNAME)) { + RangerPolicy existingPolicy = getPolicyMatchByName(policy, request); + + if (existingPolicy != null) { + policy.setId(existingPolicy.getId()); + + ret = updatePolicy(policy, null); + } else { + ret = createPolicyUnconditionally(policy); + } + } + + LOG.debug("<== ServiceREST.createPolicy({}): {}", policy, ret); + + return ret; + } + + if (ret == null) { + ret = createPolicyUnconditionally(policy); + } + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + LOG.error("createPolicy({}) failed", policy, excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + RangerPerfTracer.log(perf); + } + + LOG.debug("<== ServiceREST.createPolicy({}): {}", policy, ret); + + return 
ret; + } + + /* + The verb for applyPolicy is POST as it could be partial update or a create + */ + + @POST + @Path("/policies/apply") + @Consumes("application/json") + @Produces("application/json") + public RangerPolicy applyPolicy(RangerPolicy policy, @Context HttpServletRequest request) { + LOG.debug("==> ServiceREST.applyPolicy({})", policy); + + RangerPolicy ret; + + if (policy != null && StringUtils.isNotBlank(policy.getService())) { + try { + final RangerPolicy existingPolicy; + String signature = (new RangerPolicyResourceSignature(policy)).getSignature(); + List policiesWithMatchingSignature = svcStore.getPoliciesByResourceSignature(policy.getService(), signature, true); + + if (CollectionUtils.isNotEmpty(policiesWithMatchingSignature)) { + if (policiesWithMatchingSignature.size() == 1) { + existingPolicy = policiesWithMatchingSignature.get(0); + } else { + throw new Exception("Multiple policies with matching policy-signature are found. Cannot determine target for applying policy"); + } + } else { + existingPolicy = null; + } + + if (existingPolicy == null) { + if (StringUtils.isNotEmpty(policy.getName())) { + String policyName = StringUtils.isNotBlank(policy.getName()) ? policy.getName() : null; + String serviceName = StringUtils.isNotBlank(policy.getService()) ? policy.getService() : null; + String zoneName = StringUtils.isNotBlank(policy.getZoneName()) ? 
policy.getZoneName() : null; + XXPolicy dbPolicy = daoManager.getXXPolicy().findPolicy(policyName, serviceName, zoneName); + //XXPolicy dbPolicy = daoManager.getXXPolicy().findPolicy(policy.getName(), policy.getService(), policy.getZoneName()); + + if (dbPolicy != null) { + policy.setName(policy.getName() + System.currentTimeMillis()); + } + } + + ret = createPolicy(policy, null); + } else { + boolean mergeIfExists = "true".equalsIgnoreCase(StringUtils.trimToEmpty(request.getParameter(PARAM_MERGE_IF_EXISTS))); + + if (!mergeIfExists) { + boolean updateIfExists = "true".equalsIgnoreCase(StringUtils.trimToEmpty(request.getParameter(PARAM_UPDATE_IF_EXISTS))); + + if (updateIfExists) { + // Called with explicit intent of updating an existing policy + mergeIfExists = false; + } else { + // Invoked through REST API. Merge with existing policy unless 'mergeIfExists' is explicitly set to false in HttpServletRequest + mergeIfExists = !"false".equalsIgnoreCase(StringUtils.trimToEmpty(request.getParameter(PARAM_MERGE_IF_EXISTS))); + } + } + + if (mergeIfExists) { + if (!existingPolicy.getIsDenyAllElse() && policy.getIsDenyAllElse()) { + LOG.error("Attempt to change the isDenyAllElse flag from false to true! 
Not supported!!"); + + throw new Exception("Merging existing policy(isDenyAllElse=false) with another policy(isDenyAllElse=true) is not allowed!"); + } + + ServiceRESTUtil.processApplyPolicy(existingPolicy, policy); + + policy = existingPolicy; + } else { + policy.setId(existingPolicy.getId()); + } + + ret = updatePolicy(policy, policy.getId()); + } + } catch (WebApplicationException excp) { + throw excp; + } catch (Exception exception) { + LOG.error("Failed to apply policy:", exception); + + throw restErrorUtil.createRESTException(exception.getMessage()); + } + } else { + throw restErrorUtil.createRESTException("Non-existing service specified:"); + } + + LOG.debug("<== ServiceREST.applyPolicy({}): {}", policy, ret); + + return ret; + } + + @PUT + @Path("/policies/{id}") + @Consumes("application/json") + @Produces("application/json") + public RangerPolicy updatePolicy(RangerPolicy policy, @PathParam("id") Long id) { + LOG.debug("==> ServiceREST.updatePolicy({})", policy); + + // if policy.id and param 'id' are specified, policy.id should be same as the param 'id' + // if policy.id is null, then set param 'id' into policy Object + if (policy.getId() == null) { + policy.setId(id); + } else if (!policy.getId().equals(id)) { + throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, "policyID mismatch", true); + } + + RangerPolicy ret; + RangerPerfTracer perf = null; + + try { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.updatePolicy(policyId=" + policy.getId() + ")"); + } + + if (isPolicyNameLengthValidationEnabled) { + if (policy.getName().length() > maxPolicyNameLength) { + throw restErrorUtil.createRESTException("Policy name should not be longer than " + maxPolicyNameLength + " characters", MessageEnums.INPUT_DATA_OUT_OF_BOUND, null, "policy name", policy.getName()); + } + } + + RangerPolicyValidator validator = validatorFactory.getPolicyValidator(svcStore); + + 
validator.validate(policy, Action.UPDATE, bizUtil.isAdmin() || isServiceAdmin(policy.getService()) || isZoneAdmin(policy.getZoneName())); + + ensureAdminAccess(policy); + + bizUtil.blockAuditorRoleUser(); + + ret = svcStore.updatePolicy(policy); + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + LOG.error("updatePolicy({}) failed", policy, excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + RangerPerfTracer.log(perf); + } + + LOG.debug("<== ServiceREST.updatePolicy({}): {}", policy, ret); + + return ret; + } + + @DELETE + @Path("/policies/{id}") + public void deletePolicy(@PathParam("id") Long id) { + LOG.debug("==> ServiceREST.deletePolicy({})", id); + + RangerPerfTracer perf = null; + + try { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.deletePolicy(policyId=" + id + ")"); + } + + RangerPolicyValidator validator = validatorFactory.getPolicyValidator(svcStore); + + validator.validate(id, Action.DELETE); + + RangerPolicy policy = svcStore.getPolicy(id); + + ensureAdminAccess(policy); + + bizUtil.blockAuditorRoleUser(); + + svcStore.deletePolicy(policy); + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + LOG.error("deletePolicy({}) failed", id, excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + RangerPerfTracer.log(perf); + } + + LOG.debug("<== ServiceREST.deletePolicy({})", id); + } + + @GET + @Path("/policies/{id}") + @Produces("application/json") + public RangerPolicy getPolicy(@PathParam("id") Long id) { + LOG.debug("==> ServiceREST.getPolicy({})", id); + + RangerPolicy ret; + RangerPerfTracer perf = null; + + try { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getPolicy(policyId=" + id + ")"); + } + + ret = svcStore.getPolicy(id); + + if (ret != null) { + 
ensureAdminAndAuditAccess(ret); + } + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + LOG.error("getPolicy({}) failed", id, excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + RangerPerfTracer.log(perf); + } + + if (ret == null) { + throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "Not found", true); + } + + LOG.debug("<== ServiceREST.getPolicy({}): {}", id, ret); + + return ret; + } + + @GET + @Path("/policyLabels") + @Produces("application/json") + public List getPolicyLabels(@Context HttpServletRequest request) { + LOG.debug("==> ServiceREST.getPolicyLabels()"); + + List ret; + RangerPerfTracer perf = null; + + try { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getPolicyLabels()"); + } + + SearchFilter filter = searchUtil.getSearchFilter(request, policyLabelsService.sortFields); + + ret = svcStore.getPolicyLabels(filter); + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + LOG.error("getPolicyLabels() failed", excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + RangerPerfTracer.log(perf); + } + + LOG.debug("<== ServiceREST.getPolicyLabels()"); + + return ret; + } + + @GET + @Path("/policies") + @Produces("application/json") + public RangerPolicyList getPolicies(@Context HttpServletRequest request) { + LOG.debug("==> ServiceREST.getPolicies()"); + + RangerPolicyList ret; + RangerPerfTracer perf = null; + SearchFilter filter = searchUtil.getSearchFilter(request, policyService.sortFields); + + try { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getPolicies()"); + } + + // get all policies from the store; pick the page to return after applying filter + final int savedStartIndex = filter.getStartIndex(); + final int savedMaxRows = filter.getMaxRows(); + + 
filter.setStartIndex(0); + filter.setMaxRows(Integer.MAX_VALUE); + + List policies = svcStore.getPolicies(filter); + + filter.setStartIndex(savedStartIndex); + filter.setMaxRows(savedMaxRows); + + policies = applyAdminAccessFilter(policies); + ret = toRangerPolicyList(policies, filter); + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + LOG.error("getPolicies() failed", excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + RangerPerfTracer.log(perf); + } + + LOG.debug("<== ServiceREST.getPolicies(): count={}", (ret == null ? 0 : ret.getListSize())); + + return ret; + } + + /** + * Resets/ removes service policy cache for given service. + * + * @param serviceName non-empty serviceName + * @return {@code true} if successfully reseted/ removed for given service, {@code false} otherwise. + */ + @GET + @Path("/policies/cache/reset") + @Produces("application/json") + public boolean resetPolicyCache(@QueryParam("serviceName") String serviceName) { + LOG.debug("==> ServiceREST.resetPolicyCache({})", serviceName); + + if (StringUtils.isEmpty(serviceName)) { + throw restErrorUtil.createRESTException("Required parameter [serviceName] is missing.", MessageEnums.INVALID_INPUT_DATA); + } + + RangerService rangerService = null; + + try { + rangerService = svcStore.getServiceByName(serviceName); + } catch (Exception e) { + LOG.error(" {} No Service Found for ServiceName:{}", HttpServletResponse.SC_BAD_REQUEST, serviceName); + } + + if (rangerService == null) { + throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, "Invalid service name", true); + } + + // check for ADMIN access + if (!bizUtil.isAdmin()) { + boolean isServiceAdmin = false; + String loggedInUser = bizUtil.getCurrentUserLoginId(); + + try { + isServiceAdmin = bizUtil.isUserServiceAdmin(rangerService, loggedInUser); + } catch (Exception e) { + LOG.warn("Failed to find if user [{}] has service admin privileges on service [{}]", 
loggedInUser, serviceName, e); + } + + if (!isServiceAdmin) { + throw restErrorUtil.createRESTException("User cannot reset policy cache", MessageEnums.OPER_NO_PERMISSION); + } + } + + boolean ret = svcStore.resetPolicyCache(serviceName); + + LOG.debug("<== ServiceREST.resetPolicyCache(): ret={}", ret); + + return ret; + } + + /** + * Resets/ removes service policy cache for all. + * + * @return {@code true} if successfully reseted/ removed, {@code false} otherwise. + */ + @GET + @Path("/policies/cache/reset-all") + @Produces("application/json") + public boolean resetPolicyCacheAll() { + LOG.debug("==> ServiceREST.resetPolicyCacheAll()"); + + // check for ADMIN access + if (!bizUtil.isAdmin()) { + throw restErrorUtil.createRESTException("User cannot reset policy cache", MessageEnums.OPER_NO_PERMISSION); + } + + boolean ret = svcStore.resetPolicyCache(null); + + LOG.debug("<== ServiceREST.resetPolicyCacheAll(): ret={}", ret); + + return ret; + } + + @GET + @Path("/policies/downloadExcel") + @Produces("application/ms-excel") + public void getPoliciesInExcel(@Context HttpServletRequest request, @Context HttpServletResponse response) { + LOG.debug("==> ServiceREST.getPoliciesInExcel()"); + + RangerPerfTracer perf = null; + SearchFilter filter = searchUtil.getSearchFilter(request, policyService.sortFields); + + try { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getPoliciesInExcel()"); + } + + List policyLists = new ArrayList<>(); + + policyLists = getAllFilteredPolicyList(filter, request, policyLists); + + if (CollectionUtils.isNotEmpty(policyLists)) { + Map mapServiceTypeAndImplClass = new HashMap<>(); + + for (RangerPolicy rangerPolicy : policyLists) { + if (rangerPolicy != null) { + ensureAdminAndAuditAccess(rangerPolicy, mapServiceTypeAndImplClass); + } + } + + svcStore.getPoliciesInExcel(policyLists, response); + } else { + response.setStatus(HttpServletResponse.SC_NO_CONTENT); + + 
LOG.error("No policies found to download!"); + } + + RangerExportPolicyList rangerExportPolicyList = new RangerExportPolicyList(); + + rangerExportPolicyList.setMetaDataInfo(svcStore.getMetaDataInfo()); + + String metaDataInfo = JsonUtilsV2.mapToJson(rangerExportPolicyList.getMetaDataInfo()); + + policyService.createTransactionLog(new XXTrxLogV2(AppConstants.CLASS_TYPE_RANGER_POLICY, null, null, "EXPORT EXCEL"), "Export Excel", metaDataInfo, null); + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + LOG.error("Error while downloading policy report", excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + RangerPerfTracer.log(perf); + } + } + + @GET + @Path("/policies/csv") + @Produces("text/csv") + public void getPoliciesInCsv(@Context HttpServletRequest request, @Context HttpServletResponse response) throws IOException { + LOG.debug("==> ServiceREST.getPoliciesInCsv()"); + + RangerPerfTracer perf = null; + SearchFilter filter = searchUtil.getSearchFilter(request, policyService.sortFields); + + try { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getPoliciesInCsv()"); + } + + List policyLists = new ArrayList<>(); + + policyLists = getAllFilteredPolicyList(filter, request, policyLists); + + if (CollectionUtils.isNotEmpty(policyLists)) { + Map mapServiceTypeAndImplClass = new HashMap<>(); + + for (RangerPolicy rangerPolicy : policyLists) { + if (rangerPolicy != null) { + ensureAdminAndAuditAccess(rangerPolicy, mapServiceTypeAndImplClass); + } + } + + svcStore.getPoliciesInCSV(policyLists, response); + } else { + response.setStatus(HttpServletResponse.SC_NO_CONTENT); + + LOG.error("No policies found to download!"); + } + + RangerExportPolicyList rangerExportPolicyList = new RangerExportPolicyList(); + + rangerExportPolicyList.setMetaDataInfo(svcStore.getMetaDataInfo()); + + String metaDataInfo = 
JsonUtilsV2.mapToJson(rangerExportPolicyList.getMetaDataInfo()); + + policyService.createTransactionLog(new XXTrxLogV2(AppConstants.CLASS_TYPE_RANGER_POLICY, null, null, "EXPORT CSV"), "Export CSV", metaDataInfo, null); + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + LOG.error("Error while downloading policy report", excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + RangerPerfTracer.log(perf); + } + } + + @GET + @Path("/policies/exportJson") + @Produces("text/json") + public void getPoliciesInJson(@Context HttpServletRequest request, @Context HttpServletResponse response, @QueryParam("checkPoliciesExists") Boolean checkPoliciesExists) { + LOG.debug("==> ServiceREST.getPoliciesInJson()"); + + RangerPerfTracer perf = null; + SearchFilter filter = searchUtil.getSearchFilter(request, policyService.sortFields); + + requestParamsValidation(filter); + + try { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getPoliciesInJson()"); + } + + if (checkPoliciesExists == null) { + checkPoliciesExists = false; + } + + List policyLists = new ArrayList<>(); + + policyLists = getAllFilteredPolicyList(filter, request, policyLists); + + if (CollectionUtils.isNotEmpty(policyLists)) { + Map mapServiceTypeAndImplClass = new HashMap<>(); + + for (RangerPolicy rangerPolicy : policyLists) { + if (rangerPolicy != null) { + ensureAdminAndAuditAccess(rangerPolicy, mapServiceTypeAndImplClass); + } + } + + bizUtil.blockAuditorRoleUser(); + + svcStore.getObjectInJson(policyLists, response, JSON_FILE_NAME_TYPE.POLICY); + } else { + checkPoliciesExists = true; + + response.setStatus(HttpServletResponse.SC_NO_CONTENT); + + LOG.error("There is no Policy to Export!!"); + } + + if (!checkPoliciesExists) { + RangerExportPolicyList rangerExportPolicyList = new RangerExportPolicyList(); + + rangerExportPolicyList.setMetaDataInfo(svcStore.getMetaDataInfo()); + + 
String metaDataInfo = JsonUtilsV2.mapToJson(rangerExportPolicyList.getMetaDataInfo()); + + policyService.createTransactionLog(new XXTrxLogV2(AppConstants.CLASS_TYPE_RANGER_POLICY, null, null, "EXPORT JSON"), "Export Json", metaDataInfo, null); + } + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + LOG.error("Error while exporting policy file!!", excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + RangerPerfTracer.log(perf); + } + } + + @POST + @Path("/policies/importPoliciesFromFile") + @Consumes({MediaType.MULTIPART_FORM_DATA, MediaType.APPLICATION_JSON}) + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAdminOrKeyAdminRole()") + public void importPoliciesFromFile(@Context HttpServletRequest request, @FormDataParam("servicesMapJson") InputStream serviceMapStream, @FormDataParam("zoneMapJson") InputStream zoneMapStream, @FormDataParam("file") InputStream uploadedInputStream, @FormDataParam("file") FormDataContentDisposition fileDetail, @QueryParam("isOverride") Boolean isOverride, @QueryParam("importType") String importType) { + LOG.debug("==> ServiceREST.importPoliciesFromFile()"); + + RangerContextHolder.getOrCreateOpContext().setBulkModeContext(true); + + RangerPerfTracer perf = null; + String metaDataInfo = null; + + request.setAttribute(PARAM_IMPORT_IN_PROGRESS, true); + + try { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.importPoliciesFromFile()"); + } + + policyService.createTransactionLog(new XXTrxLogV2(AppConstants.CLASS_TYPE_RANGER_POLICY, null, null, "IMPORT START"), "Import", "IMPORT START", null); + + if (isOverride == null) { + isOverride = false; + } + + List serviceNameList = new ArrayList<>(); + + getServiceNameList(request, serviceNameList); + + Map servicesMappingMap = new LinkedHashMap<>(); + List sourceServices = new ArrayList<>(); + List destinationServices = new 
ArrayList<>(); + Map zoneMappingMap = new LinkedHashMap<>(); + List sourceZones = new ArrayList<>(); + List destinationZones = new ArrayList<>(); + + if (zoneMapStream != null) { + zoneMappingMap = svcStore.getMapFromInputStream(zoneMapStream); + + processZoneMapping(zoneMappingMap, sourceZones, destinationZones); + } + + if (serviceMapStream != null) { + servicesMappingMap = svcStore.getMapFromInputStream(serviceMapStream); + + processServiceMapping(servicesMappingMap, sourceServices, destinationServices); + } + + String fileName = fileDetail.getFileName(); + int totalPolicyCreate = 0; + String zoneNameInJson = null; + Map policiesMap = new LinkedHashMap<>(); + List dataFileSourceServices = new ArrayList<>(); + + if (fileName.endsWith("json")) { + try { + RangerExportPolicyList rangerExportPolicyList = processPolicyInputJsonForMetaData(uploadedInputStream, null); + + if (rangerExportPolicyList != null && !CollectionUtils.sizeIsEmpty(rangerExportPolicyList.getMetaDataInfo())) { + metaDataInfo = JsonUtilsV2.mapToJson(rangerExportPolicyList.getMetaDataInfo()); + } else { + LOG.info("metadata info is not provided!!"); + } + + List policies = getPoliciesFromProvidedJson(rangerExportPolicyList); + + int i = 0; + if (CollectionUtils.sizeIsEmpty(servicesMappingMap) && isOverride) { + if (policies != null && !CollectionUtils.sizeIsEmpty(policies)) { + for (RangerPolicy policyInJson : policies) { + if (policyInJson != null) { + if (i == 0 && StringUtils.isNotBlank(policyInJson.getZoneName())) { + zoneNameInJson = policyInJson.getZoneName().trim(); + } + + if (StringUtils.isNotEmpty(policyInJson.getService().trim())) { + String serviceName = policyInJson.getService().trim(); + + if (CollectionUtils.isNotEmpty(serviceNameList) && serviceNameList.contains(serviceName) && !sourceServices.contains(serviceName) && !destinationServices.contains(serviceName)) { + sourceServices.add(serviceName); + destinationServices.add(serviceName); + } else if 
(CollectionUtils.isEmpty(serviceNameList) && !sourceServices.contains(serviceName) && !destinationServices.contains(serviceName)) { + sourceServices.add(serviceName); + destinationServices.add(serviceName); + } + } else { + LOG.error("Service Name or Policy Name is not provided!!"); + + throw restErrorUtil.createRESTException("Service Name or Policy Name is not provided!!"); + } + } + + i++; + } + } + } else if (!CollectionUtils.sizeIsEmpty(servicesMappingMap)) { + if (policies != null && !CollectionUtils.sizeIsEmpty(policies)) { + i = 0; + + for (RangerPolicy policyInJson : policies) { + if (policyInJson != null) { + if (i == 0 && StringUtils.isNotBlank(policyInJson.getZoneName())) { + zoneNameInJson = policyInJson.getZoneName().trim(); + } + + if (StringUtils.isNotEmpty(policyInJson.getService().trim())) { + dataFileSourceServices.add(policyInJson.getService().trim()); + } else { + LOG.error("Service Name or Policy Name is not provided!!"); + + throw restErrorUtil.createRESTException("Service Name or Policy Name is not provided!!"); + } + + i++; + } + } + + if (!dataFileSourceServices.containsAll(sourceServices)) { + LOG.error("Json File does not contain specified source service name."); + + throw restErrorUtil.createRESTException("Json File does not contain specified source service name."); + } + } + } + + boolean deleteIfExists = "true".equalsIgnoreCase(StringUtils.trimToEmpty(request.getParameter(PARAM_DELETE_IF_EXISTS))); + boolean updateIfExists = "true".equalsIgnoreCase(StringUtils.trimToEmpty(request.getParameter(PARAM_UPDATE_IF_EXISTS))); + String polResource = request.getParameter(SearchFilter.POL_RESOURCE); + + if (updateIfExists) { + isOverride = false; + } + + String destinationZoneName = getDestinationZoneName(destinationZones, zoneNameInJson); + + if (isOverride && !updateIfExists && StringUtils.isEmpty(polResource)) { + LOG.debug("Deleting Policy from provided services in servicesMapJson file..."); + + if (CollectionUtils.isNotEmpty(sourceServices) 
&& CollectionUtils.isNotEmpty(destinationServices)) { + deletePoliciesProvidedInServiceMap(sourceServices, destinationServices, destinationZoneName); //In order to delete Zone specific policies from service + } + } else if (updateIfExists && StringUtils.isNotEmpty(polResource)) { + LOG.debug("Deleting Policy from provided services in servicesMapJson file for specific resource..."); + + if (CollectionUtils.isNotEmpty(sourceServices) && CollectionUtils.isNotEmpty(destinationServices)) { + deletePoliciesForResource(sourceServices, destinationServices, request, policies, destinationZoneName); //In order to delete Zone specific policies from service + } + } + + if (policies != null && !CollectionUtils.sizeIsEmpty(policies)) { + for (RangerPolicy policyInJson : policies) { + if (policyInJson != null) { + if (StringUtils.isNotBlank(destinationZoneName)) { + boolean isZoneServiceExistAtDestination = validateDestZoneServiceMapping(destinationZoneName, policyInJson, servicesMappingMap); + + if (!isZoneServiceExistAtDestination) { + LOG.warn("provided service of policy in File is not associated with zone"); + + continue; + } + } + + policiesMap = svcStore.createPolicyMap(zoneMappingMap, sourceZones, destinationZoneName, servicesMappingMap, sourceServices, destinationServices, policyInJson, policiesMap); // zone Info is also sent for creating policy map + } + } + + if (deleteIfExists) { + //deleting target policies if already exist + deleteExactMatchPolicyForResource(policies, request.getRemoteUser(), destinationZoneName); + } + } + + totalPolicyCreate = createPolicesBasedOnPolicyMap(request, policiesMap, serviceNameList, updateIfExists, totalPolicyCreate); + + if (!(totalPolicyCreate > 0)) { + LOG.error("zero policy is created from provided data file!!"); + + throw restErrorUtil.createRESTException("zero policy is created from provided data file!!"); + } + } catch (IOException e) { + LOG.error(e.getMessage()); + + throw restErrorUtil.createRESTException(e.getMessage()); + } + 
} else { + LOG.error("Provided file format is not supported!!"); + + throw restErrorUtil.createRESTException("Provided file format is not supported!!"); + } + } catch (JsonSyntaxException ex) { + LOG.error("Provided json file is not valid!!", ex); + + policyService.createTransactionLog(new XXTrxLogV2(AppConstants.CLASS_TYPE_RANGER_POLICY, null, null, "IMPORT ERROR"), "Import failed", StringUtils.isNotEmpty(metaDataInfo) ? metaDataInfo : null, null); + + throw restErrorUtil.createRESTException(ex.getMessage()); + } catch (WebApplicationException excp) { + LOG.error("Error while importing policy from file!!", excp); + + policyService.createTransactionLog(new XXTrxLogV2(AppConstants.CLASS_TYPE_RANGER_POLICY, null, null, "IMPORT ERROR"), "Import failed", StringUtils.isNotEmpty(metaDataInfo) ? metaDataInfo : null, null); + + throw excp; + } catch (Throwable excp) { + LOG.error("Error while importing policy from file!!", excp); + + policyService.createTransactionLog(new XXTrxLogV2(AppConstants.CLASS_TYPE_RANGER_POLICY, null, null, "IMPORT ERROR"), "Import failed", StringUtils.isNotEmpty(metaDataInfo) ? metaDataInfo : null, null); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + RangerPerfTracer.log(perf); + + policyService.createTransactionLog(new XXTrxLogV2(AppConstants.CLASS_TYPE_RANGER_POLICY, null, null, "IMPORT END"), "IMPORT END", StringUtils.isNotEmpty(metaDataInfo) ? 
metaDataInfo : null, null); + + LOG.debug("<== ServiceREST.importPoliciesFromFile()"); + } + } + + public List getPolicies(SearchFilter filter) { + LOG.debug("==> ServiceREST.getPolicies(filter)"); + + List ret; + RangerPerfTracer perf = null; + + try { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getPolicies()"); + } + + ret = svcStore.getPolicies(filter); + ret = applyAdminAccessFilter(ret); + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + LOG.error("getPolicies() failed", excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + RangerPerfTracer.log(perf); + } + + LOG.debug("<== ServiceREST.getPolicies(filter): count={}", (ret == null ? 0 : ret.size())); + + return ret; + } + + @GET + @Path("/policies/count") + @Produces("application/json") + public Long countPolicies(@Context HttpServletRequest request) { + LOG.debug("==> ServiceREST.countPolicies():"); + + Long ret; + RangerPerfTracer perf = null; + + try { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.countPolicies()"); + } + + List policies = getPolicies(request).getPolicies(); + + policies = applyAdminAccessFilter(policies); + + ret = policies == null ? 
0L : policies.size(); + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + LOG.error("countPolicies() failed", excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + RangerPerfTracer.log(perf); + } + + LOG.debug("<== ServiceREST.countPolicies(): {}", ret); + + return ret; + } + + @GET + @Path("/policies/service/{id}") + @Produces("application/json") + public RangerPolicyList getServicePolicies(@PathParam("id") Long serviceId, @Context HttpServletRequest request) { + LOG.debug("==> ServiceREST.getServicePolicies({})", serviceId); + + RangerPolicyList ret; + RangerPerfTracer perf = null; + SearchFilter filter = searchUtil.getSearchFilter(request, policyService.sortFields); + + try { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServicePolicies(serviceId=" + serviceId + ")"); + } + + String policyTypeStr = filter.getParam(SearchFilter.POLICY_TYPE); + + if (policyTypeStr != null) { + int policyType = Integer.parseInt(policyTypeStr); + + if (IntStream.of(RangerPolicy.POLICY_TYPES).noneMatch(x -> x == policyType)) { + throw restErrorUtil.createRESTException("policyTypes with id: " + policyTypeStr + " does not exist", MessageEnums.DATA_NOT_FOUND, Long.parseLong(policyTypeStr), null, "readResource : No Object found with given id."); + } + } + + // get all policies from the store; pick the page to return after applying filter + int savedStartIndex = filter.getStartIndex(); + int savedMaxRows = filter.getMaxRows(); + + filter.setStartIndex(0); + filter.setMaxRows(Integer.MAX_VALUE); + + List servicePolicies = svcStore.getServicePolicies(serviceId, filter); + + filter.setStartIndex(savedStartIndex); + filter.setMaxRows(savedMaxRows); + + servicePolicies = applyAdminAccessFilter(servicePolicies); + + ret = toRangerPolicyList(servicePolicies, filter); + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + 
LOG.error("getServicePolicies({}) failed", serviceId, excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + RangerPerfTracer.log(perf); + } + + LOG.debug("<== ServiceREST.getServicePolicies({}): count={}", serviceId, (ret == null ? 0 : ret.getListSize())); + + return ret; + } + + @GET + @Path("/policies/service/name/{name}") + @Produces("application/json") + public RangerPolicyList getServicePoliciesByName(@PathParam("name") String serviceName, @Context HttpServletRequest request) { + LOG.debug("==> ServiceREST.getServicePolicies({})", serviceName); + + SearchFilter filter = searchUtil.getSearchFilter(request, policyService.sortFields); + RangerPolicyList ret = getServicePolicies(serviceName, filter); + + LOG.debug("<== ServiceREST.getServicePolicies({}): count={}", serviceName, (ret == null ? 0 : ret.getListSize())); + + return ret; + } + + @GET + @Path("/policies/download/{serviceName}") + @Produces("application/json") + public ServicePolicies getServicePoliciesIfUpdated(@PathParam("serviceName") String serviceName, @DefaultValue("-1") @QueryParam("lastKnownVersion") Long lastKnownVersion, @DefaultValue("0") @QueryParam("lastActivationTime") Long lastActivationTime, @QueryParam("pluginId") String pluginId, @DefaultValue("") @QueryParam("clusterName") String clusterName, @DefaultValue("") @QueryParam("zoneName") String zoneName, @DefaultValue("false") @QueryParam("supportsPolicyDeltas") Boolean supportsPolicyDeltas, @DefaultValue("") @QueryParam("pluginCapabilities") String pluginCapabilities, @Context HttpServletRequest request) throws Exception { + LOG.debug("==> ServiceREST.getServicePoliciesIfUpdated({}, {}, {}, {}, {}, {})", serviceName, lastKnownVersion, lastActivationTime, pluginId, clusterName, supportsPolicyDeltas); + + ServicePolicies ret = null; + int httpCode = HttpServletResponse.SC_OK; + String logMsg = null; + RangerPerfTracer perf = null; + Long downloadedVersion = null; + boolean isValid = false; + + try { + 
bizUtil.failUnauthenticatedDownloadIfNotAllowed(); + + isValid = serviceUtil.isValidateHttpsAuthentication(serviceName, request); + } catch (WebApplicationException webException) { + httpCode = webException.getResponse().getStatus(); + logMsg = webException.getResponse().getEntity().toString(); + } catch (Exception e) { + httpCode = HttpServletResponse.SC_BAD_REQUEST; + logMsg = e.getMessage(); + } + + if (isValid) { + try { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServicePoliciesIfUpdated(serviceName=" + serviceName + ",lastKnownVersion=" + lastKnownVersion + ",lastActivationTime=" + lastActivationTime + ")"); + } + + ret = svcStore.getServicePoliciesIfUpdated(serviceName, lastKnownVersion, !supportsPolicyDeltas); + + if (ret == null) { + downloadedVersion = lastKnownVersion; + httpCode = HttpServletResponse.SC_NOT_MODIFIED; + logMsg = "No change since last update"; + } else { + downloadedVersion = ret.getPolicyVersion(); + logMsg = "Returning " + (ret.getPolicies() != null ? ret.getPolicies().size() : (ret.getPolicyDeltas() != null ? ret.getPolicyDeltas().size() : 0)) + " policies. 
Policy version=" + ret.getPolicyVersion(); + } + } catch (Throwable excp) { + LOG.error("getServicePoliciesIfUpdated({}, {}, {}) failed", serviceName, lastKnownVersion, lastActivationTime, excp); + + httpCode = HttpServletResponse.SC_BAD_REQUEST; + logMsg = excp.getMessage(); + } finally { + createPolicyDownloadAudit(serviceName, lastKnownVersion, pluginId, httpCode, clusterName, zoneName, request); + RangerPerfTracer.log(perf); + } + } + assetMgr.createPluginInfo(serviceName, pluginId, request, RangerPluginInfo.ENTITY_TYPE_POLICIES, downloadedVersion, lastKnownVersion, lastActivationTime, httpCode, clusterName, pluginCapabilities); + + if (httpCode != HttpServletResponse.SC_OK) { + boolean logError = httpCode != HttpServletResponse.SC_NOT_MODIFIED; + + throw restErrorUtil.createRESTException(httpCode, logMsg, logError); + } + + LOG.debug("<== ServiceREST.getServicePoliciesIfUpdated({}, {}, {}, {}, {}, {}) : count={}", serviceName, lastKnownVersion, lastActivationTime, pluginId, clusterName, supportsPolicyDeltas, ((ret == null || ret.getPolicies() == null) ? 
0 : ret.getPolicies().size())); + + return ret; + } + + @GET + @Path("/secure/policies/download/{serviceName}") + @Produces("application/json") + public ServicePolicies getSecureServicePoliciesIfUpdated(@PathParam("serviceName") String serviceName, @DefaultValue("-1") @QueryParam("lastKnownVersion") Long lastKnownVersion, @DefaultValue("0") @QueryParam("lastActivationTime") Long lastActivationTime, @QueryParam("pluginId") String pluginId, @DefaultValue("") @QueryParam("clusterName") String clusterName, @DefaultValue("") @QueryParam("zoneName") String zoneName, @DefaultValue("false") @QueryParam("supportsPolicyDeltas") Boolean supportsPolicyDeltas, @DefaultValue("") @QueryParam("pluginCapabilities") String pluginCapabilities, @Context HttpServletRequest request) throws Exception { + LOG.debug("==> ServiceREST.getSecureServicePoliciesIfUpdated({}, {}, {}, {}, {}, {})", serviceName, lastKnownVersion, lastActivationTime, pluginId, clusterName, supportsPolicyDeltas); + + ServicePolicies ret = null; + int httpCode = HttpServletResponse.SC_OK; + String logMsg = null; + RangerPerfTracer perf = null; + boolean isAllowed = false; + boolean isAdmin = bizUtil.isAdmin(); + boolean isKeyAdmin = bizUtil.isKeyAdmin(); + Long downloadedVersion = null; + boolean isValid = false; + + request.setAttribute("downloadPolicy", "secure"); + + try { + isValid = serviceUtil.isValidService(serviceName, request); + } catch (WebApplicationException webException) { + httpCode = webException.getResponse().getStatus(); + logMsg = webException.getResponse().getEntity().toString(); + } catch (Exception e) { + httpCode = HttpServletResponse.SC_BAD_REQUEST; + logMsg = e.getMessage(); + } + + if (isValid) { + try { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getSecureServicePoliciesIfUpdated(serviceName=" + serviceName + ",lastKnownVersion=" + lastKnownVersion + ",lastActivationTime=" + lastActivationTime + ")"); + } + + 
XXService xService = daoManager.getXXService().findByName(serviceName); + XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType()); + RangerService rangerService; + + if (StringUtils.equals(xServiceDef.getImplclassname(), EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) { + rangerService = svcStore.getServiceByNameForDP(serviceName); + + if (isKeyAdmin) { + isAllowed = true; + } else { + if (rangerService != null) { + isAllowed = bizUtil.isUserAllowed(rangerService, Allowed_User_List_For_Download); + + if (!isAllowed) { + isAllowed = bizUtil.isUserAllowed(rangerService, Allowed_User_List_For_Grant_Revoke); + } + } + } + } else { + rangerService = svcStore.getServiceByName(serviceName); + + if (isAdmin) { + isAllowed = true; + } else { + if (rangerService != null) { + isAllowed = bizUtil.isUserAllowed(rangerService, Allowed_User_List_For_Download); + + if (!isAllowed) { + isAllowed = bizUtil.isUserAllowed(rangerService, Allowed_User_List_For_Grant_Revoke); + } + } + } + } + + if (isAllowed) { + ret = svcStore.getServicePoliciesIfUpdated(serviceName, lastKnownVersion, !supportsPolicyDeltas); + + if (ret == null) { + downloadedVersion = lastKnownVersion; + httpCode = HttpServletResponse.SC_NOT_MODIFIED; + logMsg = "No change since last update"; + } else { + downloadedVersion = ret.getPolicyVersion(); + logMsg = "Returning " + (ret.getPolicies() != null ? ret.getPolicies().size() : (ret.getPolicyDeltas() != null ? ret.getPolicyDeltas().size() : 0)) + " policies. Policy version=" + ret.getPolicyVersion(); + } + } else { + LOG.error("getSecureServicePoliciesIfUpdated({}, {}) failed as User doesn't have permission to download Policy", serviceName, lastKnownVersion); + + httpCode = HttpServletResponse.SC_FORBIDDEN; // assert user is authenticated. 
+ logMsg = "User doesn't have permission to download policy"; + } + } catch (Throwable excp) { + LOG.error("getSecureServicePoliciesIfUpdated({}, {}, {}) failed", serviceName, lastKnownVersion, lastActivationTime, excp); + + httpCode = HttpServletResponse.SC_BAD_REQUEST; + logMsg = excp.getMessage(); + } finally { + createPolicyDownloadAudit(serviceName, lastKnownVersion, pluginId, httpCode, clusterName, zoneName, request); + RangerPerfTracer.log(perf); + } + } + + assetMgr.createPluginInfo(serviceName, pluginId, request, RangerPluginInfo.ENTITY_TYPE_POLICIES, downloadedVersion, lastKnownVersion, lastActivationTime, httpCode, clusterName, pluginCapabilities); + + if (httpCode != HttpServletResponse.SC_OK) { + boolean logError = httpCode != HttpServletResponse.SC_NOT_MODIFIED; + + throw restErrorUtil.createRESTException(httpCode, logMsg, logError); + } + + LOG.debug("<== ServiceREST.getSecureServicePoliciesIfUpdated({}, {}, {}, {}, {}, {}) : count={}", serviceName, lastKnownVersion, lastActivationTime, pluginId, clusterName, supportsPolicyDeltas, ((ret == null || ret.getPolicies() == null) ? 
0 : ret.getPolicies().size())); + + return ret; + } + + @DELETE + @Path("/server/policydeltas") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + public void deletePolicyDeltas(@DefaultValue("7") @QueryParam("days") Integer olderThan, @Context HttpServletRequest request) { + LOG.debug("==> ServiceREST.deletePolicyDeltas({})", olderThan); + + svcStore.resetPolicyUpdateLog(olderThan, RangerPolicyDelta.CHANGE_TYPE_INVALIDATE_POLICY_DELTAS); + + LOG.debug("<== ServiceREST.deletePolicyDeltas({})", olderThan); + } + + @DELETE + @Path("/server/purgepolicies/{serviceName}") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + public void purgeEmptyPolicies(@PathParam("serviceName") String serviceName, @Context HttpServletRequest request) { + LOG.debug("==> ServiceREST.purgeEmptyPolicies({})", serviceName); + + if (serviceName == null) { + throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, "Invalid service name", true); + } + + RangerPerfTracer perf = null; + + try { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.purgeEmptyPolicies(serviceName=" + serviceName + ")"); + } + + if (svcStore.getServiceByName(serviceName) == null) { + throw new Exception("service does not exist - name=" + serviceName); + } + + ServicePolicies servicePolicies = svcStore.getServicePolicies(serviceName, -1L); + + if (servicePolicies != null && CollectionUtils.isNotEmpty(servicePolicies.getPolicies())) { + for (RangerPolicy policy : servicePolicies.getPolicies()) { + if (CollectionUtils.isEmpty(PolicyRefUpdater.getAllPolicyItems(policy))) { + deletePolicy(policy.getId()); + } + } + } + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + LOG.error("purgeEmptyPolicies({}) failed", serviceName, excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + RangerPerfTracer.log(perf); + } + + LOG.debug("<== ServiceREST.purgeEmptyPolicies({})", serviceName); + } 
+ + @GET + @Path("/policies/eventTime") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_POLICY_FROM_EVENT_TIME + "\")") + public RangerPolicy getPolicyFromEventTime(@Context HttpServletRequest request) { + LOG.debug("==> ServiceREST.getPolicyFromEventTime()"); + + String eventTimeStr = request.getParameter("eventTime"); + String policyIdStr = request.getParameter("policyId"); + String versionNoStr = request.getParameter("versionNo"); + + if (StringUtils.isEmpty(eventTimeStr) || StringUtils.isEmpty(policyIdStr)) { + throw restErrorUtil.createRESTException("EventTime or policyId cannot be null or empty string.", MessageEnums.INVALID_INPUT_DATA); + } + + Long policyId = Long.parseLong(policyIdStr); + RangerPolicy policy = null; + + if (!StringUtil.isEmpty(versionNoStr)) { + int policyVersion = Integer.parseInt(versionNoStr); + + try { + policy = svcStore.getPolicyForVersionNumber(policyId, policyVersion); + + if (policy != null) { + ensureAdminAndAuditAccess(policy); + } + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + // Ignore any other exception and go for fetching the policy by eventTime + } + } + + if (policy == null) { + try { + policy = svcStore.getPolicyFromEventTime(eventTimeStr, policyId); + + if (policy != null) { + ensureAdminAndAuditAccess(policy); + } + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + LOG.error("getPolicy({}) failed", policyId, excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } + } + + if (policy == null) { + throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "Not found", true); + } + + LOG.debug("<== ServiceREST.getPolicy({}): {}", policyId, policy); + LOG.debug("<== ServiceREST.getPolicyFromEventTime()"); + + return policy; + } + + @GET + @Path("/policy/{policyId}/versionList") + @Produces("application/json") + 
@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_POLICY_VERSION_LIST + "\")") + public VXString getPolicyVersionList(@PathParam("policyId") Long policyId) { + return svcStore.getPolicyVersionList(policyId); + } + + @GET + @Path("/policy/{policyId}/version/{versionNo}") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_POLICY_FOR_VERSION_NO + "\")") + public RangerPolicy getPolicyForVersionNumber(@PathParam("policyId") Long policyId, @PathParam("versionNo") int versionNo) { + RangerPolicy policy = svcStore.getPolicyForVersionNumber(policyId, versionNo); + + if (policy != null) { + ensureAdminAndAuditAccess(policy); + } + + return policy; + } + + @GET + @Path("/plugins/info") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_PLUGINS_INFO + "\")") + public RangerPluginInfoList getPluginsInfo(@Context HttpServletRequest request) { + LOG.debug("==> ServiceREST.getPluginsInfo()"); + + RangerPluginInfoList ret = null; + SearchFilter filter = searchUtil.getSearchFilter(request, pluginInfoService.getSortFields()); + + try { + PList paginatedPluginsInfo = pluginInfoService.searchRangerPluginInfo(filter); + if (paginatedPluginsInfo != null) { + ret = new RangerPluginInfoList(); + + ret.setPluginInfoList(paginatedPluginsInfo.getList()); + ret.setPageSize(paginatedPluginsInfo.getPageSize()); + ret.setResultSize(paginatedPluginsInfo.getResultSize()); + ret.setStartIndex(paginatedPluginsInfo.getStartIndex()); + ret.setTotalCount(paginatedPluginsInfo.getTotalCount()); + ret.setSortBy(paginatedPluginsInfo.getSortBy()); + ret.setSortType(paginatedPluginsInfo.getSortType()); + } + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + LOG.error("getPluginsInfo() failed", excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } + + LOG.debug("<== 
ServiceREST.getPluginsInfo()"); + + return ret; + } + + public void blockIfGdsService(String serviceName) { + String serviceType = daoManager.getXXServiceDef().findServiceDefTypeByServiceName(serviceName); + + if (EMBEDDED_SERVICEDEF_GDS_NAME.equals(serviceType)) { + throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, EMBEDDED_SERVICEDEF_GDS_NAME.toUpperCase() + " policies can't be managed via this API", true); + } + } + + public RangerPolicyAdmin getPolicyAdminForDelegatedAdmin(String serviceName) { + return RangerPolicyAdminCacheForEngineOptions.getInstance().getServicePoliciesAdmin(serviceName, svcStore, zoneStore, roleDBStore, delegateAdminOptions); + } + + public List getPoliciesWithMetaAttributes(List policies) { + return svcStore.getPoliciesWithMetaAttributes(policies); + } + + @GET + @Path("/checksso") + @Produces(MediaType.TEXT_PLAIN) + public String checkSSO() { + return String.valueOf(bizUtil.isSSOEnabled()); + } + + @GET + @Path("/csrfconf") + @Produces("application/json") + public HashMap getCSRFProperties(@Context HttpServletRequest request) { + return getCSRFPropertiesMap(request); + } + + @GET + @Path("/metrics/type/{type}") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_METRICS_BY_TYPE + "\")") + public String getMetricByType(@PathParam("type") String type) { + LOG.debug("==> ServiceREST.getMetricByType(serviceDefName={})", type); + + // as of now we are allowing only users with Admin role to access this + // API + bizUtil.checkSystemAdminAccess(); + bizUtil.blockAuditorRoleUser(); + + String ret; + + try { + ServiceDBStore.METRIC_TYPE metricType = ServiceDBStore.METRIC_TYPE.getMetricTypeByName(type); + + if (metricType == null) { + throw restErrorUtil.createRESTException("Metric type=" + type + ", not supported."); + } + + ret = svcStore.getMetricByType(metricType); + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + 
LOG.error("getMetricByType({}) failed", type, excp); + throw restErrorUtil.createRESTException(excp.getMessage()); + } + + if (ret == null) { + throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "Not found", true); + } + + LOG.debug("<== ServiceREST.getMetricByType({}): {}", type, ret); + + return ret; + } + + /** + * Delete services/ repos associated with cluster. + * Only users with Ranger UserAdmin OR KeyAdmin are allowed to access this API. + * + * @param clusterName + * @return List of {@link ServiceDeleteResponse serviceDeleteResponse}. + */ + @DELETE + @Path("/cluster-services/{clusterName}") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_CLUSTER_SERVICES + "\")") + public ResponseEntity> deleteClusterServices(@PathParam("clusterName") String clusterName) { + LOG.debug("==> ServiceREST.deleteClusterServices({})", clusterName); + + List deletedServices = new ArrayList<>(); + HttpStatus responseStatus = HttpStatus.OK; + + try { + //check if user has ADMIN privileges + bizUtil.hasAdminPermissions("Services"); + + //get all service/ repo IDs to delete + List serviceIdsToBeDeleted = daoManager.getXXServiceConfigMap().findServiceIdsByClusterName(clusterName); + + if (serviceIdsToBeDeleted.isEmpty()) { + responseStatus = HttpStatus.NOT_FOUND; + } else { + //delete each service/ repo one by one + for (Long serviceId : serviceIdsToBeDeleted) { + ServiceDeleteResponse deleteResponse = new ServiceDeleteResponse(serviceId); + + try { + String serviceName = this.deleteServiceById(serviceId); + + deleteResponse.setServiceName(serviceName); + deleteResponse.setIsDeleted(Boolean.TRUE); + } catch (Throwable e) { + //log and proceed + LOG.warn("Skipping deletion of service with ID={}", serviceId); + + e.printStackTrace(); + deleteResponse.setIsDeleted(Boolean.FALSE); + deleteResponse.setErrorMsg(e.getMessage()); + } + + deletedServices.add(deleteResponse); + } + } + } catch 
(WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + LOG.error("Deleting services associated with cluster=({}) failed", clusterName, excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } + + LOG.debug("<== ServiceREST.deleteClusterServices() - deletedServices: {}", deletedServices); + + return new ResponseEntity<>(deletedServices, responseStatus); + } + + @GET + @Path("/policies/guid/{guid}") + @Produces("application/json") + public RangerPolicy getPolicyByGUIDAndServiceNameAndZoneName(@PathParam("guid") String guid, @DefaultValue("") @QueryParam("serviceName") String serviceName, @DefaultValue("") @QueryParam("zoneName") String zoneName) { + LOG.debug("==> ServiceREST.getPolicyByGUIDAndServiceNameAndZoneName({}, {}, {})", guid, serviceName, zoneName); + + RangerPolicy ret; + RangerPerfTracer perf = null; + + try { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getPolicyByGUIDAndServiceNameAndZoneName(policyGUID=" + guid + ", serviceName=" + serviceName + ", zoneName=" + zoneName + ")"); + } + + ret = svcStore.getPolicy(guid, serviceName, zoneName); + + if (ret != null) { + ensureAdminAndAuditAccess(ret); + } + } catch (WebApplicationException excp) { + throw excp; + } catch (Throwable excp) { + LOG.error("getPolicyByGUIDAndServiceNameAndZoneName({}, {}, {}) failed", guid, serviceName, zoneName, excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + RangerPerfTracer.log(perf); + } + + if (ret == null) { + throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "Not found", true); + } + + LOG.debug("<== ServiceREST.getPolicyByGUIDAndServiceNameAndZoneName({}, {}, {}) : {}", guid, serviceName, zoneName, ret); + + return ret; + } + + @DELETE + @Path("/policies/guid/{guid}") + public void deletePolicyByGUIDAndServiceNameAndZoneName(@PathParam("guid") String guid, @DefaultValue("") 
@QueryParam("serviceName") String serviceName, @DefaultValue("") @QueryParam("zoneName") String zoneName) {
+ LOG.debug("==> ServiceREST.deletePolicyByGUIDAndServiceNameAndZoneName({}, {}, {})", guid, serviceName, zoneName);
+
+ RangerPolicy ret;
+ RangerPerfTracer perf = null;
+
+ try {
+ if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.deletePolicyByGUIDAndServiceNameAndZoneName(policyGUID=" + guid + ", serviceName=" + serviceName + ", zoneName=" + zoneName + ")");
+ }
+
+ ret = getPolicyByGUIDAndServiceNameAndZoneName(guid, serviceName, zoneName);
+
+ if (ret != null) {
+ deletePolicy(ret.getId());
+ }
+ } catch (WebApplicationException excp) {
+ throw excp;
+ } catch (Throwable excp) {
+ LOG.error("deletePolicyByGUIDAndServiceNameAndZoneName({}, {}, {}) failed", guid, serviceName, zoneName, excp);
+
+ throw restErrorUtil.createRESTException(excp.getMessage());
+ } finally {
+ RangerPerfTracer.log(perf);
+ }
+
+ LOG.debug("<== ServiceREST.deletePolicyByGUIDAndServiceNameAndZoneName({}, {}, {}) : {}", guid, serviceName, zoneName, ret);
+ }
+
+ @DELETE
+ @Path("/server/purge/records")
+ @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
+ public List purgeRecords(@QueryParam("type") String recordType, @DefaultValue("180") @QueryParam("retentionDays") Integer olderThan, @Context HttpServletRequest request) {
+ LOG.debug("==> ServiceREST.purgeRecords({}, {})", recordType, olderThan);
+
+ List ret = new ArrayList<>();
+ RangerPerfTracer perf = null;
+
+ try {
+ if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.purgeRecords(recordType=" + recordType + ", olderThan=" + olderThan + ")");
+ }
+
+ if (olderThan < 1) {
+ throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, "Retention days can't be lesser than 1", true);
+ }
+
+ if (PURGE_RECORD_TYPE_LOGIN_LOGS.equalsIgnoreCase(recordType)) {
+
svcStore.removeAuthSessions(olderThan, ret);
+ } else if (PURGE_RECORD_TYPE_TRX_LOGS.equalsIgnoreCase(recordType)) {
+ svcStore.removeTransactionLogs(olderThan, ret);
+ } else if (PURGE_RECORD_TYPE_POLICY_EXPORT_LOGS.equalsIgnoreCase(recordType)) {
+ svcStore.removePolicyExportLogs(olderThan, ret);
+ } else {
+ throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, recordType + ": invalid record type. Valid values: [ " + PURGE_RECORD_TYPE_LOGIN_LOGS + ", " + PURGE_RECORD_TYPE_TRX_LOGS + ", " + PURGE_RECORD_TYPE_POLICY_EXPORT_LOGS + " ]", true);
+ }
+ } catch (WebApplicationException excp) {
+ throw excp;
+ } catch (Throwable excp) {
+ LOG.error("purgeRecords({}, {}) failed", recordType, olderThan, excp);
+
+ throw restErrorUtil.createRESTException(excp.getMessage());
+ } finally {
+ RangerPerfTracer.log(perf);
+ }
+
+ LOG.debug("<== ServiceREST.purgeRecords({}, {}) : {}", recordType, olderThan, ret);
+
+ return ret;
+ }
+
+ public RangerPolicyResource getPolicyResource(Object resourceName, GrantRevokeRequest grantRequest) {
+ RangerPolicyResource ret;
+
+ if (resourceName instanceof List) {
+ List resourceValues = (List) resourceName;
+
+ ret = new RangerPolicyResource(resourceValues, false, grantRequest.getIsRecursive());
+ } else {
+ ret = new RangerPolicyResource((String) resourceName);
+
+ ret.setIsRecursive(grantRequest.getIsRecursive());
+ }
+
+ return ret;
+ }
+
+ /**
+ * Returns {@link RangerPolicy} for non-empty serviceName, policyName and zoneName null otherwise.
+ *
+ * @param serviceName
+ * @param policyName
+ * @param zoneName
+ * @return
+ */
+ public RangerPolicy getPolicyByName(String serviceName, String policyName, String zoneName) {
+ LOG.debug("==> ServiceREST.getPolicyByName({}, {}, {})", serviceName, policyName, zoneName);
+
+ RangerPolicy ret = null;
+
+ if (StringUtils.isNotBlank(serviceName) && StringUtils.isNotBlank(policyName)) {
+ XXPolicy dbPolicy = daoManager.getXXPolicy().findPolicy(policyName, serviceName, zoneName);
+
+ if (dbPolicy != null) {
+ ret = policyService.getPopulatedViewObject(dbPolicy);
+ }
+
+ if (ret != null) {
+ ensureAdminAndAuditAccess(ret);
+ }
+ }
+
+ LOG.debug("<== ServiceREST.getPolicyByName({}, {}, {}) : {}", serviceName, policyName, zoneName, (ret != null ? ret : "ret is null"));
+
+ return ret;
+ }
+
+ void ensureAdminAccess(RangerPolicy policy) {
+ blockIfGdsService(policy.getService());
+
+ boolean isAdmin = bizUtil.isAdmin();
+ boolean isKeyAdmin = bizUtil.isKeyAdmin();
+ String userName = bizUtil.getCurrentUserLoginId();
+ boolean isSvcAdmin = isAdmin || svcStore.isServiceAdminUser(policy.getService(), userName);
+
+ if (!isAdmin && !isKeyAdmin && !isSvcAdmin) {
+ Set userGroups = userMgr.getGroupsForUser(userName);
+ boolean isAllowed;
+
+ //for zone policy create /update / delete
+ if (!StringUtils.isEmpty(policy.getZoneName()) && serviceMgr.isZoneAdmin(policy.getZoneName())) {
+ isAllowed = true;
+ } else {
+ isAllowed = hasAdminAccess(policy, userName, userGroups);
+ }
+
+ if (!isAllowed) {
+ throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "User '" + userName + "' does not have delegated-admin privilege on given resources", true);
+ }
+ } else {
+ XXService xService = daoManager.getXXService().findByName(policy.getService());
+ XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType());
+
+ if (isAdmin) {
+ if (EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(xServiceDef.getImplclassname())) {
+ throw
restErrorUtil.createRESTException("KMS Policies/Services/Service-Defs are not accessible for user '" + userName + "'.", MessageEnums.OPER_NO_PERMISSION);
+ }
+ } else if (isKeyAdmin) {
+ if (!EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(xServiceDef.getImplclassname())) {
+ throw restErrorUtil.createRESTException("Only KMS Policies/Services/Service-Defs are accessible for user '" + userName + "'.", MessageEnums.OPER_NO_PERMISSION);
+ }
+ }
+ }
+ }
+
+ void ensureAdminAndAuditAccess(RangerPolicy policy) {
+ ensureAdminAndAuditAccess(policy, new HashMap<>());
+ }
+
+ void ensureAdminAndAuditAccess(RangerPolicy policy, Map mapServiceTypeAndImplClass) {
+ boolean isAdmin = bizUtil.isAdmin();
+ boolean isKeyAdmin = bizUtil.isKeyAdmin();
+ String userName = bizUtil.getCurrentUserLoginId();
+ boolean isAuditAdmin = bizUtil.isAuditAdmin();
+ boolean isAuditKeyAdmin = bizUtil.isAuditKeyAdmin();
+ boolean isSvcAdmin = isAdmin || svcStore.isServiceAdminUser(policy.getService(), userName) || (!StringUtils.isEmpty(policy.getZoneName()) && (serviceMgr.isZoneAdmin(policy.getZoneName()) || serviceMgr.isZoneAuditor(policy.getZoneName())));
+
+ if (!isAdmin && !isKeyAdmin && !isSvcAdmin && !isAuditAdmin && !isAuditKeyAdmin) {
+ boolean isAllowed = false;
+ Set userGroups = userMgr.getGroupsForUser(userName);
+ RangerPolicyAdmin policyAdmin = getPolicyAdminForDelegatedAdmin(policy.getService());
+
+ if (policyAdmin != null) {
+ Map evalContext = new HashMap<>();
+
+ RangerAccessRequestUtil.setCurrentUserInContext(evalContext, userName);
+
+ Set roles = policyAdmin.getRolesFromUserAndGroups(userName, userGroups);
+
+ isAllowed = policyAdmin.isDelegatedAdminAccessAllowedForRead(policy, userName, userGroups, roles, evalContext);
+ }
+
+ if (!isAllowed) {
+ throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "User '" + userName + "' does not have delegated-admin privilege on given resources", true);
+ }
+ } else {
+ if
(StringUtils.isBlank(policy.getServiceType())) {
+ XXService xService = daoManager.getXXService().findByName(policy.getService());
+ XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType());
+
+ mapServiceTypeAndImplClass.put(xServiceDef.getName(), xServiceDef.getImplclassname());
+ policy.setServiceType(xServiceDef.getName());
+ } else if (!mapServiceTypeAndImplClass.containsKey(policy.getServiceType())) {
+ XXService xService = daoManager.getXXService().findByName(policy.getService());
+ XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType());
+
+ mapServiceTypeAndImplClass.put(xServiceDef.getName(), xServiceDef.getImplclassname());
+ }
+
+ String serviceDefImplClass = mapServiceTypeAndImplClass.get(policy.getServiceType());
+
+ if (isAdmin || isAuditAdmin) {
+ if (EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(serviceDefImplClass)) {
+ throw restErrorUtil.createRESTException("KMS Policies/Services/Service-Defs are not accessible for user '" + userName + "'.", MessageEnums.OPER_NO_PERMISSION);
+ }
+ } else if (isKeyAdmin || isAuditKeyAdmin) {
+ if (!EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(serviceDefImplClass)) {
+ throw restErrorUtil.createRESTException("Only KMS Policies/Services/Service-Defs are accessible for user '" + userName + "'.", MessageEnums.OPER_NO_PERMISSION);
+ }
+ }
+ }
+ }
+
+ boolean isServiceAdmin(String serviceName) {
+ boolean ret = bizUtil.isAdmin();
+
+ if (!ret && StringUtils.isNotEmpty(serviceName)) {
+ ret = svcStore.isServiceAdminUser(serviceName, bizUtil.getCurrentUserLoginId());
+ }
+
+ return ret;
+ }
+
+ private String validateResourcePoliciesRequest(String serviceDefName, String serviceName, HttpServletRequest request, List services, Map resource) {
+ LOG.debug("==> ServiceREST.validatePoliciesForResourceRequest(service-type={}, service-name={})", serviceDefName, serviceName);
+
+ final String ret;
+
+ if (MapUtils.isNotEmpty(request.getParameterMap())) {
+ for
(Entry e : request.getParameterMap().entrySet()) {
+ String name = e.getKey();
+ String[] values = e.getValue();
+
+ if (!StringUtils.isEmpty(name) && !ArrayUtils.isEmpty(values) && name.startsWith(SearchFilter.RESOURCE_PREFIX)) {
+ resource.put(name.substring(SearchFilter.RESOURCE_PREFIX.length()), values[0]);
+ }
+ }
+ }
+
+ if (MapUtils.isEmpty(resource)) {
+ ret = "No resource specified";
+ } else {
+ RangerServiceDef serviceDef = null;
+
+ try {
+ serviceDef = svcStore.getServiceDefByName(serviceDefName);
+ } catch (Exception e) {
+ LOG.error("Invalid service-type:[{}]", serviceDefName, e);
+ }
+
+ if (serviceDef == null) {
+ ret = "Invalid service-type:[" + serviceDefName + "]";
+ } else {
+ Set resourceDefNames = resource.keySet();
+ RangerServiceDefHelper serviceDefHelper = new RangerServiceDefHelper(serviceDef);
+ Set> resourceHierarchies = serviceDefHelper.getResourceHierarchies(RangerPolicy.POLICY_TYPE_ACCESS, resourceDefNames);
+
+ if (CollectionUtils.isEmpty(resourceHierarchies)) {
+ ret = "Invalid resource specified: resource-names:" + resourceDefNames + " are not part of any valid resource hierarchy for service-type:[" + serviceDefName + "]";
+ } else {
+ if (StringUtils.isNotBlank(serviceName)) {
+ RangerService service = null;
+
+ try {
+ service = svcStore.getServiceByName(serviceName);
+ } catch (Exception e) {
+ LOG.error("Invalid service-name:[{}]", serviceName);
+ }
+
+ if (service == null || !StringUtils.equals(service.getType(), serviceDefName)) {
+ ret = "Invalid service-name:[" + serviceName + "] or service-type:[" + serviceDefName + "]";
+ } else {
+ services.add(service);
+ ret = StringUtils.EMPTY;
+ }
+ } else {
+ SearchFilter filter = new SearchFilter();
+
+ filter.setParam(SearchFilter.SERVICE_TYPE, serviceDefName);
+
+ List serviceList = null;
+
+ try {
+ serviceList = svcStore.getServices(filter);
+ } catch (Exception e) {
+ LOG.error("Cannot find service of service-type:[{}]", serviceDefName);
+ }
+
+ if
(CollectionUtils.isEmpty(serviceList) || serviceList.size() != 1) {
+ ret = "Either 0 or more than 1 services found for service-type :[" + serviceDefName + "]";
+ } else {
+ services.add(serviceList.get(0));
+
+ ret = StringUtils.EMPTY;
+ }
+ }
+ }
+ }
+ }
+
+ LOG.debug("<== ServiceREST.validatePoliciesForResourceRequest(service-type={}, service-name={}) : {}", serviceDefName, serviceName, ret);
+
+ return ret;
+ }
+
+ private void requestParamsValidation(SearchFilter filter) {
+ boolean fetchAllZonePolicies = Boolean.parseBoolean(filter.getParam(SearchFilter.FETCH_ZONE_UNZONE_POLICIES));
+ String zoneName = filter.getParam(SearchFilter.ZONE_NAME);
+
+ if (fetchAllZonePolicies && StringUtils.isNotEmpty(zoneName)) {
+ throw restErrorUtil.createRESTException("Invalid parameter: " + SearchFilter.ZONE_NAME + " can not be provided, along with " + SearchFilter.FETCH_ZONE_UNZONE_POLICIES + "=true");
+ }
+ }
+
+ private int createPolicesBasedOnPolicyMap(HttpServletRequest request, Map policiesMap, List serviceNameList, boolean updateIfExists, int totalPolicyCreate) {
+ boolean mergeIfExists = "true".equalsIgnoreCase(StringUtils.trimToEmpty(request.getParameter(PARAM_MERGE_IF_EXISTS)));
+ boolean deleteIfExists = "true".equalsIgnoreCase(StringUtils.trimToEmpty(request.getParameter(PARAM_DELETE_IF_EXISTS)));
+
+ if (!CollectionUtils.sizeIsEmpty(policiesMap.entrySet())) {
+ for (Entry entry : policiesMap.entrySet()) {
+ RangerPolicy policy = entry.getValue();
+
+ if (policy != null) {
+ if (!CollectionUtils.isEmpty(serviceNameList)) {
+ for (String service : serviceNameList) {
+ if (StringUtils.isNotEmpty(service.trim()) && StringUtils.isNotEmpty(policy.getService().trim())) {
+ if (policy.getService().trim().equalsIgnoreCase(service.trim())) {
+ if (updateIfExists || mergeIfExists || deleteIfExists) {
+ request.setAttribute(PARAM_SERVICE_NAME, policy.getService());
+ request.setAttribute(PARAM_POLICY_NAME, policy.getName());
+ request.setAttribute(PARAM_ZONE_NAME,
policy.getZoneName());
+
+ if (mergeIfExists && !ServiceRESTUtil.containsRangerCondition(policy)) {
+ String user = request.getRemoteUser();
+ RangerPolicy existingPolicy;
+
+ try {
+ existingPolicy = getExactMatchPolicyForResource(policy, StringUtils.isNotBlank(user) ? user : "admin");
+ } catch (Exception e) {
+ existingPolicy = null;
+ }
+
+ if (existingPolicy == null) {
+ createPolicy(policy, request);
+ } else {
+ ServiceRESTUtil.mergeExactMatchPolicyForResource(existingPolicy, policy);
+
+ updatePolicy(existingPolicy, null);
+ }
+ } else {
+ createPolicy(policy, request);
+ }
+ } else {
+ createPolicy(policy, request);
+ }
+
+ totalPolicyCreate = totalPolicyCreate + 1;
+
+ LOG.debug("Policy {} created successfully.", policy.getName());
+
+ break;
+ }
+ } else {
+ LOG.error("Service Name or Policy Name is not provided!!");
+
+ throw restErrorUtil.createRESTException("Service Name or Policy Name is not provided!!");
+ }
+ }
+ } else {
+ if (updateIfExists || mergeIfExists || deleteIfExists) {
+ request.setAttribute(PARAM_SERVICE_NAME, policy.getService());
+ request.setAttribute(PARAM_POLICY_NAME, policy.getName());
+ request.setAttribute(PARAM_ZONE_NAME, policy.getZoneName());
+
+ if (mergeIfExists && !ServiceRESTUtil.containsRangerCondition(policy)) {
+ String user = request.getRemoteUser();
+ RangerPolicy existingPolicy;
+
+ try {
+ existingPolicy = getExactMatchPolicyForResource(policy, StringUtils.isNotBlank(user) ?
user : "admin");
+ } catch (Exception e) {
+ existingPolicy = null;
+ }
+
+ if (existingPolicy == null) {
+ createPolicy(policy, request);
+ } else {
+ ServiceRESTUtil.mergeExactMatchPolicyForResource(existingPolicy, policy);
+
+ updatePolicy(existingPolicy, null);
+ }
+ } else {
+ createPolicy(policy, request);
+ }
+ } else {
+ createPolicy(policy, request);
+ }
+
+ totalPolicyCreate = totalPolicyCreate + 1;
+
+ LOG.debug("Policy {} created successfully.", policy.getName());
+ }
+ }
+
+ if (totalPolicyCreate % RangerBizUtil.POLICY_BATCH_SIZE == 0) {
+ bizUtil.bulkModeOnlyFlushAndClear();
+ }
+ }
+
+ bizUtil.bulkModeOnlyFlushAndClear();
+
+ LOG.debug("Total Policy Created From Json file : {}", totalPolicyCreate);
+ }
+
+ return totalPolicyCreate;
+ }
+
+ private List getPoliciesFromProvidedJson(RangerExportPolicyList rangerExportPolicyList) {
+ List policies;
+
+ if (rangerExportPolicyList != null && !CollectionUtils.sizeIsEmpty(rangerExportPolicyList.getPolicies())) {
+ policies = rangerExportPolicyList.getPolicies();
+ } else {
+ LOG.error("Provided json file does not contain any policy!!");
+
+ throw restErrorUtil.createRESTException("Provided json file does not contain any policy!!");
+ }
+
+ return policies;
+ }
+
+ private RangerExportPolicyList processPolicyInputJsonForMetaData(InputStream uploadedInputStream, RangerExportPolicyList rangerExportPolicyList) throws Exception {
+ String policiesString = IOUtils.toString(uploadedInputStream).trim();
+
+ if (StringUtils.isNotEmpty(policiesString)) {
+ rangerExportPolicyList = JsonUtilsV2.jsonToObj(policiesString, RangerExportPolicyList.class);
+ } else {
+ LOG.error("Provided json file is empty!!");
+
+ throw restErrorUtil.createRESTException("Provided json file is empty!!");
+ }
+
+ return rangerExportPolicyList;
+ }
+
+ private void getServiceNameList(HttpServletRequest request, List serviceNameList) {
+ SearchFilter filter = searchUtil.getSearchFilter(request, policyService.sortFields);
+ String serviceType =
null;
+ List serviceTypeList = null;
+
+ if (StringUtils.isNotEmpty(request.getParameter(PARAM_SERVICE_TYPE))) {
+ serviceType = request.getParameter(PARAM_SERVICE_TYPE);
+ }
+
+ if (StringUtils.isNotEmpty(serviceType)) {
+ serviceTypeList = new ArrayList<>(Arrays.asList(serviceType.split(",")));
+ }
+
+ List rangerServiceList;
+ List rangerServiceLists = new ArrayList<>();
+
+ if (CollectionUtils.isNotEmpty(serviceTypeList)) {
+ for (String s : serviceTypeList) {
+ filter.removeParam(PARAM_SERVICE_TYPE);
+ filter.setParam(PARAM_SERVICE_TYPE, s.trim());
+
+ rangerServiceList = getServices(filter);
+
+ rangerServiceLists.addAll(rangerServiceList);
+ }
+ }
+
+ if (!CollectionUtils.sizeIsEmpty(rangerServiceLists)) {
+ for (RangerService rService : rangerServiceLists) {
+ if (StringUtils.isNotEmpty(rService.getName())) {
+ serviceNameList.add(rService.getName());
+ }
+ }
+ }
+ }
+
+ private boolean validateDestZoneServiceMapping(String destinationZoneName, RangerPolicy policyInJson, Map servicesMappingMap) {
+ boolean isZoneServiceExistAtDestination = false;
+ XXSecurityZone xdestZone = daoManager.getXXSecurityZoneDao().findByZoneName(destinationZoneName);
+
+ if (xdestZone == null) {
+ LOG.error("destination zone provided does not exist");
+ throw restErrorUtil.createRESTException("destination zone provided does not exist");
+ }
+
+ // CHECK IF json policies service is there on destination and asscioated with
+ // destination zone.
+
+ String serviceNameToCheck = policyInJson.getService();
+
+ if (StringUtils.isNotBlank(serviceNameToCheck) && servicesMappingMap.containsKey(serviceNameToCheck)) {
+ serviceNameToCheck = servicesMappingMap.get(policyInJson.getService());
+ }
+
+ List serviceZoneMapping = daoManager.getXXSecurityZoneRefService().findByServiceNameAndZoneId(serviceNameToCheck, xdestZone.getId());
+ List tagServiceZoneMapping = daoManager.getXXSecurityZoneRefTagService().findByTagServiceNameAndZoneId(serviceNameToCheck, xdestZone.getId());
+
+ if (!CollectionUtils.isEmpty(serviceZoneMapping) || !CollectionUtils.isEmpty(tagServiceZoneMapping)) {
+ isZoneServiceExistAtDestination = true;
+ }
+
+ return isZoneServiceExistAtDestination;
+ }
+
+ private String getDestinationZoneName(List destinationZones, String zoneNameInJson) {
+ String destinationZoneName;
+
+ if (CollectionUtils.isNotEmpty(destinationZones)) {
+ destinationZoneName = destinationZones.get(0);
+ } else {
+ destinationZoneName = zoneNameInJson;
+ }
+
+ return destinationZoneName;
+ }
+
+ private void processServiceMapping(Map servicesMappingMap, List sourceServices, List destinationServices) {
+ if (!CollectionUtils.sizeIsEmpty(servicesMappingMap)) {
+ for (Entry map : servicesMappingMap.entrySet()) {
+ String sourceServiceName;
+ String destinationServiceName;
+
+ if (StringUtils.isNotEmpty(map.getKey().trim()) && StringUtils.isNotEmpty(map.getValue().trim())) {
+ sourceServiceName = map.getKey().trim();
+ destinationServiceName = map.getValue().trim();
+ } else {
+ LOG.error("Source service or destination service name is not provided!!");
+
+ throw restErrorUtil.createRESTException("Source service or destonation service name is not provided!!");
+ }
+
+ if (StringUtils.isNotEmpty(sourceServiceName) && StringUtils.isNotEmpty(destinationServiceName)) {
+ sourceServices.add(sourceServiceName);
+ destinationServices.add(destinationServiceName);
+ }
+ }
+ }
+ }
+
+ private void processZoneMapping(Map zoneMappingMap, List
sourceZones, List destinationZones) {
+ if (!CollectionUtils.sizeIsEmpty(zoneMappingMap)) {
+ for (Entry map : zoneMappingMap.entrySet()) {
+ String sourceZoneName = null;
+ String destinationZoneName = null;
+
+ if (StringUtils.isNotEmpty(map.getKey().trim()) || StringUtils.isNotEmpty(map.getValue().trim())) {
+ // zone to zone
+ // zone to unzone
+ // unzone to zone
+ sourceZoneName = map.getKey().trim();
+ destinationZoneName = map.getValue().trim();
+
+ LOG.info("sourceZoneName = {} destinationZoneName = {}", sourceZoneName, destinationZoneName);
+ } else if (StringUtils.isEmpty(map.getKey().trim()) && StringUtils.isEmpty(map.getValue().trim())) {
+ LOG.info("Unzone to unzone policies import");
+ } else {
+ LOG.error("Source zone or destination zone name is not provided!!");
+
+ throw restErrorUtil.createRESTException("Source zone or destination zone name is not provided!!");
+ }
+
+ if (StringUtils.isNotEmpty(sourceZoneName) || StringUtils.isNotEmpty(destinationZoneName)) {
+ sourceZones.add(sourceZoneName);
+ destinationZones.add(destinationZoneName);
+ }
+ }
+ }
+ }
+
+ private List getAllFilteredPolicyList(SearchFilter filter, HttpServletRequest request, List policyLists) {
+ String serviceNames = null;
+ String serviceType = null;
+ List serviceNameList = null;
+ List serviceTypeList = null;
+ List serviceNameInServiceTypeList = new ArrayList<>();
+ boolean isServiceExists;
+
+ if (request.getParameter(PARAM_SERVICE_NAME) != null) {
+ serviceNames = request.getParameter(PARAM_SERVICE_NAME);
+ }
+
+ if (StringUtils.isNotEmpty(serviceNames)) {
+ serviceNameList = new ArrayList<>(Arrays.asList(serviceNames.split(",")));
+ }
+
+ if (request.getParameter(PARAM_SERVICE_TYPE) != null) {
+ serviceType = request.getParameter(PARAM_SERVICE_TYPE);
+ }
+
+ if (StringUtils.isNotEmpty(serviceType)) {
+ serviceTypeList = new ArrayList<>(Arrays.asList(serviceType.split(",")));
+ }
+
+ List policyList;
+ List policyListByServiceName = new ArrayList<>();
+
+ if (filter !=
null) {
+ filter.setStartIndex(0);
+ filter.setMaxRows(Integer.MAX_VALUE);
+
+ if (!CollectionUtils.isEmpty(serviceTypeList)) {
+ for (String s : serviceTypeList) {
+ filter.removeParam(PARAM_SERVICE_TYPE);
+
+ if (request.getParameter(PARAM_SERVICE_NAME) != null) {
+ filter.removeParam(PARAM_SERVICE_NAME);
+ }
+
+ filter.setParam(PARAM_SERVICE_TYPE, s.trim());
+
+ policyList = getPolicies(filter);
+
+ policyLists.addAll(policyList);
+ }
+ if (!CollectionUtils.sizeIsEmpty(policyLists)) {
+ for (RangerPolicy rangerPolicy : policyLists) {
+ if (StringUtils.isNotEmpty(rangerPolicy.getService())) {
+ serviceNameInServiceTypeList.add(rangerPolicy.getService());
+ }
+ }
+ }
+ }
+ if (!CollectionUtils.isEmpty(serviceNameList) && !CollectionUtils.isEmpty(serviceTypeList)) {
+ isServiceExists = serviceNameInServiceTypeList.containsAll(serviceNameList);
+
+ if (isServiceExists) {
+ for (String s : serviceNameList) {
+ filter.removeParam(PARAM_SERVICE_NAME);
+ filter.removeParam(PARAM_SERVICE_TYPE);
+ filter.setParam(PARAM_SERVICE_NAME, s.trim());
+
+ policyList = getPolicies(filter);
+
+ policyListByServiceName.addAll(policyList);
+ }
+
+ policyLists = policyListByServiceName;
+ } else {
+ policyLists = new ArrayList<>();
+ }
+ } else if (CollectionUtils.isEmpty(serviceNameList) && CollectionUtils.isEmpty(serviceTypeList)) {
+ policyLists = getPolicies(filter);
+ }
+ if (!CollectionUtils.isEmpty(serviceNameList) && CollectionUtils.isEmpty(serviceTypeList)) {
+ for (String s : serviceNameList) {
+ filter.removeParam(PARAM_SERVICE_NAME);
+ filter.setParam(PARAM_SERVICE_NAME, s.trim());
+
+ policyList = getPolicies(filter);
+
+ policyLists.addAll(policyList);
+ }
+ }
+ }
+
+ if (StringUtils.isNotEmpty(request.getParameter("resourceMatch")) && "full".equalsIgnoreCase(request.getParameter("resourceMatch"))) {
+ policyLists = serviceUtil.getMatchingPoliciesForResource(request, policyLists);
+ }
+
+ Map orderedPolicies = new TreeMap<>();
+
+ if
(!CollectionUtils.isEmpty(policyLists)) {
+ for (RangerPolicy policy : policyLists) {
+ if (policy != null) {
+ //set createTime & updateTime Time as null since exported policies dont need this
+ policy.setCreateTime(null);
+ policy.setUpdateTime(null);
+
+ orderedPolicies.put(policy.getId(), policy);
+ }
+ }
+ if (!orderedPolicies.isEmpty()) {
+ policyLists.clear();
+
+ policyLists.addAll(orderedPolicies.values());
+ }
+ }
+
+ return policyLists;
+ }
+
+ private void deletePoliciesProvidedInServiceMap(List sourceServices, List destinationServices, String zoneName) throws Exception {
+ int totalDeletedPolicies = 0;
+
+ if (CollectionUtils.isNotEmpty(sourceServices) && CollectionUtils.isNotEmpty(destinationServices)) {
+ RangerPolicyValidator validator = validatorFactory.getPolicyValidator(svcStore);
+
+ for (int i = 0; i < sourceServices.size(); i++) {
+ if (!destinationServices.get(i).isEmpty()) {
+ SearchFilter filter = new SearchFilter();
+
+ filter.setParam(SearchFilter.ZONE_NAME, zoneName);
+ filter.setParam(SearchFilter.SERVICE_NAME, destinationServices.get(i));
+
+ RangerService service = getServiceByName(destinationServices.get(i));
+ final RangerPolicyList servicePolicies = getServicePolicies(destinationServices.get(i), filter);
+
+ if (servicePolicies != null) {
+ List rangerPolicyList = servicePolicies.getPolicies();
+
+ if (CollectionUtils.isNotEmpty(rangerPolicyList)) {
+ for (RangerPolicy rangerPolicy : rangerPolicyList) {
+ if (rangerPolicy != null) {
+ validator.validate(rangerPolicy.getId(), Action.DELETE);
+
+ ensureAdminAccess(rangerPolicy);
+
+ bizUtil.blockAuditorRoleUser();
+ svcStore.deletePolicy(rangerPolicy, service);
+
+ totalDeletedPolicies = totalDeletedPolicies + 1;
+
+ if (totalDeletedPolicies % RangerBizUtil.POLICY_BATCH_SIZE == 0) {
+ bizUtil.bulkModeOnlyFlushAndClear();
+ }
+
+ LOG.debug("Policy {} deleted successfully.", rangerPolicy.getName());
+ LOG.debug("TotalDeletedPolicies: {}", totalDeletedPolicies);
+ }
+ }
+
+
bizUtil.bulkModeOnlyFlushAndClear();
+ }
+ }
+ }
+ }
+ }
+
+ LOG.debug("Total Deleted Policy : {}", totalDeletedPolicies);
+ }
+
+ private void deletePoliciesForResource(List sourceServices, List destinationServices, HttpServletRequest request, List exportPolicies, String zoneName) throws Exception {
+ int totalDeletedPolicies = 0;
+ if (CollectionUtils.isNotEmpty(sourceServices) && CollectionUtils.isNotEmpty(destinationServices)) {
+ Set exportedPolicyNames = new HashSet<>();
+
+ if (CollectionUtils.isNotEmpty(exportPolicies)) {
+ for (RangerPolicy rangerPolicy : exportPolicies) {
+ if (rangerPolicy != null) {
+ exportedPolicyNames.add(rangerPolicy.getName());
+ }
+ }
+ }
+
+ for (int i = 0; i < sourceServices.size(); i++) {
+ if (!destinationServices.get(i).isEmpty()) {
+ SearchFilter filter = searchUtil.getSearchFilter(request, policyService.sortFields);
+
+ filter.setParam("zoneName", zoneName);
+
+ RangerPolicyList servicePolicies = getServicePolicies(destinationServices.get(i), filter);
+ RangerService service = getServiceByName(destinationServices.get(i));
+
+ if (servicePolicies != null) {
+ List rangerPolicyList = servicePolicies.getPolicies();
+
+ if (CollectionUtils.isNotEmpty(rangerPolicyList)) {
+ List policiesToBeDeleted = new ArrayList<>();
+
+ for (RangerPolicy rangerPolicy : rangerPolicyList) {
+ if (rangerPolicy != null) {
+ Map rangerPolicyResourceMap = rangerPolicy.getResources();
+
+ if (rangerPolicyResourceMap != null) {
+ RangerPolicyResource rangerPolicyResource = null;
+
+ if (rangerPolicyResourceMap.containsKey("path")) {
+ rangerPolicyResource = rangerPolicyResourceMap.get("path");
+ } else if (rangerPolicyResourceMap.containsKey("database")) {
+ rangerPolicyResource = rangerPolicyResourceMap.get("database");
+ }
+
+ if (rangerPolicyResource != null) {
+ if (CollectionUtils.isNotEmpty(rangerPolicyResource.getValues()) && rangerPolicyResource.getValues().size() > 1) {
+ continue;
+ }
+ }
+ }
+
+ if (rangerPolicy.getId() != null) {
+ if
(!exportedPolicyNames.contains(rangerPolicy.getName())) {
+ policiesToBeDeleted.add(rangerPolicy);
+ }
+ }
+ }
+ }
+
+ if (CollectionUtils.isNotEmpty(policiesToBeDeleted)) {
+ for (RangerPolicy rangerPolicy : policiesToBeDeleted) {
+ svcStore.deletePolicy(rangerPolicy, service);
+
+ LOG.debug("Policy {} deleted successfully.", rangerPolicy.getName());
+
+ totalDeletedPolicies = totalDeletedPolicies + 1;
+
+ if (totalDeletedPolicies % RangerBizUtil.POLICY_BATCH_SIZE == 0) {
+ bizUtil.bulkModeOnlyFlushAndClear();
+ }
+ }
+
+ bizUtil.bulkModeOnlyFlushAndClear();
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+
+ private RangerPolicyList getServicePolicies(String serviceName, SearchFilter filter) {
+ RangerPerfTracer perf = null;
+
+ try {
+ if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServicePolicies(serviceName=" + serviceName + ")");
+ }
+
+ // get all policies from the store; pick the page to return after applying filter
+ int savedStartIndex = filter == null ? 0 : filter.getStartIndex();
+ int savedMaxRows = filter == null ?
Integer.MAX_VALUE : filter.getMaxRows();
+
+ if (filter != null) {
+ filter.setStartIndex(0);
+ filter.setMaxRows(Integer.MAX_VALUE);
+ }
+
+ List servicePolicies = svcStore.getServicePolicies(serviceName, filter);
+
+ if (filter != null) {
+ filter.setStartIndex(savedStartIndex);
+ filter.setMaxRows(savedMaxRows);
+ }
+
+ servicePolicies = applyAdminAccessFilter(servicePolicies);
+
+ return toRangerPolicyList(servicePolicies, filter);
+ } catch (WebApplicationException excp) {
+ throw excp;
+ } catch (Throwable excp) {
+ LOG.error("getServicePolicies({}) failed", serviceName, excp);
+
+ throw restErrorUtil.createRESTException(excp.getMessage());
+ } finally {
+ RangerPerfTracer.log(perf);
+ }
+ }
+
+ private void createPolicyDownloadAudit(String serviceName, Long lastKnownVersion, String pluginId, int httpRespCode, String clusterName, String zoneName, HttpServletRequest request) {
+ try {
+ String ipAddress = request.getHeader("X-FORWARDED-FOR");
+
+ if (ipAddress == null) {
+ ipAddress = request.getRemoteAddr();
+ }
+
+ XXPolicyExportAudit policyExportAudit = new XXPolicyExportAudit();
+
+ policyExportAudit.setRepositoryName(serviceName);
+ policyExportAudit.setAgentId(pluginId);
+ policyExportAudit.setClientIP(ipAddress);
+ policyExportAudit.setRequestedEpoch(lastKnownVersion);
+ policyExportAudit.setHttpRetCode(httpRespCode);
+ policyExportAudit.setClusterName(clusterName);
+ policyExportAudit.setZoneName(zoneName);
+
+ assetMgr.createPolicyAudit(policyExportAudit);
+ } catch (Exception excp) {
+ LOG.error("error while creating policy download audit", excp);
+ }
+ }
+
+ private RangerPolicy getExactMatchPolicyForResource(String serviceName, RangerAccessResource resource, String zoneName, String user) throws Exception {
+ LOG.debug("==> ServiceREST.getExactMatchPolicyForResource({}, {}, {})", resource, zoneName, user);
+
+ RangerPolicy ret = null;
+ RangerPolicyAdmin policyAdmin = getPolicyAdmin(serviceName);
+ List policies = policyAdmin != null ?
policyAdmin.getExactMatchPolicies(resource, zoneName, null) : null;
+
+ if (CollectionUtils.isNotEmpty(policies)) {
+ // at this point, ret is a policy in policy-engine; the caller might update the policy (for grant/revoke); so get a copy from the store
+ ret = svcStore.getPolicy(policies.get(0).getId());
+ }
+
+ LOG.debug("<== ServiceREST.getExactMatchPolicyForResource({}, {}, {}): {}", resource, zoneName, user, ret);
+
+ return ret;
+ }
+
+ private RangerPolicy getExactMatchPolicyForResource(RangerPolicy policy, String user) throws Exception {
+ LOG.debug("==> ServiceREST.getExactMatchPolicyForResource({}, {})", policy, user);
+
+ RangerPolicy ret = null;
+ RangerPolicyAdmin policyAdmin = getPolicyAdmin(policy.getService());
+ List policies = policyAdmin != null ? policyAdmin.getExactMatchPolicies(policy, null) : null;
+
+ if (CollectionUtils.isNotEmpty(policies)) {
+ // at this point, ret is a policy in policy-engine; the caller might update the policy (for grant/revoke); so get a copy from the store
+ if (policies.size() == 1) {
+ ret = svcStore.getPolicy(policies.get(0).getId());
+ } else {
+ if (StringUtils.isNotEmpty(policy.getZoneName())) {
+ for (RangerPolicy existingPolicy : policies) {
+ if (StringUtils.equals(policy.getZoneName(), existingPolicy.getZoneName())) {
+ ret = svcStore.getPolicy(existingPolicy.getId());
+ break;
+ }
+ }
+ }
+ }
+ }
+
+ LOG.debug("<== ServiceREST.getExactMatchPolicyForResource({}, {}): {}", policy, user, ret);
+
+ return ret;
+ }
+
+ private List applyAdminAccessFilter(List policies) {
+ List ret = new ArrayList<>();
+ RangerPerfTracer perf = null;
+
+ if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.applyAdminAccessFilter(policyCount=" + (policies == null ?
0 : policies.size()) + ")");
+ }
+
+ if (CollectionUtils.isNotEmpty(policies)) {
+ boolean isAdmin = bizUtil.isAdmin();
+ boolean isKeyAdmin = bizUtil.isKeyAdmin();
+ String userName = bizUtil.getCurrentUserLoginId();
+ boolean isAuditAdmin = bizUtil.isAuditAdmin();
+ boolean isAuditKeyAdmin = bizUtil.isAuditKeyAdmin();
+ Set userGroups = null;
+
+ Map> servicePoliciesMap = new HashMap<>();
+ Map evalContext = new HashMap<>();
+
+ RangerAccessRequestUtil.setCurrentUserInContext(evalContext, userName);
+
+ for (RangerPolicy policy : policies) {
+ String serviceName = policy.getService();
+ List policyList = servicePoliciesMap.computeIfAbsent(serviceName, k -> new ArrayList<>());
+
+ policyList.add(policy);
+ }
+
+ for (Entry> entry : servicePoliciesMap.entrySet()) {
+ String serviceName = entry.getKey();
+ List listToFilter = entry.getValue();
+
+ if (CollectionUtils.isNotEmpty(listToFilter)) {
+ boolean isServiceAdminUser = svcStore.isServiceAdminUser(serviceName, userName);
+
+ if (isServiceAdminUser) {
+ ret.addAll(listToFilter);
+ continue;
+ } else if (isAdmin || isKeyAdmin || isAuditAdmin || isAuditKeyAdmin) {
+ XXService xService = daoManager.getXXService().findByName(serviceName);
+ Long serviceDefId = xService.getType();
+ boolean isKmsService = serviceDefId.equals(EmbeddedServiceDefsUtil.instance().getKmsServiceDefId());
+
+ if (isAdmin) {
+ if (!isKmsService) {
+ ret.addAll(listToFilter);
+ }
+ } else if (isAuditAdmin) {
+ if (!isKmsService) {
+ ret.addAll(listToFilter);
+ }
+ } else if (isAuditKeyAdmin) {
+ if (isKmsService) {
+ ret.addAll(listToFilter);
+ }
+ } else if (isKeyAdmin) {
+ if (isKmsService) {
+ ret.addAll(listToFilter);
+ }
+ }
+
+ continue;
+ }
+
+ RangerPolicyAdmin policyAdmin = getPolicyAdminForDelegatedAdmin(serviceName);
+
+ if (policyAdmin != null) {
+ if (userGroups == null) {
+ userGroups = daoManager.getXXGroupUser().findGroupNamesByUserName(userName);
+ }
+
+ Set roles = policyAdmin.getRolesFromUserAndGroups(userName, userGroups);
+
+ for (RangerPolicy policy : listToFilter) {
+ if ((policyAdmin.isDelegatedAdminAccessAllowedForRead(policy, userName, userGroups, roles, evalContext)) || (!StringUtils.isEmpty(policy.getZoneName()) && (serviceMgr.isZoneAdmin(policy.getZoneName()) || serviceMgr.isZoneAuditor(policy.getZoneName())))) {
+ ret.add(policy);
+ }
+ }
+ }
+ }
+ }
+ }
+
+ RangerPerfTracer.log(perf);
+
+ return ret;
+ }
+
+ private RangerPolicyEngineOptions getDelegatedAdminPolicyEngineOptions() {
+ RangerPolicyEngineOptions opts = new RangerPolicyEngineOptions();
+
+ final String propertyPrefix = "ranger.admin";
+
+ opts.configureDelegateAdmin(config, propertyPrefix);
+
+ return opts;
+ }
+
+ private RangerPolicyEngineOptions getPolicySearchRangerAdminPolicyEngineOptions() {
+ RangerPolicyEngineOptions opts = new RangerPolicyEngineOptions();
+
+ final String propertyPrefix = "ranger.admin";
+
+ opts.configureRangerAdminForPolicySearch(config, propertyPrefix);
+
+ return opts;
+ }
+
+ private RangerPolicyEngineOptions getDefaultRangerAdminPolicyEngineOptions() {
+ RangerPolicyEngineOptions opts = new RangerPolicyEngineOptions();
+
+ final String propertyPrefix = "ranger.admin";
+
+ opts.configureDefaultRangerAdmin(config, propertyPrefix);
+
+ return opts;
+ }
+
+ private boolean hasAdminAccess(RangerPolicy policy, String userName, Set userGroups) {
+ boolean isAllowed = false;
+ RangerPolicyAdmin policyAdmin = getPolicyAdminForDelegatedAdmin(policy.getService());
+
+ if (policyAdmin != null) {
+ Map evalContext = new HashMap<>();
+
+ RangerAccessRequestUtil.setCurrentUserInContext(evalContext, userName);
+
+ Set roles = policyAdmin.getRolesFromUserAndGroups(userName, userGroups);
+
+ isAllowed = policyAdmin.isDelegatedAdminAccessAllowedForModify(policy, userName, userGroups, roles, evalContext);
+ }
+
+ return isAllowed;
+ }
+
+ private boolean hasAdminAccess(String serviceName, String zoneName, String userName, Set userGroups, RangerAccessResource resource, Set accessTypes) {
+ boolean
isAllowed = false;
+
+ RangerPolicyAdmin policyAdmin = getPolicyAdminForDelegatedAdmin(serviceName);
+
+ if (policyAdmin != null) {
+ isAllowed = CollectionUtils.isNotEmpty(accessTypes) && policyAdmin.isDelegatedAdminAccessAllowed(resource, zoneName, userName, userGroups, accessTypes);
+ }
+
+ return isAllowed;
+ }
+
+ private RangerPolicyAdmin getPolicyAdminForSearch(String serviceName) {
+ return RangerPolicyAdminCacheForEngineOptions.getInstance().getServicePoliciesAdmin(serviceName, svcStore, zoneStore, roleDBStore, policySearchAdminOptions);
+ }
+
+ private RangerPolicyAdmin getPolicyAdmin(String serviceName) {
+ return RangerPolicyAdminCacheForEngineOptions.getInstance().getServicePoliciesAdmin(serviceName, svcStore, zoneStore, roleDBStore, defaultAdminOptions);
+ }
+
+ private HashMap getCSRFPropertiesMap(HttpServletRequest request) {
+ HashMap map = new HashMap<>();
+
+ map.put(isCSRF_ENABLED, PropertiesUtil.getBooleanProperty(isCSRF_ENABLED, true));
+ map.put(CUSTOM_HEADER_PARAM, PropertiesUtil.getProperty(CUSTOM_HEADER_PARAM, RangerCSRFPreventionFilter.HEADER_DEFAULT));
+ map.put(BROWSER_USER_AGENT_PARAM, PropertiesUtil.getProperty(BROWSER_USER_AGENT_PARAM, RangerCSRFPreventionFilter.BROWSER_USER_AGENTS_DEFAULT));
+ map.put(CUSTOM_METHODS_TO_IGNORE_PARAM, PropertiesUtil.getProperty(CUSTOM_METHODS_TO_IGNORE_PARAM, RangerCSRFPreventionFilter.METHODS_TO_IGNORE_DEFAULT));
+ map.put(RangerCSRFPreventionFilter.CSRF_TOKEN, getCSRFToken(request));
+
+ return map;
+ }
+
+ private static String getCSRFToken(HttpServletRequest request) {
+ String salt = (String) request.getSession().getAttribute(RangerCSRFPreventionFilter.CSRF_TOKEN);
+
+ if (StringUtils.isEmpty(salt)) {
+ final int tokenLength = PropertiesUtil.getIntProperty(CSRF_TOKEN_LENGTH, 20);
+
+ salt = RandomStringUtils.random(tokenLength, 0, 0, true, true, null, new SecureRandom());
+
+ request.getSession().setAttribute(RangerCSRFPreventionFilter.CSRF_TOKEN, salt);
+ }
+
+ return salt;
+ }
+
+ private
RangerPolicyList toRangerPolicyList(List policyList, SearchFilter filter) {
+ RangerPolicyList ret = new RangerPolicyList();
+
+ if (CollectionUtils.isNotEmpty(policyList)) {
+ int totalCount = policyList.size();
+ int startIndex = filter.getStartIndex();
+ int pageSize = filter.getMaxRows();
+ int toIndex = Math.min(startIndex + pageSize, totalCount);
+ String sortType = filter.getSortType();
+ String sortBy = filter.getSortBy();
+
+ if (StringUtils.isNotEmpty(sortBy) && StringUtils.isNotEmpty(sortType)) {
+ // By default policyList is sorted by policyId in asc order, So handling only desc case.
+ if (SearchFilter.POLICY_ID.equalsIgnoreCase(sortBy)) {
+ if (SORT_ORDER.DESC.name().equalsIgnoreCase(sortType)) {
+ policyList.sort(this.getPolicyComparator(sortBy, sortType));
+ }
+ } else if (SearchFilter.POLICY_NAME.equalsIgnoreCase(sortBy)) {
+ if (SORT_ORDER.ASC.name().equalsIgnoreCase(sortType)) {
+ policyList.sort(this.getPolicyComparator(sortBy, sortType));
+ } else if (SORT_ORDER.DESC.name().equalsIgnoreCase(sortType)) {
+ policyList.sort(this.getPolicyComparator(sortBy, sortType));
+ } else {
+ LOG.info("Invalid or Unsupported sortType : {}", sortType);
+ }
+ } else {
+ LOG.info("Invalid or Unsupported sortBy property : {}", sortBy);
+ }
+ }
+
+ List retList = new ArrayList<>();
+
+ for (int i = startIndex; i < toIndex; i++) {
+ retList.add(policyList.get(i));
+ }
+
+ ret.setPolicies(retList);
+ ret.setPageSize(pageSize);
+ ret.setResultSize(retList.size());
+ ret.setStartIndex(startIndex);
+ ret.setTotalCount(totalCount);
+ ret.setSortBy(sortBy);
+ ret.setSortType(sortType);
+ }
+
+ return ret;
+ }
+
+ private Comparator getPolicyComparator(String sortBy, String sortType) {
+ return (RangerPolicy me, RangerPolicy other) -> {
+ int ret = 0;
+
+ if (SearchFilter.POLICY_ID.equalsIgnoreCase(sortBy)) {
+ ret = Long.compare(other.getId(), me.getId());
+ } else if (SearchFilter.POLICY_NAME.equalsIgnoreCase(sortBy)) {
+ if
(SORT_ORDER.ASC.name().equalsIgnoreCase(sortType)) {
+ ret = me.getName().compareTo(other.getName());
+ } else if (SORT_ORDER.DESC.name().equalsIgnoreCase(sortType)) {
+ ret = other.getName().compareTo(me.getName());
+ }
+ }
+
+ return ret;
+ };
+ }
+
+ private void validateGrantRevokeRequest(GrantRevokeRequest request, final boolean hasAdminPrivilege, final String loggedInUser) {
+ if (request != null) {
+ validateUsersGroupsAndRoles(request.getUsers(), request.getGroups(), request.getRoles());
+ validateGrantor(request.getGrantor());
+ validateGrantees(request.getUsers());
+ validateGroups(request.getGroups());
+ validateRoles(request.getRoles());
+
+ if (!hasAdminPrivilege) {
+ if (!StringUtils.equals(request.getGrantor(), loggedInUser) || StringUtils.isNotBlank(request.getOwnerUser())) {
+ throw restErrorUtil.createGrantRevokeRESTException("Invalid grant/revoke request - contains grantor or userOwner specification");
+ }
+
+ request.setGrantorGroups(userMgr.getGroupsForUser(request.getGrantor()));
+ }
+ }
+ }
+
+ private void validateUsersGroupsAndRoles(Set users, Set groups, Set roles) {
+ if (CollectionUtils.isEmpty(users) && CollectionUtils.isEmpty(groups) && CollectionUtils.isEmpty(roles)) {
+ throw restErrorUtil.createGrantRevokeRESTException("Grantee users/groups/roles list is empty");
+ }
+ }
+
+ private void validateGrantor(String grantor) {
+ if (grantor != null) {
+ try {
+ VXUser vxUser = xUserService.getXUserByUserName(grantor);
+
+ if (vxUser == null) {
+ throw restErrorUtil.createGrantRevokeRESTException("Grantor user " + grantor + " doesn't exist");
+ }
+ } catch (Exception e) {
+ throw restErrorUtil.createGrantRevokeRESTException("Grantor user " + grantor + " doesn't exist");
+ }
+ }
+ }
+
+ private void validateGrantees(Set grantees) {
+ for (String userName : grantees) {
+ try {
+ VXUser vxUser = xUserService.getXUserByUserName(userName);
+
+ if (vxUser == null) {
+ throw restErrorUtil.createGrantRevokeRESTException("Grantee user " + userName
+ " doesn't exist");
+ }
+ } catch (Exception e) {
+ throw restErrorUtil.createGrantRevokeRESTException("Grantee user " + userName + " doesn't exist");
+ }
+ }
+ }
+
+ private void validateGroups(Set groups) {
+ for (String groupName : groups) {
+ try {
+ VXGroup vxGroup = userMgr.getGroupByGroupName(groupName);
+
+ if (vxGroup == null) {
+ throw restErrorUtil.createGrantRevokeRESTException("Grantee group " + groupName + " doesn't exist");
+ }
+ } catch (Exception e) {
+ throw restErrorUtil.createGrantRevokeRESTException("Grantee group " + groupName + " doesn't exist");
+ }
+ }
+ }
+
+ private void validateRoles(Set roles) {
+ XXRoleDao roleDao = daoManager.getXXRole();
+
+ for (String role : roles) {
+ try {
+ XXRole xxRole = roleDao.findByRoleName(role);
+
+ if (xxRole == null) {
+ throw restErrorUtil.createGrantRevokeRESTException("Grantee role " + role + " doesn't exist");
+ }
+ } catch (Exception e) {
+ throw restErrorUtil.createGrantRevokeRESTException("Grantee role " + role + " doesn't exist");
+ }
+ }
+ }
+
+ private Map getOptions(HttpServletRequest request) {
+ Map ret = null;
+
+ if (request != null) {
+ String isForceRenameOption = request.getParameter(ServiceStore.OPTION_FORCE_RENAME);
+
+ if (StringUtils.isNotBlank(isForceRenameOption)) {
+ ret = new HashMap<>();
+
+ ret.put(ServiceStore.OPTION_FORCE_RENAME, Boolean.valueOf(isForceRenameOption));
+ }
+ }
+
+ return ret;
+ }
+
+ private RangerService hideCriticalServiceDetailsForRoleUser(RangerService rangerService) {
+ rangerService.setConfigs(null);
+ rangerService.setDescription(null);
+ rangerService.setCreatedBy(null);
+ rangerService.setUpdatedBy(null);
+ rangerService.setCreateTime(null);
+ rangerService.setUpdateTime(null);
+ rangerService.setPolicyVersion(null);
+ rangerService.setPolicyUpdateTime(null);
+ rangerService.setTagVersion(null);
+ rangerService.setTagUpdateTime(null);
+ rangerService.setVersion(null);
+
+ return rangerService;
+ }
+
+ private void
createOrGetLinkedServices(RangerService resourceService) {
+ LOG.debug("==> createOrGetLinkedServices(resourceService={})", resourceService.getName());
+
+ Runnable createAndLinkTagServiceTask = () -> {
+ final LinkedServiceCreator creator = new LinkedServiceCreator(resourceService.getName(), EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME);
+
+ creator.doCreateAndLinkService();
+ };
+
+ rangerTransactionSynchronizationAdapter.executeOnTransactionCommit(createAndLinkTagServiceTask);
+
+ LOG.debug("<== createOrGetLinkedServices(resourceService={})", resourceService.getName());
+ }
+
+ private void deleteExactMatchPolicyForResource(List policies, String user, String zoneName) throws Exception {
+ if (CollectionUtils.isNotEmpty(policies)) {
+ long totalDeletedPolicies = 0;
+
+ for (RangerPolicy rangerPolicy : policies) {
+ RangerPolicy existingPolicy;
+
+ try {
+ if (zoneName != null) {
+ rangerPolicy.setZoneName(zoneName);
+ }
+
+ existingPolicy = getExactMatchPolicyForResource(rangerPolicy, StringUtils.isNotBlank(user) ?
user : "admin");
+ } catch (Exception e) {
+ existingPolicy = null;
+ }
+
+ if (existingPolicy != null) {
+ svcStore.deletePolicy(existingPolicy, null);
+
+ totalDeletedPolicies = totalDeletedPolicies + 1;
+
+ if (totalDeletedPolicies % RangerBizUtil.POLICY_BATCH_SIZE == 0) {
+ bizUtil.bulkModeOnlyFlushAndClear();
+ }
+
+ LOG.debug("Policy {} deleted successfully.", rangerPolicy.getName());
+ }
+ }
+
+ bizUtil.bulkModeOnlyFlushAndClear();
+ }
+ }
+
+ private String getRangerAdminZoneName(String serviceName, GrantRevokeRequest grantRevokeRequest) {
+ String ret = grantRevokeRequest.getZoneName();
+
+ if (StringUtils.isEmpty(ret)) {
+ RangerPolicyAdmin policyAdmin = getPolicyAdmin(serviceName);
+
+ if (policyAdmin != null) {
+ ret = policyAdmin.getUniquelyMatchedZoneName(grantRevokeRequest);
+ }
+ }
+
+ return ret;
+ }
+
+ private RangerPolicy createPolicyUnconditionally(RangerPolicy policy) throws Exception {
+ LOG.debug("==> ServiceREST.createPolicyUnconditionally({})", policy);
+
+ RangerPolicy ret;
+
+ if (StringUtils.isBlank(policy.getName())) {
+ String guid = policy.getGuid();
+
+ if (StringUtils.isBlank(guid)) {
+ guid = guidUtil.genGUID();
+
+ policy.setGuid(guid);
+
+ LOG.debug("No GUID supplied on the policy! Ok, setting GUID to [{}].", guid);
+ }
+
+ String name = policy.getService() + "-" + guid;
+
+ policy.setName(name);
+
+ LOG.debug("Policy did not have its name set!
Ok, setting name to [{}]", name);
+ } else if (isPolicyNameLengthValidationEnabled) {
+ if (policy.getName().length() > maxPolicyNameLength) {
+ throw restErrorUtil.createRESTException("Policy name should not be longer than " + maxPolicyNameLength + " characters", MessageEnums.INPUT_DATA_OUT_OF_BOUND, null, "policy name", policy.getName());
+ }
+ }
+
+ RangerPolicyValidator validator = validatorFactory.getPolicyValidator(svcStore);
+
+ validator.validate(policy, Action.CREATE, bizUtil.isAdmin() || isServiceAdmin(policy.getService()) || isZoneAdmin(policy.getZoneName()));
+
+ ensureAdminAccess(policy);
+
+ bizUtil.blockAuditorRoleUser();
+
+ ret = svcStore.createPolicy(policy);
+
+ LOG.debug("<== ServiceREST.createPolicyUnconditionally({})", ret);
+
+ return ret;
+ }
+
+ private RangerPolicy getPolicyMatchByName(RangerPolicy policy, HttpServletRequest request) {
+ LOG.debug("==> ServiceREST.getPolicyMatchByName({})", policy);
+
+ RangerPolicy existingPolicy = null;
+ String serviceName = request.getParameter(PARAM_SERVICE_NAME);
+
+ if (serviceName == null) {
+ serviceName = (String) request.getAttribute(PARAM_SERVICE_NAME);
+ }
+
+ if (StringUtils.isNotEmpty(serviceName)) {
+ policy.setService(serviceName);
+ }
+
+ String policyName = request.getParameter(PARAM_POLICY_NAME);
+
+ if (policyName == null) {
+ policyName = (String) request.getAttribute(PARAM_POLICY_NAME);
+ }
+
+ if (StringUtils.isNotEmpty(policyName)) {
+ policy.setName(StringUtils.trim(policyName));
+ }
+
+ if (StringUtils.isNotEmpty(serviceName) && StringUtils.isNotEmpty(policyName)) {
+ String zoneName = request.getParameter(PARAM_ZONE_NAME);
+
+ if (StringUtils.isBlank(zoneName)) {
+ zoneName = (String) request.getAttribute(PARAM_ZONE_NAME);
+ }
+
+ if (StringUtils.isNotBlank(zoneName)) {
+ policy.setZoneName(StringUtils.trim(zoneName));
+ }
+
+ existingPolicy = getPolicyByName(policy.getService(), policy.getName(), policy.getZoneName());
+ }
+
+ LOG.debug("<==
ServiceREST.getPolicyMatchByName({})", existingPolicy);
+
+ return existingPolicy;
+ }
+
+ private String deleteServiceById(Long id) {
+ LOG.debug("==> ServiceREST.deleteServiceById({})", id);
+
+ RangerContextHolder.getOrCreateOpContext().setBulkModeContext(true);
+
+ RangerPerfTracer perf = null;
+ String deletedServiceName;
+
+ try {
+ if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.deleteService(serviceId=" + id + ")");
+ }
+
+ RangerServiceValidator validator = validatorFactory.getServiceValidator(svcStore);
+
+ validator.validate(id, Action.DELETE);
+
+ UserSessionBase session = ContextUtil.getCurrentUserSession();
+
+ if (session != null) {
+ XXService service = daoManager.getXXService().getById(id);
+
+ if (service != null) {
+ //if logged-in user is not the service creator then check admin priv.
+ if (!session.getUserId().equals(service.getAddedByUserId())) {
+ bizUtil.hasAdminPermissions("Services");
+ }
+
+ EmbeddedServiceDefsUtil embeddedServiceDefsUtil = EmbeddedServiceDefsUtil.instance();
+
+ if (service.getType().equals(embeddedServiceDefsUtil.getTagServiceDefId())) {
+ List referringServices = daoManager.getXXService().findByTagServiceId(id);
+
+ if (!CollectionUtils.isEmpty(referringServices)) {
+ Set referringServiceNames = new HashSet<>();
+
+ for (XXService xXService : referringServices) {
+ referringServiceNames.add(xXService.getName());
+
+ if (referringServiceNames.size() >= 10) {
+ break;
+ }
+ }
+
+ if (referringServices.size() <= 10) {
+ throw restErrorUtil.createRESTException("Tag service '" + service.getName() + "' is being referenced by " + referringServices.size() + " services: " + referringServiceNames, MessageEnums.OPER_NOT_ALLOWED_FOR_STATE);
+ } else {
+ throw restErrorUtil.createRESTException("Tag service '" + service.getName() + "' is being referenced by " + referringServices.size() + " services: " + referringServiceNames + " and more..",
MessageEnums.OPER_NOT_ALLOWED_FOR_STATE);
+ }
+ }
+ }
+
+ XXServiceDef xxServiceDef = daoManager.getXXServiceDef().getById(service.getType());
+
+ if (!session.getUserId().equals(service.getAddedByUserId())) {
+ bizUtil.hasKMSPermissions("Service", xxServiceDef.getImplclassname());
+ bizUtil.blockAuditorRoleUser();
+ }
+
+ tagStore.deleteAllTagObjectsForService(service.getName());
+
+ deletedServiceName = service.getName();
+
+ svcStore.deleteService(id);
+ } else {
+ LOG.error("Cannot retrieve service:[{}] for deletion", id);
+
+ throw restErrorUtil.createRESTException("Data Not Found for given Id", MessageEnums.DATA_NOT_FOUND, id, null, "readResource : No Object found with given id.");
+ }
+ } else {
+ LOG.error("Cannot retrieve user session.");
+
+ throw new Exception("deleteService(" + id + ") failed");
+ }
+ } catch (WebApplicationException excp) {
+ throw excp;
+ } catch (Throwable excp) {
+ LOG.error("deleteService({}) failed", id, excp);
+
+ throw restErrorUtil.createRESTException(excp.getMessage());
+ } finally {
+ RangerPerfTracer.log(perf);
+ }
+
+ LOG.debug("<== ServiceREST.deleteServiceById() - deletedServiceName={}", deletedServiceName);
+
+ return deletedServiceName;
+ }
+
+ private boolean isZoneAdmin(String zoneName) {
+ boolean ret = bizUtil.isAdmin();
+
+ if (!ret && StringUtils.isNotEmpty(zoneName)) {
+ ret = serviceMgr.isZoneAdmin(zoneName);
+ }
+
+ return ret;
+ }
+
+ private final class LinkedServiceCreator {
+ static final char SEP = '_';
+
+ final String resourceServiceName;
+ final String linkedServiceType;
+ final String linkedServiceName;
+ final boolean isAutoCreate;
+ final boolean isAutoLink;
+
+ LinkedServiceCreator(@Nonnull String resourceServiceName, @Nonnull String linkedServiceType) {
+ this.resourceServiceName = resourceServiceName;
+ this.linkedServiceType = linkedServiceType;
+ this.linkedServiceName = computeLinkedServiceName();
+ this.isAutoCreate = config.getBoolean("ranger."
+ linkedServiceType + "service.auto.create", true);
+ this.isAutoLink = config.getBoolean("ranger." + linkedServiceType + "service.auto.link", true);
+ }
+
+ @Override
+ public String toString() {
+ return "{resourceServiceName=" + resourceServiceName + ", linkedServiceType=" + linkedServiceType + ", isAutoCreate=" + isAutoCreate + ", isAutoLink=" + isAutoLink + "}";
+ }
+
+ void doCreateAndLinkService() {
+ LOG.debug("==> doCreateAndLinkService()");
+
+ RangerService resourceService = null;
+
+ try {
+ resourceService = svcStore.getServiceByName(resourceServiceName);
+
+ LOG.info("Successfully retrieved resource-service:[{}]", resourceService.getName());
+ } catch (Exception e) {
+ LOG.error("Resource-service:[{}] cannot be retrieved", resourceServiceName);
+ }
+
+ if (resourceService != null) {
+ try {
+ RangerService linkedService = svcStore.getServiceByName(linkedServiceName);
+
+ if (linkedService == null && isAutoCreate) {
+ linkedService = new RangerService();
+
+ linkedService.setName(linkedServiceName);
+ linkedService.setDisplayName(linkedServiceName); //set DEFAULT display name
+ linkedService.setType(linkedServiceType);
+
+ LOG.info("creating service [{}]", linkedServiceName);
+
+ svcStore.createService(linkedService);
+ }
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+
+ if (isAutoLink) {
+ doLinkService();
+ }
+ } else {
+ LOG.info("Resource service :[{}] not found! Returning without linking {} service!!", resourceServiceName, linkedServiceType);
+ }
+
+ LOG.debug("<== doCreateAndLinkService()");
+ }
+
+ private String computeLinkedServiceName() {
+ String ret = config.get("ranger." + linkedServiceType + "service.auto.name");
+
+ if (StringUtils.isBlank(ret)) {
+ final int lastIndexOfSep = StringUtils.lastIndexOf(resourceServiceName, SEP);
+
+ ret = (lastIndexOfSep != -1) ?
resourceServiceName.substring(0, lastIndexOfSep) + SEP + linkedServiceType : linkedServiceType;
+ }
+
+ return ret;
+ }
+
+ private void doLinkService() {
+ LOG.debug("==> doLinkTagService()");
+
+ try {
+ RangerService resourceService = svcStore.getServiceByName(resourceServiceName);
+
+ LOG.info("Successfully retrieved resource-service:[{}]", resourceService.getName());
+
+ RangerService linkedService = svcStore.getServiceByName(linkedServiceName);
+
+ if (linkedService == null) {
+ LOG.error("Failed to link service[{}] with service [{}]: {} not found", resourceServiceName, linkedServiceName, linkedServiceName);
+ } else if (EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME.equals(linkedServiceType)) {
+ LOG.info("Successfully retrieved service:[{}]", linkedService.getName());
+
+ if (!StringUtils.equals(linkedService.getName(), resourceService.getTagService())) {
+ resourceService.setTagService(linkedService.getName());
+
+ LOG.info("Linking resource-service[{}] with tag-service [{}]", resourceService.getName(), linkedService.getName());
+
+ RangerService service = svcStore.updateService(resourceService, null);
+
+ LOG.info("Updated resource-service:[{}]", service.getName());
+ }
+ }
+ } catch (Exception e) {
+ LOG.error("Failed to link service[{}] with service [{}]", resourceServiceName, linkedServiceName);
+ }
+ LOG.debug("<== doLinkTagService()");
+ }
+ }
+}
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java
index d7fb1e1c8c..81ed00ec0b 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java
@@ -22,6 +22,8 @@
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
 import org.apache.ranger.plugin.util.GrantRevokeRequest;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -35,1128 +37,1078 @@
 import java.util.TreeSet;
 public class ServiceRESTUtil {
- private static final Logger LOG = LoggerFactory.getLogger(ServiceRESTUtil.class);
+ private static final Logger LOG = LoggerFactory.getLogger(ServiceRESTUtil.class);
- private enum POLICYITEM_TYPE {
- ALLOW, DENY, ALLOW_EXCEPTIONS, DENY_EXCEPTIONS
- }
+ private ServiceRESTUtil() {
+ //To block instantiation
+ }
- static public boolean processGrantRequest(RangerPolicy policy, GrantRevokeRequest grantRequest) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceRESTUtil.processGrantRequest()");
- }
+ public static boolean processGrantRequest(RangerPolicy policy, GrantRevokeRequest grantRequest) {
+ LOG.debug("==> ServiceRESTUtil.processGrantRequest()");
- boolean policyUpdated = false;
+ // replace all existing privileges for users, groups, and roles
+ if (grantRequest.getReplaceExistingPermissions()) {
+ removeUsersGroupsAndRolesFromPolicy(policy, grantRequest.getUsers(), grantRequest.getGroups(), grantRequest.getRoles());
+ }
- // replace all existing privileges for users, groups, and roles
- if (grantRequest.getReplaceExistingPermissions()) {
- policyUpdated = removeUsersGroupsAndRolesFromPolicy(policy, grantRequest.getUsers(), grantRequest.getGroups(), grantRequest.getRoles());
- }
+ //Build a policy and set up policyItem in it to mimic grant request
+ RangerPolicy appliedPolicy = new RangerPolicy();
+ RangerPolicyItem policyItem = new RangerPolicyItem();
- //Build a policy and set up policyItem in it to mimic grant request
- RangerPolicy appliedPolicy = new RangerPolicy();
-
- RangerPolicy.RangerPolicyItem policyItem = new RangerPolicy.RangerPolicyItem();
-
- policyItem.setDelegateAdmin(grantRequest.getDelegateAdmin());
- policyItem.addUsers(grantRequest.getUsers());
- policyItem.addGroups(grantRequest.getGroups());
- policyItem.addRoles(grantRequest.getRoles());
-
- List accesses = new ArrayList();
-
- Set accessTypes = grantRequest.getAccessTypes();
- for (String accessType :
accessTypes) {
- accesses.add(new RangerPolicy.RangerPolicyItemAccess(accessType, true));
- }
-
- policyItem.setAccesses(accesses);
-
- appliedPolicy.addPolicyItem(policyItem);
-
- processApplyPolicy(policy, appliedPolicy);
-
- policyUpdated = true;
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceRESTUtil.processGrantRequest() : " + policyUpdated);
- }
-
- return policyUpdated;
- }
-
- static public boolean processRevokeRequest(RangerPolicy existingRangerPolicy, GrantRevokeRequest revokeRequest) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceRESTUtil.processRevokeRequest()");
- }
-
- boolean policyUpdated = false;
-
- // remove all existing privileges for users and groups
- if (revokeRequest.getReplaceExistingPermissions()) {
- policyUpdated = removeUsersGroupsAndRolesFromPolicy(existingRangerPolicy, revokeRequest.getUsers(), revokeRequest.getGroups(), revokeRequest.getRoles());
- } else {
- //Build a policy and set up policyItem in it to mimic revoke request
- RangerPolicy appliedRangerPolicy = new RangerPolicy();
-
- RangerPolicy.RangerPolicyItem appliedRangerPolicyItem = new RangerPolicy.RangerPolicyItem();
-
- appliedRangerPolicyItem.setDelegateAdmin(revokeRequest.getDelegateAdmin());
- appliedRangerPolicyItem.addUsers(revokeRequest.getUsers());
- appliedRangerPolicyItem.addGroups(revokeRequest.getGroups());
- appliedRangerPolicyItem.addRoles(revokeRequest.getRoles());
-
- List appliedRangerPolicyItemAccess = new ArrayList();
-
- Set appliedPolicyItemAccessType = revokeRequest.getAccessTypes();
- for (String accessType : appliedPolicyItemAccessType) {
- appliedRangerPolicyItemAccess.add(new RangerPolicy.RangerPolicyItemAccess(accessType, false));
- }
-
- appliedRangerPolicyItem.setAccesses(appliedRangerPolicyItemAccess);
-
- appliedRangerPolicy.addPolicyItem(appliedRangerPolicyItem);
-
- List appliedRangerPolicyItems = appliedRangerPolicy.getPolicyItems();
- //processApplyPolicyForItemType(existingRangerPolicy, appliedRangerPolicy,
POLICYITEM_TYPE.ALLOW);
- if (CollectionUtils.isNotEmpty(appliedRangerPolicyItems)) {
- Set users = new HashSet();
- Set groups = new HashSet();
- Set roles = new HashSet<>();
-
- Map userPolicyItems = new HashMap();
- Map groupPolicyItems = new HashMap();
- Map rolePolicyItems = new HashMap();
-
- // Extract users, groups, and roles specified in appliedPolicy items
- extractUsersGroupsAndRoles(appliedRangerPolicyItems, users, groups, roles);
-
- // Split existing policyItems for users, groups, and roles extracted from appliedPolicyItem into userPolicyItems, groupPolicyItems and rolePolicyItems
- splitExistingPolicyItems(existingRangerPolicy, users, userPolicyItems, groups, groupPolicyItems, roles, rolePolicyItems);
-
- for (RangerPolicy.RangerPolicyItem tempPolicyItem : appliedRangerPolicyItems) {
- List appliedPolicyItemsUser = tempPolicyItem.getUsers();
- for (String user : appliedPolicyItemsUser) {
- RangerPolicy.RangerPolicyItem[] rangerPolicyItems = userPolicyItems.get(user);
- if(rangerPolicyItems!=null && rangerPolicyItems.length>0){
- if(rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()]!=null){
- removeAccesses(rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()], tempPolicyItem.getAccesses());
- if(!CollectionUtils.isEmpty(rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()].getAccesses())){
- rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()].setDelegateAdmin(revokeRequest.getDelegateAdmin());
- }else{
- rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()].setDelegateAdmin(Boolean.FALSE);
- }
- }
- if(rangerPolicyItems[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()]!=null){
- removeAccesses(rangerPolicyItems[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()], tempPolicyItem.getAccesses());
- rangerPolicyItems[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()].setDelegateAdmin(Boolean.FALSE);
- }
- }
- }
- }
- for (RangerPolicy.RangerPolicyItem tempPolicyItem : appliedRangerPolicyItems) {
- List appliedPolicyItemsGroup = tempPolicyItem.getGroups();
- for (String group :
appliedPolicyItemsGroup) {
- RangerPolicy.RangerPolicyItem[] rangerPolicyItems = groupPolicyItems.get(group);
- if(rangerPolicyItems!=null && rangerPolicyItems.length>0){
- if(rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()]!=null){
- removeAccesses(rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()], tempPolicyItem.getAccesses());
- if(!CollectionUtils.isEmpty(rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()].getAccesses())){
- rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()].setDelegateAdmin(revokeRequest.getDelegateAdmin());
- }else{
- rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()].setDelegateAdmin(Boolean.FALSE);
- }
- }
- if(rangerPolicyItems[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()]!=null){
- removeAccesses(rangerPolicyItems[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()], tempPolicyItem.getAccesses());
- rangerPolicyItems[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()].setDelegateAdmin(Boolean.FALSE);
- }
- }
- }
- }
-
- for (RangerPolicy.RangerPolicyItem tempPolicyItem : appliedRangerPolicyItems) {
- List appliedPolicyItemsRole = tempPolicyItem.getRoles();
- for (String role : appliedPolicyItemsRole) {
- RangerPolicy.RangerPolicyItem[] rangerPolicyItems = rolePolicyItems.get(role);
- if(rangerPolicyItems!=null && rangerPolicyItems.length>0){
- if(rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()]!=null){
- removeAccesses(rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()], tempPolicyItem.getAccesses());
- if(!CollectionUtils.isEmpty(rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()].getAccesses())){
- rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()].setDelegateAdmin(revokeRequest.getDelegateAdmin());
- }else{
- rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()].setDelegateAdmin(Boolean.FALSE);
- }
- }
- if(rangerPolicyItems[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()]!=null){
- removeAccesses(rangerPolicyItems[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()], tempPolicyItem.getAccesses());
-
rangerPolicyItems[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()].setDelegateAdmin(Boolean.FALSE);
- }
- }
- }
- }
- // Add modified/new policyItems back to existing policy
- mergeProcessedPolicyItems(existingRangerPolicy, userPolicyItems, groupPolicyItems, rolePolicyItems);
- compactPolicy(existingRangerPolicy);
- }
-
- policyUpdated = true;
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceRESTUtil.processRevokeRequest() : " + policyUpdated);
- }
-
- return policyUpdated;
- }
-
- static public void processApplyPolicy(RangerPolicy existingPolicy, RangerPolicy appliedPolicy) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceRESTUtil.processApplyPolicy()");
- }
-
- // Check if applied policy or existing policy contains any conditions
- if (ServiceRESTUtil.containsRangerCondition(existingPolicy) || ServiceRESTUtil.containsRangerCondition(appliedPolicy)) {
- LOG.info("Applied policy [" + appliedPolicy + "] or existing policy [" + existingPolicy + "] contains condition(s). Combining two policies.");
- combinePolicy(existingPolicy, appliedPolicy);
- } else {
- processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.ALLOW);
- processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.DENY);
- processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.ALLOW_EXCEPTIONS);
- processApplyPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.DENY_EXCEPTIONS);
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceRESTUtil.processApplyPolicy()");
- }
- }
-
- static private void combinePolicy(RangerPolicy existingPolicy, RangerPolicy appliedPolicy) {
- combinePolicyItems(existingPolicy, appliedPolicy, POLICYITEM_TYPE.ALLOW);
- combinePolicyItems(existingPolicy, appliedPolicy, POLICYITEM_TYPE.DENY);
- combinePolicyItems(existingPolicy, appliedPolicy, POLICYITEM_TYPE.ALLOW_EXCEPTIONS);
- combinePolicyItems(existingPolicy, appliedPolicy, POLICYITEM_TYPE.DENY_EXCEPTIONS);
- }
-
- static private void 
combinePolicyItems(RangerPolicy existingPolicy, RangerPolicy appliedPolicy, POLICYITEM_TYPE polityItemType) {
- List existingPolicyItems;
- List appliedPolicyItems;
-
- switch (polityItemType) {
- case ALLOW:
- existingPolicyItems = existingPolicy.getPolicyItems();
- appliedPolicyItems = appliedPolicy.getPolicyItems();
- break;
- case DENY:
- existingPolicyItems = existingPolicy.getDenyPolicyItems();
- appliedPolicyItems = appliedPolicy.getDenyPolicyItems();
- break;
- case ALLOW_EXCEPTIONS:
- existingPolicyItems = existingPolicy.getAllowExceptions();
- appliedPolicyItems = appliedPolicy.getAllowExceptions();
- break;
- case DENY_EXCEPTIONS:
- existingPolicyItems = existingPolicy.getDenyExceptions();
- appliedPolicyItems = appliedPolicy.getDenyExceptions();
- break;
- default:
- existingPolicyItems = null;
- appliedPolicyItems = null;
- break;
- }
-
- if (CollectionUtils.isNotEmpty(appliedPolicyItems)) {
- if (CollectionUtils.isNotEmpty(existingPolicyItems)) {
- List itemsToAdd = new ArrayList<>();
- for (RangerPolicy.RangerPolicyItem appliedPolicyItem : appliedPolicyItems) {
- if (!existingPolicyItems.contains(appliedPolicyItem)) {
- itemsToAdd.add(appliedPolicyItem);
- }
- }
- existingPolicyItems.addAll(itemsToAdd);
- } else {
- switch (polityItemType) {
- case ALLOW:
- existingPolicy.setPolicyItems(appliedPolicyItems);
- break;
- case DENY:
- existingPolicy.setDenyPolicyItems(appliedPolicyItems);
- break;
- case ALLOW_EXCEPTIONS:
- existingPolicy.setAllowExceptions(appliedPolicyItems);
- break;
- case DENY_EXCEPTIONS:
- existingPolicy.setDenyExceptions(appliedPolicyItems);
- break;
- }
- }
- }
- }
-
- static private void processApplyPolicyForItemType(RangerPolicy existingPolicy, RangerPolicy appliedPolicy, POLICYITEM_TYPE policyItemType) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceRESTUtil.processApplyPolicyForItemType()");
- }
-
- List appliedPolicyItems = null;
-
- switch (policyItemType) {
- case ALLOW:
- appliedPolicyItems = 
appliedPolicy.getPolicyItems();
- break;
- case DENY:
- appliedPolicyItems = appliedPolicy.getDenyPolicyItems();
- break;
- case ALLOW_EXCEPTIONS:
- appliedPolicyItems = appliedPolicy.getAllowExceptions();
- break;
- case DENY_EXCEPTIONS:
- appliedPolicyItems = appliedPolicy.getDenyExceptions();
- break;
- default:
- LOG.warn("processApplyPolicyForItemType(): invalid policyItemType=" + policyItemType);
- }
-
- if (CollectionUtils.isNotEmpty(appliedPolicyItems)) {
-
- Set users = new HashSet();
- Set groups = new HashSet();
- Set roles = new HashSet();
-
- Map userPolicyItems = new HashMap();
- Map groupPolicyItems = new HashMap();
- Map rolePolicyItems = new HashMap();
-
- // Extract users, groups, and roles specified in appliedPolicy items
- extractUsersGroupsAndRoles(appliedPolicyItems, users, groups, roles);
-
- // Split existing policyItems for users, groups, and roles extracted from appliedPolicyItem into userPolicyItems, groupPolicyItems, and rolePolicyItems
- splitExistingPolicyItems(existingPolicy, users, userPolicyItems, groups, groupPolicyItems, roles, rolePolicyItems);
-
- // Apply policyItems of given type in appliedPolicy to policyItems extracted from existingPolicy
- applyPolicyItems(appliedPolicyItems, policyItemType, userPolicyItems, groupPolicyItems, rolePolicyItems);
-
- // Add modified/new policyItems back to existing policy
- mergeProcessedPolicyItems(existingPolicy, userPolicyItems, groupPolicyItems, rolePolicyItems);
-
- compactPolicy(existingPolicy);
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceRESTUtil.processApplyPolicyForItemType()");
- }
- }
-
- static public void mergeExactMatchPolicyForResource(RangerPolicy existingPolicy, RangerPolicy appliedPolicy) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceRESTUtil.mergeExactMatchPolicyForResource()");
- }
- mergeExactMatchPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.ALLOW);
- mergeExactMatchPolicyForItemType(existingPolicy, appliedPolicy, 
POLICYITEM_TYPE.DENY);
- mergeExactMatchPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.ALLOW_EXCEPTIONS);
- mergeExactMatchPolicyForItemType(existingPolicy, appliedPolicy, POLICYITEM_TYPE.DENY_EXCEPTIONS);
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceRESTUtil.mergeExactMatchPolicyForResource()");
- }
- }
-
- static private void mergeExactMatchPolicyForItemType(RangerPolicy existingPolicy, RangerPolicy appliedPolicy, POLICYITEM_TYPE policyItemType) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceRESTUtil.mergeExactMatchPolicyForItemType()");
- }
- List appliedPolicyItems = null;
- switch (policyItemType) {
- case ALLOW:
- appliedPolicyItems = appliedPolicy.getPolicyItems();
- break;
- case DENY:
- appliedPolicyItems = appliedPolicy.getDenyPolicyItems();
- break;
- case ALLOW_EXCEPTIONS:
- appliedPolicyItems = appliedPolicy.getAllowExceptions();
- break;
- case DENY_EXCEPTIONS:
- appliedPolicyItems = appliedPolicy.getDenyExceptions();
- break;
- default:
- LOG.warn("mergeExactMatchPolicyForItemType(): invalid policyItemType=" + policyItemType);
- }
-
- if (CollectionUtils.isNotEmpty(appliedPolicyItems)) {
-
- Set users = new HashSet();
- Set groups = new HashSet();
- Set roles = new HashSet();
-
- Map userPolicyItems = new HashMap();
- Map groupPolicyItems = new HashMap();
- Map rolePolicyItems = new HashMap();
-
- // Extract users and groups specified in appliedPolicy items
- extractUsersGroupsAndRoles(appliedPolicyItems, users, groups, roles);
-
- // Split existing policyItems for users and groups extracted from appliedPolicyItem into userPolicyItems and groupPolicyItems
- splitExistingPolicyItems(existingPolicy, users, userPolicyItems, groups, groupPolicyItems, roles, rolePolicyItems);
- // Apply policyItems of given type in appliedPlicy to policyItems extracted from existingPolicy
- mergePolicyItems(appliedPolicyItems, policyItemType, userPolicyItems, groupPolicyItems, rolePolicyItems);
- // Add modified/new policyItems back to 
existing policy
- mergeProcessedPolicyItems(existingPolicy, userPolicyItems, groupPolicyItems, rolePolicyItems);
- compactPolicy(existingPolicy);
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceRESTUtil.mergeExactMatchPolicyForItemType()");
- }
- }
-
- static private void extractUsersGroupsAndRoles(List policyItems, Set users, Set groups, Set roles) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceRESTUtil.extractUsersGroupsAndRoles()");
- }
- if (CollectionUtils.isNotEmpty(policyItems)) {
- for (RangerPolicy.RangerPolicyItem policyItem : policyItems) {
- if (CollectionUtils.isNotEmpty(policyItem.getUsers())) {
- users.addAll(policyItem.getUsers());
- }
- if (CollectionUtils.isNotEmpty(policyItem.getGroups())) {
- groups.addAll(policyItem.getGroups());
- }
-
- if (CollectionUtils.isNotEmpty(policyItem.getRoles())) {
- roles.addAll(policyItem.getRoles());
- }
- }
- }
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceRESTUtil.extractUsersGroupsAndRoles()");
- }
- }
-
- static private void splitExistingPolicyItems(RangerPolicy existingPolicy,
- Set users, Map userPolicyItems, Set groups,
- Map groupPolicyItems, Set roles,
- Map rolePolicyItems) {
-
- if (existingPolicy == null
- || users == null || userPolicyItems == null
- || groups == null || groupPolicyItems == null
- || roles == null || rolePolicyItems == null) {
- return;
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceRESTUtil.splitExistingPolicyItems()");
- }
-
- List allowItems = existingPolicy.getPolicyItems();
- List denyItems = existingPolicy.getDenyPolicyItems();
- List allowExceptionItems = existingPolicy.getAllowExceptions();
- List denyExceptionItems = existingPolicy.getDenyExceptions();
-
- for (String user : users) {
- RangerPolicy.RangerPolicyItem value[] = userPolicyItems.get(user);
- if (value == null) {
- value = new RangerPolicy.RangerPolicyItem[4];
- userPolicyItems.put(user, value);
- }
-
- RangerPolicy.RangerPolicyItem policyItem = null;
-
- policyItem = 
splitAndGetConsolidatedPolicyItemForUser(allowItems, user);
- value[POLICYITEM_TYPE.ALLOW.ordinal()] = policyItem;
- policyItem = splitAndGetConsolidatedPolicyItemForUser(denyItems, user);
- value[POLICYITEM_TYPE.DENY.ordinal()] = policyItem;
- policyItem = splitAndGetConsolidatedPolicyItemForUser(allowExceptionItems, user);
- value[POLICYITEM_TYPE.ALLOW_EXCEPTIONS.ordinal()] = policyItem;
- policyItem = splitAndGetConsolidatedPolicyItemForUser(denyExceptionItems, user);
- value[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()] = policyItem;
- }
-
- for (String group : groups) {
- RangerPolicy.RangerPolicyItem value[] = groupPolicyItems.get(group);
- if (value == null) {
- value = new RangerPolicy.RangerPolicyItem[4];
- groupPolicyItems.put(group, value);
- }
-
- RangerPolicy.RangerPolicyItem policyItem = null;
-
- policyItem = splitAndGetConsolidatedPolicyItemForGroup(allowItems, group);
- value[POLICYITEM_TYPE.ALLOW.ordinal()] = policyItem;
- policyItem = splitAndGetConsolidatedPolicyItemForGroup(denyItems, group);
- value[POLICYITEM_TYPE.DENY.ordinal()] = policyItem;
- policyItem = splitAndGetConsolidatedPolicyItemForGroup(allowExceptionItems, group);
- value[POLICYITEM_TYPE.ALLOW_EXCEPTIONS.ordinal()] = policyItem;
- policyItem = splitAndGetConsolidatedPolicyItemForGroup(denyExceptionItems, group);
- value[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()] = policyItem;
- }
- for (String role : roles) {
- RangerPolicy.RangerPolicyItem value[] = rolePolicyItems.get(role);
- if (value == null) {
- value = new RangerPolicy.RangerPolicyItem[4];
- rolePolicyItems.put(role, value);
- }
-
- RangerPolicy.RangerPolicyItem policyItem = null;
-
- policyItem = splitAndGetConsolidatedPolicyItemForRole(allowItems, role);
- value[POLICYITEM_TYPE.ALLOW.ordinal()] = policyItem;
- policyItem = splitAndGetConsolidatedPolicyItemForRole(denyItems, role);
- value[POLICYITEM_TYPE.DENY.ordinal()] = policyItem;
- policyItem = splitAndGetConsolidatedPolicyItemForRole(allowExceptionItems, role);
- 
value[POLICYITEM_TYPE.ALLOW_EXCEPTIONS.ordinal()] = policyItem;
- policyItem = splitAndGetConsolidatedPolicyItemForRole(denyExceptionItems, role);
- value[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()] = policyItem;
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceRESTUtil.splitExistingPolicyItems()");
- }
- }
-
- static private RangerPolicy.RangerPolicyItem splitAndGetConsolidatedPolicyItemForUser(List policyItems, String user) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceRESTUtil.splitAndGetConsolidatedPolicyItemForUser()");
- }
-
- RangerPolicy.RangerPolicyItem ret = null;
-
- if (CollectionUtils.isNotEmpty(policyItems)) {
- for (RangerPolicy.RangerPolicyItem policyItem : policyItems) {
- List users = policyItem.getUsers();
- if (users.contains(user)) {
- if (ret == null) {
- ret = new RangerPolicy.RangerPolicyItem();
- }
- ret.addUser(user);
- if (policyItem.getDelegateAdmin()) {
- ret.setDelegateAdmin(Boolean.TRUE);
- }
- addAccesses(ret, policyItem.getAccesses());
-
- // Remove this user from existingPolicyItem
- users.remove(user);
- }
- }
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceRESTUtil.splitAndGetConsolidatedPolicyItemForUser()");
- }
-
- return ret;
- }
-
- static private RangerPolicy.RangerPolicyItem splitAndGetConsolidatedPolicyItemForGroup(List policyItems, String group) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceRESTUtil.splitAndGetConsolidatedPolicyItemForGroup()");
- }
-
- RangerPolicy.RangerPolicyItem ret = null;
-
- if (CollectionUtils.isNotEmpty(policyItems)) {
- for (RangerPolicy.RangerPolicyItem policyItem : policyItems) {
- List groups = policyItem.getGroups();
- if (groups.contains(group)) {
- if (ret == null) {
- ret = new RangerPolicy.RangerPolicyItem();
- }
- ret.addGroup(group);
- if (policyItem.getDelegateAdmin()) {
- ret.setDelegateAdmin(Boolean.TRUE);
- }
- addAccesses(ret, policyItem.getAccesses());
-
- // Remove this group from existingPolicyItem
- groups.remove(group);
- }
- }
- }
- 
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceRESTUtil.splitAndGetConsolidatedPolicyItemForGroup()");
- }
-
- return ret;
- }
-
- static private RangerPolicy.RangerPolicyItem splitAndGetConsolidatedPolicyItemForRole(List policyItems, String role) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceRESTUtil.splitAndGetConsolidatedPolicyItemForGroup()");
- }
-
- RangerPolicy.RangerPolicyItem ret = null;
-
- if (CollectionUtils.isNotEmpty(policyItems)) {
- for (RangerPolicy.RangerPolicyItem policyItem : policyItems) {
- List roles = policyItem.getRoles();
- if (roles.contains(role)) {
- if (ret == null) {
- ret = new RangerPolicy.RangerPolicyItem();
- }
- ret.addRole(role);
- if (policyItem.getDelegateAdmin()) {
- ret.setDelegateAdmin(Boolean.TRUE);
- }
- addAccesses(ret, policyItem.getAccesses());
-
- // Remove this role from existingPolicyItem
- roles.remove(role);
- }
- }
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceRESTUtil.splitAndGetConsolidatedPolicyItemForGroup()");
- }
-
- return ret;
- }
-
- static private void applyPolicyItems(List appliedPolicyItems, POLICYITEM_TYPE policyItemType, Map existingUserPolicyItems,
- Map existingGroupPolicyItems, Map existingRolePolicyItems) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceRESTUtil.applyPolicyItems()");
- }
-
- for (RangerPolicy.RangerPolicyItem policyItem : appliedPolicyItems) {
- List users = policyItem.getUsers();
- for (String user : users) {
- RangerPolicy.RangerPolicyItem[] existingPolicyItems = existingUserPolicyItems.get(user);
-
- if (existingPolicyItems == null) {
- // Should not get here
- LOG.warn("Should not have come here..");
- existingPolicyItems = new RangerPolicy.RangerPolicyItem[4];
- existingUserPolicyItems.put(user, existingPolicyItems);
- }
-
- addPolicyItemForUser(existingPolicyItems, policyItemType.ordinal(), user, policyItem);
-
- switch (policyItemType) {
- case ALLOW:
- RangerPolicy.RangerPolicyItem denyPolicyItem = 
existingPolicyItems[POLICYITEM_TYPE.DENY.ordinal()];
- if (denyPolicyItem != null) {
- removeAccesses(existingPolicyItems[POLICYITEM_TYPE.DENY.ordinal()], policyItem.getAccesses());
- addPolicyItemForUser(existingPolicyItems, POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal(), user, policyItem);
- }
- removeAccesses(existingPolicyItems[POLICYITEM_TYPE.ALLOW_EXCEPTIONS.ordinal()], policyItem.getAccesses());
- break;
- case DENY:
- RangerPolicy.RangerPolicyItem allowPolicyItem = existingPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()];
- if (allowPolicyItem != null) {
- removeAccesses(existingPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()], policyItem.getAccesses());
- addPolicyItemForUser(existingPolicyItems, POLICYITEM_TYPE.ALLOW_EXCEPTIONS.ordinal(), user, policyItem);
- }
- removeAccesses(existingPolicyItems[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()], policyItem.getAccesses());
- break;
- case ALLOW_EXCEPTIONS:
- removeAccesses(existingPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()], policyItem.getAccesses());
- break;
- case DENY_EXCEPTIONS:
- removeAccesses(existingPolicyItems[POLICYITEM_TYPE.DENY.ordinal()], policyItem.getAccesses());
- break;
- default:
- LOG.warn("Should not have come here..");
- break;
- }
- }
- }
-
- for (RangerPolicy.RangerPolicyItem policyItem : appliedPolicyItems) {
- List groups = policyItem.getGroups();
- for (String group : groups) {
- RangerPolicy.RangerPolicyItem[] existingPolicyItems = existingGroupPolicyItems.get(group);
-
- if (existingPolicyItems == null) {
- // Should not get here
- existingPolicyItems = new RangerPolicy.RangerPolicyItem[4];
- existingGroupPolicyItems.put(group, existingPolicyItems);
- }
-
- addPolicyItemForGroup(existingPolicyItems, policyItemType.ordinal(), group, policyItem);
-
- switch (policyItemType) {
- case ALLOW:
- RangerPolicy.RangerPolicyItem denyPolicyItem = existingPolicyItems[POLICYITEM_TYPE.DENY.ordinal()];
- if (denyPolicyItem != null) {
- removeAccesses(existingPolicyItems[POLICYITEM_TYPE.DENY.ordinal()], 
policyItem.getAccesses());
- addPolicyItemForGroup(existingPolicyItems, POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal(), group, policyItem);
- }
- removeAccesses(existingPolicyItems[POLICYITEM_TYPE.ALLOW_EXCEPTIONS.ordinal()], policyItem.getAccesses());
- break;
- case DENY:
- RangerPolicy.RangerPolicyItem allowPolicyItem = existingPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()];
- if (allowPolicyItem != null) {
- removeAccesses(existingPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()], policyItem.getAccesses());
- addPolicyItemForGroup(existingPolicyItems, POLICYITEM_TYPE.ALLOW_EXCEPTIONS.ordinal(), group, policyItem);
- }
- removeAccesses(existingPolicyItems[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()], policyItem.getAccesses());
- break;
- case ALLOW_EXCEPTIONS:
- removeAccesses(existingPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()], policyItem.getAccesses());
- break;
- case DENY_EXCEPTIONS:
- removeAccesses(existingPolicyItems[POLICYITEM_TYPE.DENY.ordinal()], policyItem.getAccesses());
- break;
- default:
- break;
- }
- }
- }
-
- for (RangerPolicy.RangerPolicyItem policyItem : appliedPolicyItems) {
- List roles = policyItem.getRoles();
- for (String role : roles) {
- RangerPolicy.RangerPolicyItem[] existingPolicyItems = existingRolePolicyItems.get(role);
-
- if (existingPolicyItems == null) {
- // Should not get here
- existingPolicyItems = new RangerPolicy.RangerPolicyItem[4];
- existingRolePolicyItems.put(role, existingPolicyItems);
- }
-
- addPolicyItemForRole(existingPolicyItems, policyItemType.ordinal(), role, policyItem);
-
- switch (policyItemType) {
- case ALLOW:
- RangerPolicy.RangerPolicyItem denyPolicyItem = existingPolicyItems[POLICYITEM_TYPE.DENY.ordinal()];
- if (denyPolicyItem != null) {
- removeAccesses(existingPolicyItems[POLICYITEM_TYPE.DENY.ordinal()], policyItem.getAccesses());
- addPolicyItemForRole(existingPolicyItems, POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal(), role, policyItem);
- }
- 
removeAccesses(existingPolicyItems[POLICYITEM_TYPE.ALLOW_EXCEPTIONS.ordinal()], policyItem.getAccesses());
- break;
- case DENY:
- RangerPolicy.RangerPolicyItem allowPolicyItem = existingPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()];
- if (allowPolicyItem != null) {
- removeAccesses(existingPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()], policyItem.getAccesses());
- addPolicyItemForRole(existingPolicyItems, POLICYITEM_TYPE.ALLOW_EXCEPTIONS.ordinal(), role, policyItem);
- }
- removeAccesses(existingPolicyItems[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()], policyItem.getAccesses());
- break;
- case ALLOW_EXCEPTIONS:
- removeAccesses(existingPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()], policyItem.getAccesses());
- break;
- case DENY_EXCEPTIONS:
- removeAccesses(existingPolicyItems[POLICYITEM_TYPE.DENY.ordinal()], policyItem.getAccesses());
- break;
- default:
- break;
- }
- }
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceRESTUtil.applyPolicyItems()");
- }
- }
-
- static private void mergePolicyItems(List appliedPolicyItems,
- POLICYITEM_TYPE policyItemType, Map existingUserPolicyItems,
- Map existingGroupPolicyItems,
- Map existingRolePolicyItems ) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceRESTUtil.mergePolicyItems()");
- }
- for (RangerPolicy.RangerPolicyItem policyItem : appliedPolicyItems) {
- List users = policyItem.getUsers();
- for (String user : users) {
- RangerPolicy.RangerPolicyItem[] items = existingUserPolicyItems.get(user);
- if (items == null) {
- // Should not get here
- LOG.warn("Should not have come here..");
- items = new RangerPolicy.RangerPolicyItem[4];
- existingUserPolicyItems.put(user, items);
- }
- addPolicyItemForUser(items, policyItemType.ordinal(), user, policyItem);
- }
- }
-
- for (RangerPolicy.RangerPolicyItem policyItem : appliedPolicyItems) {
- List groups = policyItem.getGroups();
- for (String group : groups) {
- RangerPolicy.RangerPolicyItem[] items = existingGroupPolicyItems.get(group);
- if (items == null) { 
- // Should not get here
- items = new RangerPolicy.RangerPolicyItem[4];
- existingGroupPolicyItems.put(group, items);
- }
- addPolicyItemForGroup(items, policyItemType.ordinal(), group, policyItem);
- }
- }
-
- for (RangerPolicy.RangerPolicyItem policyItem : appliedPolicyItems) {
- List roles = policyItem.getRoles();
- for (String role : roles) {
- RangerPolicy.RangerPolicyItem[] items = existingRolePolicyItems.get(role);
- if (items == null) {
- // Should not get here
- items = new RangerPolicy.RangerPolicyItem[4];
- existingRolePolicyItems.put(role, items);
- }
- addPolicyItemForRole(items, policyItemType.ordinal(), role, policyItem);
- }
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceRESTUtil.mergePolicyItems()");
- }
- }
-
- static private void mergeProcessedPolicyItems(RangerPolicy existingPolicy, Map userPolicyItems,
- Map groupPolicyItems,
- Map rolePolicyItems) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceRESTUtil.mergeProcessedPolicyItems()");
- }
-
- for (Map.Entry entry : userPolicyItems.entrySet()) {
- RangerPolicy.RangerPolicyItem[] items = entry.getValue();
-
- RangerPolicy.RangerPolicyItem item = null;
-
- item = items[POLICYITEM_TYPE.ALLOW.ordinal()];
- if (item != null) {
- existingPolicy.addPolicyItem(item);
- }
-
- item = items[POLICYITEM_TYPE.DENY.ordinal()];
- if (item != null) {
- existingPolicy.addDenyPolicyItem(item);
- }
-
- item = items[POLICYITEM_TYPE.ALLOW_EXCEPTIONS.ordinal()];
- if (item != null) {
- existingPolicy.addAllowException(item);
- }
-
- item = items[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()];
- if (item != null) {
- existingPolicy.addDenyException(item);
- }
- }
-
- for (Map.Entry entry : groupPolicyItems.entrySet()) {
- RangerPolicy.RangerPolicyItem[] items = entry.getValue();
-
- RangerPolicy.RangerPolicyItem item = null;
-
- item = items[POLICYITEM_TYPE.ALLOW.ordinal()];
- if (item != null) {
- existingPolicy.addPolicyItem(item);
- }
-
- item = items[POLICYITEM_TYPE.DENY.ordinal()];
- if (item != 
null) {
- existingPolicy.addDenyPolicyItem(item);
- }
-
- item = items[POLICYITEM_TYPE.ALLOW_EXCEPTIONS.ordinal()];
- if (item != null) {
- existingPolicy.addAllowException(item);
- }
-
- item = items[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()];
- if (item != null) {
- existingPolicy.addDenyException(item);
- }
- }
-
- for (Map.Entry entry : rolePolicyItems.entrySet()) {
- RangerPolicy.RangerPolicyItem[] items = entry.getValue();
-
- RangerPolicy.RangerPolicyItem item = null;
-
- item = items[POLICYITEM_TYPE.ALLOW.ordinal()];
- if (item != null) {
- existingPolicy.addPolicyItem(item);
- }
-
- item = items[POLICYITEM_TYPE.DENY.ordinal()];
- if (item != null) {
- existingPolicy.addDenyPolicyItem(item);
- }
-
- item = items[POLICYITEM_TYPE.ALLOW_EXCEPTIONS.ordinal()];
- if (item != null) {
- existingPolicy.addAllowException(item);
- }
-
- item = items[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()];
- if (item != null) {
- existingPolicy.addDenyException(item);
- }
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceRESTUtil.mergeProcessedPolicyItems()");
- }
- }
-
- static private boolean addAccesses(RangerPolicy.RangerPolicyItem policyItem, List accesses) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceRESTUtil.addAccesses()");
- }
-
- boolean ret = false;
-
- for (RangerPolicy.RangerPolicyItemAccess access : accesses) {
- RangerPolicy.RangerPolicyItemAccess policyItemAccess = null;
- String accessType = access.getType();
-
- for (RangerPolicy.RangerPolicyItemAccess itemAccess : policyItem.getAccesses()) {
- if (StringUtils.equals(itemAccess.getType(), accessType)) {
- policyItemAccess = itemAccess;
- break;
- }
- }
-
- if (policyItemAccess != null) {
- if (!policyItemAccess.getIsAllowed()) {
- policyItemAccess.setIsAllowed(Boolean.TRUE);
- ret = true;
- }
- } else {
- policyItem.addAccess(new RangerPolicy.RangerPolicyItemAccess(accessType, Boolean.TRUE));
- ret = true;
- }
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceRESTUtil.addAccesses() 
" + ret); - } - return ret; - } - - static private boolean removeAccesses(RangerPolicy.RangerPolicyItem policyItem, List accesses) { - if (LOG.isDebugEnabled()) { - LOG.debug("==> ServiceRESTUtil.removeAccesses()"); - } - - boolean ret = false; - - if (policyItem != null) { - for (RangerPolicy.RangerPolicyItemAccess access : accesses) { - String accessType = access.getType(); - - int numOfAccesses = policyItem.getAccesses().size(); - - for (int i = 0; i < numOfAccesses; i++) { - RangerPolicy.RangerPolicyItemAccess itemAccess = policyItem.getAccesses().get(i); - - if (StringUtils.equals(itemAccess.getType(), accessType)) { - policyItem.getAccesses().remove(i); - numOfAccesses--; - i--; - - ret = true; - } - } - } - } - if (LOG.isDebugEnabled()) { - LOG.debug("<== ServiceRESTUtil.removeAccesses() " + ret); - } - return ret; - } - - static private void compactPolicy(RangerPolicy policy) { - policy.setPolicyItems(mergePolicyItems(policy.getPolicyItems())); - policy.setDenyPolicyItems(mergePolicyItems(policy.getDenyPolicyItems())); - policy.setAllowExceptions(mergePolicyItems(policy.getAllowExceptions())); - policy.setDenyExceptions(mergePolicyItems(policy.getDenyExceptions())); - } - - static private List mergePolicyItems(List policyItems) { - List ret = new ArrayList(); - - if (CollectionUtils.isNotEmpty(policyItems)) { - Map matchedPolicyItems = new HashMap(); - - for (RangerPolicy.RangerPolicyItem policyItem : policyItems) { - if((CollectionUtils.isEmpty(policyItem.getUsers()) && CollectionUtils.isEmpty(policyItem.getGroups()) && CollectionUtils.isEmpty(policyItem.getRoles())) || - (CollectionUtils.isEmpty(policyItem.getAccesses()) && !policyItem.getDelegateAdmin())) { - continue; - } - - if (policyItem.getConditions().size() > 1) { - ret.add(policyItem); - continue; - } - TreeSet accesses = new TreeSet(); - - for (RangerPolicy.RangerPolicyItemAccess access : policyItem.getAccesses()) { - accesses.add(access.getType()); - } - if (policyItem.getDelegateAdmin()) { - 
accesses.add("delegateAdmin"); - } - - String allAccessesString = accesses.toString(); - - RangerPolicy.RangerPolicyItem matchingPolicyItem = matchedPolicyItems.get(allAccessesString); - - if (matchingPolicyItem != null) { - addDistinctUsers(policyItem.getUsers(), matchingPolicyItem); - addDistinctGroups(policyItem.getGroups(), matchingPolicyItem); - addDistinctRoles(policyItem.getRoles(), matchingPolicyItem); - } else { - matchedPolicyItems.put(allAccessesString, policyItem); - } - } - - for (Map.Entry entry : matchedPolicyItems.entrySet()) { - ret.add(entry.getValue()); - } - } - - return ret; - } - - static void addPolicyItemForUser(RangerPolicy.RangerPolicyItem[] items, int typeOfItems, String user, RangerPolicy.RangerPolicyItem policyItem) { - - if (items[typeOfItems] == null) { - RangerPolicy.RangerPolicyItem newItem = new RangerPolicy.RangerPolicyItem(); - newItem.addUser(user); - - items[typeOfItems] = newItem; - } + policyItem.setDelegateAdmin(grantRequest.getDelegateAdmin()); + policyItem.addUsers(grantRequest.getUsers()); + policyItem.addGroups(grantRequest.getGroups()); + policyItem.addRoles(grantRequest.getRoles()); - addAccesses(items[typeOfItems], policyItem.getAccesses()); - - if (policyItem.getDelegateAdmin()) { - items[typeOfItems].setDelegateAdmin(Boolean.TRUE); - } - } + List accesses = new ArrayList<>(); - static void addPolicyItemForGroup(RangerPolicy.RangerPolicyItem[] items, int typeOfItems, String group, RangerPolicy.RangerPolicyItem policyItem) { + for (String accessType : grantRequest.getAccessTypes()) { + accesses.add(new RangerPolicyItemAccess(accessType, true)); + } - if (items[typeOfItems] == null) { - RangerPolicy.RangerPolicyItem newItem = new RangerPolicy.RangerPolicyItem(); - newItem.addGroup(group); + policyItem.setAccesses(accesses); - items[typeOfItems] = newItem; - } + appliedPolicy.addPolicyItem(policyItem); - addAccesses(items[typeOfItems], policyItem.getAccesses()); - - if (policyItem.getDelegateAdmin()) { - 
items[typeOfItems].setDelegateAdmin(Boolean.TRUE);
- }
- }
-
- static void addPolicyItemForRole(RangerPolicy.RangerPolicyItem[] items, int typeOfItems, String role, RangerPolicy.RangerPolicyItem policyItem) {
-
- if (items[typeOfItems] == null) {
- RangerPolicy.RangerPolicyItem newItem = new RangerPolicy.RangerPolicyItem();
- newItem.addRole(role);
-
- items[typeOfItems] = newItem;
- }
-
- addAccesses(items[typeOfItems], policyItem.getAccesses());
-
- if (policyItem.getDelegateAdmin()) {
- items[typeOfItems].setDelegateAdmin(Boolean.TRUE);
- }
- }
-
- static private void addDistinctUsers(List users, RangerPolicy.RangerPolicyItem policyItem) {
- for (String user : users) {
- if (! policyItem.getUsers().contains(user)) {
- policyItem.addUser(user);
- }
- }
- }
+ processApplyPolicy(policy, appliedPolicy);
- static private void addDistinctGroups(List groups, RangerPolicy.RangerPolicyItem policyItem) {
- for (String group : groups) {
- if (! policyItem.getGroups().contains(group)) {
- policyItem.addGroup(group);
- }
- }
- }
+ boolean policyUpdated = true;
- static private void addDistinctRoles(List roles, RangerPolicy.RangerPolicyItem policyItem) {
- for (String role : roles) {
- if (! 
policyItem.getRoles().contains(role)) {
- policyItem.addRole(role);
- }
- }
- }
+ LOG.debug("<== ServiceRESTUtil.processGrantRequest() : {}", policyUpdated);
- static private boolean removeUsersGroupsAndRolesFromPolicy(RangerPolicy policy, Set users, Set groups, Set roles) {
- boolean policyUpdated = false;
+ return policyUpdated;
+ }
- List policyItems = policy.getPolicyItems();
+ public static boolean processRevokeRequest(RangerPolicy existingRangerPolicy, GrantRevokeRequest revokeRequest) {
+ LOG.debug("==> ServiceRESTUtil.processRevokeRequest()");
- int numOfItems = policyItems.size();
+ boolean policyUpdated;
- for(int i = 0; i < numOfItems; i++) {
- RangerPolicy.RangerPolicyItem policyItem = policyItems.get(i);
+ // remove all existing privileges for users and groups
+ if (revokeRequest.getReplaceExistingPermissions()) {
+ policyUpdated = removeUsersGroupsAndRolesFromPolicy(existingRangerPolicy, revokeRequest.getUsers(), revokeRequest.getGroups(), revokeRequest.getRoles());
+ } else {
+ //Build a policy and set up policyItem in it to mimic revoke request
+ RangerPolicy appliedRangerPolicy = new RangerPolicy();
+ RangerPolicyItem appliedRangerPolicyItem = new RangerPolicyItem();
- if(CollectionUtils.containsAny(policyItem.getUsers(), users)) {
- policyItem.getUsers().removeAll(users);
+ appliedRangerPolicyItem.setDelegateAdmin(revokeRequest.getDelegateAdmin());
+ appliedRangerPolicyItem.addUsers(revokeRequest.getUsers());
+ appliedRangerPolicyItem.addGroups(revokeRequest.getGroups());
+ appliedRangerPolicyItem.addRoles(revokeRequest.getRoles());
- policyUpdated = true;
- }
+ List appliedRangerPolicyItemAccess = new ArrayList<>();
- if(CollectionUtils.containsAny(policyItem.getGroups(), groups)) {
- policyItem.getGroups().removeAll(groups);
+ for (String accessType : revokeRequest.getAccessTypes()) {
+ appliedRangerPolicyItemAccess.add(new RangerPolicyItemAccess(accessType, false));
+ }
- policyUpdated = true;
- }
+ 
appliedRangerPolicyItem.setAccesses(appliedRangerPolicyItemAccess); - if(CollectionUtils.containsAny(policyItem.getRoles(), roles)) { - policyItem.getRoles().removeAll(roles); + appliedRangerPolicy.addPolicyItem(appliedRangerPolicyItem); - policyUpdated = true; - } + List appliedRangerPolicyItems = appliedRangerPolicy.getPolicyItems(); - if(CollectionUtils.isEmpty(policyItem.getUsers()) && CollectionUtils.isEmpty(policyItem.getGroups()) && CollectionUtils.isEmpty(policyItem.getRoles())) { - policyItems.remove(i); - numOfItems--; - i--; + //processApplyPolicyForItemType(existingRangerPolicy, appliedRangerPolicy, PolicyTermType.ALLOW); + if (CollectionUtils.isNotEmpty(appliedRangerPolicyItems)) { + Set users = new HashSet<>(); + Set groups = new HashSet<>(); + Set roles = new HashSet<>(); - policyUpdated = true; - } - } + Map userPolicyItems = new HashMap<>(); + Map groupPolicyItems = new HashMap<>(); + Map rolePolicyItems = new HashMap<>(); - return policyUpdated; - } + // Extract users, groups, and roles specified in appliedPolicy items + extractUsersGroupsAndRoles(appliedRangerPolicyItems, users, groups, roles); - static boolean containsRangerCondition(RangerPolicy policy) { - boolean ret = false; + // Split existing policyItems for users, groups, and roles extracted from appliedPolicyItem into userPolicyItems, groupPolicyItems and rolePolicyItems + splitExistingPolicyItems(existingRangerPolicy, users, userPolicyItems, groups, groupPolicyItems, roles, rolePolicyItems); - if (LOG.isDebugEnabled()) { - LOG.debug("==> ServiceRESTUtil.containsRangerCondition(" + policy +")"); - } + for (RangerPolicyItem tempPolicyItem : appliedRangerPolicyItems) { + List appliedPolicyItemsUser = tempPolicyItem.getUsers(); - if (policy != null) { - if (CollectionUtils.isNotEmpty(policy.getConditions())) { - ret = true; - } else { - List allItems = new ArrayList(); + for (String user : appliedPolicyItemsUser) { + RangerPolicyItem[] rangerPolicyItems = userPolicyItems.get(user); - 
allItems.addAll(policy.getPolicyItems()); - allItems.addAll(policy.getDenyPolicyItems()); - allItems.addAll(policy.getAllowExceptions()); - allItems.addAll(policy.getDenyExceptions()); - - for (RangerPolicy.RangerPolicyItem policyItem : allItems) { - if (!policyItem.getConditions().isEmpty()) { - ret = true; - break; - } - } - } - } - - if (LOG.isDebugEnabled()) { - LOG.debug("<== ServiceRESTUtil.containsRangerCondition(" + policy +"): " + ret); - } - - return ret; - } + if (rangerPolicyItems != null && rangerPolicyItems.length > 0) { + if (rangerPolicyItems[PolicyTermType.ALLOW.ordinal()] != null) { + removeAccesses(rangerPolicyItems[PolicyTermType.ALLOW.ordinal()], tempPolicyItem.getAccesses()); + + if (!CollectionUtils.isEmpty(rangerPolicyItems[PolicyTermType.ALLOW.ordinal()].getAccesses())) { + rangerPolicyItems[PolicyTermType.ALLOW.ordinal()].setDelegateAdmin(revokeRequest.getDelegateAdmin()); + } else { + rangerPolicyItems[PolicyTermType.ALLOW.ordinal()].setDelegateAdmin(Boolean.FALSE); + } + } + + if (rangerPolicyItems[PolicyTermType.DENY_EXCEPTIONS.ordinal()] != null) { + removeAccesses(rangerPolicyItems[PolicyTermType.DENY_EXCEPTIONS.ordinal()], tempPolicyItem.getAccesses()); + rangerPolicyItems[PolicyTermType.DENY_EXCEPTIONS.ordinal()].setDelegateAdmin(Boolean.FALSE); + } + } + } + } + + for (RangerPolicyItem tempPolicyItem : appliedRangerPolicyItems) { + List appliedPolicyItemsGroup = tempPolicyItem.getGroups(); + + for (String group : appliedPolicyItemsGroup) { + RangerPolicyItem[] rangerPolicyItems = groupPolicyItems.get(group); + + if (rangerPolicyItems != null && rangerPolicyItems.length > 0) { + if (rangerPolicyItems[PolicyTermType.ALLOW.ordinal()] != null) { + removeAccesses(rangerPolicyItems[PolicyTermType.ALLOW.ordinal()], tempPolicyItem.getAccesses()); + + if (!CollectionUtils.isEmpty(rangerPolicyItems[PolicyTermType.ALLOW.ordinal()].getAccesses())) { + 
rangerPolicyItems[PolicyTermType.ALLOW.ordinal()].setDelegateAdmin(revokeRequest.getDelegateAdmin()); + } else { + rangerPolicyItems[PolicyTermType.ALLOW.ordinal()].setDelegateAdmin(Boolean.FALSE); + } + } + + if (rangerPolicyItems[PolicyTermType.DENY_EXCEPTIONS.ordinal()] != null) { + removeAccesses(rangerPolicyItems[PolicyTermType.DENY_EXCEPTIONS.ordinal()], tempPolicyItem.getAccesses()); + rangerPolicyItems[PolicyTermType.DENY_EXCEPTIONS.ordinal()].setDelegateAdmin(Boolean.FALSE); + } + } + } + } + + for (RangerPolicyItem tempPolicyItem : appliedRangerPolicyItems) { + List appliedPolicyItemsRole = tempPolicyItem.getRoles(); + + for (String role : appliedPolicyItemsRole) { + RangerPolicyItem[] rangerPolicyItems = rolePolicyItems.get(role); + + if (rangerPolicyItems != null && rangerPolicyItems.length > 0) { + if (rangerPolicyItems[PolicyTermType.ALLOW.ordinal()] != null) { + removeAccesses(rangerPolicyItems[PolicyTermType.ALLOW.ordinal()], tempPolicyItem.getAccesses()); + + if (!CollectionUtils.isEmpty(rangerPolicyItems[PolicyTermType.ALLOW.ordinal()].getAccesses())) { + rangerPolicyItems[PolicyTermType.ALLOW.ordinal()].setDelegateAdmin(revokeRequest.getDelegateAdmin()); + } else { + rangerPolicyItems[PolicyTermType.ALLOW.ordinal()].setDelegateAdmin(Boolean.FALSE); + } + } + + if (rangerPolicyItems[PolicyTermType.DENY_EXCEPTIONS.ordinal()] != null) { + removeAccesses(rangerPolicyItems[PolicyTermType.DENY_EXCEPTIONS.ordinal()], tempPolicyItem.getAccesses()); + rangerPolicyItems[PolicyTermType.DENY_EXCEPTIONS.ordinal()].setDelegateAdmin(Boolean.FALSE); + } + } + } + } + + // Add modified/new policyItems back to existing policy + mergeProcessedPolicyItems(existingRangerPolicy, userPolicyItems, groupPolicyItems, rolePolicyItems); + compactPolicy(existingRangerPolicy); + } + + policyUpdated = true; + } + + LOG.debug("<== ServiceRESTUtil.processRevokeRequest() : {}", policyUpdated); + + return policyUpdated; + } + + public static void processApplyPolicy(RangerPolicy 
existingPolicy, RangerPolicy appliedPolicy) { + LOG.debug("==> ServiceRESTUtil.processApplyPolicy()"); + + // Check if applied policy or existing policy contains any conditions + if (ServiceRESTUtil.containsRangerCondition(existingPolicy) || ServiceRESTUtil.containsRangerCondition(appliedPolicy)) { + LOG.info("Applied policy [{}] or existing policy [{}] contains condition(s). Combining two policies.", appliedPolicy, existingPolicy); + + combinePolicy(existingPolicy, appliedPolicy); + } else { + processApplyPolicyForItemType(existingPolicy, appliedPolicy, PolicyTermType.ALLOW); + processApplyPolicyForItemType(existingPolicy, appliedPolicy, PolicyTermType.DENY); + processApplyPolicyForItemType(existingPolicy, appliedPolicy, PolicyTermType.ALLOW_EXCEPTIONS); + processApplyPolicyForItemType(existingPolicy, appliedPolicy, PolicyTermType.DENY_EXCEPTIONS); + } + + LOG.debug("<== ServiceRESTUtil.processApplyPolicy()"); + } + + public static void mergeExactMatchPolicyForResource(RangerPolicy existingPolicy, RangerPolicy appliedPolicy) { + LOG.debug("==> ServiceRESTUtil.mergeExactMatchPolicyForResource()"); + + mergeExactMatchPolicyForItemType(existingPolicy, appliedPolicy, PolicyTermType.ALLOW); + mergeExactMatchPolicyForItemType(existingPolicy, appliedPolicy, PolicyTermType.DENY); + mergeExactMatchPolicyForItemType(existingPolicy, appliedPolicy, PolicyTermType.ALLOW_EXCEPTIONS); + mergeExactMatchPolicyForItemType(existingPolicy, appliedPolicy, PolicyTermType.DENY_EXCEPTIONS); + + LOG.debug("<== ServiceRESTUtil.mergeExactMatchPolicyForResource()"); + } + + static void addPolicyItemForUser(RangerPolicyItem[] items, int typeOfItems, String user, RangerPolicyItem policyItem) { + if (items[typeOfItems] == null) { + RangerPolicyItem newItem = new RangerPolicyItem(); + + newItem.addUser(user); + + items[typeOfItems] = newItem; + } + + addAccesses(items[typeOfItems], policyItem.getAccesses()); + + if (policyItem.getDelegateAdmin()) { + 
items[typeOfItems].setDelegateAdmin(Boolean.TRUE); + } + } + + static void addPolicyItemForGroup(RangerPolicyItem[] items, int typeOfItems, String group, RangerPolicyItem policyItem) { + if (items[typeOfItems] == null) { + RangerPolicyItem newItem = new RangerPolicyItem(); + + newItem.addGroup(group); + + items[typeOfItems] = newItem; + } + + addAccesses(items[typeOfItems], policyItem.getAccesses()); + + if (policyItem.getDelegateAdmin()) { + items[typeOfItems].setDelegateAdmin(Boolean.TRUE); + } + } + + static void addPolicyItemForRole(RangerPolicyItem[] items, int typeOfItems, String role, RangerPolicyItem policyItem) { + if (items[typeOfItems] == null) { + RangerPolicyItem newItem = new RangerPolicyItem(); + + newItem.addRole(role); + + items[typeOfItems] = newItem; + } + + addAccesses(items[typeOfItems], policyItem.getAccesses()); + + if (policyItem.getDelegateAdmin()) { + items[typeOfItems].setDelegateAdmin(Boolean.TRUE); + } + } + + static boolean containsRangerCondition(RangerPolicy policy) { + boolean ret = false; + + LOG.debug("==> ServiceRESTUtil.containsRangerCondition({})", policy); + + if (policy != null) { + if (CollectionUtils.isNotEmpty(policy.getConditions())) { + ret = true; + } else { + List allItems = new ArrayList<>(); + + allItems.addAll(policy.getPolicyItems()); + allItems.addAll(policy.getDenyPolicyItems()); + allItems.addAll(policy.getAllowExceptions()); + allItems.addAll(policy.getDenyExceptions()); + + for (RangerPolicyItem policyItem : allItems) { + if (!policyItem.getConditions().isEmpty()) { + ret = true; + break; + } + } + } + } + + LOG.debug("<== ServiceRESTUtil.containsRangerCondition({}):{}", policy, ret); + + return ret; + } + + private static void combinePolicy(RangerPolicy existingPolicy, RangerPolicy appliedPolicy) { + combinePolicyItems(existingPolicy, appliedPolicy, PolicyTermType.ALLOW); + combinePolicyItems(existingPolicy, appliedPolicy, PolicyTermType.DENY); + combinePolicyItems(existingPolicy, appliedPolicy, 
PolicyTermType.ALLOW_EXCEPTIONS); + combinePolicyItems(existingPolicy, appliedPolicy, PolicyTermType.DENY_EXCEPTIONS); + } + + private static void combinePolicyItems(RangerPolicy existingPolicy, RangerPolicy appliedPolicy, PolicyTermType polityItemType) { + List existingPolicyItems; + List appliedPolicyItems; + + switch (polityItemType) { + case ALLOW: + existingPolicyItems = existingPolicy.getPolicyItems(); + appliedPolicyItems = appliedPolicy.getPolicyItems(); + break; + case DENY: + existingPolicyItems = existingPolicy.getDenyPolicyItems(); + appliedPolicyItems = appliedPolicy.getDenyPolicyItems(); + break; + case ALLOW_EXCEPTIONS: + existingPolicyItems = existingPolicy.getAllowExceptions(); + appliedPolicyItems = appliedPolicy.getAllowExceptions(); + break; + case DENY_EXCEPTIONS: + existingPolicyItems = existingPolicy.getDenyExceptions(); + appliedPolicyItems = appliedPolicy.getDenyExceptions(); + break; + default: + existingPolicyItems = null; + appliedPolicyItems = null; + break; + } + + if (CollectionUtils.isNotEmpty(appliedPolicyItems)) { + if (CollectionUtils.isNotEmpty(existingPolicyItems)) { + List itemsToAdd = new ArrayList<>(); + + for (RangerPolicyItem appliedPolicyItem : appliedPolicyItems) { + if (!existingPolicyItems.contains(appliedPolicyItem)) { + itemsToAdd.add(appliedPolicyItem); + } + } + + existingPolicyItems.addAll(itemsToAdd); + } else { + switch (polityItemType) { + case ALLOW: + existingPolicy.setPolicyItems(appliedPolicyItems); + break; + case DENY: + existingPolicy.setDenyPolicyItems(appliedPolicyItems); + break; + case ALLOW_EXCEPTIONS: + existingPolicy.setAllowExceptions(appliedPolicyItems); + break; + case DENY_EXCEPTIONS: + existingPolicy.setDenyExceptions(appliedPolicyItems); + break; + } + } + } + } + + private static void processApplyPolicyForItemType(RangerPolicy existingPolicy, RangerPolicy appliedPolicy, PolicyTermType policyItemType) { + LOG.debug("==> ServiceRESTUtil.processApplyPolicyForItemType()"); + + List 
appliedPolicyItems = null; + + switch (policyItemType) { + case ALLOW: + appliedPolicyItems = appliedPolicy.getPolicyItems(); + break; + case DENY: + appliedPolicyItems = appliedPolicy.getDenyPolicyItems(); + break; + case ALLOW_EXCEPTIONS: + appliedPolicyItems = appliedPolicy.getAllowExceptions(); + break; + case DENY_EXCEPTIONS: + appliedPolicyItems = appliedPolicy.getDenyExceptions(); + break; + default: + LOG.warn("processApplyPolicyForItemType(): invalid policyItemType={}", policyItemType); + } + + if (CollectionUtils.isNotEmpty(appliedPolicyItems)) { + Set users = new HashSet<>(); + Set groups = new HashSet<>(); + Set roles = new HashSet<>(); + + Map userPolicyItems = new HashMap<>(); + Map groupPolicyItems = new HashMap<>(); + Map rolePolicyItems = new HashMap<>(); + + // Extract users, groups, and roles specified in appliedPolicy items + extractUsersGroupsAndRoles(appliedPolicyItems, users, groups, roles); + + // Split existing policyItems for users, groups, and roles extracted from appliedPolicyItem into userPolicyItems, groupPolicyItems, and rolePolicyItems + splitExistingPolicyItems(existingPolicy, users, userPolicyItems, groups, groupPolicyItems, roles, rolePolicyItems); + + // Apply policyItems of given type in appliedPolicy to policyItems extracted from existingPolicy + applyPolicyItems(appliedPolicyItems, policyItemType, userPolicyItems, groupPolicyItems, rolePolicyItems); + + // Add modified/new policyItems back to existing policy + mergeProcessedPolicyItems(existingPolicy, userPolicyItems, groupPolicyItems, rolePolicyItems); + + compactPolicy(existingPolicy); + } + + LOG.debug("<== ServiceRESTUtil.processApplyPolicyForItemType()"); + } + + private static void mergeExactMatchPolicyForItemType(RangerPolicy existingPolicy, RangerPolicy appliedPolicy, PolicyTermType policyItemType) { + LOG.debug("==> ServiceRESTUtil.mergeExactMatchPolicyForItemType()"); + List appliedPolicyItems = null; + + switch (policyItemType) { + case ALLOW: + appliedPolicyItems = 
appliedPolicy.getPolicyItems(); + break; + case DENY: + appliedPolicyItems = appliedPolicy.getDenyPolicyItems(); + break; + case ALLOW_EXCEPTIONS: + appliedPolicyItems = appliedPolicy.getAllowExceptions(); + break; + case DENY_EXCEPTIONS: + appliedPolicyItems = appliedPolicy.getDenyExceptions(); + break; + default: + LOG.warn("mergeExactMatchPolicyForItemType(): invalid policyItemType={}", policyItemType); + } + + if (CollectionUtils.isNotEmpty(appliedPolicyItems)) { + Set users = new HashSet<>(); + Set groups = new HashSet<>(); + Set roles = new HashSet<>(); + + Map userPolicyItems = new HashMap<>(); + Map groupPolicyItems = new HashMap<>(); + Map rolePolicyItems = new HashMap<>(); + + // Extract users and groups specified in appliedPolicy items + extractUsersGroupsAndRoles(appliedPolicyItems, users, groups, roles); + + // Split existing policyItems for users and groups extracted from appliedPolicyItem into userPolicyItems and groupPolicyItems + splitExistingPolicyItems(existingPolicy, users, userPolicyItems, groups, groupPolicyItems, roles, rolePolicyItems); + + // Apply policyItems of given type in appliedPlicy to policyItems extracted from existingPolicy + mergePolicyItems(appliedPolicyItems, policyItemType, userPolicyItems, groupPolicyItems, rolePolicyItems); + + // Add modified/new policyItems back to existing policy + mergeProcessedPolicyItems(existingPolicy, userPolicyItems, groupPolicyItems, rolePolicyItems); + + compactPolicy(existingPolicy); + } + + LOG.debug("<== ServiceRESTUtil.mergeExactMatchPolicyForItemType()"); + } + + private static void extractUsersGroupsAndRoles(List policyItems, Set users, Set groups, Set roles) { + LOG.debug("==> ServiceRESTUtil.extractUsersGroupsAndRoles()"); + + if (CollectionUtils.isNotEmpty(policyItems)) { + for (RangerPolicyItem policyItem : policyItems) { + if (CollectionUtils.isNotEmpty(policyItem.getUsers())) { + users.addAll(policyItem.getUsers()); + } + + if (CollectionUtils.isNotEmpty(policyItem.getGroups())) { + 
groups.addAll(policyItem.getGroups()); + } + + if (CollectionUtils.isNotEmpty(policyItem.getRoles())) { + roles.addAll(policyItem.getRoles()); + } + } + } + + LOG.debug("<== ServiceRESTUtil.extractUsersGroupsAndRoles()"); + } + + private static void splitExistingPolicyItems(RangerPolicy existingPolicy, Set users, Map userPolicyItems, Set groups, Map groupPolicyItems, Set roles, Map rolePolicyItems) { + if (existingPolicy == null || users == null || userPolicyItems == null || groups == null || groupPolicyItems == null || roles == null || rolePolicyItems == null) { + return; + } + + LOG.debug("==> ServiceRESTUtil.splitExistingPolicyItems()"); + + List allowItems = existingPolicy.getPolicyItems(); + List denyItems = existingPolicy.getDenyPolicyItems(); + List allowExceptionItems = existingPolicy.getAllowExceptions(); + List denyExceptionItems = existingPolicy.getDenyExceptions(); + + for (String user : users) { + RangerPolicyItem[] value = userPolicyItems.computeIfAbsent(user, k -> new RangerPolicyItem[4]); + RangerPolicyItem policyItem; + + policyItem = splitAndGetConsolidatedPolicyItemForUser(allowItems, user); + value[PolicyTermType.ALLOW.ordinal()] = policyItem; + policyItem = splitAndGetConsolidatedPolicyItemForUser(denyItems, user); + value[PolicyTermType.DENY.ordinal()] = policyItem; + policyItem = splitAndGetConsolidatedPolicyItemForUser(allowExceptionItems, user); + value[PolicyTermType.ALLOW_EXCEPTIONS.ordinal()] = policyItem; + policyItem = splitAndGetConsolidatedPolicyItemForUser(denyExceptionItems, user); + value[PolicyTermType.DENY_EXCEPTIONS.ordinal()] = policyItem; + } + + for (String group : groups) { + RangerPolicyItem[] value = groupPolicyItems.computeIfAbsent(group, k -> new RangerPolicyItem[4]); + RangerPolicyItem policyItem; + + policyItem = splitAndGetConsolidatedPolicyItemForGroup(allowItems, group); + value[PolicyTermType.ALLOW.ordinal()] = policyItem; + policyItem = splitAndGetConsolidatedPolicyItemForGroup(denyItems, group); + 
value[PolicyTermType.DENY.ordinal()] = policyItem; + policyItem = splitAndGetConsolidatedPolicyItemForGroup(allowExceptionItems, group); + value[PolicyTermType.ALLOW_EXCEPTIONS.ordinal()] = policyItem; + policyItem = splitAndGetConsolidatedPolicyItemForGroup(denyExceptionItems, group); + value[PolicyTermType.DENY_EXCEPTIONS.ordinal()] = policyItem; + } + for (String role : roles) { + RangerPolicyItem[] value = rolePolicyItems.computeIfAbsent(role, k -> new RangerPolicyItem[4]); + RangerPolicyItem policyItem; + + policyItem = splitAndGetConsolidatedPolicyItemForRole(allowItems, role); + value[PolicyTermType.ALLOW.ordinal()] = policyItem; + policyItem = splitAndGetConsolidatedPolicyItemForRole(denyItems, role); + value[PolicyTermType.DENY.ordinal()] = policyItem; + policyItem = splitAndGetConsolidatedPolicyItemForRole(allowExceptionItems, role); + value[PolicyTermType.ALLOW_EXCEPTIONS.ordinal()] = policyItem; + policyItem = splitAndGetConsolidatedPolicyItemForRole(denyExceptionItems, role); + value[PolicyTermType.DENY_EXCEPTIONS.ordinal()] = policyItem; + } + + LOG.debug("<== ServiceRESTUtil.splitExistingPolicyItems()"); + } + + private static RangerPolicyItem splitAndGetConsolidatedPolicyItemForUser(List policyItems, String user) { + LOG.debug("==> ServiceRESTUtil.splitAndGetConsolidatedPolicyItemForUser()"); + + RangerPolicyItem ret = null; + + if (CollectionUtils.isNotEmpty(policyItems)) { + for (RangerPolicyItem policyItem : policyItems) { + List users = policyItem.getUsers(); + + if (users.contains(user)) { + if (ret == null) { + ret = new RangerPolicyItem(); + } + + ret.addUser(user); + + if (policyItem.getDelegateAdmin()) { + ret.setDelegateAdmin(Boolean.TRUE); + } + + addAccesses(ret, policyItem.getAccesses()); + + // Remove this user from existingPolicyItem + users.remove(user); + } + } + } + + LOG.debug("<== ServiceRESTUtil.splitAndGetConsolidatedPolicyItemForUser()"); + + return ret; + } + + private static RangerPolicyItem 
splitAndGetConsolidatedPolicyItemForGroup(List policyItems, String group) { + LOG.debug("==> ServiceRESTUtil.splitAndGetConsolidatedPolicyItemForGroup()"); + + RangerPolicyItem ret = null; + + if (CollectionUtils.isNotEmpty(policyItems)) { + for (RangerPolicyItem policyItem : policyItems) { + List groups = policyItem.getGroups(); + + if (groups.contains(group)) { + if (ret == null) { + ret = new RangerPolicyItem(); + } + + ret.addGroup(group); + + if (policyItem.getDelegateAdmin()) { + ret.setDelegateAdmin(Boolean.TRUE); + } + + addAccesses(ret, policyItem.getAccesses()); + + // Remove this group from existingPolicyItem + groups.remove(group); + } + } + } + + LOG.debug("<== ServiceRESTUtil.splitAndGetConsolidatedPolicyItemForGroup()"); + + return ret; + } + + private static RangerPolicyItem splitAndGetConsolidatedPolicyItemForRole(List policyItems, String role) { + LOG.debug("==> ServiceRESTUtil.splitAndGetConsolidatedPolicyItemForGroup()"); + + RangerPolicyItem ret = null; + + if (CollectionUtils.isNotEmpty(policyItems)) { + for (RangerPolicyItem policyItem : policyItems) { + List roles = policyItem.getRoles(); + + if (roles.contains(role)) { + if (ret == null) { + ret = new RangerPolicyItem(); + } + + ret.addRole(role); + + if (policyItem.getDelegateAdmin()) { + ret.setDelegateAdmin(Boolean.TRUE); + } + + addAccesses(ret, policyItem.getAccesses()); + + // Remove this role from existingPolicyItem + roles.remove(role); + } + } + } + + LOG.debug("<== ServiceRESTUtil.splitAndGetConsolidatedPolicyItemForGroup()"); + + return ret; + } + + private static void applyPolicyItems(List appliedPolicyItems, PolicyTermType policyItemType, Map existingUserPolicyItems, Map existingGroupPolicyItems, Map existingRolePolicyItems) { + LOG.debug("==> ServiceRESTUtil.applyPolicyItems()"); + + for (RangerPolicyItem policyItem : appliedPolicyItems) { + List users = policyItem.getUsers(); + + for (String user : users) { + RangerPolicyItem[] existingPolicyItems = 
existingUserPolicyItems.get(user); + + if (existingPolicyItems == null) { + // Should not get here + LOG.warn("Should not have come here.."); + + existingPolicyItems = new RangerPolicyItem[4]; + + existingUserPolicyItems.put(user, existingPolicyItems); + } + + addPolicyItemForUser(existingPolicyItems, policyItemType.ordinal(), user, policyItem); + + switch (policyItemType) { + case ALLOW: + RangerPolicyItem denyPolicyItem = existingPolicyItems[PolicyTermType.DENY.ordinal()]; + + if (denyPolicyItem != null) { + removeAccesses(existingPolicyItems[PolicyTermType.DENY.ordinal()], policyItem.getAccesses()); + addPolicyItemForUser(existingPolicyItems, PolicyTermType.DENY_EXCEPTIONS.ordinal(), user, policyItem); + } + + removeAccesses(existingPolicyItems[PolicyTermType.ALLOW_EXCEPTIONS.ordinal()], policyItem.getAccesses()); + break; + case DENY: + RangerPolicyItem allowPolicyItem = existingPolicyItems[PolicyTermType.ALLOW.ordinal()]; + + if (allowPolicyItem != null) { + removeAccesses(existingPolicyItems[PolicyTermType.ALLOW.ordinal()], policyItem.getAccesses()); + addPolicyItemForUser(existingPolicyItems, PolicyTermType.ALLOW_EXCEPTIONS.ordinal(), user, policyItem); + } + + removeAccesses(existingPolicyItems[PolicyTermType.DENY_EXCEPTIONS.ordinal()], policyItem.getAccesses()); + break; + case ALLOW_EXCEPTIONS: + removeAccesses(existingPolicyItems[PolicyTermType.ALLOW.ordinal()], policyItem.getAccesses()); + break; + case DENY_EXCEPTIONS: + removeAccesses(existingPolicyItems[PolicyTermType.DENY.ordinal()], policyItem.getAccesses()); + break; + default: + LOG.warn("Should not have come here.."); + break; + } + } + } + + for (RangerPolicyItem policyItem : appliedPolicyItems) { + List groups = policyItem.getGroups(); + + for (String group : groups) { + RangerPolicyItem[] existingPolicyItems = existingGroupPolicyItems.computeIfAbsent(group, k -> new RangerPolicyItem[4]); + + // Should not get here + + addPolicyItemForGroup(existingPolicyItems, policyItemType.ordinal(), group, 
policyItem); + + switch (policyItemType) { + case ALLOW: + RangerPolicyItem denyPolicyItem = existingPolicyItems[PolicyTermType.DENY.ordinal()]; + + if (denyPolicyItem != null) { + removeAccesses(existingPolicyItems[PolicyTermType.DENY.ordinal()], policyItem.getAccesses()); + addPolicyItemForGroup(existingPolicyItems, PolicyTermType.DENY_EXCEPTIONS.ordinal(), group, policyItem); + } + + removeAccesses(existingPolicyItems[PolicyTermType.ALLOW_EXCEPTIONS.ordinal()], policyItem.getAccesses()); + break; + case DENY: + RangerPolicyItem allowPolicyItem = existingPolicyItems[PolicyTermType.ALLOW.ordinal()]; + + if (allowPolicyItem != null) { + removeAccesses(existingPolicyItems[PolicyTermType.ALLOW.ordinal()], policyItem.getAccesses()); + addPolicyItemForGroup(existingPolicyItems, PolicyTermType.ALLOW_EXCEPTIONS.ordinal(), group, policyItem); + } + + removeAccesses(existingPolicyItems[PolicyTermType.DENY_EXCEPTIONS.ordinal()], policyItem.getAccesses()); + break; + case ALLOW_EXCEPTIONS: + removeAccesses(existingPolicyItems[PolicyTermType.ALLOW.ordinal()], policyItem.getAccesses()); + break; + case DENY_EXCEPTIONS: + removeAccesses(existingPolicyItems[PolicyTermType.DENY.ordinal()], policyItem.getAccesses()); + break; + default: + break; + } + } + } + + for (RangerPolicyItem policyItem : appliedPolicyItems) { + List roles = policyItem.getRoles(); + + for (String role : roles) { + RangerPolicyItem[] existingPolicyItems = existingRolePolicyItems.computeIfAbsent(role, k -> new RangerPolicyItem[4]); + + // Should not get here + + addPolicyItemForRole(existingPolicyItems, policyItemType.ordinal(), role, policyItem); + + switch (policyItemType) { + case ALLOW: + RangerPolicyItem denyPolicyItem = existingPolicyItems[PolicyTermType.DENY.ordinal()]; + + if (denyPolicyItem != null) { + removeAccesses(existingPolicyItems[PolicyTermType.DENY.ordinal()], policyItem.getAccesses()); + addPolicyItemForRole(existingPolicyItems, PolicyTermType.DENY_EXCEPTIONS.ordinal(), role, policyItem); + 
} + + removeAccesses(existingPolicyItems[PolicyTermType.ALLOW_EXCEPTIONS.ordinal()], policyItem.getAccesses()); + break; + case DENY: + RangerPolicyItem allowPolicyItem = existingPolicyItems[PolicyTermType.ALLOW.ordinal()]; + + if (allowPolicyItem != null) { + removeAccesses(existingPolicyItems[PolicyTermType.ALLOW.ordinal()], policyItem.getAccesses()); + addPolicyItemForRole(existingPolicyItems, PolicyTermType.ALLOW_EXCEPTIONS.ordinal(), role, policyItem); + } + + removeAccesses(existingPolicyItems[PolicyTermType.DENY_EXCEPTIONS.ordinal()], policyItem.getAccesses()); + break; + case ALLOW_EXCEPTIONS: + removeAccesses(existingPolicyItems[PolicyTermType.ALLOW.ordinal()], policyItem.getAccesses()); + break; + case DENY_EXCEPTIONS: + removeAccesses(existingPolicyItems[PolicyTermType.DENY.ordinal()], policyItem.getAccesses()); + break; + default: + break; + } + } + } + + LOG.debug("<== ServiceRESTUtil.applyPolicyItems()"); + } + + private static void mergePolicyItems(List appliedPolicyItems, PolicyTermType policyItemType, Map existingUserPolicyItems, Map existingGroupPolicyItems, Map existingRolePolicyItems) { + LOG.debug("==> ServiceRESTUtil.mergePolicyItems()"); + + for (RangerPolicyItem policyItem : appliedPolicyItems) { + List users = policyItem.getUsers(); + + for (String user : users) { + RangerPolicyItem[] items = existingUserPolicyItems.get(user); + + if (items == null) { + // Should not get here + LOG.warn("Should not have come here.."); + + items = new RangerPolicyItem[4]; + + existingUserPolicyItems.put(user, items); + } + + addPolicyItemForUser(items, policyItemType.ordinal(), user, policyItem); + } + } + + for (RangerPolicyItem policyItem : appliedPolicyItems) { + List groups = policyItem.getGroups(); + + for (String group : groups) { + RangerPolicyItem[] items = existingGroupPolicyItems.computeIfAbsent(group, k -> new RangerPolicyItem[4]); + + // Should not get here + addPolicyItemForGroup(items, policyItemType.ordinal(), group, policyItem); + } + } + + 
for (RangerPolicyItem policyItem : appliedPolicyItems) { + List roles = policyItem.getRoles(); + + for (String role : roles) { + RangerPolicyItem[] items = existingRolePolicyItems.computeIfAbsent(role, k -> new RangerPolicyItem[4]); + + // Should not get here + addPolicyItemForRole(items, policyItemType.ordinal(), role, policyItem); + } + } + + LOG.debug("<== ServiceRESTUtil.mergePolicyItems()"); + } + + private static void mergeProcessedPolicyItems(RangerPolicy existingPolicy, Map userPolicyItems, Map groupPolicyItems, Map rolePolicyItems) { + LOG.debug("==> ServiceRESTUtil.mergeProcessedPolicyItems()"); + + for (Map.Entry entry : userPolicyItems.entrySet()) { + RangerPolicyItem[] items = entry.getValue(); + RangerPolicyItem item; + + item = items[PolicyTermType.ALLOW.ordinal()]; + if (item != null) { + existingPolicy.addPolicyItem(item); + } + + item = items[PolicyTermType.DENY.ordinal()]; + if (item != null) { + existingPolicy.addDenyPolicyItem(item); + } + + item = items[PolicyTermType.ALLOW_EXCEPTIONS.ordinal()]; + if (item != null) { + existingPolicy.addAllowException(item); + } + + item = items[PolicyTermType.DENY_EXCEPTIONS.ordinal()]; + if (item != null) { + existingPolicy.addDenyException(item); + } + } + + for (Map.Entry entry : groupPolicyItems.entrySet()) { + RangerPolicyItem[] items = entry.getValue(); + RangerPolicyItem item; + + item = items[PolicyTermType.ALLOW.ordinal()]; + if (item != null) { + existingPolicy.addPolicyItem(item); + } + + item = items[PolicyTermType.DENY.ordinal()]; + if (item != null) { + existingPolicy.addDenyPolicyItem(item); + } + + item = items[PolicyTermType.ALLOW_EXCEPTIONS.ordinal()]; + if (item != null) { + existingPolicy.addAllowException(item); + } + + item = items[PolicyTermType.DENY_EXCEPTIONS.ordinal()]; + if (item != null) { + existingPolicy.addDenyException(item); + } + } + + for (Map.Entry entry : rolePolicyItems.entrySet()) { + RangerPolicyItem[] items = entry.getValue(); + RangerPolicyItem item; + + item = 
items[PolicyTermType.ALLOW.ordinal()]; + if (item != null) { + existingPolicy.addPolicyItem(item); + } + + item = items[PolicyTermType.DENY.ordinal()]; + if (item != null) { + existingPolicy.addDenyPolicyItem(item); + } + + item = items[PolicyTermType.ALLOW_EXCEPTIONS.ordinal()]; + if (item != null) { + existingPolicy.addAllowException(item); + } + + item = items[PolicyTermType.DENY_EXCEPTIONS.ordinal()]; + if (item != null) { + existingPolicy.addDenyException(item); + } + } + + LOG.debug("<== ServiceRESTUtil.mergeProcessedPolicyItems()"); + } + + private static boolean addAccesses(RangerPolicyItem policyItem, List accesses) { + LOG.debug("==> ServiceRESTUtil.addAccesses()"); + + boolean ret = false; + + for (RangerPolicyItemAccess access : accesses) { + RangerPolicyItemAccess policyItemAccess = null; + String accessType = access.getType(); + + for (RangerPolicyItemAccess itemAccess : policyItem.getAccesses()) { + if (StringUtils.equals(itemAccess.getType(), accessType)) { + policyItemAccess = itemAccess; + break; + } + } + + if (policyItemAccess != null) { + if (!policyItemAccess.getIsAllowed()) { + policyItemAccess.setIsAllowed(Boolean.TRUE); + ret = true; + } + } else { + policyItem.addAccess(new RangerPolicyItemAccess(accessType, Boolean.TRUE)); + ret = true; + } + } + + LOG.debug("<== ServiceRESTUtil.addAccesses() {}", ret); + + return ret; + } + + private static boolean removeAccesses(RangerPolicyItem policyItem, List accesses) { + LOG.debug("==> ServiceRESTUtil.removeAccesses()"); + + boolean ret = false; + + if (policyItem != null) { + for (RangerPolicyItemAccess access : accesses) { + String accessType = access.getType(); + int numOfAccesses = policyItem.getAccesses().size(); + + for (int i = 0; i < numOfAccesses; i++) { + RangerPolicyItemAccess itemAccess = policyItem.getAccesses().get(i); + + if (StringUtils.equals(itemAccess.getType(), accessType)) { + policyItem.getAccesses().remove(i); + + numOfAccesses--; + i--; + + ret = true; + } + } + } + } + + 
LOG.debug("<== ServiceRESTUtil.removeAccesses() {}", ret); + + return ret; + } + + private static void compactPolicy(RangerPolicy policy) { + policy.setPolicyItems(mergePolicyItems(policy.getPolicyItems())); + policy.setDenyPolicyItems(mergePolicyItems(policy.getDenyPolicyItems())); + policy.setAllowExceptions(mergePolicyItems(policy.getAllowExceptions())); + policy.setDenyExceptions(mergePolicyItems(policy.getDenyExceptions())); + } + + private static List mergePolicyItems(List policyItems) { + List ret = new ArrayList<>(); + + if (CollectionUtils.isNotEmpty(policyItems)) { + Map matchedPolicyItems = new HashMap<>(); + + for (RangerPolicyItem policyItem : policyItems) { + if ((CollectionUtils.isEmpty(policyItem.getUsers()) && CollectionUtils.isEmpty(policyItem.getGroups()) && CollectionUtils.isEmpty(policyItem.getRoles())) || + (CollectionUtils.isEmpty(policyItem.getAccesses()) && !policyItem.getDelegateAdmin())) { + continue; + } + + if (policyItem.getConditions().size() > 1) { + ret.add(policyItem); + continue; + } + + TreeSet accesses = new TreeSet<>(); + + for (RangerPolicyItemAccess access : policyItem.getAccesses()) { + accesses.add(access.getType()); + } + + if (policyItem.getDelegateAdmin()) { + accesses.add("delegateAdmin"); + } + + String allAccessesString = accesses.toString(); + RangerPolicyItem matchingPolicyItem = matchedPolicyItems.get(allAccessesString); + + if (matchingPolicyItem != null) { + addDistinctUsers(policyItem.getUsers(), matchingPolicyItem); + addDistinctGroups(policyItem.getGroups(), matchingPolicyItem); + addDistinctRoles(policyItem.getRoles(), matchingPolicyItem); + } else { + matchedPolicyItems.put(allAccessesString, policyItem); + } + } + + for (Map.Entry entry : matchedPolicyItems.entrySet()) { + ret.add(entry.getValue()); + } + } + + return ret; + } + + private static void addDistinctUsers(List users, RangerPolicyItem policyItem) { + for (String user : users) { + if (!policyItem.getUsers().contains(user)) { + 
policyItem.addUser(user); + } + } + } + + private static void addDistinctGroups(List groups, RangerPolicyItem policyItem) { + for (String group : groups) { + if (!policyItem.getGroups().contains(group)) { + policyItem.addGroup(group); + } + } + } + + private static void addDistinctRoles(List roles, RangerPolicyItem policyItem) { + for (String role : roles) { + if (!policyItem.getRoles().contains(role)) { + policyItem.addRole(role); + } + } + } + + private static boolean removeUsersGroupsAndRolesFromPolicy(RangerPolicy policy, Set users, Set groups, Set roles) { + boolean policyUpdated = false; + List policyItems = policy.getPolicyItems(); + int numOfItems = policyItems.size(); + + for (int i = 0; i < numOfItems; i++) { + RangerPolicyItem policyItem = policyItems.get(i); + + if (CollectionUtils.containsAny(policyItem.getUsers(), users)) { + policyItem.getUsers().removeAll(users); + + policyUpdated = true; + } + + if (CollectionUtils.containsAny(policyItem.getGroups(), groups)) { + policyItem.getGroups().removeAll(groups); + + policyUpdated = true; + } + + if (CollectionUtils.containsAny(policyItem.getRoles(), roles)) { + policyItem.getRoles().removeAll(roles); + + policyUpdated = true; + } + + if (CollectionUtils.isEmpty(policyItem.getUsers()) && CollectionUtils.isEmpty(policyItem.getGroups()) && CollectionUtils.isEmpty(policyItem.getRoles())) { + policyItems.remove(i); + + numOfItems--; + i--; + + policyUpdated = true; + } + } + + return policyUpdated; + } + + private enum PolicyTermType { + ALLOW, DENY, ALLOW_EXCEPTIONS, DENY_EXCEPTIONS + } } diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceTagsProcessor.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceTagsProcessor.java index ecdf504e3a..f2fbb620c3 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceTagsProcessor.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceTagsProcessor.java 
@@ -40,619 +40,592 @@ import java.util.Map;
 public class ServiceTagsProcessor {
- private static final Logger LOG = LoggerFactory.getLogger(ServiceTagsProcessor.class);
- private static final Logger PERF_LOG_ADD_OR_UPDATE = RangerPerfTracer.getPerfLogger("tags.addOrUpdate");
-
- private final TagStore tagStore;
-
- public ServiceTagsProcessor(TagStore tagStore) {
- this.tagStore = tagStore;
- }
-
- public void process(ServiceTags serviceTags) throws Exception {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceTagsProcessor.process()");
- }
-
- if (tagStore != null && serviceTags != null) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("serviceTags: op=" + serviceTags.getOp());
- }
- String op = serviceTags.getOp();
-
- if (StringUtils.equalsIgnoreCase(op, ServiceTags.OP_ADD_OR_UPDATE)) {
- addOrUpdate(serviceTags);
- } else if (StringUtils.equalsIgnoreCase(op, ServiceTags.OP_DELETE)) {
- delete(serviceTags);
- } else if (StringUtils.equalsIgnoreCase(op, ServiceTags.OP_REPLACE)) {
- replace(serviceTags);
- } else {
- LOG.error("Unknown op, op=" + op);
- }
- } else {
- if(tagStore == null) {
- LOG.error("tagStore is null!!");
- }
-
- if (serviceTags == null) {
- LOG.error("No ServiceTags to import!!");
- }
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceTagsProcessor.process()");
- }
- }
-
- // Map tagdef, tag, serviceResource ids to created ids and use them in tag-resource-mapping
- private void addOrUpdate(ServiceTags serviceTags) throws Exception {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceTagsProcessor.createOrUpdate()");
- }
-
- RangerPerfTracer perfTotal = null;
- RangerPerfTracer perf = null;
-
- Map tagDefsInStore = new HashMap();
- Map resourcesInStore = new HashMap();
-
- if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG_ADD_OR_UPDATE)) {
- perfTotal = RangerPerfTracer.getPerfTracer(PERF_LOG_ADD_OR_UPDATE, "tags.addOrUpdate()");
- }
-
- if (MapUtils.isNotEmpty(serviceTags.getTagDefinitions())) {
- RangerTagDef tagDef = null;
-
- try {
- for (Map.Entry entry : serviceTags.getTagDefinitions().entrySet()) { - tagDef = entry.getValue(); - - RangerTagDef existing = null; - - if(StringUtils.isNotEmpty(tagDef.getGuid())) { - existing = tagStore.getTagDefByGuid(tagDef.getGuid()); - } - - if(existing == null && StringUtils.isNotEmpty(tagDef.getName())) { - existing = tagStore.getTagDefByName(tagDef.getName()); - } - - RangerTagDef tagDefInStore = null; - - if(existing == null) { - tagDefInStore = tagStore.createTagDef(tagDef); - } else { - if (LOG.isDebugEnabled()) { - LOG.debug("tagDef for name:" + tagDef.getName() + " exists, will not update it"); - } - tagDefInStore = existing; - } - - tagDefsInStore.put(entry.getKey(), tagDefInStore); - } - } catch (Exception exception) { - LOG.error("createTagDef failed, tagDef=" + tagDef, exception); - throw exception; - } - } - - List resources = serviceTags.getServiceResources(); - if (CollectionUtils.isNotEmpty(resources)) { - RangerServiceResource resource = null; - - try { - for (int i = 0; i < resources.size(); i++) { - resource = resources.get(i); - - if (StringUtils.isBlank(resource.getServiceName())) { - resource.setServiceName(serviceTags.getServiceName()); - } - - RangerServiceResource existing = null; - String resourceSignature = null; - Long resourceId = resource.getId(); - - if(StringUtils.isNotEmpty(resource.getGuid())) { - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG_ADD_OR_UPDATE)) { - perf = RangerPerfTracer.getPerfTracer(PERF_LOG_ADD_OR_UPDATE, "tags.search_service_resource_by_guid(" + resourceId + ")"); - } - existing = tagStore.getServiceResourceByGuid(resource.getGuid()); - RangerPerfTracer.logAlways(perf); - } - - if (existing == null) { - if(MapUtils.isNotEmpty(resource.getResourceElements())) { - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG_ADD_OR_UPDATE)) { - perf = RangerPerfTracer.getPerfTracer(PERF_LOG_ADD_OR_UPDATE, "tags.search_service_resource_by_signature(" + resourceId + ")"); - } - RangerServiceResourceSignature serializer = 
new RangerServiceResourceSignature(resource); - - resourceSignature = serializer.getSignature(); - resource.setResourceSignature(resourceSignature); - - existing = tagStore.getServiceResourceByServiceAndResourceSignature(resource.getServiceName(), resourceSignature); - - RangerPerfTracer.logAlways(perf); - } - } - - RangerServiceResource resourceInStore = null; - - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG_ADD_OR_UPDATE)) { - perf = RangerPerfTracer.getPerfTracer(PERF_LOG_ADD_OR_UPDATE, "tags.createOrUpdate_service_resource(" + resourceId + ")"); - } - if (existing == null) { - resourceInStore = tagStore.createServiceResource(resource); - - } else if (StringUtils.isEmpty(resource.getServiceName()) || MapUtils.isEmpty(resource.getResourceElements())) { - resourceInStore = existing; - } else { - resource.setId(existing.getId()); - resource.setGuid(existing.getGuid()); - - resourceInStore = tagStore.updateServiceResource(resource); - } - - resourcesInStore.put(resourceId, resourceInStore); - RangerPerfTracer.logAlways(perf); - } - } catch (Exception exception) { - LOG.error("createServiceResource failed, resource=" + resource, exception); - throw exception; - } - } - - if (MapUtils.isNotEmpty(serviceTags.getResourceToTagIds())) { - for (Map.Entry> entry : serviceTags.getResourceToTagIds().entrySet()) { - Long resourceId = entry.getKey(); - - RangerServiceResource resourceInStore = resourcesInStore.get(resourceId); - - if (resourceInStore == null) { - LOG.error("Resource (id=" + resourceId + ") not found. 
Skipping tags update"); - continue; - } - - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG_ADD_OR_UPDATE)) { - perf = RangerPerfTracer.getPerfTracer(PERF_LOG_ADD_OR_UPDATE, "tags.get_tags_for_service_resource(" + resourceInStore.getId() + ")"); - } - - // Get all tags associated with this resourceId - List associatedTags = null; - - try { - associatedTags = tagStore.getTagsForResourceId(resourceInStore.getId()); - } catch (Exception exception) { - LOG.error("RangerTags cannot be retrieved for resource with guid=" + resourceInStore.getGuid()); - throw exception; - } finally { - RangerPerfTracer.logAlways(perf); - } - - List tagsToRetain = new ArrayList(); - boolean isAnyTagUpdated = false; - - List tagIds = entry.getValue(); - try { - for (Long tagId : tagIds) { - RangerTag incomingTag = MapUtils.isNotEmpty(serviceTags.getTags()) ? serviceTags.getTags().get(tagId) : null; - - if (incomingTag == null) { - LOG.error("Tag (id=" + tagId + ") not found. Skipping addition of this tag for resource (id=" + resourceId + ")"); - continue; - } - - RangerTag matchingTag = findMatchingTag(incomingTag, associatedTags); - if (matchingTag == null) { - if (LOG.isDebugEnabled()) { - LOG.debug("Did not find matching tag for tagId=" + tagId); - } - // create new tag from incoming tag and associate it with service-resource - if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG_ADD_OR_UPDATE)) { - perf = RangerPerfTracer.getPerfTracer(PERF_LOG_ADD_OR_UPDATE, "tags.create_tag(" + tagId + ")"); - } - RangerTag newTag = tagStore.createTag(incomingTag); - RangerPerfTracer.logAlways(perf); - - RangerTagResourceMap tagResourceMap = new RangerTagResourceMap(); - - tagResourceMap.setTagId(newTag.getId()); - tagResourceMap.setResourceId(resourceInStore.getId()); - if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG_ADD_OR_UPDATE)) { - perf = RangerPerfTracer.getPerfTracer(PERF_LOG_ADD_OR_UPDATE, "tags.create_tagResourceMap(" + tagId + ")"); - } - tagResourceMap = 
tagStore.createTagResourceMap(tagResourceMap); - RangerPerfTracer.logAlways(perf); - - associatedTags.add(newTag); - tagsToRetain.add(newTag); - - } else { - - if (LOG.isDebugEnabled()) { - LOG.debug("Found matching tag for tagId=" + tagId + ", matchingTag=" + matchingTag); - } - - if (isResourcePrivateTag(incomingTag)) { - if (!isResourcePrivateTag(matchingTag)) { - // create new tag from incoming tag and associate it with service-resource - RangerTag newTag = tagStore.createTag(incomingTag); - - RangerTagResourceMap tagResourceMap = new RangerTagResourceMap(); - - tagResourceMap.setTagId(newTag.getId()); - tagResourceMap.setResourceId(resourceInStore.getId()); - - tagResourceMap = tagStore.createTagResourceMap(tagResourceMap); - - associatedTags.add(newTag); - tagsToRetain.add(newTag); - - } else { - tagsToRetain.add(matchingTag); - - boolean isTagUpdateNeeded = false; - - // Note that as there is no easy way to check validityPeriods for equality, an easy way to rule out the possibility of validityPeriods - // not matching is to check if both old and new tags have empty validityPeriods - if (matchingTag.getGuid() != null && matchingTag.getGuid().equals(incomingTag.getGuid())) { - if (isMatch(incomingTag, matchingTag) && CollectionUtils.isEmpty(incomingTag.getValidityPeriods()) && CollectionUtils.isEmpty(matchingTag.getValidityPeriods())) { - if (LOG.isDebugEnabled()) { - LOG.debug("No need to update existing-tag:[" + matchingTag + "] with incoming-tag:[" + incomingTag + "]"); - } - } else { - isTagUpdateNeeded = true; - } - } else { - if (CollectionUtils.isEmpty(incomingTag.getValidityPeriods()) && CollectionUtils.isEmpty(matchingTag.getValidityPeriods())) { - // Completely matched tags. 
No need to update - if (LOG.isDebugEnabled()) { - LOG.debug("No need to update existing-tag:[" + matchingTag + "] with incoming-tag:[" + incomingTag + "]"); - } - } else { - isTagUpdateNeeded = true; - } - } - if (isTagUpdateNeeded) { - // Keep this tag, and update it with attribute-values and validity schedules from incoming tag - if (LOG.isDebugEnabled()) { - LOG.debug("Updating existing private tag with id=" + matchingTag.getId()); - } - incomingTag.setId(matchingTag.getId()); - tagStore.updateTag(incomingTag); - isAnyTagUpdated = true; - } - } - } else { // shared model - if (isResourcePrivateTag(matchingTag)) { - // create new tag from incoming tag and associate it with service-resource - RangerTag newTag = tagStore.createTag(incomingTag); - - RangerTagResourceMap tagResourceMap = new RangerTagResourceMap(); - - tagResourceMap.setTagId(newTag.getId()); - tagResourceMap.setResourceId(resourceInStore.getId()); - - tagResourceMap = tagStore.createTagResourceMap(tagResourceMap); - - associatedTags.add(newTag); - tagsToRetain.add(newTag); - - } else { - // Keep this tag, but update it with attribute-values from incoming tag - tagsToRetain.add(matchingTag); - - // Update shared tag with new values - incomingTag.setId(matchingTag.getId()); - tagStore.updateTag(incomingTag); - - // associate with service-resource if not already associated - if (findTagInList(matchingTag, associatedTags) == null) { - RangerTagResourceMap tagResourceMap = new RangerTagResourceMap(); - - tagResourceMap.setTagId(matchingTag.getId()); - tagResourceMap.setResourceId(resourceInStore.getId()); - - tagResourceMap = tagStore.createTagResourceMap(tagResourceMap); - } else { - isAnyTagUpdated = true; - } - - } - } - - } - } - - } catch (Exception exception) { - LOG.error("createRangerTagResourceMap failed", exception); - throw exception; - } - - if (CollectionUtils.isNotEmpty(associatedTags)) { - Long tagId = null; - - try { - for (RangerTag associatedTag : associatedTags) { - if 
(findTagInList(associatedTag, tagsToRetain) == null) { - - tagId = associatedTag.getId(); - - RangerTagResourceMap tagResourceMap = tagStore.getTagResourceMapForTagAndResourceId(tagId, resourceInStore.getId()); - - if (tagResourceMap != null) { - tagStore.deleteTagResourceMap(tagResourceMap.getId()); - } - - if (LOG.isDebugEnabled()) { - LOG.debug("Deleted tagResourceMap(tagId=" + tagId + ", resourceId=" + resourceInStore.getId()); - } - } - } - } catch(Exception exception) { - LOG.error("deleteTagResourceMap failed, tagId=" + tagId + ", resourceId=" + resourceInStore.getId()); - throw exception; - } - } - if (isAnyTagUpdated) { - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG_ADD_OR_UPDATE)) { - perf = RangerPerfTracer.getPerfTracer(PERF_LOG_ADD_OR_UPDATE, "tags.refreshServiceResource(" + resourceInStore.getId() + ")"); - } - tagStore.refreshServiceResource(resourceInStore.getId()); - RangerPerfTracer.logAlways(perf); - } else { - if (CollectionUtils.isEmpty(tagIds)) { - // No tags associated with the resource - delete the resource too - tagStore.deleteServiceResource(resourceInStore.getId()); - } - } - } - } - - RangerPerfTracer.logAlways(perfTotal); - - if (LOG.isDebugEnabled()) { - LOG.debug("<== ServiceTagsProcessor.createOrUpdate()"); - } - } - - private RangerTag findTagInList(RangerTag object, List list) { - if (LOG.isDebugEnabled()) { - LOG.debug("==> ServiceTagsProcessor.findTagInList(): object=" + (object == null ? null : object.getId())); - } - RangerTag ret = null; - if (object != null) { - for (RangerTag tag : list) { - if (LOG.isDebugEnabled()) { - LOG.debug("==> ServiceTagsProcessor.findTagInList(): tag=" + tag.getId()); - } - if (tag.getId().equals(object.getId())) { - ret = tag; - if (LOG.isDebugEnabled()) { - LOG.debug("==> ServiceTagsProcessor.findTagInList(): found tag=" + tag.getId()); - } - break; - } - } - } - if (LOG.isDebugEnabled()) { - LOG.debug("<== ServiceTagsProcessor.findTagInList(): ret=" + (ret == null ? 
null : ret.getId())); - } - return ret; - } - private boolean isResourcePrivateTag(RangerTag tag) { - return tag.getOwner() == null || tag.getOwner() == RangerTag.OWNER_SERVICERESOURCE; - } - - private RangerTag findMatchingTag(RangerTag incomingTag, List existingTags) throws Exception { - - RangerTag ret = null; - - if(StringUtils.isNotEmpty(incomingTag.getGuid())) { - ret = tagStore.getTagByGuid(incomingTag.getGuid()); - } - - if (ret == null) { - - if (isResourcePrivateTag(incomingTag)) { - - for (RangerTag existingTag : existingTags) { - if (isMatch(incomingTag, existingTag)) { - ret = existingTag; - break; - } - } - } - - } - - return ret; - } - - private boolean isMatch(final RangerTag incomingTag, final RangerTag existingTag) { - boolean ret = false; - - if (incomingTag != null && existingTag != null) { - - if (StringUtils.equals(incomingTag.getType(), existingTag.getType())) { - - // Check attribute values - Map incomingTagAttributes = incomingTag.getAttributes() != null ? incomingTag.getAttributes() : Collections.emptyMap(); - Map existingTagAttributes = existingTag.getAttributes() != null ? 
existingTag.getAttributes() : Collections.emptyMap(); - - if (CollectionUtils.isEqualCollection(incomingTagAttributes.keySet(), existingTagAttributes.keySet())) { - - boolean matched = true; - - for (Map.Entry entry : incomingTagAttributes.entrySet()) { - - String key = entry.getKey(); - String value = entry.getValue(); - - if (!StringUtils.equals(value, existingTagAttributes.get(key))) { - matched = false; - break; - } - - } - if (matched) { - ret = true; - } - } - - } - } - return ret; - } - - private void delete(ServiceTags serviceTags) throws Exception { - if (LOG.isDebugEnabled()) { - LOG.debug("==> ServiceTagsProcessor.delete()"); - } - - // We dont expect any resourceId->tagId mappings in delete operation, so ignoring them if specified - - List serviceResources = serviceTags.getServiceResources(); - if (CollectionUtils.isNotEmpty(serviceResources)) { - - for (RangerServiceResource serviceResource : serviceResources) { - if (StringUtils.isBlank(serviceResource.getServiceName())) { - serviceResource.setServiceName(serviceTags.getServiceName()); - } - - RangerServiceResource objToDelete = null; - - try { - if (StringUtils.isNotBlank(serviceResource.getGuid())) { - objToDelete = tagStore.getServiceResourceByGuid(serviceResource.getGuid()); - } - - if (objToDelete == null) { - if (MapUtils.isNotEmpty(serviceResource.getResourceElements())) { - RangerServiceResourceSignature serializer = new RangerServiceResourceSignature(serviceResource); + private static final Logger LOG = LoggerFactory.getLogger(ServiceTagsProcessor.class); + private static final Logger PERF_LOG_ADD_OR_UPDATE = RangerPerfTracer.getPerfLogger("tags.addOrUpdate"); - String serviceResourceSignature = serializer.getSignature(); + private final TagStore tagStore; - objToDelete = tagStore.getServiceResourceByServiceAndResourceSignature(serviceResource.getServiceName(), serviceResourceSignature); - } - } + public ServiceTagsProcessor(TagStore tagStore) { + this.tagStore = tagStore; + } - if 
(objToDelete != null) { + public void process(ServiceTags serviceTags) throws Exception { + LOG.debug("==> ServiceTagsProcessor.process()"); - List tagResourceMaps = tagStore.getTagResourceMapsForResourceGuid(objToDelete.getGuid()); + if (tagStore != null && serviceTags != null) { + LOG.debug("serviceTags: op={}", serviceTags.getOp()); - if (CollectionUtils.isNotEmpty(tagResourceMaps)) { - for (RangerTagResourceMap tagResourceMap : tagResourceMaps) { - tagStore.deleteTagResourceMap(tagResourceMap.getId()); - } - } + String op = serviceTags.getOp(); - tagStore.deleteServiceResource(objToDelete.getId()); - } - } catch (Exception exception) { - LOG.error("deleteServiceResourceByGuid failed, guid=" + serviceResource.getGuid(), exception); - throw exception; - } - } - } + if (StringUtils.equalsIgnoreCase(op, ServiceTags.OP_ADD_OR_UPDATE)) { + addOrUpdate(serviceTags); + } else if (StringUtils.equalsIgnoreCase(op, ServiceTags.OP_DELETE)) { + delete(serviceTags); + } else if (StringUtils.equalsIgnoreCase(op, ServiceTags.OP_REPLACE)) { + replace(serviceTags); + } else { + LOG.error("Unknown op, op={}", op); + } + } else { + if (tagStore == null) { + LOG.error("tagStore is null!!"); + } - Map tagsMap = serviceTags.getTags(); - if (MapUtils.isNotEmpty(tagsMap)) { - for (Map.Entry entry : tagsMap.entrySet()) { - RangerTag tag = entry.getValue(); - try { - RangerTag objToDelete = tagStore.getTagByGuid(tag.getGuid()); + if (serviceTags == null) { + LOG.error("No ServiceTags to import!!"); + } + } - if (objToDelete != null) { - tagStore.deleteTag(objToDelete.getId()); - } - } catch (Exception exception) { - LOG.error("deleteTag failed, guid=" + tag.getGuid(), exception); - throw exception; - } - } - } + LOG.debug("<== ServiceTagsProcessor.process()"); + } - Map tagDefsMap = serviceTags.getTagDefinitions(); - if (MapUtils.isNotEmpty(tagDefsMap)) { - for (Map.Entry entry : tagDefsMap.entrySet()) { - RangerTagDef tagDef = entry.getValue(); - try { - RangerTagDef objToDelete = 
tagStore.getTagDefByGuid(tagDef.getGuid()); + // Map tagdef, tag, serviceResource ids to created ids and use them in tag-resource-mapping + private void addOrUpdate(ServiceTags serviceTags) throws Exception { + LOG.debug("==> ServiceTagsProcessor.createOrUpdate()"); - if(objToDelete != null) { - tagStore.deleteTagDef(objToDelete.getId()); - } - } catch (Exception exception) { - LOG.error("deleteTagDef failed, guid=" + tagDef.getGuid(), exception); - throw exception; - } - } - } - - if (LOG.isDebugEnabled()) { - LOG.debug("<== ServiceTagsProcessor.delete()"); - } - } - - private void replace(ServiceTags serviceTags) throws Exception { - if (LOG.isDebugEnabled()) { - LOG.debug("==> ServiceTagsProcessor.replace()"); - } + RangerPerfTracer perfTotal = null; + RangerPerfTracer perf = null; - // Delete those service-resources which are in ranger database but not in provided service-tags + Map tagDefsInStore = new HashMap<>(); + Map resourcesInStore = new HashMap<>(); - Map serviceResourcesInServiceTagsMap = new HashMap(); + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG_ADD_OR_UPDATE)) { + perfTotal = RangerPerfTracer.getPerfTracer(PERF_LOG_ADD_OR_UPDATE, "tags.addOrUpdate()"); + } - List serviceResourcesInServiceTags = serviceTags.getServiceResources(); + if (MapUtils.isNotEmpty(serviceTags.getTagDefinitions())) { + RangerTagDef tagDef = null; - for (RangerServiceResource rangerServiceResource : serviceResourcesInServiceTags) { - String guid = rangerServiceResource.getGuid(); + try { + for (Map.Entry entry : serviceTags.getTagDefinitions().entrySet()) { + tagDef = entry.getValue(); - if(serviceResourcesInServiceTagsMap.containsKey(guid)) { - LOG.warn("duplicate service-resource found: guid=" + guid); - } + RangerTagDef existing = null; - serviceResourcesInServiceTagsMap.put(guid, rangerServiceResource); - } - - List serviceResourcesInDb = tagStore.getServiceResourceGuidsByService(serviceTags.getServiceName()); + if (StringUtils.isNotEmpty(tagDef.getGuid())) { + 
existing = tagStore.getTagDefByGuid(tagDef.getGuid()); + } - if (CollectionUtils.isNotEmpty(serviceResourcesInDb)) { - for (String dbServiceResourceGuid : serviceResourcesInDb) { + if (existing == null && StringUtils.isNotEmpty(tagDef.getName())) { + existing = tagStore.getTagDefByName(tagDef.getName()); + } - if (!serviceResourcesInServiceTagsMap.containsKey(dbServiceResourceGuid)) { - - if (LOG.isDebugEnabled()) { - LOG.debug("Deleting serviceResource(guid=" + dbServiceResourceGuid + ") and its tag-associations..."); - } + RangerTagDef tagDefInStore; - List tagResourceMaps = tagStore.getTagResourceMapsForResourceGuid(dbServiceResourceGuid); + if (existing == null) { + tagDefInStore = tagStore.createTagDef(tagDef); + } else { + LOG.debug("tagDef for name: {} exists, will not update it", tagDef.getName()); - if (CollectionUtils.isNotEmpty(tagResourceMaps)) { - for (RangerTagResourceMap tagResourceMap : tagResourceMaps) { - tagStore.deleteTagResourceMap(tagResourceMap.getId()); - } - } - - tagStore.deleteServiceResourceByGuid(dbServiceResourceGuid); - } - - } - } - - // Add/update resources and other tag-model objects provided in service-tags - - addOrUpdate(serviceTags); - - // All private tags at this point are associated with some service-resource and shared - // tags cannot be deleted as they belong to some other service. In any case, any tags that - // are not associated with service-resource will not be downloaded to plugin. - - // Tag-defs cannot be deleted as there may be a shared tag that it refers to it. 
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceTagsProcessor.replace()");
- }
- }
+ tagDefInStore = existing;
+ }
+
+ tagDefsInStore.put(entry.getKey(), tagDefInStore);
+ }
+ } catch (Exception exception) {
+ LOG.error("createTagDef failed, tagDef={}", tagDef, exception);
+
+ throw exception;
+ }
+ }
+
+ List resources = serviceTags.getServiceResources();
+
+ if (CollectionUtils.isNotEmpty(resources)) {
+ RangerServiceResource resource = null;
+
+ try {
+ for (RangerServiceResource rangerServiceResource : resources) {
+ resource = rangerServiceResource;
+
+ if (StringUtils.isBlank(resource.getServiceName())) {
+ resource.setServiceName(serviceTags.getServiceName());
+ }
+
+ RangerServiceResource existing = null;
+ Long resourceId = resource.getId();
+
+ if (StringUtils.isNotEmpty(resource.getGuid())) {
+ if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG_ADD_OR_UPDATE)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG_ADD_OR_UPDATE, "tags.search_service_resource_by_guid(" + resourceId + ")");
+ }
+
+ existing = tagStore.getServiceResourceByGuid(resource.getGuid());
+
+ RangerPerfTracer.logAlways(perf);
+ }
+
+ if (existing == null) {
+ if (MapUtils.isNotEmpty(resource.getResourceElements())) {
+ if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG_ADD_OR_UPDATE)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG_ADD_OR_UPDATE, "tags.search_service_resource_by_signature(" + resourceId + ")");
+ }
+
+ RangerServiceResourceSignature serializer = new RangerServiceResourceSignature(resource);
+ String resourceSignature = serializer.getSignature();
+
+ resource.setResourceSignature(resourceSignature);
+
+ existing = tagStore.getServiceResourceByServiceAndResourceSignature(resource.getServiceName(), resourceSignature);
+
+ RangerPerfTracer.logAlways(perf);
+ }
+ }
+
+ if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG_ADD_OR_UPDATE)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG_ADD_OR_UPDATE, "tags.createOrUpdate_service_resource(" + resourceId + ")");
+ }
+
+ RangerServiceResource resourceInStore;
+
+ if (existing == null) {
+ resourceInStore = tagStore.createServiceResource(resource);
+ } else if (StringUtils.isEmpty(resource.getServiceName()) || MapUtils.isEmpty(resource.getResourceElements())) {
+ resourceInStore = existing;
+ } else {
+ resource.setId(existing.getId());
+ resource.setGuid(existing.getGuid());
+
+ resourceInStore = tagStore.updateServiceResource(resource);
+ }
+
+ resourcesInStore.put(resourceId, resourceInStore);
+
+ RangerPerfTracer.logAlways(perf);
+ }
+ } catch (Exception exception) {
+ LOG.error("createServiceResource failed, resource={}", resource, exception);
+
+ throw exception;
+ }
+ }
+
+ if (MapUtils.isNotEmpty(serviceTags.getResourceToTagIds())) {
+ for (Map.Entry> entry : serviceTags.getResourceToTagIds().entrySet()) {
+ Long resourceId = entry.getKey();
+ RangerServiceResource resourceInStore = resourcesInStore.get(resourceId);
+
+ if (resourceInStore == null) {
+ LOG.error("Resource (id={}) not found. Skipping tags update", resourceId);
+ continue;
+ }
+
+ if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG_ADD_OR_UPDATE)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG_ADD_OR_UPDATE, "tags.get_tags_for_service_resource(" + resourceInStore.getId() + ")");
+ }
+
+ // Get all tags associated with this resourceId
+ List associatedTags;
+
+ try {
+ associatedTags = tagStore.getTagsForResourceId(resourceInStore.getId());
+ } catch (Exception exception) {
+ LOG.error("RangerTags cannot be retrieved for resource with guid={}", resourceInStore.getGuid());
+
+ throw exception;
+ } finally {
+ RangerPerfTracer.logAlways(perf);
+ }
+
+ List tagsToRetain = new ArrayList<>();
+ boolean isAnyTagUpdated = false;
+ List tagIds = entry.getValue();
+
+ try {
+ for (Long tagId : tagIds) {
+ RangerTag incomingTag = MapUtils.isNotEmpty(serviceTags.getTags()) ? serviceTags.getTags().get(tagId) : null;
+
+ if (incomingTag == null) {
+ LOG.error("Tag (id={}) not found. Skipping addition of this tag for resource (id={})", tagId, resourceId);
+ continue;
+ }
+
+ RangerTag matchingTag = findMatchingTag(incomingTag, associatedTags);
+
+ if (matchingTag == null) {
+ LOG.debug("Did not find matching tag for tagId={}", tagId);
+
+ // create new tag from incoming tag and associate it with service-resource
+ if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG_ADD_OR_UPDATE)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG_ADD_OR_UPDATE, "tags.create_tag(" + tagId + ")");
+ }
+
+ RangerTag newTag = tagStore.createTag(incomingTag);
+
+ RangerPerfTracer.logAlways(perf);
+
+ RangerTagResourceMap tagResourceMap = new RangerTagResourceMap();
+
+ tagResourceMap.setTagId(newTag.getId());
+ tagResourceMap.setResourceId(resourceInStore.getId());
+
+ if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG_ADD_OR_UPDATE)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG_ADD_OR_UPDATE, "tags.create_tagResourceMap(" + tagId + ")");
+ }
+
+ tagResourceMap = tagStore.createTagResourceMap(tagResourceMap);
+
+ RangerPerfTracer.logAlways(perf);
+
+ associatedTags.add(newTag);
+ tagsToRetain.add(newTag);
+ } else {
+ LOG.debug("Found matching tag for tagId={}, matchingTag={}", tagId, matchingTag);
+
+ if (isResourcePrivateTag(incomingTag)) {
+ if (!isResourcePrivateTag(matchingTag)) {
+ // create new tag from incoming tag and associate it with service-resource
+ RangerTag newTag = tagStore.createTag(incomingTag);
+
+ RangerTagResourceMap tagResourceMap = new RangerTagResourceMap();
+
+ tagResourceMap.setTagId(newTag.getId());
+ tagResourceMap.setResourceId(resourceInStore.getId());
+
+ tagResourceMap = tagStore.createTagResourceMap(tagResourceMap);
+
+ associatedTags.add(newTag);
+ tagsToRetain.add(newTag);
+ } else {
+ tagsToRetain.add(matchingTag);
+
+ boolean isTagUpdateNeeded = false;
+
+ // Note that as there is no easy way to check validityPeriods for equality, an easy way to rule out the possibility of validityPeriods
+ // not matching is to check if both old and new tags have empty validityPeriods
+ if (matchingTag.getGuid() != null && matchingTag.getGuid().equals(incomingTag.getGuid())) {
+ if (isMatch(incomingTag, matchingTag) && CollectionUtils.isEmpty(incomingTag.getValidityPeriods()) && CollectionUtils.isEmpty(matchingTag.getValidityPeriods())) {
+ LOG.debug("No need to update existing-tag:[{}] with incoming-tag:[{}]", matchingTag, incomingTag);
+ } else {
+ isTagUpdateNeeded = true;
+ }
+ } else {
+ if (CollectionUtils.isEmpty(incomingTag.getValidityPeriods()) && CollectionUtils.isEmpty(matchingTag.getValidityPeriods())) {
+ // Completely matched tags. No need to update
+ LOG.debug("No need to update existing-tag:[{}] with incoming-tag:[{}]", matchingTag, incomingTag);
+ } else {
+ isTagUpdateNeeded = true;
+ }
+ }
+ if (isTagUpdateNeeded) {
+ // Keep this tag, and update it with attribute-values and validity schedules from incoming tag
+ LOG.debug("Updating existing private tag with id={}", matchingTag.getId());
+
+ incomingTag.setId(matchingTag.getId());
+
+ tagStore.updateTag(incomingTag);
+
+ isAnyTagUpdated = true;
+ }
+ }
+ } else { // shared model
+ if (isResourcePrivateTag(matchingTag)) {
+ // create new tag from incoming tag and associate it with service-resource
+ RangerTag newTag = tagStore.createTag(incomingTag);
+
+ RangerTagResourceMap tagResourceMap = new RangerTagResourceMap();
+
+ tagResourceMap.setTagId(newTag.getId());
+ tagResourceMap.setResourceId(resourceInStore.getId());
+
+ tagResourceMap = tagStore.createTagResourceMap(tagResourceMap);
+
+ associatedTags.add(newTag);
+ tagsToRetain.add(newTag);
+ } else {
+ // Keep this tag, but update it with attribute-values from incoming tag
+ tagsToRetain.add(matchingTag);
+
+ // Update shared tag with new values
+ incomingTag.setId(matchingTag.getId());
+
+ tagStore.updateTag(incomingTag);
+
+ // associate with service-resource if not already associated
+ if (findTagInList(matchingTag, associatedTags) == null) {
+ RangerTagResourceMap tagResourceMap = new RangerTagResourceMap();
+
+ tagResourceMap.setTagId(matchingTag.getId());
+ tagResourceMap.setResourceId(resourceInStore.getId());
+
+ tagResourceMap = tagStore.createTagResourceMap(tagResourceMap);
+ } else {
+ isAnyTagUpdated = true;
+ }
+ }
+ }
+ }
+ }
+ } catch (Exception exception) {
+ LOG.error("createRangerTagResourceMap failed", exception);
+
+ throw exception;
+ }
+
+ if (CollectionUtils.isNotEmpty(associatedTags)) {
+ Long tagId = null;
+
+ try {
+ for (RangerTag associatedTag : associatedTags) {
+ if (findTagInList(associatedTag, tagsToRetain) == null) {
+ tagId = associatedTag.getId();
+
+ RangerTagResourceMap tagResourceMap = tagStore.getTagResourceMapForTagAndResourceId(tagId, resourceInStore.getId());
+
+ if (tagResourceMap != null) {
+ tagStore.deleteTagResourceMap(tagResourceMap.getId());
+ }
+
+ LOG.debug("Deleted tagResourceMap(tagId={}, resourceId={}", tagId, resourceInStore.getId());
+ }
+ }
+ } catch (Exception exception) {
+ LOG.error("deleteTagResourceMap failed, tagId={}, resourceId={}", tagId, resourceInStore.getId());
+
+ throw exception;
+ }
+ }
+
+ if (isAnyTagUpdated) {
+ if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG_ADD_OR_UPDATE)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG_ADD_OR_UPDATE, "tags.refreshServiceResource(" + resourceInStore.getId() + ")");
+ }
+
+ tagStore.refreshServiceResource(resourceInStore.getId());
+
+ RangerPerfTracer.logAlways(perf);
+ } else {
+ if (CollectionUtils.isEmpty(tagIds)) {
+ // No tags associated with the resource - delete the resource too
+ tagStore.deleteServiceResource(resourceInStore.getId());
+ }
+ }
+ }
+ }
+
+ RangerPerfTracer.logAlways(perfTotal);
+
+ LOG.debug("<== ServiceTagsProcessor.createOrUpdate()");
+ }
+
+ private RangerTag findTagInList(RangerTag object, List list) {
+ LOG.debug("==> ServiceTagsProcessor.findTagInList(): object={}", (object == null ? null : object.getId()));
+ RangerTag ret = null;
+
+ if (object != null) {
+ for (RangerTag tag : list) {
+ LOG.debug("==> ServiceTagsProcessor.findTagInList(): tag={}", tag.getId());
+
+ if (tag.getId().equals(object.getId())) {
+ ret = tag;
+
+ LOG.debug("==> ServiceTagsProcessor.findTagInList(): found tag={}", tag.getId());
+
+ break;
+ }
+ }
+ }
+
+ LOG.debug("<== ServiceTagsProcessor.findTagInList(): ret={}", (ret == null ? null : ret.getId()));
+
+ return ret;
+ }
+
+ private boolean isResourcePrivateTag(RangerTag tag) {
+ return tag.getOwner() == null || tag.getOwner() == RangerTag.OWNER_SERVICERESOURCE;
+ }
+
+ private RangerTag findMatchingTag(RangerTag incomingTag, List existingTags) throws Exception {
+ RangerTag ret = null;
+
+ if (StringUtils.isNotEmpty(incomingTag.getGuid())) {
+ ret = tagStore.getTagByGuid(incomingTag.getGuid());
+ }
+
+ if (ret == null) {
+ if (isResourcePrivateTag(incomingTag)) {
+ for (RangerTag existingTag : existingTags) {
+ if (isMatch(incomingTag, existingTag)) {
+ ret = existingTag;
+ break;
+ }
+ }
+ }
+ }
+
+ return ret;
+ }
+
+ private boolean isMatch(final RangerTag incomingTag, final RangerTag existingTag) {
+ boolean ret = false;
+
+ if (incomingTag != null && existingTag != null) {
+ if (StringUtils.equals(incomingTag.getType(), existingTag.getType())) {
+ // Check attribute values
+ Map incomingTagAttributes = incomingTag.getAttributes() != null ? incomingTag.getAttributes() : Collections.emptyMap();
+ Map existingTagAttributes = existingTag.getAttributes() != null ? existingTag.getAttributes() : Collections.emptyMap();
+
+ if (CollectionUtils.isEqualCollection(incomingTagAttributes.keySet(), existingTagAttributes.keySet())) {
+ boolean matched = true;
+
+ for (Map.Entry entry : incomingTagAttributes.entrySet()) {
+ String key = entry.getKey();
+ String value = entry.getValue();
+
+ if (!StringUtils.equals(value, existingTagAttributes.get(key))) {
+ matched = false;
+ break;
+ }
+ }
+
+ if (matched) {
+ ret = true;
+ }
+ }
+ }
+ }
+
+ return ret;
+ }
+
+ private void delete(ServiceTags serviceTags) throws Exception {
+ LOG.debug("==> ServiceTagsProcessor.delete()");
+
+ // We dont expect any resourceId->tagId mappings in delete operation, so ignoring them if specified
+
+ List serviceResources = serviceTags.getServiceResources();
+
+ if (CollectionUtils.isNotEmpty(serviceResources)) {
+ for (RangerServiceResource serviceResource : serviceResources) {
+ if (StringUtils.isBlank(serviceResource.getServiceName())) {
+ serviceResource.setServiceName(serviceTags.getServiceName());
+ }
+
+ RangerServiceResource objToDelete = null;
+
+ try {
+ if (StringUtils.isNotBlank(serviceResource.getGuid())) {
+ objToDelete = tagStore.getServiceResourceByGuid(serviceResource.getGuid());
+ }
+
+ if (objToDelete == null) {
+ if (MapUtils.isNotEmpty(serviceResource.getResourceElements())) {
+ RangerServiceResourceSignature serializer = new RangerServiceResourceSignature(serviceResource);
+ String serviceResourceSignature = serializer.getSignature();
+
+ objToDelete = tagStore.getServiceResourceByServiceAndResourceSignature(serviceResource.getServiceName(), serviceResourceSignature);
+ }
+ }
+
+ if (objToDelete != null) {
+ List tagResourceMaps = tagStore.getTagResourceMapsForResourceGuid(objToDelete.getGuid());
+
+ if (CollectionUtils.isNotEmpty(tagResourceMaps)) {
+ for (RangerTagResourceMap tagResourceMap : tagResourceMaps) {
+ tagStore.deleteTagResourceMap(tagResourceMap.getId());
+ }
+ }
+
+ tagStore.deleteServiceResource(objToDelete.getId());
+ 
} + } catch (Exception exception) { + LOG.error("deleteServiceResourceByGuid failed, guid={}", serviceResource.getGuid(), exception); + + throw exception; + } + } + } + + Map tagsMap = serviceTags.getTags(); + + if (MapUtils.isNotEmpty(tagsMap)) { + for (Map.Entry entry : tagsMap.entrySet()) { + RangerTag tag = entry.getValue(); + + try { + RangerTag objToDelete = tagStore.getTagByGuid(tag.getGuid()); + + if (objToDelete != null) { + tagStore.deleteTag(objToDelete.getId()); + } + } catch (Exception exception) { + LOG.error("deleteTag failed, guid={}", tag.getGuid(), exception); + + throw exception; + } + } + } + + Map tagDefsMap = serviceTags.getTagDefinitions(); + + if (MapUtils.isNotEmpty(tagDefsMap)) { + for (Map.Entry entry : tagDefsMap.entrySet()) { + RangerTagDef tagDef = entry.getValue(); + + try { + RangerTagDef objToDelete = tagStore.getTagDefByGuid(tagDef.getGuid()); + + if (objToDelete != null) { + tagStore.deleteTagDef(objToDelete.getId()); + } + } catch (Exception exception) { + LOG.error("deleteTagDef failed, guid={}", tagDef.getGuid(), exception); + throw exception; + } + } + } + + LOG.debug("<== ServiceTagsProcessor.delete()"); + } + + private void replace(ServiceTags serviceTags) throws Exception { + LOG.debug("==> ServiceTagsProcessor.replace()"); + + // Delete those service-resources which are in ranger database but not in provided service-tags + + Map serviceResourcesInServiceTagsMap = new HashMap<>(); + List serviceResourcesInServiceTags = serviceTags.getServiceResources(); + + for (RangerServiceResource rangerServiceResource : serviceResourcesInServiceTags) { + String guid = rangerServiceResource.getGuid(); + + if (serviceResourcesInServiceTagsMap.containsKey(guid)) { + LOG.warn("duplicate service-resource found: guid={}", guid); + } + + serviceResourcesInServiceTagsMap.put(guid, rangerServiceResource); + } + + List serviceResourcesInDb = tagStore.getServiceResourceGuidsByService(serviceTags.getServiceName()); + + if 
(CollectionUtils.isNotEmpty(serviceResourcesInDb)) { + for (String dbServiceResourceGuid : serviceResourcesInDb) { + if (!serviceResourcesInServiceTagsMap.containsKey(dbServiceResourceGuid)) { + LOG.debug("Deleting serviceResource(guid={}) and its tag-associations...", dbServiceResourceGuid); + + List tagResourceMaps = tagStore.getTagResourceMapsForResourceGuid(dbServiceResourceGuid); + + if (CollectionUtils.isNotEmpty(tagResourceMaps)) { + for (RangerTagResourceMap tagResourceMap : tagResourceMaps) { + tagStore.deleteTagResourceMap(tagResourceMap.getId()); + } + } + + tagStore.deleteServiceResourceByGuid(dbServiceResourceGuid); + } + } + } + + // Add/update resources and other tag-model objects provided in service-tags + + addOrUpdate(serviceTags); + + // All private tags at this point are associated with some service-resource and shared + // tags cannot be deleted as they belong to some other service. In any case, any tags that + // are not associated with service-resource will not be downloaded to plugin. + + // Tag-defs cannot be deleted as there may be a shared tag that it refers to it. + + LOG.debug("<== ServiceTagsProcessor.replace()"); + } } diff --git a/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java b/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java index 6675d71a6d..92535a453f 100755 --- a/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java @@ -19,7 +19,6 @@ package org.apache.ranger.rest; -import javax.ws.rs.Consumes; import org.apache.commons.collections.CollectionUtils; import org.apache.commons.lang.StringUtils; import org.apache.ranger.biz.AssetMgr; 
@@ -36,8 +35,8 @@ import org.apache.ranger.plugin.model.RangerService; import org.apache.ranger.plugin.model.RangerServiceResource; import org.apache.ranger.plugin.model.RangerTag; -import org.apache.ranger.plugin.model.RangerTagResourceMap; import org.apache.ranger.plugin.model.RangerTagDef; +import org.apache.ranger.plugin.model.RangerTagResourceMap; import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil; import org.apache.ranger.plugin.store.PList; import org.apache.ranger.plugin.store.RangerServiceResourceSignature; @@ -65,6 +64,7 @@ import javax.annotation.PostConstruct; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import javax.ws.rs.Consumes; import javax.ws.rs.DELETE; import javax.ws.rs.DefaultValue; import javax.ws.rs.GET; @@ -90,20 +90,20 @@ public class TagREST { public static final String Allowed_User_List_For_Tag_Download = "tag.download.auth.users"; - @Autowired - RESTErrorUtil restErrorUtil; + @Autowired + RESTErrorUtil restErrorUtil; - @Autowired - ServiceDBStore svcStore; + @Autowired + ServiceDBStore svcStore; - @Autowired - TagDBStore tagStore; - - @Autowired - RangerDaoManager daoManager; - - @Autowired - RangerBizUtil bizUtil; + @Autowired + TagDBStore tagStore; + + @Autowired + RangerDaoManager daoManager; + + @Autowired + RangerBizUtil bizUtil; @Autowired AssetMgr assetMgr; 
@@ -129,34 +129,29 @@ public class TagREST { RangerTagResourceMapService rangerTagResourceMapService; public TagREST() { - } + } - @PostConstruct - public void initStore() { - validator = new TagValidator(); + @PostConstruct + public void initStore() { + validator = new TagValidator(); tagStore.setServiceStore(svcStore); validator.setTagStore(tagStore); - } - - TagStore getTagStore() { - return tagStore; } @POST @Path(TagRESTConstants.TAGDEFS_RESOURCE) - @Consumes({ "application/json" }) - @Produces({ "application/json" }) + @Consumes("application/json") + @Produces("application/json") @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public RangerTagDef createTagDef(RangerTagDef tagDef, @DefaultValue("true") @QueryParam("updateIfExists") boolean updateIfExists) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.createTagDef(" + tagDef + ", " + updateIfExists + ")"); - } + LOG.debug("==> TagREST.createTagDef({}, {})", tagDef, updateIfExists); RangerTagDef ret; try { RangerTagDef exist = validator.preCreateTagDef(tagDef, updateIfExists); + if (exist == null) { ret = tagStore.createTagDef(tagDef); } else if (updateIfExists) { 
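Review bot: The package-private `getTagStore()` accessor is removed from TagREST with no replacement, so anything in the same package that reached the store through it (a test, presumably) now fails to compile; worth a grep before merge since nothing here shows its callers. The remaining changes in this hunk are formatting and parameterized logging, which is safe because SLF4J defers argument formatting until the level is enabled. Note that `initStore()` still mutates the shared `tagStore` through `setServiceStore(svcStore)` from a `@PostConstruct`, which is only correct while TagREST is a singleton bean — presumably it is, but that assumption is now undocumented; a one-line comment such as `// wires the shared TagDBStore once; TagREST must remain a singleton` would capture it. The body of `createTagDef` continues in the next hunk.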
@@ -164,34 +159,29 @@ public RangerTagDef createTagDef(RangerTagDef tagDef, @DefaultValue("true") @Que } else { throw new Exception("tag-definition with Id " + exist.getId() + " already exists"); } - } catch(Exception excp) { - LOG.error("createTagDef(" + tagDef + ") failed", excp); + } catch (Exception excp) { + LOG.error("createTagDef({}) failed", tagDef, excp); throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); } - if(LOG.isDebugEnabled()) { - LOG.debug("<== TagREST.createTagDef(" + tagDef + ", " + updateIfExists + "): " + ret); - } + LOG.debug("<== TagREST.createTagDef({}, {}): {}", tagDef, updateIfExists, ret); return ret; } - @PUT @Path(TagRESTConstants.TAGDEF_RESOURCE + "{id}") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) + @Consumes("application/json") + @Produces("application/json") @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public RangerTagDef updateTagDef(@PathParam("id") Long id, RangerTagDef tagDef) { + LOG.debug("==> TagREST.updateTagDef({})", id); - if(LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.updateTagDef(" + id + ")"); - } if (tagDef.getId() == null) { tagDef.setId(id); } else if (!tagDef.getId().equals(id)) { - throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST , "tag name mismatch", true); + throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, "tag name mismatch", true); } RangerTagDef ret; @@ -199,12 +189,12 @@ public RangerTagDef updateTagDef(@PathParam("id") Long id, RangerTagDef tagDef) try { ret = tagStore.updateTagDef(tagDef); } catch (Exception excp) { - LOG.error("updateTagDef(" + id + ") failed", excp); + LOG.error("updateTagDef({}) failed", id, excp); + throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); } - if(LOG.isDebugEnabled()) { - LOG.debug("<== TagREST.updateTagDef(" + id + ")"); - } + + LOG.debug("<== TagREST.updateTagDef({})", id); return ret; } 
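Review bot: The rewritten mismatch check in `updateTagDef` still answers `"tag name mismatch"` although it compares the body id with the path id (`tagDef.getId()` vs `id`), so the 400 body misleads the caller; `throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, "tag-def id mismatch", true);` says what was actually checked. In `createTagDef` (context at the top of this hunk, its body starts in the previous hunk) the already-exists path raises a bare `new Exception(...)` that the method's own `catch (Exception excp)` immediately rewraps into a 400, which is exception-as-control-flow; building the REST exception in that branch directly, `throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, "tag-definition with Id " + exist.getId() + " already exists", true);`, makes the intended response explicit and keeps the catch for genuine store failures.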
@@ -213,175 +203,150 @@ public RangerTagDef updateTagDef(@PathParam("id") Long id, RangerTagDef tagDef) @Path(TagRESTConstants.TAGDEF_RESOURCE + "{id}") @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public void deleteTagDef(@PathParam("id") Long id) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.deleteTagDef(" + id + ")"); - } + LOG.debug("==> TagREST.deleteTagDef({})", id); try { tagStore.deleteTagDef(id); - } catch(Exception excp) { - LOG.error("deleteTagDef(" + id + ") failed", excp); + } catch (Exception excp) { + LOG.error("deleteTagDef({}) failed", id, excp); throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); } - if(LOG.isDebugEnabled()) { - LOG.debug("<== TagREST.deleteTagDef(" + id + ")"); - } + LOG.debug("<== TagREST.deleteTagDef({})", id); } @DELETE @Path(TagRESTConstants.TAGDEF_RESOURCE + "guid/{guid}") @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public void deleteTagDefByGuid(@PathParam("guid") String guid) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.deleteTagDefByGuid(" + guid + ")"); - } + LOG.debug("==> TagREST.deleteTagDefByGuid({})", guid); try { RangerTagDef exist = tagStore.getTagDefByGuid(guid); - if(exist!=null){ - tagStore.deleteTagDef(exist.getId()); - } - } catch(Exception excp) { - LOG.error("deleteTagDef(" + guid + ") failed", excp); + + if (exist != null) { + tagStore.deleteTagDef(exist.getId()); + } + } catch (Exception excp) { + LOG.error("deleteTagDef({}) failed", guid, excp); throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); } - if(LOG.isDebugEnabled()) { - LOG.debug("<== TagREST.deleteTagDefByGuid(" + guid + ")"); - } + LOG.debug("<== TagREST.deleteTagDefByGuid({})", guid); } @GET @Path(TagRESTConstants.TAGDEF_RESOURCE + "{id}") - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public RangerTagDef getTagDef(@PathParam("id") Long id) { - 
if(LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.getTagDef(" + id + ")"); - } + LOG.debug("==> TagREST.getTagDef({})", id); RangerTagDef ret; try { ret = tagStore.getTagDef(id); - } catch(Exception excp) { - LOG.error("getTagDef(" + id + ") failed", excp); + } catch (Exception excp) { + LOG.error("getTagDef({}) failed", id, excp); throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); } - if(ret == null) { + if (ret == null) { throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "Not found", true); } - if(LOG.isDebugEnabled()) { - LOG.debug("<== TagREST.getTagDef(" + id + "): " + ret); - } + LOG.debug("<== TagREST.getTagDef({}): {}", id, ret); return ret; } @GET @Path(TagRESTConstants.TAGDEF_RESOURCE + "guid/{guid}") - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public RangerTagDef getTagDefByGuid(@PathParam("guid") String guid) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.getTagDefByGuid(" + guid + ")"); - } + LOG.debug("==> TagREST.getTagDefByGuid({})", guid); RangerTagDef ret; try { ret = tagStore.getTagDefByGuid(guid); - } catch(Exception excp) { - LOG.error("getTagDefByGuid(" + guid + ") failed", excp); + } catch (Exception excp) { + LOG.error("getTagDefByGuid({}) failed", guid, excp); throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); } - if(ret == null) { + if (ret == null) { throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "Not found", true); } - if(LOG.isDebugEnabled()) { - LOG.debug("<== TagREST.getTagDefByGuid(" + guid + "): " + ret); - } + LOG.debug("<== TagREST.getTagDefByGuid({}): {}", guid, ret); return ret; } @GET @Path(TagRESTConstants.TAGDEF_RESOURCE + "name/{name}") - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public RangerTagDef 
getTagDefByName(@PathParam("name") String name) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.getTagDefByName(" + name + ")"); - } + LOG.debug("==> TagREST.getTagDefByName({})", name); RangerTagDef ret; try { ret = tagStore.getTagDefByName(name); - } catch(Exception excp) { - LOG.error("getTagDefByName(" + name + ") failed", excp); + } catch (Exception excp) { + LOG.error("getTagDefByName({}) failed", name, excp); throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); } - if(ret == null) { + if (ret == null) { throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "Not found", true); } - if(LOG.isDebugEnabled()) { - LOG.debug("<== TagREST.getTagDefByName(" + name + "): " + ret); - } + LOG.debug("<== TagREST.getTagDefByName({}): {}", name, ret); return ret; } @GET @Path(TagRESTConstants.TAGDEFS_RESOURCE) - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public List getAllTagDefs() { - if(LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.getAllTagDefs()"); - } + LOG.debug("==> TagREST.getAllTagDefs()"); List ret; try { ret = tagStore.getTagDefs(new SearchFilter()); - } catch(Exception excp) { + } catch (Exception excp) { LOG.error("getAllTagDefs() failed", excp); throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); } - if(ret == null) { + if (ret == null) { throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "Not found", true); } - if(LOG.isDebugEnabled()) { - LOG.debug("<== TagREST.getAllTagDefs()"); - } + LOG.debug("<== TagREST.getAllTagDefs()"); return ret; } @GET @Path(TagRESTConstants.TAGDEFS_RESOURCE_PAGINATED) - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public PList getTagDefs(@Context HttpServletRequest request) { - if (LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.getTagDefs()"); - } + 
LOG.debug("==> TagREST.getTagDefs()"); final PList ret; 
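Review bot: `deleteTagDefByGuid` succeeds silently when no tag-def carries the given guid (the `exist != null` branch simply skips the delete), while `getTagDefByGuid` in the same hunk answers 404 for the same input; since the contrast is now easy to miss, the no-op contract deserves a Javadoc such as `/** Deletes the tag-def identified by {@code guid}; a no-op when no such tag-def exists. */`. The same applies to the id-based `deleteTagDef`, whose outcome for an unknown id depends entirely on `tagStore.deleteTagDef`, which is not visible here. `getTagDefs` at the tail of this hunk continues past it.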
@@ -399,58 +364,50 @@ public PList getTagDefs(@Context HttpServletRequest request) { throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "Not found", true); } - if (LOG.isDebugEnabled()) { - LOG.debug("<== TagREST.getTagDefs(): count=" + ((ret == null || ret.getList() == null) ? 0 : ret.getList().size())); - } + LOG.debug("<== TagREST.getTagDefs(): count={}", ret.getList() == null ? 0 : ret.getList().size()); return ret; } @GET @Path(TagRESTConstants.TAGTYPES_RESOURCE) - @Produces({ "application/json" }) + @Produces("application/json") public List getTagTypes() { - if(LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.getTagTypes()"); - } + LOG.debug("==> TagREST.getTagTypes()"); // check for ADMIN access if (!bizUtil.isAdmin()) { throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "User don't have permission to perform this action", true); } - List ret = null; + List ret; try { ret = tagStore.getTagTypes(); - } catch(Exception excp) { + } catch (Exception excp) { LOG.error("getTagTypes() failed", excp); throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); } - if(LOG.isDebugEnabled()) { - LOG.debug("<== TagREST.getTagTypes(): count=" + (ret != null ? ret.size() : 0)); - } + LOG.debug("<== TagREST.getTagTypes(): count={}", (ret != null ? 
ret.size() : 0)); return ret; } - @POST @Path(TagRESTConstants.TAGS_RESOURCE) - @Consumes({ "application/json" }) - @Produces({ "application/json" }) + @Consumes("application/json") + @Produces("application/json") @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public RangerTag createTag(RangerTag tag, @DefaultValue("true") @QueryParam("updateIfExists") boolean updateIfExists) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.createTag(" + tag + ", " + updateIfExists + ")"); - } + LOG.debug("==> TagREST.createTag({}, {})", tag, updateIfExists); RangerTag ret; try { RangerTag exist = validator.preCreateTag(tag); + if (exist == null) { ret = tagStore.createTag(tag); } else if (updateIfExists) { 
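Review bot: The exit trace in `getTagDefs` now dereferences `ret` unconditionally (`ret.getList() == null ? 0 : ret.getList().size()`), dropping the old `ret == null` guard; that is safe only if the `Not found` check just above it — whose condition sits outside this hunk — throws whenever `ret` is null, which looks likely but should be confirmed. `getTagTypes` keeps a `ret != null` guard in the equivalent line a few statements later, so the two traces now follow different conventions; either rely on the earlier checks in both or guard in both. `createTag` at the end of this hunk continues in the next one.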
@@ -458,65 +415,61 @@ public RangerTag createTag(RangerTag tag, @DefaultValue("true") @QueryParam("upd } else { throw new Exception("tag with Id " + exist.getId() + " already exists"); } - } catch(Exception excp) { - LOG.error("createTag(" + tag + ") failed", excp); + } catch (Exception excp) { + LOG.error("createTag({}) failed", tag, excp); throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); } - if(LOG.isDebugEnabled()) { - LOG.debug("<== TagREST.createTag(" + tag + ", " + updateIfExists + "): " + ret); - } + LOG.debug("<== TagREST.createTag({}, {}): {}", tag, updateIfExists, ret); return ret; } @PUT @Path(TagRESTConstants.TAG_RESOURCE + "{id}") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) + @Consumes("application/json") + @Produces("application/json") @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public RangerTag updateTag(@PathParam("id") Long id, RangerTag tag) { - RangerTag ret; try { validator.preUpdateTag(id, tag); + ret = tagStore.updateTag(tag); } catch (Exception excp) { - LOG.error("updateTag(" + id + ") failed", excp); + LOG.error("updateTag({}) failed", id, excp); + throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); } - if(LOG.isDebugEnabled()) { - LOG.debug("<== TagREST.updateTag(" + id + "): " + ret); - } + + LOG.debug("<== TagREST.updateTag({}): {}", id, ret); return ret; } @PUT @Path(TagRESTConstants.TAG_RESOURCE + "guid/{guid}") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) + @Consumes("application/json") + @Produces("application/json") @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public RangerTag updateTagByGuid(@PathParam("guid") String guid, RangerTag tag) { - - if(LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.updateTagByGuid(" + guid + ")"); - } + LOG.debug("==> TagREST.updateTagByGuid({})", guid); RangerTag ret; try { validator.preUpdateTagByGuid(guid, tag); + ret = tagStore.updateTag(tag); } 
catch (Exception excp) { - LOG.error("updateTagByGuid(" + guid + ") failed", excp); + LOG.error("updateTagByGuid({}) failed", guid, excp); + throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); } - if(LOG.isDebugEnabled()) { - LOG.debug("<== TagREST.updateTagByGuid(" + guid + "): " + ret); - } + + LOG.debug("<== TagREST.updateTagByGuid({}): {}", guid, ret); return ret; } 
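Review bot: `updateTag` has no entry trace, while `updateTagByGuid` directly below it and every other handler in this file log `==>` on entry; adding `LOG.debug("==> TagREST.updateTag({})", id);` as the first statement keeps the pair symmetric and makes the exit line correlatable. Unlike `updateTagDef`, neither `updateTag` nor `updateTagByGuid` reconciles the path parameter with the id or guid carried in the body; presumably `validator.preUpdateTag`/`preUpdateTagByGuid` do that, but it is not visible here and a short comment on those calls would save the next reader the lookup.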
@@ -525,127 +478,110 @@ public RangerTag updateTagByGuid(@PathParam("guid") String guid, RangerTag tag) @Path(TagRESTConstants.TAG_RESOURCE + "{id}") @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public void deleteTag(@PathParam("id") Long id) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.deleteTag(" + id +")"); - } + LOG.debug("==> TagREST.deleteTag({})", id); try { validator.preDeleteTag(id); tagStore.deleteTag(id); - } catch(Exception excp) { - LOG.error("deleteTag(" + id + ") failed", excp); + } catch (Exception excp) { + LOG.error("deleteTag({}) failed", id, excp); + throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); } - if(LOG.isDebugEnabled()) { - LOG.debug("<== TagREST.deleteTag(" + id + ")"); - } + LOG.debug("<== TagREST.deleteTag({})", id); } @DELETE @Path(TagRESTConstants.TAG_RESOURCE + "guid/{guid}") @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public void deleteTagByGuid(@PathParam("guid") String guid) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.deleteTagByGuid(" + guid + ")"); - } + LOG.debug("==> TagREST.deleteTagByGuid({})", guid); try { RangerTag exist = validator.preDeleteTagByGuid(guid); + tagStore.deleteTag(exist.getId()); - } catch(Exception excp) { - LOG.error("deleteTagByGuid(" + guid + ") failed", excp); + } catch (Exception excp) { + LOG.error("deleteTagByGuid({}) failed", guid, excp); throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); } - if(LOG.isDebugEnabled()) { - LOG.debug("<== TagREST.deleteTagByGuid(" + guid + ")"); - } + LOG.debug("<== TagREST.deleteTagByGuid({})", guid); } @GET @Path(TagRESTConstants.TAG_RESOURCE + "{id}") - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public RangerTag getTag(@PathParam("id") Long id) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.getTag(" + id + ")"); - } + LOG.debug("==> TagREST.getTag({})", id); + RangerTag 
ret; try { ret = tagStore.getTag(id); - } catch(Exception excp) { - LOG.error("getTag(" + id + ") failed", excp); + } catch (Exception excp) { + LOG.error("getTag({}) failed", id, excp); throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); } - if(LOG.isDebugEnabled()) { - LOG.debug("<== TagREST.getTag(" + id + "): " + ret); - } + LOG.debug("<== TagREST.getTag({}): {}", id, ret); return ret; } @GET @Path(TagRESTConstants.TAG_RESOURCE + "guid/{guid}") - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public RangerTag getTagByGuid(@PathParam("guid") String guid) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.getTagByGuid(" + guid + ")"); - } + LOG.debug("==> TagREST.getTagByGuid({})", guid); + RangerTag ret; try { ret = tagStore.getTagByGuid(guid); - } catch(Exception excp) { - LOG.error("getTagByGuid(" + guid + ") failed", excp); + } catch (Exception excp) { + LOG.error("getTagByGuid({}) failed", guid, excp); throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); } - if(LOG.isDebugEnabled()) { - LOG.debug("<== TagREST.getTagByGuid(" + guid + "): " + ret); - } + LOG.debug("<== TagREST.getTagByGuid({}): {}", guid, ret); return ret; } @GET @Path(TagRESTConstants.TAGS_RESOURCE + "type/{type}") - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public List getTagsByType(@PathParam("type") String type) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.getTagsByType(" + type + ")"); - } + LOG.debug("==> TagREST.getTagsByType({})", type); + List ret; try { ret = tagStore.getTagsByType(type); - } catch(Exception excp) { - LOG.error("getTagsByType(" + type + ") failed", excp); + } catch (Exception excp) { + LOG.error("getTagsByType({}) failed", type, excp); throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, 
excp.getMessage(), true); } - if(LOG.isDebugEnabled()) { - LOG.debug("<== TagREST.getTagsByType(" + type + "): " + ret); - } + LOG.debug("<== TagREST.getTagsByType({}): {}", type, ret); return ret; } @GET @Path(TagRESTConstants.TAGS_RESOURCE) - @Produces({ "application/json" }) + @Produces("application/json") public List getAllTags() { - if(LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.getAllTags()"); - } + LOG.debug("==> TagREST.getAllTags()"); // check for ADMIN access if (!bizUtil.isAdmin()) { @@ -656,32 +592,27 @@ public List getAllTags() { try { ret = tagStore.getTags(new SearchFilter()); - } catch(Exception excp) { + } catch (Exception excp) { LOG.error("getAllTags() failed", excp); throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); } if (CollectionUtils.isEmpty(ret)) { - if (LOG.isDebugEnabled()) { - LOG.debug("getAllTags() - No tags found"); - } - } - if(LOG.isDebugEnabled()) { - LOG.debug("<== TagREST.getAllTags(): " + ret); + LOG.debug("getAllTags() - No tags found"); } + LOG.debug("<== TagREST.getAllTags(): {}", ret); + return ret; } @GET @Path(TagRESTConstants.TAGS_RESOURCE_PAGINATED) - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public PList getTags(@Context HttpServletRequest request) { - if (LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.getTags()"); - } + LOG.debug("==> TagREST.getTags()"); final PList ret; 
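Review bot: `deleteTagByGuid` dereferences the `exist` returned by `validator.preDeleteTagByGuid(guid)` without a null check, unlike `deleteTagDefByGuid`; if the validator returns null for an unknown guid, the resulting NullPointerException is caught by the generic handler and surfaced as a 400 whose message is `null`. Either guard it, `if (exist != null) { tagStore.deleteTag(exist.getId()); }`, or confirm the validator throws for unknown guids and say so in a comment on that line. Separately, `getTag`, `getTagByGuid` and `getTagsByType` return a null body when nothing matches, whereas the tag-def getters respond 404 with `Not found`; aligning them would be a small follow-up, and `getAllTags` at the end of this hunk continues into the next.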
@@ -698,44 +629,40 @@ public PList getTags(@Context HttpServletRequest request) { } if (CollectionUtils.isEmpty(ret.getList())) { - if (LOG.isDebugEnabled()) { - LOG.debug("getTags() - No tags found"); - } + LOG.debug("getTags() - No tags found"); } - if (LOG.isDebugEnabled()) { - LOG.debug("<== TagREST.getTags(): count=" + ((ret == null || ret.getList() == null) ? 0 : ret.getList().size())); - } + LOG.debug("<== TagREST.getTags(): count={}", ret.getList() == null ? 0 : ret.getList().size()); return ret; } /** * Resets/ removes tag policy cache for given service. + * * @param serviceName non-empty service-name * @return {@code true} if successfully reseted/ removed for given service, {@code false} otherwise. */ @GET @Path(TagRESTConstants.TAGS_RESOURCE + "cache/reset") - @Produces({ "application/json" }) + @Produces("application/json") public boolean resetTagCache(@QueryParam("serviceName") String serviceName) { - if (LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.resetTagCache({})", serviceName); - } + LOG.debug("==> TagREST.resetTagCache({})", serviceName); if (StringUtils.isEmpty(serviceName)) { throw restErrorUtil.createRESTException("Required parameter [serviceName] is missing.", MessageEnums.INVALID_INPUT_DATA); } RangerService rangerService = null; + try { rangerService = svcStore.getServiceByName(serviceName); } catch (Exception e) { - LOG.error( HttpServletResponse.SC_BAD_REQUEST + "No Service Found for ServiceName:" + serviceName ); + LOG.error("{} No Service Found for ServiceName: {}", HttpServletResponse.SC_BAD_REQUEST, serviceName); } if (rangerService == null) { - throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST , "Invalid service name", true); + throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, "Invalid service name", true); } // check for ADMIN access 
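Review bot: The rewritten `LOG.error` in `resetTagCache`'s catch still discards the exception, so a store failure is indistinguishable from a genuinely unknown service in the logs; pass it as the last argument, `LOG.error("{} No Service Found for ServiceName: {}", HttpServletResponse.SC_BAD_REQUEST, serviceName, e);` (embedding the numeric status code in a log message is also odd and could be dropped). The `count=` trace in `getTags` drops its `ret == null` guard in the same way as `getTagDefs`, and relies on the `Not found` check above it, which lies outside this hunk. `resetTagCache` continues in the next hunk.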
@@ -746,7 +673,7 @@ public boolean resetTagCache(@QueryParam("serviceName") String serviceName) { try { isServiceAdmin = bizUtil.isUserServiceAdmin(rangerService, loggedInUser); } catch (Exception e) { - LOG.warn("Failed to find if user [" + loggedInUser + "] has service admin privileges on service [" + serviceName + "]", e); + LOG.warn("Failed to find if user [{}] has service admin privileges on service [{}]", loggedInUser, serviceName, e); } if (!isServiceAdmin) { @@ -756,24 +683,21 @@ public boolean resetTagCache(@QueryParam("serviceName") String serviceName) { boolean ret = tagStore.resetTagCache(serviceName); - if (LOG.isDebugEnabled()) { - LOG.debug("<== TagREST.resetTagCache(): ret={}", ret); - } + LOG.debug("<== TagREST.resetTagCache(): ret={}", ret); return ret; } /** * Resets/ removes tag policy cache for all. + * * @return {@code true} if successfully reseted/ removed, {@code false} otherwise. */ @GET @Path(TagRESTConstants.TAGS_RESOURCE + "cache/reset-all") - @Produces({ "application/json" }) + @Produces("application/json") public boolean resetTagCacheAll() { - if (LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.resetTagCacheAll()"); - } + LOG.debug("==> TagREST.resetTagCacheAll()"); // check for ADMIN access if (!bizUtil.isAdmin()) { 
@@ -782,27 +706,24 @@ public boolean resetTagCacheAll() { boolean ret = tagStore.resetTagCache(null); - if (LOG.isDebugEnabled()) { - LOG.debug("<== TagREST.resetTagCacheAll(): ret={}", ret); - } + LOG.debug("<== TagREST.resetTagCacheAll(): ret={}", ret); return ret; } @POST @Path(TagRESTConstants.RESOURCES_RESOURCE) - @Consumes({ "application/json" }) - @Produces({ "application/json" }) + @Consumes("application/json") + @Produces("application/json") @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public RangerServiceResource createServiceResource(RangerServiceResource resource, @DefaultValue("true") @QueryParam("updateIfExists") boolean updateIfExists) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.createServiceResource(" + resource + ", " + updateIfExists + ")"); - } + LOG.debug("==> TagREST.createServiceResource({}, {})", resource, updateIfExists); RangerServiceResource ret; try { RangerServiceResource exist = validator.preCreateServiceResource(resource); + if (exist == null) { ret = tagStore.createServiceResource(resource); } else if (updateIfExists) { 
@@ -810,66 +731,64 @@ public RangerServiceResource createServiceResource(RangerServiceResource resourc } else { throw new Exception("resource with Id " + exist.getId() + " already exists"); } - } catch(Exception excp) { - LOG.error("createServiceResource(" + resource + ") failed", excp); + } catch (Exception excp) { + LOG.error("createServiceResource({}) failed", resource, excp); throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); } - if(LOG.isDebugEnabled()) { - LOG.debug("<== TagREST.createServiceResource(" + resource + ", " + updateIfExists + "): " + ret); - } + LOG.debug("<== TagREST.createServiceResource({}, {}): {}", resource, updateIfExists, ret); return ret; } @PUT @Path(TagRESTConstants.RESOURCE_RESOURCE + "{id}") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) + @Consumes("application/json") + @Produces("application/json") @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public RangerServiceResource updateServiceResource(@PathParam("id") Long id, RangerServiceResource resource) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.updateServiceResource(" + id + ")"); - } + LOG.debug("==> TagREST.updateServiceResource({})", id); + RangerServiceResource ret; try { validator.preUpdateServiceResource(id, resource); + ret = tagStore.updateServiceResource(resource); - } catch(Exception excp) { - LOG.error("updateServiceResource(" + resource + ") failed", excp); + } catch (Exception excp) { + LOG.error("updateServiceResource({}) failed", resource, excp); throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); } - if(LOG.isDebugEnabled()) { - LOG.debug("<== TagREST.updateServiceResource(" + id + "): " + ret); - } + LOG.debug("<== TagREST.updateServiceResource({}): {}", id, ret); + return ret; } @PUT @Path(TagRESTConstants.RESOURCE_RESOURCE + "guid/{guid}") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) + 
@Consumes("application/json") + @Produces("application/json") @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public RangerServiceResource updateServiceResourceByGuid(@PathParam("guid") String guid, RangerServiceResource resource) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.updateServiceResourceByGuid(" + guid + ", " + resource + ")"); - } + LOG.debug("==> TagREST.updateServiceResourceByGuid({}, {})", guid, resource); + RangerServiceResource ret; + try { validator.preUpdateServiceResourceByGuid(guid, resource); + ret = tagStore.updateServiceResource(resource); - } catch(Exception excp) { - LOG.error("updateServiceResourceByGuid(" + guid + ", " + resource + ") failed", excp); + } catch (Exception excp) { + LOG.error("updateServiceResourceByGuid({}, {}) failed", guid, resource, excp); throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); } - if(LOG.isDebugEnabled()) { - LOG.debug("<== TagREST.updateServiceResourceByGuid(" + guid + ", " + resource + "): " + ret); - } + + LOG.debug("<== TagREST.updateServiceResourceByGuid({}, {}): {}", guid, resource, ret); + return ret; } @@ -877,9 +796,8 @@ public RangerServiceResource updateServiceResourceByGuid(@PathParam("guid") Stri @Path(TagRESTConstants.RESOURCE_RESOURCE + "{id}") @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public void deleteServiceResource(@PathParam("id") Long id) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.deleteServiceResource(" + id + ")"); - } + LOG.debug("==> TagREST.deleteServiceResource({})", id); + try { validator.preDeleteServiceResource(id); tagStore.deleteServiceResource(id); 
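Review bot: The rewritten catch blocks in createServiceResource, updateServiceResource and updateServiceResourceByGuid still pass `excp.getMessage()` straight into `restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true)` for every Exception, so a failure below the validator (for instance inside `tagStore.updateServiceResource`) returns its internal message to the HTTP client as well as the log. Only the validator's messages are meant for callers; mapping other exception types to a fixed text such as `"failed to process service-resource"` while keeping the full exception in the LOG.error call would avoid exposing storage-layer detail. The same catch pattern recurs in every later hunk of this file, so a shared helper may be the cleaner fix. createServiceResource's body starts in the previous hunk, and deleteServiceResource in the second hunk on this line continues past it.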
@@ -889,171 +807,151 @@ public void deleteServiceResource(@PathParam("id") Long id) { throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); } - if(LOG.isDebugEnabled()) { - LOG.debug("<== TagREST.deleteServiceResource(" + id + ")"); - } + LOG.debug("<== TagREST.deleteServiceResource({})", id); } @DELETE @Path(TagRESTConstants.RESOURCE_RESOURCE + "guid/{guid}") @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public void deleteServiceResourceByGuid(@PathParam("guid") String guid, @DefaultValue("false") @QueryParam("deleteReferences") boolean deleteReferences) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.deleteServiceResourceByGuid(" + guid + ", " + deleteReferences + ")"); - } + LOG.debug("==> TagREST.deleteServiceResourceByGuid({}, {})", guid, deleteReferences); try { RangerServiceResource exist = validator.preDeleteServiceResourceByGuid(guid, deleteReferences); + if (deleteReferences) { List tagResourceMaps = tagStore.getTagResourceMapsForResourceGuid(exist.getGuid()); + if (CollectionUtils.isNotEmpty(tagResourceMaps)) { for (RangerTagResourceMap tagResourceMap : tagResourceMaps) { deleteTagResourceMap(tagResourceMap.getId()); } } } + tagStore.deleteServiceResource(exist.getId()); - } catch(Exception excp) { - LOG.error("deleteServiceResourceByGuid(" + guid + ", " + deleteReferences + ") failed", excp); + } catch (Exception excp) { + LOG.error("deleteServiceResourceByGuid({}, {}) failed", guid, deleteReferences, excp); throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); } - if(LOG.isDebugEnabled()) { - LOG.debug("<== TagREST.deleteServiceResourceByGuid(" + guid + ", " + deleteReferences + ")"); - } + LOG.debug("<== TagREST.deleteServiceResourceByGuid({}, {})", guid, deleteReferences); } @GET @Path(TagRESTConstants.RESOURCE_RESOURCE + "{id}") - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public 
RangerServiceResource getServiceResource(@PathParam("id") Long id) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.getServiceResource(" + id + ")"); - } + LOG.debug("==> TagREST.getServiceResource({})", id); + RangerServiceResource ret; + try { ret = tagStore.getServiceResource(id); - } catch(Exception excp) { - LOG.error("getServiceResource(" + id + ") failed", excp); + } catch (Exception excp) { + LOG.error("getServiceResource({}) failed", id, excp); throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); } - if(LOG.isDebugEnabled()) { - LOG.debug("<== TagREST.getServiceResource(" + id + "): " + ret); - } + + LOG.debug("<== TagREST.getServiceResource({}): {}", id, ret); + return ret; } @GET @Path(TagRESTConstants.RESOURCE_RESOURCE + "guid/{guid}") - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public RangerServiceResource getServiceResourceByGuid(@PathParam("guid") String guid) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.getServiceResourceByGuid(" + guid + ")"); - } + LOG.debug("==> TagREST.getServiceResourceByGuid({})", guid); + RangerServiceResource ret; + try { ret = tagStore.getServiceResourceByGuid(guid); - } catch(Exception excp) { - LOG.error("getServiceResourceByGuid(" + guid + ") failed", excp); + } catch (Exception excp) { + LOG.error("getServiceResourceByGuid({}) failed", guid, excp); throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); } - if(LOG.isDebugEnabled()) { - LOG.debug("<== TagREST.getServiceResourceByGuid(" + guid + "): " + ret); - } + + LOG.debug("<== TagREST.getServiceResourceByGuid({}): {}", guid, ret); + return ret; } @GET @Path(TagRESTConstants.RESOURCES_RESOURCE + "service/{serviceName}") - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public List 
getServiceResourcesByService(@PathParam("serviceName") String serviceName) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.getServiceResourcesByService(" + serviceName + ")"); - } + LOG.debug("==> TagREST.getServiceResourcesByService({})", serviceName); - List ret = null; + List ret; try { ret = tagStore.getServiceResourcesByService(serviceName); - } catch(Exception excp) { - LOG.error("getServiceResourcesByService(" + serviceName + ") failed", excp); + } catch (Exception excp) { + LOG.error("getServiceResourcesByService({}) failed", serviceName, excp); throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); } if (CollectionUtils.isEmpty(ret)) { - if (LOG.isDebugEnabled()) { - LOG.debug("getServiceResourcesByService(" + serviceName + ") - No service-resources found"); - } - } - if(LOG.isDebugEnabled()) { - LOG.debug("<== TagREST.getServiceResourcesByService(" + serviceName + "): count=" + (ret == null ? 0 : ret.size())); + LOG.debug("getServiceResourcesByService({}) - No service-resources found", serviceName); } + LOG.debug("<== TagREST.getServiceResourcesByService({}): count={}", serviceName, (ret == null ? 
0 : ret.size())); return ret; } @GET @Path(TagRESTConstants.RESOURCE_RESOURCE + "service/{serviceName}/signature/{resourceSignature}") - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - public RangerServiceResource getServiceResourceByServiceAndResourceSignature(@PathParam("serviceName") String serviceName, - @PathParam("resourceSignature") String resourceSignature) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.getServiceResourceByServiceAndResourceSignature(" + serviceName + ", " + resourceSignature + ")"); - } + public RangerServiceResource getServiceResourceByServiceAndResourceSignature(@PathParam("serviceName") String serviceName, @PathParam("resourceSignature") String resourceSignature) { + LOG.debug("==> TagREST.getServiceResourceByServiceAndResourceSignature({}, {})", serviceName, resourceSignature); - RangerServiceResource ret = null; + RangerServiceResource ret; try { ret = tagStore.getServiceResourceByServiceAndResourceSignature(serviceName, resourceSignature); - } catch(Exception excp) { - LOG.error("getServiceResourceByServiceAndResourceSignature(" + serviceName + ", " + resourceSignature + ") failed", excp); + } catch (Exception excp) { + LOG.error("getServiceResourceByServiceAndResourceSignature({}, {})", serviceName, resourceSignature, excp); throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); } - if(LOG.isDebugEnabled()) { - LOG.debug("<== TagREST.getServiceResourceByServiceAndResourceSignature(" + serviceName + ", " + resourceSignature + "): " + ret); - } + LOG.debug("<== TagREST.getServiceResourceByServiceAndResourceSignature({}, {}): {}", serviceName, resourceSignature, ret); return ret; } @GET @Path(TagRESTConstants.RESOURCE_RESOURCE + "service/{serviceName}/resource") - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public RangerServiceResource 
getServiceResourceByResource(@PathParam("serviceName") String serviceName, @Context HttpServletRequest request) { - if (LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.getServiceResourceByResource(" + serviceName + ")"); - } + LOG.debug("==> TagREST.getServiceResourceByResource({})", serviceName); Map resourceMap = searchUtil.getMultiValueParamsWithPrefix(request, SearchFilter.RESOURCE_PREFIX, true); - RangerServiceResource serviceResource = tagStore.toRangerServiceResource(serviceName, resourceMap); + RangerServiceResource serviceResource = TagDBStore.toRangerServiceResource(serviceName, resourceMap); serviceResource = getServiceResourceByServiceAndResourceSignature(serviceName, new RangerServiceResourceSignature(serviceResource).getSignature()); - if(LOG.isDebugEnabled()) { - LOG.debug("<== TagREST.getServiceResourceByResource(serviceName={" + serviceName + "} RangerServiceResource={" + serviceResource + "})"); - } + LOG.debug("<== TagREST.getServiceResourceByResource(serviceName=[{}] RangerServiceResource=[{}])", serviceName, serviceResource); return serviceResource; } @GET @Path(TagRESTConstants.RESOURCES_RESOURCE) - @Produces({ "application/json" }) + @Produces("application/json") public List getAllServiceResources() { - if(LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.getAllServiceResources()"); - } + LOG.debug("==> TagREST.getAllServiceResources()"); // check for ADMIN access if (!bizUtil.isAdmin()) { 
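Review bot: The rewritten error log in getServiceResourceByServiceAndResourceSignature drops the " failed" suffix that every other catch block in this hunk keeps, so the message reads as a plain trace rather than an error: `LOG.error("getServiceResourceByServiceAndResourceSignature({}, {}) failed", serviceName, resourceSignature, excp);` restores the convention, and the same omission appears in createTagResourceMap in the hunk at -1128. Separately, getServiceResourceByResource now calls the static `TagDBStore.toRangerServiceResource(serviceName, resourceMap)` while the rest of the class goes through the `tagStore` field; if this is because the method became static, a one-line comment saying so would stop the next reader from seeing it as a bypass of the store interface. getAllServiceResources continues past the end of this hunk.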
@@ -1064,34 +962,32 @@ public List getAllServiceResources() { try { ret = tagStore.getServiceResources(new SearchFilter()); - } catch(Exception excp) { + } catch (Exception excp) { LOG.error("getAllServiceResources() failed", excp); throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); } - if(LOG.isDebugEnabled()) { - LOG.debug("<== TagREST.getAllServiceResources(): count=" + (ret == null ? 0 : ret.size())); - } + LOG.debug("<== TagREST.getAllServiceResources(): count={}", (ret == null ? 0 : ret.size())); return ret; } @GET @Path(TagRESTConstants.RESOURCES_RESOURCE_PAGINATED) - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public RangerServiceResourceWithTagsList getServiceResourcesWithTags(@Context HttpServletRequest request) { - if (LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.getServiceResources()"); - } + LOG.debug("==> TagREST.getServiceResources()"); RangerServiceResourceWithTagsList ret; try { SearchFilter filter = searchUtil.getSearchFilter(request, rangerServiceResourceWithTagsService.sortFields); + searchUtil.extractIntList(request, filter, SearchFilter.TAG_RESOURCE_IDS, "Tag resource list"); searchUtil.extractStringList(request, filter, SearchFilter.TAG_NAMES, "Tag type List", "tagTypes", null, null); + ret = tagStore.getPaginatedServiceResourcesWithTags(filter); } catch (Exception excp) { LOG.error("getServiceResources() failed", excp); 
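Review bot: The rewritten entry trace in getServiceResourcesWithTags reads `LOG.debug("==> TagREST.getServiceResources()");`, naming a method other than the one it is in, which makes the trace hard to correlate with the request being handled; the return trace and the `LOG.error("getServiceResources() failed", excp);` line at the top of the next hunk carry the same mismatch. Since the commit already touched these lines, `LOG.debug("==> TagREST.getServiceResourcesWithTags()");` and the matching exit and error messages would be a cheap fix. getServiceResourcesWithTags continues past the end of this hunk.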
@@ -1099,28 +995,24 @@ public RangerServiceResourceWithTagsList getServiceResourcesWithTags(@Context Ht throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); } - if (LOG.isDebugEnabled()) { - LOG.debug("<== TagREST.getServiceResources(): count=" + ((ret == null || ret.getList() == null) ? 0 : ret.getList().size())); - } + LOG.debug("<== TagREST.getServiceResources(): count={}", ((ret == null || ret.getList() == null) ? 0 : ret.getList().size())); return ret; } @POST @Path(TagRESTConstants.TAGRESOURCEMAPS_RESOURCE) - @Consumes({ "application/json" }) - @Produces({ "application/json" }) + @Consumes("application/json") + @Produces("application/json") @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - public RangerTagResourceMap createTagResourceMap(@QueryParam("tag-guid") String tagGuid, @QueryParam("resource-guid") String resourceGuid, - @DefaultValue("false") @QueryParam("lenient") boolean lenient) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.createTagResourceMap(" + tagGuid + ", " + resourceGuid + ", " + lenient + ")"); - } + public RangerTagResourceMap createTagResourceMap(@QueryParam("tag-guid") String tagGuid, @QueryParam("resource-guid") String resourceGuid, @DefaultValue("false") @QueryParam("lenient") boolean lenient) { + LOG.debug("==> TagREST.createTagResourceMap({}, {}, {})", tagGuid, resourceGuid, lenient); RangerTagResourceMap tagResourceMap; try { tagResourceMap = tagStore.getTagResourceMapForTagAndResourceGuid(tagGuid, resourceGuid); + if (tagResourceMap == null) { tagResourceMap = validator.preCreateTagResourceMap(tagGuid, resourceGuid); 
@@ -1128,15 +1020,13 @@ public RangerTagResourceMap createTagResourceMap(@QueryParam("tag-guid") String } else if (!lenient) { throw new Exception("tagResourceMap with tag-guid=" + tagGuid + " and resource-guid=" + resourceGuid + " already exists"); } - } catch(Exception excp) { - LOG.error("createTagResourceMap(" + tagGuid + ", " + resourceGuid + ", " + lenient + ") failed", excp); + } catch (Exception excp) { + LOG.error("createTagResourceMap({}, {}, {})", tagGuid, resourceGuid, lenient, excp); throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); } - if(LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.createTagResourceMap(" + tagGuid + ", " + resourceGuid + ", " + lenient + ")"); - } + LOG.debug("==> TagREST.createTagResourceMap({}, {}, {})", tagGuid, resourceGuid, lenient); return tagResourceMap; } @@ -1145,9 +1035,8 @@ public RangerTagResourceMap createTagResourceMap(@QueryParam("tag-guid") String @Path(TagRESTConstants.TAGRESOURCEMAP_RESOURCE + "{id}") @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public void deleteTagResourceMap(@PathParam("id") Long id) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.deleteTagResourceMap(" + id + ")"); - } + LOG.debug("==> TagREST.deleteTagResourceMap({})", id); + try { validator.preDeleteTagResourceMap(id); tagStore.deleteTagResourceMap(id); 
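Review bot: The return trace of createTagResourceMap was rewritten with the entry arrow, `LOG.debug("==> TagREST.createTagResourceMap({}, {}, {})", tagGuid, resourceGuid, lenient);`, so each call logs two entries and no exit, while the rest of the class uses `<==` for the return trace. The same inverted arrow appears in the rewritten return traces of the two-argument `deleteTagResourceMap(tagGuid, resourceGuid)` and `getTagResourceMap(tagGuid, resourceGuid)` in the hunk at -1157. Changing the three to `<==` keeps the entry/exit pairing intact for anyone following a request through the debug log. The deleteTagResourceMap(Long) body in the second hunk on this line continues outside it.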
@@ -1157,170 +1046,142 @@ public void deleteTagResourceMap(@PathParam("id") Long id) { throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); } - if(LOG.isDebugEnabled()) { - LOG.debug("<== TagREST.deleteTagResourceMap(" + id + ")"); - } + LOG.debug("<== TagREST.deleteTagResourceMap({})", id); } @DELETE @Path(TagRESTConstants.TAGRESOURCEMAP_RESOURCE + "guid/{guid}") @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public void deleteTagResourceMapByGuid(@PathParam("guid") String guid) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.deleteTagResourceMapByGuid(" + guid + ")"); - } + LOG.debug("==> TagREST.deleteTagResourceMapByGuid({})", guid); try { RangerTagResourceMap exist = validator.preDeleteTagResourceMapByGuid(guid); + tagStore.deleteTagResourceMap(exist.getId()); - } catch(Exception excp) { - LOG.error("deleteTagResourceMapByGuid(" + guid + ") failed", excp); + } catch (Exception excp) { + LOG.error("deleteTagResourceMapByGuid({}) failed", guid, excp); throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); } - if(LOG.isDebugEnabled()) { - LOG.debug("<== TagREST.deleteTagResourceMapByGuid(" + guid + ")"); - } + LOG.debug("<== TagREST.deleteTagResourceMapByGuid({})", guid); } @DELETE @Path(TagRESTConstants.TAGRESOURCEMAPS_RESOURCE) @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public void deleteTagResourceMap(@QueryParam("tag-guid") String tagGuid, @QueryParam("resource-guid") String resourceGuid) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.deleteTagResourceMap(" + tagGuid + ", " + resourceGuid + ")"); - } + LOG.debug("==> TagREST.deleteTagResourceMap({}, {})", tagGuid, resourceGuid); try { RangerTagResourceMap exist = validator.preDeleteTagResourceMap(tagGuid, resourceGuid); + tagStore.deleteTagResourceMap(exist.getId()); - } catch(Exception excp) { - LOG.error("deleteTagResourceMap(" + tagGuid + ", " + resourceGuid + ") failed", excp); + } catch (Exception 
excp) { + LOG.error("deleteTagResourceMap({}, {}) failed", tagGuid, resourceGuid, excp); throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); } - if(LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.deleteTagResourceMap(" + tagGuid + ", " + resourceGuid + ")"); - } + LOG.debug("==> TagREST.deleteTagResourceMap({}, {})", tagGuid, resourceGuid); } @GET @Path(TagRESTConstants.TAGRESOURCEMAP_RESOURCE + "{id}") - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public RangerTagResourceMap getTagResourceMap(@PathParam("id") Long id) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.getTagResourceMap(" + id + ")"); - } + LOG.debug("==> TagREST.getTagResourceMap({})", id); RangerTagResourceMap ret; try { ret = tagStore.getTagResourceMap(id); - } catch(Exception excp) { - LOG.error("getTagResourceMap(" + id + ") failed", excp); + } catch (Exception excp) { + LOG.error("getTagResourceMap({}) failed", id, excp); throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); } - if(LOG.isDebugEnabled()) { - LOG.debug("<== TagREST.getTagResourceMap(" + id + "): " + ret); - } + LOG.debug("<== TagREST.getTagResourceMap({}): {}", id, ret); return ret; } @GET @Path(TagRESTConstants.TAGRESOURCEMAP_RESOURCE + "guid/{guid}") - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public RangerTagResourceMap getTagResourceMapByGuid(@PathParam("guid") String guid) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.getTagResourceMapByGuid(" + guid + ")"); - } + LOG.debug("==> TagREST.getTagResourceMapByGuid({})", guid); RangerTagResourceMap ret; try { ret = tagStore.getTagResourceMapByGuid(guid); - } catch(Exception excp) { - LOG.error("getTagResourceMapByGuid(" + guid + ") failed", excp); + } catch (Exception excp) { + LOG.error("getTagResourceMapByGuid({}) failed", guid, 
excp); throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); } - if(LOG.isDebugEnabled()) { - LOG.debug("<== TagREST.getTagResourceMapByGuid(" + guid + "): " + ret); - } + LOG.debug("<== TagREST.getTagResourceMapByGuid({}): {}", guid, ret); return ret; } @GET @Path(TagRESTConstants.TAGRESOURCEMAP_RESOURCE + "tag-resource-guid") - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public RangerTagResourceMap getTagResourceMap(@QueryParam("tagGuid") String tagGuid, @QueryParam("resourceGuid") String resourceGuid) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.getTagResourceMap(" + tagGuid + ", " + resourceGuid + ")"); - } + LOG.debug("==> TagREST.getTagResourceMap({}, {})", tagGuid, resourceGuid); - RangerTagResourceMap ret = null; + RangerTagResourceMap ret; try { ret = tagStore.getTagResourceMapForTagAndResourceGuid(tagGuid, resourceGuid); - } catch(Exception excp) { - LOG.error("getTagResourceMap(" + tagGuid + ", " + resourceGuid + ") failed", excp); + } catch (Exception excp) { + LOG.error("getTagResourceMap({}, {}) failed", tagGuid, resourceGuid, excp); throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); } - if(LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.getTagResourceMap(" + tagGuid + ", " + resourceGuid + ")"); - } + LOG.debug("==> TagREST.getTagResourceMap({}, {})", tagGuid, resourceGuid); return ret; } @GET @Path(TagRESTConstants.TAGRESOURCEMAPS_RESOURCE) - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public List getAllTagResourceMaps() { - if(LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.getAllTagResourceMaps()"); - } + LOG.debug("==> TagREST.getAllTagResourceMaps()"); List ret; try { ret = tagStore.getTagResourceMaps(new SearchFilter()); - } catch(Exception excp) { + } catch (Exception excp) { 
LOG.error("getAllTagResourceMaps() failed", excp); throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); } if (CollectionUtils.isEmpty(ret)) { - if (LOG.isDebugEnabled()) { - LOG.debug("getAllTagResourceMaps() - No tag-resource-maps found"); - } - } - if(LOG.isDebugEnabled()) { - LOG.debug("<== TagREST.getAllTagResourceMaps(): " + ret); + LOG.debug("getAllTagResourceMaps() - No tag-resource-maps found"); } + LOG.debug("<== TagREST.getAllTagResourceMaps(): {}", ret); return ret; } @GET @Path(TagRESTConstants.TAGRESOURCEMAPS_RESOURCE_PAGINATED) - @Produces({ "application/json" }) + @Produces("application/json") @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public PList getTagResourceMaps(@Context HttpServletRequest request) { - if (LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.getTagResourceMaps()"); - } + LOG.debug("==> TagREST.getTagResourceMaps()"); final PList ret; 
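Review bot: The rewritten return trace in getAllTagResourceMaps logs the whole result, `LOG.debug("<== TagREST.getAllTagResourceMaps(): {}", ret);`, whereas the sibling getAllServiceResources logs only a count; with many tag-resource maps this writes every mapping's toString into the log on each call once debug is enabled. `LOG.debug("<== TagREST.getAllTagResourceMaps(): count={}", ret == null ? 0 : ret.size());` matches the class convention, and the getTagResourceMaps return trace at the start of the next hunk has the same shape. getTagResourceMaps itself runs past the end of this hunk.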
@@ -1338,33 +1199,28 @@ public PList getTagResourceMaps(@Context HttpServletReques throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "Not found", true); } - if (LOG.isDebugEnabled()) { - LOG.debug("<== TagREST.getTagResourceMaps(): " + ret); - } + LOG.debug("<== TagREST.getTagResourceMaps(): {}", ret); return ret; } - // This API is used by tag-sync to upload tag-objects - @PUT @Path(TagRESTConstants.IMPORT_SERVICETAGS_RESOURCE) - @Consumes({ "application/json" }) - @Produces({ "application/json" }) + @Consumes("application/json") + @Produces("application/json") @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public void importServiceTags(ServiceTags serviceTags) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.importServiceTags()"); - } + LOG.debug("==> TagREST.importServiceTags()"); RangerPerfTracer perf = null; - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "TagREST.importServiceTags(service=" + (serviceTags != null ? serviceTags.getServiceName() : null) + ")"); } try { ServiceTagsProcessor serviceTagsProcessor = new ServiceTagsProcessor(tagStore); + serviceTagsProcessor.process(serviceTags); } catch (Exception excp) { LOG.error("importServiceTags() failed", excp); 
@@ -1374,40 +1230,32 @@ public void importServiceTags(ServiceTags serviceTags) { RangerPerfTracer.log(perf); } - if(LOG.isDebugEnabled()) { - LOG.debug("<== TagREST.importServiceTags()"); - } + LOG.debug("<== TagREST.importServiceTags()"); } - // This API is typically used by plug-in to get selected tagged resources from RangerAdmin + // This API is used by tag-sync to upload tag-objects @GET @Path(TagRESTConstants.TAGS_DOWNLOAD + "{serviceName}") - @Produces({ "application/json" }) - public ServiceTags getServiceTagsIfUpdated(@PathParam("serviceName") String serviceName, - @QueryParam(TagRESTConstants.LAST_KNOWN_TAG_VERSION_PARAM) Long lastKnownVersion, - @DefaultValue("0") @QueryParam(TagRESTConstants.LAST_ACTIVATION_TIME) Long lastActivationTime, @QueryParam("pluginId") String pluginId, - @DefaultValue("false") @QueryParam(RangerRESTUtils.REST_PARAM_SUPPORTS_TAG_DELTAS) Boolean supportsTagDeltas, - @DefaultValue("") @QueryParam(RangerRESTUtils.REST_PARAM_CAPABILITIES) String pluginCapabilities, - @Context HttpServletRequest request) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.getServiceTagsIfUpdated(" + serviceName + ", " + lastKnownVersion + ", " + lastActivationTime + ", " + pluginId + ", " + supportsTagDeltas + ")"); - } + @Produces("application/json") + public ServiceTags getServiceTagsIfUpdated(@PathParam("serviceName") String serviceName, @QueryParam(TagRESTConstants.LAST_KNOWN_TAG_VERSION_PARAM) Long lastKnownVersion, @DefaultValue("0") @QueryParam(TagRESTConstants.LAST_ACTIVATION_TIME) Long lastActivationTime, @QueryParam("pluginId") String pluginId, @DefaultValue("false") @QueryParam(RangerRESTUtils.REST_PARAM_SUPPORTS_TAG_DELTAS) Boolean supportsTagDeltas, @DefaultValue("") @QueryParam(RangerRESTUtils.REST_PARAM_CAPABILITIES) String pluginCapabilities, @Context HttpServletRequest request) { + LOG.debug("==> TagREST.getServiceTagsIfUpdated({}, {}, {}, {}, {})", serviceName, lastKnownVersion, lastActivationTime, pluginId, supportsTagDeltas); 
RangerPerfTracer perf = null; - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "TagREST.getServiceTagsIfUpdated(service=" + serviceName + ", lastKnownVersion=" + lastKnownVersion + ")"); } - ServiceTags ret = null; - int httpCode = HttpServletResponse.SC_OK; - String logMsg = null; - Long downloadedVersion = null; - String clusterName = null; - if (request != null) { - clusterName = !StringUtils.isEmpty(request.getParameter(SearchFilter.CLUSTER_NAME)) ? request.getParameter(SearchFilter.CLUSTER_NAME) : ""; - } + ServiceTags ret = null; + int httpCode = HttpServletResponse.SC_OK; + Long downloadedVersion = null; + String clusterName = null; + String logMsg; + + if (request != null) { + clusterName = !StringUtils.isEmpty(request.getParameter(SearchFilter.CLUSTER_NAME)) ? request.getParameter(SearchFilter.CLUSTER_NAME) : ""; + } try { bizUtil.failUnauthenticatedDownloadIfNotAllowed(); 
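Review bot: The comment re-added in this hunk, `// This API is used by tag-sync to upload tag-objects`, now sits above the `@GET @Path(TagRESTConstants.TAGS_DOWNLOAD + "{serviceName}")` download method getServiceTagsIfUpdated, while the previous hunk removed it from the PUT importServiceTags method it described; the comment that used to describe getServiceTagsIfUpdated, `// This API is typically used by plug-in to get selected tagged resources from RangerAdmin`, is likewise re-added above getSecureServiceTagsIfUpdated in the hunk at -1416. Both comments appear to have shifted one method down. Restoring the tag-sync comment above importServiceTags and the plug-in comment above getServiceTagsIfUpdated (adding an equivalent one to the secure variant if wanted) fixes the mislabelling. getServiceTagsIfUpdated continues past the end of this hunk.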
@@ -1416,129 +1264,123 @@ public ServiceTags getServiceTagsIfUpdated(@PathParam("serviceName") String serv if (ret == null) { downloadedVersion = lastKnownVersion; - httpCode = HttpServletResponse.SC_NOT_MODIFIED; - logMsg = "No change since last update"; + httpCode = HttpServletResponse.SC_NOT_MODIFIED; + logMsg = "No change since last update"; } else { downloadedVersion = ret.getTagVersion(); - httpCode = HttpServletResponse.SC_OK; - logMsg = "Returning " + (ret.getTags() != null ? ret.getTags().size() : 0) + " tags. Tag version=" + ret.getTagVersion(); + logMsg = "Returning " + (ret.getTags() != null ? ret.getTags().size() : 0) + " tags. Tag version=" + ret.getTagVersion(); } } catch (WebApplicationException webException) { httpCode = webException.getResponse().getStatus(); - logMsg = webException.getResponse().getEntity().toString(); - } catch(Exception excp) { - httpCode = HttpServletResponse.SC_BAD_REQUEST; - logMsg = excp.getMessage(); + logMsg = webException.getResponse().getEntity().toString(); + } catch (Exception excp) { + httpCode = HttpServletResponse.SC_BAD_REQUEST; + logMsg = excp.getMessage(); } finally { assetMgr.createPluginInfo(serviceName, pluginId, request, RangerPluginInfo.ENTITY_TYPE_TAGS, downloadedVersion, lastKnownVersion, lastActivationTime, httpCode, clusterName, pluginCapabilities); RangerPerfTracer.log(perf); } - if(httpCode != HttpServletResponse.SC_OK) { + if (httpCode != HttpServletResponse.SC_OK) { boolean logError = httpCode != HttpServletResponse.SC_NOT_MODIFIED; + throw restErrorUtil.createRESTException(httpCode, logMsg, logError); } - if(LOG.isDebugEnabled()) { - LOG.debug("<== TagREST.getServiceTagsIfUpdated(" + serviceName + ", " + lastKnownVersion + ", " + lastActivationTime + ", " + pluginId + ", " + supportsTagDeltas + ")"); - } + LOG.debug("<== TagREST.getServiceTagsIfUpdated({}, {}, {}, {}, {})", serviceName, lastKnownVersion, lastActivationTime, pluginId, supportsTagDeltas); return ret; } + // This API is typically used 
by plug-in to get selected tagged resources from RangerAdmin + @GET @Path(TagRESTConstants.TAGS_SECURE_DOWNLOAD + "{serviceName}") - @Produces({ "application/json" }) - public ServiceTags getSecureServiceTagsIfUpdated(@PathParam("serviceName") String serviceName, - @QueryParam(TagRESTConstants.LAST_KNOWN_TAG_VERSION_PARAM) Long lastKnownVersion, - @DefaultValue("0") @QueryParam(TagRESTConstants.LAST_ACTIVATION_TIME) Long lastActivationTime, @QueryParam("pluginId") String pluginId, - @DefaultValue("false") @QueryParam(RangerRESTUtils.REST_PARAM_SUPPORTS_TAG_DELTAS) Boolean supportsTagDeltas, - @DefaultValue("") @QueryParam(RangerRESTUtils.REST_PARAM_CAPABILITIES) String pluginCapabilities, - @Context HttpServletRequest request) { - - if(LOG.isDebugEnabled()) { - LOG.debug("==> TagREST.getSecureServiceTagsIfUpdated(" + serviceName + ", " + lastKnownVersion + ", " + lastActivationTime + ", " + pluginId + ", " + supportsTagDeltas + ")"); - } + @Produces("application/json") + public ServiceTags getSecureServiceTagsIfUpdated(@PathParam("serviceName") String serviceName, @QueryParam(TagRESTConstants.LAST_KNOWN_TAG_VERSION_PARAM) Long lastKnownVersion, @DefaultValue("0") @QueryParam(TagRESTConstants.LAST_ACTIVATION_TIME) Long lastActivationTime, @QueryParam("pluginId") String pluginId, @DefaultValue("false") @QueryParam(RangerRESTUtils.REST_PARAM_SUPPORTS_TAG_DELTAS) Boolean supportsTagDeltas, @DefaultValue("") @QueryParam(RangerRESTUtils.REST_PARAM_CAPABILITIES) String pluginCapabilities, @Context HttpServletRequest request) { + LOG.debug("==> TagREST.getSecureServiceTagsIfUpdated({}, {}, {}, {}, {})", serviceName, lastKnownVersion, lastActivationTime, pluginId, supportsTagDeltas); RangerPerfTracer perf = null; - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "TagREST.getSecureServiceTagsIfUpdated(service=" + serviceName + ", lastKnownVersion=" + lastKnownVersion + 
")"); } - ServiceTags ret = null; - int httpCode = HttpServletResponse.SC_OK; - String logMsg = null; - boolean isAllowed = false; - boolean isAdmin = bizUtil.isAdmin(); - boolean isKeyAdmin = bizUtil.isKeyAdmin(); - Long downloadedVersion = null; - String clusterName = null; - if (request != null) { - clusterName = !StringUtils.isEmpty(request.getParameter(SearchFilter.CLUSTER_NAME)) ? request.getParameter(SearchFilter.CLUSTER_NAME) : ""; - } + ServiceTags ret = null; + int httpCode = HttpServletResponse.SC_OK; + boolean isAdmin = bizUtil.isAdmin(); + boolean isKeyAdmin = bizUtil.isKeyAdmin(); + Long downloadedVersion = null; + String clusterName = null; + String logMsg; + boolean isAllowed; + + if (request != null) { + clusterName = !StringUtils.isEmpty(request.getParameter(SearchFilter.CLUSTER_NAME)) ? request.getParameter(SearchFilter.CLUSTER_NAME) : ""; + } try { - XXService xService = daoManager.getXXService().findByName(serviceName); - if (xService == null) { - LOG.error("Requested Service not found. serviceName=" + serviceName); - throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "Service:" + serviceName + " not found", - false); + XXService xService = daoManager.getXXService().findByName(serviceName); + + if (xService == null) { + LOG.error("Requested Service not found. 
serviceName={}", serviceName); + + throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "Service:" + serviceName + " not found", false); } - XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType()); - RangerService rangerService = svcStore.getServiceByName(serviceName); - - if (StringUtils.equals(xServiceDef.getImplclassname(), EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) { - if (isKeyAdmin) { - isAllowed = true; - }else { - isAllowed = bizUtil.isUserAllowed(rangerService, Allowed_User_List_For_Tag_Download); - } - }else{ - if (isAdmin) { - isAllowed = true; - }else{ - isAllowed = bizUtil.isUserAllowed(rangerService, Allowed_User_List_For_Tag_Download); - } - } - if (isAllowed) { - ret = tagStore.getServiceTagsIfUpdated(serviceName, lastKnownVersion, !supportsTagDeltas); - - if(ret == null) { + + XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType()); + RangerService rangerService = svcStore.getServiceByName(serviceName); + + if (StringUtils.equals(xServiceDef.getImplclassname(), EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) { + if (isKeyAdmin) { + isAllowed = true; + } else { + isAllowed = bizUtil.isUserAllowed(rangerService, Allowed_User_List_For_Tag_Download); + } + } else { + if (isAdmin) { + isAllowed = true; + } else { + isAllowed = bizUtil.isUserAllowed(rangerService, Allowed_User_List_For_Tag_Download); + } + } + if (isAllowed) { + ret = tagStore.getServiceTagsIfUpdated(serviceName, lastKnownVersion, !supportsTagDeltas); + + if (ret == null) { downloadedVersion = lastKnownVersion; - httpCode = HttpServletResponse.SC_NOT_MODIFIED; - logMsg = "No change since last update"; - } else { + httpCode = HttpServletResponse.SC_NOT_MODIFIED; + logMsg = "No change since last update"; + } else { downloadedVersion = ret.getTagVersion(); - httpCode = HttpServletResponse.SC_OK; - logMsg = "Returning " + (ret.getTags() != null ? ret.getTags().size() : 0) + " tags. 
Tag version=" + ret.getTagVersion();
- }
- }else{
- LOG.error("getSecureServiceTagsIfUpdated(" + serviceName + ", " + lastKnownVersion + ", " + lastActivationTime + ") failed as User doesn't have permission to download tags");
- httpCode = HttpServletResponse.SC_FORBIDDEN; // assert user is authenticated.
- logMsg = "User doesn't have permission to download tags";
- }
+ logMsg = "Returning " + (ret.getTags() != null ? ret.getTags().size() : 0) + " tags. Tag version=" + ret.getTagVersion();
+ }
+ } else {
+ LOG.error("getSecureServiceTagsIfUpdated({}, {}, {}) failed as User doesn't have permission to download tags", serviceName, lastKnownVersion, lastActivationTime);
+
+ httpCode = HttpServletResponse.SC_FORBIDDEN; // assert user is authenticated.
+ logMsg = "User doesn't have permission to download tags";
+ }
 } catch (WebApplicationException webException) {
 httpCode = webException.getResponse().getStatus();
- logMsg = webException.getResponse().getEntity().toString();
+ logMsg = webException.getResponse().getEntity().toString();
 } catch (Exception excp) {
- httpCode = HttpServletResponse.SC_BAD_REQUEST;
- logMsg = excp.getMessage();
- } finally {
+ httpCode = HttpServletResponse.SC_BAD_REQUEST;
+ logMsg = excp.getMessage();
+ } finally {
 assetMgr.createPluginInfo(serviceName, pluginId, request, RangerPluginInfo.ENTITY_TYPE_TAGS, downloadedVersion, lastKnownVersion, lastActivationTime, httpCode, clusterName, pluginCapabilities);
 RangerPerfTracer.log(perf);
 }
- if(httpCode != HttpServletResponse.SC_OK) {
+ if (httpCode != HttpServletResponse.SC_OK) {
 boolean logError = httpCode != HttpServletResponse.SC_NOT_MODIFIED;
+
 throw restErrorUtil.createRESTException(httpCode, logMsg, logError);
 }
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== TagREST.getSecureServiceTagsIfUpdated(" + serviceName + ", " + lastKnownVersion + ", " + lastActivationTime + ", " + pluginId + ", " + supportsTagDeltas + ")");
- }
+ LOG.debug("<== TagREST.getSecureServiceTagsIfUpdated({}, {}, {}, {}, 
{})", serviceName, lastKnownVersion, lastActivationTime, pluginId, supportsTagDeltas);
 return ret;
 }
@@ -1547,15 +1389,14 @@ public ServiceTags getSecureServiceTagsIfUpdated(@PathParam("serviceName") Strin
 @Path("/server/tagdeltas")
 @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
 public void deleteTagDeltas(@DefaultValue("3") @QueryParam("days") Integer olderThan, @Context HttpServletRequest request) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceREST.deleteTagDeltas(" + olderThan + ")");
- }
+ LOG.debug("==> ServiceREST.deleteTagDeltas({})", olderThan);
 svcStore.resetTagUpdateLog(olderThan, ServiceTags.TagsChangeType.INVALIDATE_TAG_DELTAS);
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceREST.deleteTagDeltas(" + olderThan + ")");
- }
+ LOG.debug("<== ServiceREST.deleteTagDeltas({})", olderThan);
 }
+ TagStore getTagStore() {
+ return tagStore;
+ }
 }
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/TagRESTConstants.java b/security-admin/src/main/java/org/apache/ranger/rest/TagRESTConstants.java
index fe05d9febf..ee80ad8eeb 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/TagRESTConstants.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/TagRESTConstants.java
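Review bot: The new package-private `getTagStore()` at the end of this hunk carries no comment saying why a JAX-RS resource exposes its backing store; nothing in the hunk calls it, so it reads like a test seam, and without a note it looks like an accidental widening of access. A one-liner such as `/** Package-private accessor for tests; not part of the REST surface. */` would settle that. In `deleteTagDeltas`, `olderThan` still flows straight from the `days` query parameter into `svcStore.resetTagUpdateLog` with no range check; whether a zero or negative value is rejected downstream is not visible here, so either reject it in the resource with `restErrorUtil.createRESTException` as the other resources do, or document that the store handles it. The unused `request` parameter would also benefit from a comment if it is only there for JAX-RS injection.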
@@ -20,28 +20,30 @@ package org.apache.ranger.rest;
 public class TagRESTConstants {
- public static final String TAGDEF_NAME_AND_VERSION = "tags";
+ public static final String TAGDEF_NAME_AND_VERSION = "tags";
+ public static final String SERVICE_NAME_PARAM = "serviceName";
+ public static final String LAST_KNOWN_TAG_VERSION_PARAM = "lastKnownVersion";
+ public static final String LAST_ACTIVATION_TIME = "lastActivationTime";
+ public static final String PATTERN_PARAM = "pattern";
+ static final String TAGDEFS_RESOURCE = "/tagdefs/";
+ static final String TAGDEFS_RESOURCE_PAGINATED = "/tagdefs/paginated";
+ static final String TAGDEF_RESOURCE = "/tagdef/";
+ static final String TAGS_RESOURCE = "/tags/";
+ static final String TAGS_RESOURCE_PAGINATED = "/tags/paginated";
+ static final String TAG_RESOURCE = "/tag/";
+ static final String RESOURCES_RESOURCE = "/resources/";
+ static final String RESOURCES_RESOURCE_PAGINATED = "/resources/paginated";
+ static final String RESOURCE_RESOURCE = "/resource/";
+ static final String TAGRESOURCEMAPS_RESOURCE = "/tagresourcemaps/";
+ static final String TAGRESOURCEMAPS_RESOURCE_PAGINATED = "/tagresourcemaps/paginated";
+ static final String IMPORT_SERVICETAGS_RESOURCE = "/importservicetags/";
+ static final String TAGRESOURCEMAP_RESOURCE = "/tagresourcemap/";
+ static final String TAGTYPES_RESOURCE = "/types/";
+ static final String TAGTYPES_LOOKUP_RESOURCE = "/types/lookup/";
+ static final String TAGS_DOWNLOAD = "/download/";
+ static final String TAGS_SECURE_DOWNLOAD = "/secure/download/";
- static final String TAGDEFS_RESOURCE = "/tagdefs/";
- static final String TAGDEFS_RESOURCE_PAGINATED = "/tagdefs/paginated";
- static final String TAGDEF_RESOURCE = "/tagdef/";
- static final String TAGS_RESOURCE = "/tags/";
- static final String TAGS_RESOURCE_PAGINATED = "/tags/paginated";
- static final String TAG_RESOURCE = "/tag/";
- static final String RESOURCES_RESOURCE = "/resources/";
- static final String 
RESOURCES_RESOURCE_PAGINATED = "/resources/paginated";
- static final String RESOURCE_RESOURCE = "/resource/";
- static final String TAGRESOURCEMAPS_RESOURCE = "/tagresourcemaps/";
- static final String TAGRESOURCEMAPS_RESOURCE_PAGINATED = "/tagresourcemaps/paginated";
- static final String IMPORT_SERVICETAGS_RESOURCE = "/importservicetags/";
- static final String TAGRESOURCEMAP_RESOURCE = "/tagresourcemap/";
- static final String TAGTYPES_RESOURCE = "/types/";
- static final String TAGTYPES_LOOKUP_RESOURCE = "/types/lookup/";
- static final String TAGS_DOWNLOAD = "/download/";
- static final String TAGS_SECURE_DOWNLOAD = "/secure/download/";
-
- public static final String SERVICE_NAME_PARAM = "serviceName";
- public static final String LAST_KNOWN_TAG_VERSION_PARAM = "lastKnownVersion";
- public static final String LAST_ACTIVATION_TIME = "lastActivationTime";
- public static final String PATTERN_PARAM = "pattern";
+ private TagRESTConstants() {
+ //To block instantiation
+ }
 }
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/UserREST.java b/security-admin/src/main/java/org/apache/ranger/rest/UserREST.java
index 4708b86387..8f8692afd5 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/UserREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/UserREST.java
@@ -17,22 +17,7 @@
 * under the License.
 */
- package org.apache.ranger.rest;
-
-import java.util.Arrays;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.Consumes;
-import javax.ws.rs.GET;
-import javax.ws.rs.POST;
-import javax.ws.rs.PUT;
-import javax.ws.rs.Path;
-import javax.ws.rs.PathParam;
-import javax.ws.rs.Produces;
-import javax.ws.rs.core.Context;
+package org.apache.ranger.rest;
 import org.apache.ranger.biz.UserMgr;
 import org.apache.ranger.biz.XUserMgr;
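Review bot: With a private constructor now blocking instantiation, `TagRESTConstants` should also be declared `public final class TagRESTConstants {` so the intent cannot be sidestepped by subclassing; this is a point of style rather than a defect. The new constructor comment would read better with a space and a reason, e.g. `// constants holder; not meant to be instantiated`.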
@@ -66,6 +51,20 @@ import org.springframework.transaction.annotation.Propagation;
 import org.springframework.transaction.annotation.Transactional;
+import javax.servlet.http.HttpServletRequest;
+import javax.ws.rs.Consumes;
+import javax.ws.rs.GET;
+import javax.ws.rs.POST;
+import javax.ws.rs.PUT;
+import javax.ws.rs.Path;
+import javax.ws.rs.PathParam;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.Context;
+
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
 @Path("users")
 @Component
@@ -73,293 +72,289 @@ @RangerAnnotationJSMgrName("UserMgr") @Transactional(propagation = Propagation.REQUIRES_NEW) public class UserREST { - private static final Logger logger = LoggerFactory.getLogger(UserREST.class); - - @Autowired - StringUtil stringUtil; - - @Autowired - RangerDaoManager daoManager; - - @Autowired - RangerConfigUtil configUtil; - - @Autowired - RESTErrorUtil restErrorUtil; - - @Autowired - SearchUtil searchUtil; - - @Autowired - UserMgr userManager; - - @Autowired - RangerRestUtil msRestUtil; - - @Autowired - XUserMgr xUserMgr; - - private final static List SORT_FIELDS = Arrays.asList( - new SortField("requestDate", "requestDate"), - new SortField("approvedDate", "approvedDate"), - new SortField("activationDate", "activationDate"), - new SortField("emailAddress", "emailAddress"), - new SortField("firstName", "firstName"), - new SortField("lastName", "lastName") - ); - /** - * Implements the traditional search functionalities for UserProfile - * - * @param request - * @return - */ - @GET - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_USERS + "\")") - public VXPortalUserList searchUsers(@Context HttpServletRequest request) { - SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( - request, SORT_FIELDS); - - // userId - searchUtil.extractLong(request, searchCriteria, "userId", "User Id"); - - // loginId - searchUtil.extractString(request, searchCriteria, "loginId", - "Login Id", null); - - // emailAddress - searchUtil.extractString(request, searchCriteria, "emailAddress", - "Email Address", null); - - // firstName - searchUtil.extractString(request, searchCriteria, "firstName", - "First Name", StringUtil.VALIDATION_NAME); - - // lastName - searchUtil.extractString(request, searchCriteria, "lastName", - "Last Name", StringUtil.VALIDATION_NAME); - - // status - searchUtil.extractEnum(request, searchCriteria, "status", "Status", - "statusList", 
RangerConstants.ActivationStatus_MAX); - - // publicScreenName - searchUtil.extractString(request, searchCriteria, "publicScreenName", - "Public Screen Name", StringUtil.VALIDATION_NAME); - // roles - searchUtil.extractStringList(request, searchCriteria, "role", "Role", - "roleList", configUtil.getRoles(), StringUtil.VALIDATION_NAME); - - return userManager.searchUsers(searchCriteria); - } - - /** - * Return the VUserProfile for the given userId - * - * @param userId - * @return - */ - @GET - @Path("{userId}") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_USER_PROFILE_FOR_USER + "\")") - public VXPortalUser getUserProfileForUser(@PathParam("userId") Long userId) { - try { - VXPortalUser userProfile = userManager.getUserProfile(userId); - if (userProfile != null) { - if (logger.isDebugEnabled()) { - logger.debug("getUserProfile() Found User userId=" + userId); - } - } else { - logger.debug("getUserProfile() Not found userId=" + userId); - } - return userProfile; - } catch (Throwable t) { - logger.error("getUserProfile() no user session. 
error=" - + t.toString()); - } - return null; - } - - @POST - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE + "\")") - public VXPortalUser create(VXPortalUser userProfile, - @Context HttpServletRequest servletRequest) { - logger.info("create:" + userProfile.getEmailAddress()); - - return userManager.createUser(userProfile); - } - - // API to add user with default account - @POST - @Path("/default") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_DEFAULT_ACCOUNT_USER + "\")") - public VXPortalUser createDefaultAccountUser(VXPortalUser userProfile, - @Context HttpServletRequest servletRequest) { - VXPortalUser vxPortalUser; - vxPortalUser=userManager.createDefaultAccountUser(userProfile); - if(vxPortalUser!=null) - { - xUserMgr.assignPermissionToUser(vxPortalUser, true); - } - return vxPortalUser; - } - - - @PUT - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - @RangerAnnotationRestAPI(updates_classes = "VUserProfile") - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE + "\")") - public VXPortalUser update(VXPortalUser userProfile, - @Context HttpServletRequest servletRequest) { - logger.info("update:" + userProfile.getEmailAddress()); - XXPortalUser gjUser = daoManager.getXXPortalUser().getById(userProfile.getId()); - userManager.checkAccess(gjUser); - if (gjUser != null) { - msRestUtil.validateVUserProfileForUpdate(gjUser, userProfile); - gjUser = userManager.updateUser(userProfile); - return userManager.mapXXPortalUserVXPortalUser(gjUser); - } else { - logger.info("update(): Invalid userId provided: userId=" - + userProfile.getId()); - throw restErrorUtil.createRESTException("serverMsg.userRestUser", - MessageEnums.DATA_NOT_FOUND, null, null, - userProfile.toString()); - } - } - 
- @PUT - @Path("/{userId}/roles") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SET_USER_ROLES + "\")") - public VXResponse setUserRoles(@PathParam("userId") Long userId, - VXStringList roleList) { - userManager.checkAccess(userId); - userManager.setUserRoles(userId, roleList.getVXStrings()); - VXResponse response = new VXResponse(); - response.setStatusCode(VXResponse.STATUS_SUCCESS); - return response; - } - - /** - * Deactivate the user - * - * @param userId - * @return - */ - @POST - @Path("{userId}/deactivate") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DEACTIVATE_USER + "\")") - @RangerAnnotationClassName(class_name = VXPortalUser.class) - public VXPortalUser deactivateUser(@PathParam("userId") Long userId) { - XXPortalUser gjUser = daoManager.getXXPortalUser().getById(userId); - if (gjUser == null) { - logger.info("update(): Invalid userId provided: userId=" + userId); - throw restErrorUtil.createRESTException("serverMsg.userRestUser", - MessageEnums.DATA_NOT_FOUND, null, null, "" + userId); - } - return userManager.deactivateUser(gjUser); - } - - /** - * This method returns the VUserProfile for the current session - * - * @param request - * @return - */ - @GET - @Path("/profile") - @Produces({ "application/json" }) - public VXPortalUser getUserProfile(@Context HttpServletRequest request) { - try { - logger.debug("getUserProfile(). 
httpSessionId=" - + request.getSession().getId()); - Map configProperties = new HashMap<>(); - Long inactivityTimeout = PropertiesUtil.getLongProperty("ranger.service.inactivity.timeout", 15*60); - configProperties.put("inactivityTimeout", Long.toString(inactivityTimeout)); - VXPortalUser userProfile = userManager.getUserProfileByLoginId(); - userProfile.setConfigProperties(configProperties); - return userProfile; - } catch (Throwable t) { - logger.error( - "getUserProfile() no user session. error=" + t.toString(), - t); - } - return null; - } - - /** - * @param userId - * @param changePassword - * @return - */ - @POST - @Path("{userId}/passwordchange") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public VXResponse changePassword(@PathParam("userId") Long userId, - VXPasswordChange changePassword) { - if(changePassword==null || stringUtil.isEmpty(changePassword.getLoginId())) { - logger.warn("SECURITY:changePassword(): Invalid loginId provided. loginId was empty or null"); - throw restErrorUtil.createRESTException("serverMsg.userRestUser", MessageEnums.DATA_NOT_FOUND, null, null, ""); - } else if (changePassword.getId() == null) { - changePassword.setId(userId); - } else if (!changePassword.getId().equals(userId) ) { - logger.warn("SECURITY:changePassword(): userId mismatch"); - throw restErrorUtil.createRESTException("serverMsg.userRestUser",MessageEnums.DATA_NOT_FOUND, null, null,""); - } - - XXPortalUser gjUser = daoManager.getXXPortalUser().findByLoginId(changePassword.getLoginId()); - if (gjUser == null) { - logger.warn("SECURITY:changePassword(): Invalid loginId provided: loginId="+ changePassword.getLoginId()); - throw restErrorUtil.createRESTException("serverMsg.userRestUser",MessageEnums.DATA_NOT_FOUND, null, null, changePassword.getLoginId()); - } - - changePassword.setId(gjUser.getId()); - VXResponse ret = userManager.changePassword(changePassword); - return ret; - } - - /** - * - * @param userId - * @param changeEmail - * 
@return - */ - @POST - @Path("{userId}/emailchange") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public VXPortalUser changeEmailAddress(@PathParam("userId") Long userId, - VXPasswordChange changeEmail) { - if(changeEmail==null || stringUtil.isEmpty(changeEmail.getLoginId())) { - logger.warn("SECURITY:changeEmail(): Invalid loginId provided. loginId was empty or null"); - throw restErrorUtil.createRESTException("serverMsg.userRestUser", MessageEnums.DATA_NOT_FOUND, null, null, ""); - } else if (changeEmail.getId() == null) { - changeEmail.setId(userId); - } else if (!changeEmail.getId().equals(userId) ) { - logger.warn("SECURITY:changeEmail(): userId mismatch"); - throw restErrorUtil.createRESTException("serverMsg.userRestUser",MessageEnums.DATA_NOT_FOUND, null, null,""); - } - - logger.info("changeEmail:" + changeEmail.getLoginId()); - XXPortalUser gjUser = daoManager.getXXPortalUser().findByLoginId(changeEmail.getLoginId()); - if (gjUser == null) { - logger.warn("SECURITY:changeEmail(): Invalid loginId provided: loginId="+ changeEmail.getLoginId()); - throw restErrorUtil.createRESTException("serverMsg.userRestUser",MessageEnums.DATA_NOT_FOUND, null, null, changeEmail.getLoginId()); - } - - changeEmail.setId(gjUser.getId()); - VXPortalUser ret = userManager.changeEmailAddress(gjUser, changeEmail); - return ret; - } - + private static final Logger logger = LoggerFactory.getLogger(UserREST.class); + + private static final List SORT_FIELDS = Arrays.asList(new SortField("requestDate", "requestDate"), new SortField("approvedDate", "approvedDate"), new SortField("activationDate", "activationDate"), new SortField("emailAddress", "emailAddress"), new SortField("firstName", "firstName"), new SortField("lastName", "lastName")); + + @Autowired + StringUtil stringUtil; + + @Autowired + RangerDaoManager daoManager; + + @Autowired + RangerConfigUtil configUtil; + + @Autowired + RESTErrorUtil restErrorUtil; + + @Autowired + SearchUtil searchUtil; + + 
@Autowired + UserMgr userManager; + + @Autowired + RangerRestUtil msRestUtil; + + @Autowired + XUserMgr xUserMgr; + + /** + * Implements the traditional search functionalities for UserProfile + * + * @param request + * @return + */ + @GET + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_USERS + "\")") + public VXPortalUserList searchUsers(@Context HttpServletRequest request) { + SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(request, SORT_FIELDS); + + // userId + searchUtil.extractLong(request, searchCriteria, "userId", "User Id"); + + // loginId + searchUtil.extractString(request, searchCriteria, "loginId", "Login Id", null); + + // emailAddress + searchUtil.extractString(request, searchCriteria, "emailAddress", "Email Address", null); + + // firstName + searchUtil.extractString(request, searchCriteria, "firstName", "First Name", StringUtil.VALIDATION_NAME); + + // lastName + searchUtil.extractString(request, searchCriteria, "lastName", "Last Name", StringUtil.VALIDATION_NAME); + + // status + searchUtil.extractEnum(request, searchCriteria, "status", "Status", "statusList", RangerConstants.ActivationStatus_MAX); + + // publicScreenName + searchUtil.extractString(request, searchCriteria, "publicScreenName", "Public Screen Name", StringUtil.VALIDATION_NAME); + // roles + searchUtil.extractStringList(request, searchCriteria, "role", "Role", "roleList", configUtil.getRoles(), StringUtil.VALIDATION_NAME); + + return userManager.searchUsers(searchCriteria); + } + + /** + * Return the VUserProfile for the given userId + * + * @param userId + * @return + */ + @GET + @Path("{userId}") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_USER_PROFILE_FOR_USER + "\")") + public VXPortalUser getUserProfileForUser(@PathParam("userId") Long userId) { + try { + VXPortalUser userProfile = userManager.getUserProfile(userId); 
+ + if (userProfile != null) { + logger.debug("getUserProfile() Found User userId={}", userId); + } else { + logger.debug("getUserProfile() Not found userId={}", userId); + } + + return userProfile; + } catch (Throwable t) { + logger.error("getUserProfile() no user session. error={}", String.valueOf(t)); + } + + return null; + } + + @POST + @Consumes("application/json") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE + "\")") + public VXPortalUser create(VXPortalUser userProfile, @Context HttpServletRequest servletRequest) { + logger.info("create:{}", userProfile.getEmailAddress()); + + return userManager.createUser(userProfile); + } + + // API to add user with default account + @POST + @Path("/default") + @Consumes("application/json") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_DEFAULT_ACCOUNT_USER + "\")") + public VXPortalUser createDefaultAccountUser(VXPortalUser userProfile, @Context HttpServletRequest servletRequest) { + VXPortalUser vxPortalUser = userManager.createDefaultAccountUser(userProfile); + + if (vxPortalUser != null) { + xUserMgr.assignPermissionToUser(vxPortalUser, true); + } + + return vxPortalUser; + } + + @PUT + @Consumes("application/json") + @Produces("application/json") + @RangerAnnotationRestAPI(updates_classes = "VUserProfile") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE + "\")") + public VXPortalUser update(VXPortalUser userProfile, @Context HttpServletRequest servletRequest) { + logger.info("update:{}", userProfile.getEmailAddress()); + + XXPortalUser gjUser = daoManager.getXXPortalUser().getById(userProfile.getId()); + + userManager.checkAccess(gjUser); + + if (gjUser != null) { + msRestUtil.validateVUserProfileForUpdate(gjUser, userProfile); + + gjUser = userManager.updateUser(userProfile); + + return 
userManager.mapXXPortalUserVXPortalUser(gjUser); + } else { + logger.info("update(): Invalid userId provided: userId={}", userProfile.getId()); + + throw restErrorUtil.createRESTException("serverMsg.userRestUser", MessageEnums.DATA_NOT_FOUND, null, null, userProfile.toString()); + } + } + + @PUT + @Path("/{userId}/roles") + @Consumes("application/json") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SET_USER_ROLES + "\")") + public VXResponse setUserRoles(@PathParam("userId") Long userId, VXStringList roleList) { + userManager.checkAccess(userId); + userManager.setUserRoles(userId, roleList.getVXStrings()); + + VXResponse response = new VXResponse(); + + response.setStatusCode(VXResponse.STATUS_SUCCESS); + + return response; + } + + /** + * Deactivate the user + * + * @param userId + * @return + */ + @POST + @Path("{userId}/deactivate") + @Consumes("application/json") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DEACTIVATE_USER + "\")") + @RangerAnnotationClassName(class_name = VXPortalUser.class) + public VXPortalUser deactivateUser(@PathParam("userId") Long userId) { + XXPortalUser gjUser = daoManager.getXXPortalUser().getById(userId); + + if (gjUser == null) { + logger.info("update(): Invalid userId provided: userId={}", userId); + + throw restErrorUtil.createRESTException("serverMsg.userRestUser", MessageEnums.DATA_NOT_FOUND, null, null, "" + userId); + } + + return userManager.deactivateUser(gjUser); + } + + /** + * This method returns the VUserProfile for the current session + * + * @param request + * @return + */ + @GET + @Path("/profile") + @Produces("application/json") + public VXPortalUser getUserProfile(@Context HttpServletRequest request) { + try { + logger.debug("getUserProfile(). 
httpSessionId={}", request.getSession().getId()); + + Map configProperties = new HashMap<>(); + long inactivityTimeout = PropertiesUtil.getLongProperty("ranger.service.inactivity.timeout", 15 * 60); + + configProperties.put("inactivityTimeout", Long.toString(inactivityTimeout)); + + VXPortalUser userProfile = userManager.getUserProfileByLoginId(); + + userProfile.setConfigProperties(configProperties); + + return userProfile; + } catch (Throwable t) { + logger.error("getUserProfile() no user session. error={}", t, t); + } + return null; + } + + /** + * @param userId + * @param changePassword + * @return + */ + @POST + @Path("{userId}/passwordchange") + @Consumes("application/json") + @Produces("application/json") + public VXResponse changePassword(@PathParam("userId") Long userId, VXPasswordChange changePassword) { + if (changePassword == null || stringUtil.isEmpty(changePassword.getLoginId())) { + logger.warn("SECURITY:changePassword(): Invalid loginId provided. loginId was empty or null"); + + throw restErrorUtil.createRESTException("serverMsg.userRestUser", MessageEnums.DATA_NOT_FOUND, null, null, ""); + } else if (changePassword.getId() == null) { + changePassword.setId(userId); + } else if (!changePassword.getId().equals(userId)) { + logger.warn("SECURITY:changePassword(): userId mismatch"); + + throw restErrorUtil.createRESTException("serverMsg.userRestUser", MessageEnums.DATA_NOT_FOUND, null, null, ""); + } + + XXPortalUser gjUser = daoManager.getXXPortalUser().findByLoginId(changePassword.getLoginId()); + + if (gjUser == null) { + logger.warn("SECURITY:changePassword(): Invalid loginId provided: loginId={}", changePassword.getLoginId()); + + throw restErrorUtil.createRESTException("serverMsg.userRestUser", MessageEnums.DATA_NOT_FOUND, null, null, changePassword.getLoginId()); + } + + changePassword.setId(gjUser.getId()); + + return userManager.changePassword(changePassword); + } + + /** + * @param userId + * @param changeEmail + * @return + */ + @POST + 
@Path("{userId}/emailchange") + @Consumes("application/json") + @Produces("application/json") + public VXPortalUser changeEmailAddress(@PathParam("userId") Long userId, VXPasswordChange changeEmail) { + if (changeEmail == null || stringUtil.isEmpty(changeEmail.getLoginId())) { + logger.warn("SECURITY:changeEmail(): Invalid loginId provided. loginId was empty or null"); + + throw restErrorUtil.createRESTException("serverMsg.userRestUser", MessageEnums.DATA_NOT_FOUND, null, null, ""); + } else if (changeEmail.getId() == null) { + changeEmail.setId(userId); + } else if (!changeEmail.getId().equals(userId)) { + logger.warn("SECURITY:changeEmail(): userId mismatch"); + + throw restErrorUtil.createRESTException("serverMsg.userRestUser", MessageEnums.DATA_NOT_FOUND, null, null, ""); + } + + logger.info("changeEmail:{}", changeEmail.getLoginId()); + + XXPortalUser gjUser = daoManager.getXXPortalUser().findByLoginId(changeEmail.getLoginId()); + + if (gjUser == null) { + logger.warn("SECURITY:changeEmail(): Invalid loginId provided: loginId={}", changeEmail.getLoginId()); + + throw restErrorUtil.createRESTException("serverMsg.userRestUser", MessageEnums.DATA_NOT_FOUND, null, null, changeEmail.getLoginId()); + } + + changeEmail.setId(gjUser.getId()); + + return userManager.changeEmailAddress(gjUser, changeEmail); + } } diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XAuditREST.java b/security-admin/src/main/java/org/apache/ranger/rest/XAuditREST.java index 4160f15022..6784143490 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/XAuditREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/XAuditREST.java 
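Review bot: In `update()`, `userManager.checkAccess(gjUser);` runs before the `if (gjUser != null)` test, so an unknown `userProfile.getId()` reaches the access check with a null argument; what `checkAccess` does with null is not visible here, but either outcome is wrong — an NPE turns the intended DATA_NOT_FOUND response into a server error, and a silent pass means the authorization check is skipped on that path. Move the null check and its `throw restErrorUtil.createRESTException("serverMsg.userRestUser", MessageEnums.DATA_NOT_FOUND, ...)` ahead of `userManager.checkAccess(gjUser);` so the check always sees a real user. Separately, `getUserProfileForUser` and `getUserProfile` still catch `Throwable` and return null, which appears to leave the client with an empty success response rather than an error for any failure, including the "no user session" case the log message names; narrowing the catch or rethrowing through `restErrorUtil` would make that failure visible to callers. `SORT_FIELDS` and `configProperties` are declared as raw `List`/`Map`; `List<SortField>` and `Map<String, String>` cost nothing and let the compiler check them.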
@@ -17,27 +17,18 @@
 * under the License.
 */
- package org.apache.ranger.rest;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.Consumes;
-import javax.ws.rs.DELETE;
-import javax.ws.rs.GET;
-import javax.ws.rs.POST;
-import javax.ws.rs.PUT;
-import javax.ws.rs.Path;
-import javax.ws.rs.PathParam;
-import javax.ws.rs.Produces;
-import javax.ws.rs.core.Context;
+package org.apache.ranger.rest;
+import org.apache.ranger.biz.RangerBizUtil;
 import org.apache.ranger.biz.XAuditMgr;
 import org.apache.ranger.common.SearchCriteria;
 import org.apache.ranger.common.SearchUtil;
 import org.apache.ranger.common.annotation.RangerAnnotationClassName;
 import org.apache.ranger.common.annotation.RangerAnnotationJSMgrName;
+import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
 import org.apache.ranger.security.context.RangerAPIList;
-import org.apache.ranger.service.XAccessAuditService;
 import org.apache.ranger.service.RangerTrxLogV2Service;
+import org.apache.ranger.service.XAccessAuditService;
 import org.apache.ranger.view.VXAccessAuditList;
 import org.apache.ranger.view.VXLong;
 import org.apache.ranger.view.VXTrxLog;
@@ -48,8 +39,17 @@ import org.springframework.stereotype.Component;
 import org.springframework.transaction.annotation.Propagation;
 import org.springframework.transaction.annotation.Transactional;
-import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
-import org.apache.ranger.biz.RangerBizUtil;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.ws.rs.Consumes;
+import javax.ws.rs.DELETE;
+import javax.ws.rs.GET;
+import javax.ws.rs.POST;
+import javax.ws.rs.PUT;
+import javax.ws.rs.Path;
+import javax.ws.rs.PathParam;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.Context;
 @Path("xaudit")
 @Component
@@ -57,125 +57,120 @@ @RangerAnnotationJSMgrName("XAuditMgr") @Transactional(propagation = Propagation.REQUIRES_NEW) public class XAuditREST { - - @Autowired - SearchUtil searchUtil; - - @Autowired - XAuditMgr xAuditMgr; - - @Autowired - RangerTrxLogV2Service xTrxLogService; - - @Autowired - XAccessAuditService xAccessAuditService; - - @Autowired - RangerBizUtil bizUtil; - - // Handle XTrxLog - @GET - @Path("/trx_log/{id}") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_TRX_LOG + "\")") - public VXTrxLog getXTrxLog( - @PathParam("id") Long id) { - return xAuditMgr.getXTrxLog(id); - } - - @POST - @Path("/trx_log") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_TRX_LOG + "\")") - public VXTrxLog createXTrxLog(VXTrxLog vXTrxLog) { - return xAuditMgr.createXTrxLog(vXTrxLog); - } - - @PUT - @Path("/trx_log") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_TRX_LOG + "\")") - public VXTrxLog updateXTrxLog(VXTrxLog vXTrxLog) { - return xAuditMgr.updateXTrxLog(vXTrxLog); - } - - @DELETE - @Path("/trx_log/{id}") - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_X_TRX_LOG + "\")") - @RangerAnnotationClassName(class_name = VXTrxLog.class) - public void deleteXTrxLog(@PathParam("id") Long id, - @Context HttpServletRequest request) { - boolean force = false; - xAuditMgr.deleteXTrxLog(id, force); - } - - /** - * Implements the traditional search functionalities for XTrxLogs - * - * @param request - * @return - */ - @GET - @Path("/trx_log") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_TRX_LOG + "\")") - public VXTrxLogList searchXTrxLogs(@Context 
HttpServletRequest request) { - SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( - request, xTrxLogService.getSortFields()); - return xAuditMgr.searchXTrxLogs(searchCriteria); - } - - @GET - @Path("/trx_log/count") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_TRX_LOGS + "\")") - public VXLong countXTrxLogs(@Context HttpServletRequest request) { - SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( - request, xTrxLogService.getSortFields()); - - return xAuditMgr.getXTrxLogSearchCount(searchCriteria); - } - - - /** - * Implements the traditional search functionalities for XAccessAudits - * - * @param request - * @return - */ - @GET - @Path("/access_audit") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_ACCESS_AUDITS + "\")") - public VXAccessAuditList searchXAccessAudits(@Context HttpServletRequest request) { - SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(request, xAccessAuditService.sortFields); - long kmsServiceDefId = EmbeddedServiceDefsUtil.instance().getKmsServiceDefId(); - - if (kmsServiceDefId != -1) { - boolean includeKmsAuditLogs = bizUtil.isKeyAdmin() || bizUtil.isAuditKeyAdmin(); - - if (includeKmsAuditLogs) { - searchCriteria.getParamList().put("repoType", kmsServiceDefId); - } else { - searchCriteria.getParamList().put("-repoType", kmsServiceDefId); - } - } - - return xAuditMgr.searchXAccessAudits(searchCriteria); - } - - @GET - @Path("/access_audit/count") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_ACCESS_AUDITS + "\")") - public VXLong countXAccessAudits(@Context HttpServletRequest request) { - VXLong ret = new VXLong(); - - ret.setValue(searchXAccessAudits(request).getTotalCount()); - - return ret; - } - + @Autowired + SearchUtil searchUtil; + + @Autowired 
+ XAuditMgr xAuditMgr;
+
+ @Autowired
+ RangerTrxLogV2Service xTrxLogService;
+
+ @Autowired
+ XAccessAuditService xAccessAuditService;
+
+ @Autowired
+ RangerBizUtil bizUtil;
+
+ // Handle XTrxLog
+ @GET
+ @Path("/trx_log/{id}")
+ @Produces("application/json")
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_TRX_LOG + "\")")
+ public VXTrxLog getXTrxLog(@PathParam("id") Long id) {
+ return xAuditMgr.getXTrxLog(id);
+ }
+
+ @POST
+ @Path("/trx_log")
+ @Consumes("application/json")
+ @Produces("application/json")
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_TRX_LOG + "\")")
+ public VXTrxLog createXTrxLog(VXTrxLog vXTrxLog) {
+ return xAuditMgr.createXTrxLog(vXTrxLog);
+ }
+
+ @PUT
+ @Path("/trx_log")
+ @Consumes("application/json")
+ @Produces("application/json")
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_TRX_LOG + "\")")
+ public VXTrxLog updateXTrxLog(VXTrxLog vXTrxLog) {
+ return xAuditMgr.updateXTrxLog(vXTrxLog);
+ }
+
+ @DELETE
+ @Path("/trx_log/{id}")
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_X_TRX_LOG + "\")")
+ @RangerAnnotationClassName(class_name = VXTrxLog.class)
+ public void deleteXTrxLog(@PathParam("id") Long id, @Context HttpServletRequest request) {
+ boolean force = false;
+
+ xAuditMgr.deleteXTrxLog(id, force);
+ }
+
+ /**
+ * Implements the traditional search functionalities for XTrxLogs
+ *
+ * @param request
+ * @return
+ */
+ @GET
+ @Path("/trx_log")
+ @Produces("application/json")
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_TRX_LOG + "\")")
+ public VXTrxLogList searchXTrxLogs(@Context HttpServletRequest request) {
+ SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(request, xTrxLogService.getSortFields());
+
+ return xAuditMgr.searchXTrxLogs(searchCriteria);
+ }
+
+ @GET
+ @Path("/trx_log/count")
+ @Produces("application/json")
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_TRX_LOGS + "\")")
+ public VXLong countXTrxLogs(@Context HttpServletRequest request) {
+ SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(request, xTrxLogService.getSortFields());
+
+ return xAuditMgr.getXTrxLogSearchCount(searchCriteria);
+ }
+
+ /**
+ * Implements the traditional search functionalities for XAccessAudits
+ *
+ * @param request
+ * @return
+ */
+ @GET
+ @Path("/access_audit")
+ @Produces("application/json")
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_ACCESS_AUDITS + "\")")
+ public VXAccessAuditList searchXAccessAudits(@Context HttpServletRequest request) {
+ SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(request, xAccessAuditService.sortFields);
+ long kmsServiceDefId = EmbeddedServiceDefsUtil.instance().getKmsServiceDefId();
+
+ if (kmsServiceDefId != -1) {
+ boolean includeKmsAuditLogs = bizUtil.isKeyAdmin() || bizUtil.isAuditKeyAdmin();
+
+ if (includeKmsAuditLogs) {
+ searchCriteria.getParamList().put("repoType", kmsServiceDefId);
+ } else {
+ searchCriteria.getParamList().put("-repoType", kmsServiceDefId);
+ }
+ }
+
+ return xAuditMgr.searchXAccessAudits(searchCriteria);
+ }
+
+ @GET
+ @Path("/access_audit/count")
+ @Produces("application/json")
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_ACCESS_AUDITS + "\")")
+ public VXLong countXAccessAudits(@Context HttpServletRequest request) {
+ VXLong ret = new VXLong();
+
+ ret.setValue(searchXAccessAudits(request).getTotalCount());
+
+ return ret;
+ }
 }
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java b/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java
index f07c7824c1..192fe63211 100755
--- a/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java
@@ -18,20 +18,9 @@
 */
 package org.apache.ranger.rest;
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.Consumes;
-import javax.ws.rs.DELETE;
-import javax.ws.rs.GET;
-import javax.ws.rs.POST;
-import javax.ws.rs.PUT;
-import javax.ws.rs.Path;
-import javax.ws.rs.PathParam;
-import javax.ws.rs.Produces;
-import javax.ws.rs.QueryParam;
-import javax.ws.rs.core.Context;
-
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.JsonNode;
+import com.sun.jersey.api.client.UniformInterfaceException;
 import org.apache.ranger.biz.KmsKeyMgr;
 import org.apache.ranger.common.MessageEnums;
 import org.apache.ranger.common.RESTErrorUtil;
@@ -50,8 +39,17 @@
 import org.springframework.transaction.annotation.Propagation;
 import org.springframework.transaction.annotation.Transactional;
-import com.sun.jersey.api.client.UniformInterfaceException;
-
+import javax.servlet.http.HttpServletRequest;
+import javax.ws.rs.Consumes;
+import javax.ws.rs.DELETE;
+import javax.ws.rs.GET;
+import javax.ws.rs.POST;
+import javax.ws.rs.PUT;
+import javax.ws.rs.Path;
+import javax.ws.rs.PathParam;
+import javax.ws.rs.Produces;
+import javax.ws.rs.QueryParam;
+import javax.ws.rs.core.Context;
 @Path("keys")
 @Component
@@ -59,164 +57,200 @@ @RangerAnnotationJSMgrName("KeyMgr") @Transactional(propagation = Propagation.REQUIRES_NEW) public class XKeyREST { - private static final Logger logger = LoggerFactory.getLogger(XKeyREST.class); - - private static String UNAUTHENTICATED_MSG = "Unauthenticated : Please check the permission in the policy for the user"; - - @Autowired - KmsKeyMgr keyMgr; - - @Autowired - SearchUtil searchUtil; - - @Autowired - RESTErrorUtil restErrorUtil; - - /** - * Implements the traditional search functionalities for Keys - * - * @param request - * @return - */ - @GET - @Path("/keys") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_KEYS + "\")") - public VXKmsKeyList searchKeys(@Context HttpServletRequest request, @QueryParam("provider") String provider) { - VXKmsKeyList vxKmsKeyList = new VXKmsKeyList(); - try{ - vxKmsKeyList = keyMgr.searchKeys(request, provider); - }catch(Exception e){ - handleError(e); - } - return vxKmsKeyList; - } - - /** - * Implements the Rollover key functionality - * @param vXKey - * @return - */ - @PUT - @Path("/key") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.ROLLOVER_KEYS + "\")") - public VXKmsKey rolloverKey(@QueryParam("provider") String provider, VXKmsKey vXKey) { - VXKmsKey vxKmsKey = new VXKmsKey(); - try{ - String name = vXKey.getName(); - if (name == null || name.isEmpty()) { - throw restErrorUtil.createRESTException("Please provide a valid " - + "alias.", MessageEnums.INVALID_INPUT_DATA); - } - if(vXKey.getCipher() == null || vXKey.getCipher().trim().isEmpty()){ - vXKey.setCipher(null); - } - vxKmsKey = keyMgr.rolloverKey(provider, vXKey); - }catch(Exception e){ - handleError(e); - } - return vxKmsKey; - } - - /** - * Implements the delete key functionality - * @param name - * @param request - */ - @DELETE - @Path("/key/{alias}") - 
@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_KEY + "\")") - public void deleteKey(@PathParam("alias") String name, @QueryParam("provider") String provider, @Context HttpServletRequest request) { - try{ - if (name == null || name.isEmpty()) { - throw restErrorUtil.createRESTException("Please provide a valid " - + "alias.", MessageEnums.INVALID_INPUT_DATA); - } - keyMgr.deleteKey(provider, name); - }catch(Exception e){ - handleError(e); - } - } - - /** - * Implements the create key functionality - * @param vXKey - * @return - */ - @POST - @Path("/key") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_KEY + "\")") - public VXKmsKey createKey(@QueryParam("provider") String provider, VXKmsKey vXKey) { - VXKmsKey vxKmsKey = new VXKmsKey(); - try{ - String name = vXKey.getName(); - if (name == null || name.isEmpty()) { - throw restErrorUtil.createRESTException("Please provide a valid " - + "alias.", MessageEnums.INVALID_INPUT_DATA); - } - if(vXKey.getCipher() == null || vXKey.getCipher().trim().isEmpty()){ - vXKey.setCipher(null); - } - vxKmsKey = keyMgr.createKey(provider, vXKey); - }catch(Exception e){ - handleError(e); - } - return vxKmsKey; - } - - /** - * - * @param name - * @param provider - * @return - */ - @GET - @Path("/key/{alias}") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_KEY + "\")") - public VXKmsKey getKey(@PathParam("alias") String name,@QueryParam("provider") String provider){ - VXKmsKey vxKmsKey = new VXKmsKey(); - try{ - if (name == null || name.isEmpty()) { - throw restErrorUtil.createRESTException("Please provide a valid " - + "alias.", MessageEnums.INVALID_INPUT_DATA); - } - vxKmsKey = keyMgr.getKey(provider, name); - }catch(Exception e){ - handleError(e); - } - return vxKmsKey; - } - - private void 
handleError(Exception e) { - String message = e.getMessage(); - if (e instanceof UniformInterfaceException){ - UniformInterfaceException uie=(UniformInterfaceException)e; - message = uie.getResponse().getEntity(String.class); - logger.error(message); - try { - JsonNode rootNode = JsonUtilsV2.getMapper().readTree(message); - JsonNode excpNode = rootNode != null ? rootNode.get("RemoteException") : null; - JsonNode msgNode = excpNode != null ? excpNode.get("message") : null; - - message = msgNode != null ? msgNode.asText() : null; - } catch (JsonProcessingException e1) { - logger.error("Unable to parse the error message, So sending error message as it is - Error : " + e1.getMessage()); - } - } - if (!(message==null) && !(message.isEmpty()) && message.contains("Connection refused")){ - message = "Connection refused : Please check the KMS provider URL and whether the Ranger KMS is running"; - } else if (!(message==null) && !(message.isEmpty()) && (message.contains("response status of 403") || message.contains("HTTP Status 403"))){ - message = UNAUTHENTICATED_MSG; - } else if (!(message==null) && !(message.isEmpty()) && (message.contains("response status of 401") || message.contains("HTTP Status 401 - Authentication required"))){ - message = UNAUTHENTICATED_MSG; - } else if (message == null) { - message = UNAUTHENTICATED_MSG; - } - throw restErrorUtil.createRESTException(message, MessageEnums.ERROR_SYSTEM); - } + private static final Logger logger = LoggerFactory.getLogger(XKeyREST.class); + + private static final String UNAUTHENTICATED_MSG = "Unauthenticated : Please check the permission in the policy for the user"; + + @Autowired + KmsKeyMgr keyMgr; + + @Autowired + SearchUtil searchUtil; + + @Autowired + RESTErrorUtil restErrorUtil; + + /** + * Implements the traditional search functionalities for Keys + * + * @param request + * @return + */ + @GET + @Path("/keys") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + 
RangerAPIList.SEARCH_KEYS + "\")") + public VXKmsKeyList searchKeys(@Context HttpServletRequest request, @QueryParam("provider") String provider) { + VXKmsKeyList vxKmsKeyList = null; + + try { + vxKmsKeyList = keyMgr.searchKeys(request, provider); + } catch (Exception e) { + handleError(e); + } finally { + if (vxKmsKeyList == null) { + vxKmsKeyList = new VXKmsKeyList(); + } + } + + return vxKmsKeyList; + } + + /** + * Implements the Rollover key functionality + * + * @param vXKey + * @return + */ + @PUT + @Path("/key") + @Consumes("application/json") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.ROLLOVER_KEYS + "\")") + public VXKmsKey rolloverKey(@QueryParam("provider") String provider, VXKmsKey vXKey) { + VXKmsKey vxKmsKey = null; + + try { + String name = vXKey.getName(); + + if (name == null || name.isEmpty()) { + throw restErrorUtil.createRESTException("Please provide a valid " + "alias.", MessageEnums.INVALID_INPUT_DATA); + } + + if (vXKey.getCipher() == null || vXKey.getCipher().trim().isEmpty()) { + vXKey.setCipher(null); + } + + vxKmsKey = keyMgr.rolloverKey(provider, vXKey); + } catch (Exception e) { + handleError(e); + } finally { + if (vxKmsKey == null) { + vxKmsKey = new VXKmsKey(); + } + } + + return vxKmsKey; + } + + /** + * Implements the delete key functionality + * + * @param name + * @param request + */ + @DELETE + @Path("/key/{alias}") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_KEY + "\")") + public void deleteKey(@PathParam("alias") String name, @QueryParam("provider") String provider, @Context HttpServletRequest request) { + try { + if (name == null || name.isEmpty()) { + throw restErrorUtil.createRESTException("Please provide a valid " + "alias.", MessageEnums.INVALID_INPUT_DATA); + } + + keyMgr.deleteKey(provider, name); + } catch (Exception e) { + handleError(e); + } + } + + /** + * Implements the create key functionality + * 
+ * @param vXKey + * @return + */ + @POST + @Path("/key") + @Consumes("application/json") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_KEY + "\")") + public VXKmsKey createKey(@QueryParam("provider") String provider, VXKmsKey vXKey) { + VXKmsKey vxKmsKey = null; + + try { + String name = vXKey.getName(); + + if (name == null || name.isEmpty()) { + throw restErrorUtil.createRESTException("Please provide a valid " + "alias.", MessageEnums.INVALID_INPUT_DATA); + } + + if (vXKey.getCipher() == null || vXKey.getCipher().trim().isEmpty()) { + vXKey.setCipher(null); + } + + vxKmsKey = keyMgr.createKey(provider, vXKey); + } catch (Exception e) { + handleError(e); + } finally { + if (vxKmsKey == null) { + vxKmsKey = new VXKmsKey(); + } + } + + return vxKmsKey; + } + + /** + * @param name + * @param provider + * @return + */ + @GET + @Path("/key/{alias}") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_KEY + "\")") + public VXKmsKey getKey(@PathParam("alias") String name, @QueryParam("provider") String provider) { + VXKmsKey vxKmsKey = null; + + try { + if (name == null || name.isEmpty()) { + throw restErrorUtil.createRESTException("Please provide a valid " + "alias.", MessageEnums.INVALID_INPUT_DATA); + } + + vxKmsKey = keyMgr.getKey(provider, name); + } catch (Exception e) { + handleError(e); + } finally { + if (vxKmsKey == null) { + vxKmsKey = new VXKmsKey(); + } + } + + return vxKmsKey; + } + + private void handleError(Exception e) { + String message = e.getMessage(); + + if (e instanceof UniformInterfaceException) { + UniformInterfaceException uie = (UniformInterfaceException) e; + + message = uie.getResponse().getEntity(String.class); + + logger.error(message); + + try { + JsonNode rootNode = JsonUtilsV2.getMapper().readTree(message); + JsonNode excpNode = rootNode != null ? 
rootNode.get("RemoteException") : null; + JsonNode msgNode = excpNode != null ? excpNode.get("message") : null; + + message = msgNode != null ? msgNode.asText() : null; + } catch (JsonProcessingException e1) { + logger.error("Unable to parse the error message, So sending error message as it is - Error : {}", e1.getMessage()); + } + } + + if (message == null) { + message = UNAUTHENTICATED_MSG; + } else if (message.contains("Connection refused")) { + message = "Connection refused : Please check the KMS provider URL and whether the Ranger KMS is running"; + } else if (message.contains("response status of 403") || message.contains("HTTP Status 403")) { + message = UNAUTHENTICATED_MSG; + } else if (message.contains("response status of 401") || message.contains("HTTP Status 401 - Authentication required")) { + message = UNAUTHENTICATED_MSG; + } + + throw restErrorUtil.createRESTException(message, MessageEnums.ERROR_SYSTEM); + } } diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java index 9f7e79f7f5..03c33c746c 100755 --- a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java 
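Review bot: `handleError` still discards the original exception: it is neither logged (only the Jersey response body is, and only for `UniformInterfaceException`) nor attached as the cause of the exception built by `restErrorUtil.createRESTException(message, MessageEnums.ERROR_SYSTEM)`, so a non-Jersey failure in any of the key endpoints leaves no server-side trace to investigate. That matters because `rolloverKey` and `createKey` dereference `vXKey.getName()` with no null check, so a request without a body raises a NullPointerException whose message is either null, which the final `if (message == null)` branch reports to the client as UNAUTHENTICATED_MSG, or a JVM-generated description of the dereference that is returned to the caller verbatim. Consider `logger.error("KMS request failed", e);` as the first statement of `handleError`, and `if (vXKey == null) { throw restErrorUtil.createRESTException("Please provide a valid key.", MessageEnums.INVALID_INPUT_DATA); }` ahead of the name check in both methods. As a point of style, the `finally { if (vxKmsKey == null) { vxKmsKey = new VXKmsKey(); } }` blocks in `searchKeys`, `rolloverKey`, `createKey` and `getKey` only take effect on a successful call that returned null, since `handleError` always throws; `return vxKmsKey != null ? vxKmsKey : new VXKmsKey();` after the try states that intent more directly and stops a null from `keyMgr` being silently turned into an empty object.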
@@ -19,42 +19,20 @@
 package org.apache.ranger.rest;
-import java.util.Set;
-import java.util.Map;
-import java.util.List;
-import java.util.ArrayList;
-import java.util.HashMap;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import javax.ws.rs.Consumes;
-import javax.ws.rs.DefaultValue;
-import javax.ws.rs.DELETE;
-import javax.ws.rs.GET;
-import javax.ws.rs.POST;
-import javax.ws.rs.PUT;
-import javax.ws.rs.Path;
-import javax.ws.rs.PathParam;
-import javax.ws.rs.Produces;
-import javax.ws.rs.QueryParam;
-import javax.ws.rs.WebApplicationException;
-import javax.ws.rs.core.Context;
-import javax.ws.rs.core.Response;
-
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.lang.StringUtils;
+import org.apache.ranger.biz.AssetMgr;
 import org.apache.ranger.biz.RangerBizUtil;
+import org.apache.ranger.biz.ServiceDBStore;
 import org.apache.ranger.biz.SessionMgr;
 import org.apache.ranger.biz.XUserMgr;
-import org.apache.ranger.biz.AssetMgr;
-import org.apache.ranger.biz.ServiceDBStore;
-import org.apache.ranger.common.ServiceUtil;
 import org.apache.ranger.common.ContextUtil;
 import org.apache.ranger.common.MessageEnums;
 import org.apache.ranger.common.RESTErrorUtil;
 import org.apache.ranger.common.RangerConstants;
 import org.apache.ranger.common.SearchCriteria;
 import org.apache.ranger.common.SearchUtil;
+import org.apache.ranger.common.ServiceUtil;
 import org.apache.ranger.common.StringUtil;
 import org.apache.ranger.common.UserSessionBase;
 import org.apache.ranger.common.annotation.RangerAnnotationClassName;
@@ -82,7 +60,31 @@
 import org.apache.ranger.service.XUserService;
 import org.apache.ranger.ugsyncutil.model.GroupUserInfo;
 import org.apache.ranger.ugsyncutil.model.UsersGroupRoleAssignments;
-import org.apache.ranger.view.*;
+import org.apache.ranger.view.VXAuditMap;
+import org.apache.ranger.view.VXAuditMapList;
+import org.apache.ranger.view.VXAuthSession;
+import org.apache.ranger.view.VXAuthSessionList;
+import org.apache.ranger.view.VXGroup;
+import org.apache.ranger.view.VXGroupList;
+import org.apache.ranger.view.VXGroupPermission;
+import org.apache.ranger.view.VXGroupPermissionList;
+import org.apache.ranger.view.VXGroupUser;
+import org.apache.ranger.view.VXGroupUserInfo;
+import org.apache.ranger.view.VXGroupUserList;
+import org.apache.ranger.view.VXLong;
+import org.apache.ranger.view.VXModuleDef;
+import org.apache.ranger.view.VXModuleDefList;
+import org.apache.ranger.view.VXModulePermissionList;
+import org.apache.ranger.view.VXPermMap;
+import org.apache.ranger.view.VXPermMapList;
+import org.apache.ranger.view.VXString;
+import org.apache.ranger.view.VXStringList;
+import org.apache.ranger.view.VXUgsyncAuditInfo;
+import org.apache.ranger.view.VXUser;
+import org.apache.ranger.view.VXUserGroupInfo;
+import org.apache.ranger.view.VXUserList;
+import org.apache.ranger.view.VXUserPermission;
+import org.apache.ranger.view.VXUserPermissionList;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -92,1327 +94,1297 @@
 import org.springframework.transaction.annotation.Propagation;
 import org.springframework.transaction.annotation.Transactional;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.ws.rs.Consumes;
+import javax.ws.rs.DELETE;
+import javax.ws.rs.DefaultValue;
+import javax.ws.rs.GET;
+import javax.ws.rs.POST;
+import javax.ws.rs.PUT;
+import javax.ws.rs.Path;
+import javax.ws.rs.PathParam;
+import javax.ws.rs.Produces;
+import javax.ws.rs.QueryParam;
+import javax.ws.rs.WebApplicationException;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.Response;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
 import static org.apache.ranger.common.RangerCommonEnums.GROUP_EXTERNAL;
 import static org.apache.ranger.common.RangerCommonEnums.USER_EXTERNAL;
-
 @Path("xusers")
 @Component
 @Scope("request")
 @RangerAnnotationJSMgrName("XUserMgr")
 @Transactional(propagation = Propagation.REQUIRES_NEW)
 public class XUserREST {
+ static final Logger logger = LoggerFactory.getLogger(XUserREST.class);
- public static final String USERSTORE_DOWNLOAD_USERS = "userstore.download.auth.users";
+ public static final String USERSTORE_DOWNLOAD_USERS = "userstore.download.auth.users";
- @Autowired
- SearchUtil searchUtil;
+ @Autowired
+ SearchUtil searchUtil;
- @Autowired
- XUserMgr xUserMgr;
+ @Autowired
+ XUserMgr xUserMgr;
- @Autowired
- XGroupService xGroupService;
+ @Autowired
+ XGroupService xGroupService;
- @Autowired
- XModuleDefService xModuleDefService;
+ @Autowired
+ XModuleDefService xModuleDefService;
- @Autowired
- XUserPermissionService xUserPermissionService;
+ @Autowired
+ XUserPermissionService xUserPermissionService;
- @Autowired
- XGroupPermissionService xGroupPermissionService;
-
- @Autowired
- XUserService xUserService;
-
- @Autowired
- XGroupUserService xGroupUserService;
-
- @Autowired
- XPermMapService
xPermMapService; - - @Autowired - XAuditMapService xAuditMapService; - - @Autowired - RESTErrorUtil restErrorUtil; - - @Autowired - RangerDaoManager rangerDaoManager; - - @Autowired - SessionMgr sessionMgr; - - @Autowired - AuthSessionService authSessionService; - - @Autowired - RangerBizUtil bizUtil; - - @Autowired - XResourceService xResourceService; - - @Autowired - StringUtil stringUtil; - - @Autowired - AssetMgr assetMgr; - - @Autowired - ServiceUtil serviceUtil; - - @Autowired - ServiceDBStore svcStore; - - - static final Logger logger = LoggerFactory.getLogger(XUserMgr.class); - - // Handle XGroup - @GET - @Path("/groups/{id}") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_GROUP + "\")") - public VXGroup getXGroup(@PathParam("id") Long id) { - return xUserMgr.getXGroup(id); - } - - @GET - @Path("/secure/groups/{id}") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SECURE_GET_X_GROUP + "\")") - public VXGroup secureGetXGroup(@PathParam("id") Long id) { - return xUserMgr.getXGroup(id); - } - - @POST - @Path("/groups") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - public VXGroup createXGroup(VXGroup vXGroup) { - return xUserMgr.createXGroupWithoutLogin(vXGroup); - } - - @POST - @Path("/groups/groupinfo") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - public VXGroupUserInfo createXGroupUserFromMap(VXGroupUserInfo vXGroupUserInfo) { - return xUserMgr.createXGroupUserFromMap(vXGroupUserInfo); - } - - @POST - @Path("/secure/groups") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - public VXGroup secureCreateXGroup(VXGroup vXGroup) { - return xUserMgr.createXGroup(vXGroup); - } - - @PUT - @Path("/groups") - 
@Consumes({ "application/json" }) - @Produces({ "application/json" }) - public VXGroup updateXGroup(VXGroup vXGroup) { - return xUserMgr.updateXGroup(vXGroup); - } - - @PUT - @Path("/secure/groups/{id}") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public VXGroup secureUpdateXGroup(VXGroup vXGroup) { - return xUserMgr.updateXGroup(vXGroup); - } - - @PUT - @Path("/secure/groups/visibility") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.MODIFY_GROUPS_VISIBILITY + "\")") - public void modifyGroupsVisibility(HashMap groupVisibilityMap){ - xUserMgr.modifyGroupsVisibility(groupVisibilityMap); - } - - @DELETE - @Path("/groups/{id}") - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - @RangerAnnotationClassName(class_name = VXGroup.class) - public void deleteXGroup(@PathParam("id") Long id, - @Context HttpServletRequest request) { - String forceDeleteStr = request.getParameter("forceDelete"); - boolean forceDelete = false; - if(!StringUtils.isEmpty(forceDeleteStr) && "true".equalsIgnoreCase(forceDeleteStr.trim())) { - forceDelete = true; - } - xUserMgr.deleteXGroup(id, forceDelete); - } - - /** - * Implements the traditional search functionalities for XGroups - * - * @param request - * @return - */ - @GET - @Path("/groups") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_GROUPS + "\")") - public VXGroupList searchXGroups(@Context HttpServletRequest request) { - SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( - request, xGroupService.sortFields); - searchUtil.extractString(request, searchCriteria, "name", "group name", null); - searchUtil.extractInt(request, searchCriteria, "isVisible", "Group Visibility"); - searchUtil.extractInt(request, searchCriteria, "groupSource", "group source"); - searchUtil.extractString(request, searchCriteria, 
"syncSource", "Sync Source", null); - return xUserMgr.searchXGroups(searchCriteria); - } - - @GET - @Path("/groups/count") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_GROUPS + "\")") - public VXLong countXGroups(@Context HttpServletRequest request) { - SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( - request, xGroupService.sortFields); - - return xUserMgr.getXGroupSearchCount(searchCriteria); - } - - // Handle XUser - @GET - @Path("/users/{id}") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_USER + "\")") - public VXUser getXUser(@PathParam("id") Long id) { - return xUserMgr.getXUser(id); - } - - @GET - @Path("/secure/users/{id}") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SECURE_GET_X_USER + "\")") - public VXUser secureGetXUser(@PathParam("id") Long id) { - return xUserMgr.getXUser(id); - } - - @POST - @Path("/users") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - public VXUser createXUser(VXUser vXUser) { - return xUserMgr.createXUserWithOutLogin(vXUser); - } - - @POST - @Path("/users/external") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - public VXUser createExternalUser(VXUser vXUser) { - return xUserMgr.createExternalUser(vXUser.getName()); - } - - @POST - @Path("/users/userinfo") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - public VXUserGroupInfo createXUserGroupFromMap(VXUserGroupInfo vXUserGroupInfo) { - return xUserMgr.createXUserGroupFromMap(vXUserGroupInfo); - } - - @POST - @Path("/secure/users") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - 
@PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - public VXUser secureCreateXUser(VXUser vXUser) { - - bizUtil.checkUserAccessible(vXUser); - return xUserMgr.createXUser(vXUser); - } - - @PUT - @Path("/users") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public VXUser updateXUser(VXUser vXUser) { - bizUtil.checkUserAccessible(vXUser); - return xUserMgr.updateXUser(vXUser); - } - - @PUT - @Path("/secure/users/{id}") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public VXUser secureUpdateXUser(VXUser vXUser) { - - bizUtil.checkUserAccessible(vXUser); - return xUserMgr.updateXUser(vXUser); - } - - @PUT - @Path("/secure/users/visibility") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.MODIFY_USER_VISIBILITY + "\")") - public void modifyUserVisibility(HashMap visibilityMap){ - xUserMgr.modifyUserVisibility(visibilityMap); - } - - @DELETE - @Path("/users/{id}") - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - @RangerAnnotationClassName(class_name = VXUser.class) - public void deleteXUser(@PathParam("id") Long id, - @Context HttpServletRequest request) { - String forceDeleteStr = request.getParameter("forceDelete"); - boolean forceDelete = false; - if(!StringUtils.isEmpty(forceDeleteStr) && forceDeleteStr.equalsIgnoreCase("true")) { - forceDelete = true; - } - xUserMgr.deleteXUser(id, forceDelete); - } - - /** - * Implements the traditional search functionalities for XUsers - * - * @param request - * @return - */ - @GET - @Path("/users") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_USERS + "\")") - public VXUserList searchXUsers(@Context HttpServletRequest request, @QueryParam("syncSource") String syncSource, @QueryParam("userRole") String userRole) { - String UserRoleParamName = RangerConstants.ROLE_USER; - SearchCriteria 
searchCriteria = searchUtil.extractCommonCriterias( - request, xUserService.sortFields); - String userName = null; - if (request.getUserPrincipal() != null){ - userName = request.getUserPrincipal().getName(); - } - searchUtil.extractString(request, searchCriteria, "name", "User name",null); - searchUtil.extractString(request, searchCriteria, "emailAddress", "Email Address", - null); - searchUtil.extractInt(request, searchCriteria, "userSource", "User Source"); - searchUtil.extractInt(request, searchCriteria, "isVisible", "User Visibility"); - searchUtil.extractInt(request, searchCriteria, "status", "User Status"); - List userRolesList = searchUtil.extractStringList(request, searchCriteria, "userRoleList", - "User Role List", "userRoleList", null, null); - searchUtil.extractRoleString(request, searchCriteria, "userRole", "Role", null); - searchUtil.extractString(request, searchCriteria, "syncSource", "Sync Source", null); - - if (CollectionUtils.isNotEmpty(userRolesList) && CollectionUtils.size(userRolesList) == 1 && userRolesList.get(0).equalsIgnoreCase(UserRoleParamName)) { - if (!(searchCriteria.getParamList().containsKey("name"))) { - searchCriteria.addParam("name", userName); - } - else if ((searchCriteria.getParamList().containsKey("name")) && userName!= null && userName.contains((String) searchCriteria.getParamList().get("name"))) { - searchCriteria.addParam("name", userName); - } - } - - - UserSessionBase userSession = ContextUtil.getCurrentUserSession(); - if (userSession != null && userSession.getLoginId() != null) { - VXUser loggedInVXUser = xUserService.getXUserByUserName(userSession.getLoginId()); - if (loggedInVXUser != null && loggedInVXUser.getUserRoleList().size() == 1) { - if (loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_SYS_ADMIN) || loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_ADMIN_AUDITOR)) { - boolean hasRole = false; - hasRole = !userRolesList.contains(RangerConstants.ROLE_SYS_ADMIN) ? 
userRolesList.add(RangerConstants.ROLE_SYS_ADMIN) : hasRole; - hasRole = !userRolesList.contains(RangerConstants.ROLE_ADMIN_AUDITOR) ? userRolesList.add(RangerConstants.ROLE_ADMIN_AUDITOR) : hasRole; - hasRole = !userRolesList.contains(RangerConstants.ROLE_USER) ? userRolesList.add(RangerConstants.ROLE_USER) : hasRole; - if (loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_SYS_ADMIN) && "rangerusersync".equalsIgnoreCase(userSession.getLoginId())) { - hasRole = !userRolesList.contains(RangerConstants.ROLE_KEY_ADMIN) ? userRolesList.add(RangerConstants.ROLE_KEY_ADMIN) : hasRole; - hasRole = !userRolesList.contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR) ? userRolesList.add(RangerConstants.ROLE_KEY_ADMIN_AUDITOR) : hasRole; - } - } else if (loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_KEY_ADMIN) || loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR)) { - boolean hasRole = false; - hasRole = !userRolesList.contains(RangerConstants.ROLE_KEY_ADMIN) ? userRolesList.add(RangerConstants.ROLE_KEY_ADMIN) : hasRole; - hasRole = !userRolesList.contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR) ? userRolesList.add(RangerConstants.ROLE_KEY_ADMIN_AUDITOR) : hasRole; - hasRole = !userRolesList.contains(RangerConstants.ROLE_USER) ? 
userRolesList.add(RangerConstants.ROLE_USER) : hasRole; - } else if (loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_USER)) { - logger.info("Logged-In user having user role will be able to fetch his own user details."); - if (!searchCriteria.getParamList().containsKey("name")) { - searchCriteria.addParam("name", loggedInVXUser.getName()); - }else if(searchCriteria.getParamList().containsKey("name") - && !stringUtil.isEmpty(searchCriteria.getParamValue("name").toString()) - && !searchCriteria.getParamValue("name").toString().equalsIgnoreCase(loggedInVXUser.getName())){ - throw restErrorUtil.create403RESTException("Logged-In user is not allowed to access requested user data."); - } - - } - } - } - - return xUserMgr.searchXUsers(searchCriteria); - } - - @GET - @Path("/lookup/users") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_USERS_LOOKUP + "\")") - public VXStringList getUsersLookup(@Context HttpServletRequest request) { - SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( - request, xUserService.sortFields); - VXStringList ret = new VXStringList(); - List vXList = new ArrayList<>(); - searchUtil.extractString(request, searchCriteria, "name", "User name",null); - searchUtil.extractInt(request, searchCriteria, "isVisible", "User Visibility"); - try { - VXUserList vXUserList = xUserMgr.lookupXUsers(searchCriteria); - VXString VXString = null; - for (VXUser vxUser : vXUserList.getList()) { - VXString = new VXString(); - VXString.setValue(vxUser.getName()); - vXList.add(VXString); - } - ret.setVXStrings(vXList); - ret.setPageSize(vXUserList.getPageSize()); - ret.setTotalCount(vXUserList.getTotalCount()); - ret.setSortType(vXUserList.getSortType()); - ret.setSortBy(vXUserList.getSortBy()); - } - catch(Throwable excp){ - throw restErrorUtil.createRESTException(excp.getMessage()); - } - return ret; - } - - @GET - @Path("/lookup/groups") - @Produces({ 
"application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_GROUPS_LOOKUP + "\")") - public VXStringList getGroupsLookup(@Context HttpServletRequest request) { - VXStringList ret = new VXStringList(); - SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( - request, xGroupService.sortFields); - List vXList = new ArrayList<>(); - searchUtil.extractString(request, searchCriteria, "name", "group name", null); - searchUtil.extractInt(request, searchCriteria, "isVisible", "Group Visibility"); - try { - VXGroupList vXGroupList = xUserMgr.lookupXGroups(searchCriteria); - for (VXGroup vxGroup : vXGroupList.getList()) { - VXString VXString = new VXString(); - VXString.setValue(vxGroup.getName()); - vXList.add(VXString); - } - ret.setVXStrings(vXList); - ret.setPageSize(vXGroupList.getPageSize()); - ret.setTotalCount(vXGroupList.getTotalCount()); - ret.setSortType(vXGroupList.getSortType()); - ret.setSortBy(vXGroupList.getSortBy()); - } - catch(Throwable excp){ - throw restErrorUtil.createRESTException(excp.getMessage()); - } - return ret; - } - - @GET - @Path("/lookup/principals") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_PRINCIPALS_LOOKUP + "\")") - public List getPrincipalsLookup(@Context HttpServletRequest request) { - SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(request, xGroupService.sortFields); - - searchUtil.extractString(request, searchCriteria, "name", null, null); - - List ret = xUserMgr.getRangerPrincipals(searchCriteria); - - return ret; - } - @GET - @Path("/users/count") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_USERS + "\")") - public VXLong countXUsers(@Context HttpServletRequest request) { - SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( - request, xUserService.sortFields); - - return 
xUserMgr.getXUserSearchCount(searchCriteria); - } - - // Handle XGroupUser - @GET - @Path("/groupusers/{id}") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_GROUP_USER + "\")") - public VXGroupUser getXGroupUser(@PathParam("id") Long id) { - return xUserMgr.getXGroupUser(id); - } - - @POST - @Path("/groupusers") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - public VXGroupUser createXGroupUser(VXGroupUser vXGroupUser) { - if (vXGroupUser == null || StringUtils.isBlank(vXGroupUser.getName()) || vXGroupUser.getUserId() == null) { - throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST , "Group name or UserId is empty or null", true); - } - return xUserMgr.createXGroupUser(vXGroupUser); - } - - @PUT - @Path("/groupusers") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - public VXGroupUser updateXGroupUser(VXGroupUser vXGroupUser) { - if (vXGroupUser == null || StringUtils.isBlank(vXGroupUser.getName()) || vXGroupUser.getUserId() == null) { - throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST , "Group name or UserId is empty or null", true); - } - return xUserMgr.updateXGroupUser(vXGroupUser); - } - - @DELETE - @Path("/groupusers/{id}") - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - @RangerAnnotationClassName(class_name = VXGroupUser.class) - public void deleteXGroupUser(@PathParam("id") Long id, - @Context HttpServletRequest request) { - boolean force = true; - xUserMgr.deleteXGroupUser(id, force); - } - - /** - * Implements the traditional search functionalities for XGroupUsers - * - * @param request - * @return - */ - @GET - @Path("/groupusers") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_GROUP_USERS + "\")") - public VXGroupUserList searchXGroupUsers(@Context 
HttpServletRequest request) { - SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( - request, xGroupUserService.sortFields); - return xUserMgr.searchXGroupUsers(searchCriteria); - } - - /** - * Implements the traditional search functionalities for XGroupUsers by Group name - * - * @param request - * @return - */ - @GET - @Path("/groupusers/groupName/{groupName}") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_GROUP_USERS_BY_GROUP_NAME + "\")") - public VXGroupUserInfo getXGroupUsersByGroupName(@Context HttpServletRequest request, - @PathParam("groupName") String groupName) { - return xUserMgr.getXGroupUserFromMap(groupName); - } - - @GET - @Path("/groupusers/count") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_GROUP_USERS + "\")") - public VXLong countXGroupUsers(@Context HttpServletRequest request) { - SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( - request, xGroupUserService.sortFields); - - return xUserMgr.getXGroupUserSearchCount(searchCriteria); - } - - // Handle XPermMap - @GET - @Path("/permmaps/{id}") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_PERM_MAP + "\")") - public VXPermMap getXPermMap(@PathParam("id") Long id) { - VXPermMap permMap = xUserMgr.getXPermMap(id); - - if (permMap != null) { - if (xResourceService.readResource(permMap.getResourceId()) == null) { - throw restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + permMap.getResourceId(), MessageEnums.INVALID_INPUT_DATA); - } - } - - return permMap; - } - - @POST - @Path("/permmaps") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_PERM_MAP + "\")") - public VXPermMap 
createXPermMap(VXPermMap vXPermMap) { - - if (vXPermMap != null) { - if (xResourceService.readResource(vXPermMap.getResourceId()) == null) { - throw restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + vXPermMap.getResourceId(), MessageEnums.INVALID_INPUT_DATA); - } - } - - return xUserMgr.createXPermMap(vXPermMap); - } - - @PUT - @Path("/permmaps") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_PERM_MAP + "\")") - public VXPermMap updateXPermMap(VXPermMap vXPermMap) { - VXPermMap vXPermMapRet = null; - if (vXPermMap != null) { - if (xResourceService.readResource(vXPermMap.getResourceId()) == null) { - throw restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + vXPermMap.getResourceId()); - } - else{ - vXPermMapRet = xUserMgr.updateXPermMap(vXPermMap); - } - } - - return vXPermMapRet; - } - - @DELETE - @Path("/permmaps/{id}") - @RangerAnnotationClassName(class_name = VXPermMap.class) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_X_PERM_MAP + "\")") - public void deleteXPermMap(@PathParam("id") Long id, - @Context HttpServletRequest request) { - boolean force = false; - xUserMgr.deleteXPermMap(id, force); - } - - /** - * Implements the traditional search functionalities for XPermMaps - * - * @param request - * @return - */ - @GET - @Path("/permmaps") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_PERM_MAPS + "\")") - public VXPermMapList searchXPermMaps(@Context HttpServletRequest request) { - SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( - request, xPermMapService.sortFields); - return xUserMgr.searchXPermMaps(searchCriteria); - } - - @GET - @Path("/permmaps/count") - @Produces({ "application/json" }) - 
@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_PERM_MAPS + "\")") - public VXLong countXPermMaps(@Context HttpServletRequest request) { - SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( - request, xPermMapService.sortFields); - - return xUserMgr.getXPermMapSearchCount(searchCriteria); - } - - // Handle XAuditMap - @GET - @Path("/auditmaps/{id}") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_AUDIT_MAP + "\")") - public VXAuditMap getXAuditMap(@PathParam("id") Long id) { - VXAuditMap vXAuditMap = xUserMgr.getXAuditMap(id); - - if (vXAuditMap != null) { - if (xResourceService.readResource(vXAuditMap.getResourceId()) == null) { - throw restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + vXAuditMap.getResourceId(), MessageEnums.INVALID_INPUT_DATA); - } - } - - return vXAuditMap; - } - - @POST - @Path("/auditmaps") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_AUDIT_MAP + "\")") - public VXAuditMap createXAuditMap(VXAuditMap vXAuditMap) { - - if (vXAuditMap != null) { - if (xResourceService.readResource(vXAuditMap.getResourceId()) == null) { - throw restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + vXAuditMap.getResourceId(), MessageEnums.INVALID_INPUT_DATA); - } - } - - return xUserMgr.createXAuditMap(vXAuditMap); - } - - @PUT - @Path("/auditmaps") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_AUDIT_MAP + "\")") - public VXAuditMap updateXAuditMap(VXAuditMap vXAuditMap) { - VXAuditMap vXAuditMapRet = null; - if (vXAuditMap != null) { - if (xResourceService.readResource(vXAuditMap.getResourceId()) == null) { - throw 
restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + vXAuditMap.getResourceId(), MessageEnums.INVALID_INPUT_DATA); - } - else{ - vXAuditMapRet = xUserMgr.updateXAuditMap(vXAuditMap); - } - } - - return vXAuditMapRet; - } - - @DELETE - @Path("/auditmaps/{id}") - @RangerAnnotationClassName(class_name = VXAuditMap.class) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_X_AUDIT_MAP + "\")") - public void deleteXAuditMap(@PathParam("id") Long id, - @Context HttpServletRequest request) { - boolean force = false; - xUserMgr.deleteXAuditMap(id, force); - } - - /** - * Implements the traditional search functionalities for XAuditMaps - * - * @param request - * @return - */ - @GET - @Path("/auditmaps") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_AUDIT_MAPS + "\")") - public VXAuditMapList searchXAuditMaps(@Context HttpServletRequest request) { - SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( - request, xAuditMapService.sortFields); - return xUserMgr.searchXAuditMaps(searchCriteria); - } - - @GET - @Path("/auditmaps/count") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_AUDIT_MAPS + "\")") - public VXLong countXAuditMaps(@Context HttpServletRequest request) { - SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( - request, xAuditMapService.sortFields); - - return xUserMgr.getXAuditMapSearchCount(searchCriteria); - } - - // Handle XUser - @GET - @Path("/users/userName/{userName}") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_USER_BY_USER_NAME + "\")") - public VXUser getXUserByUserName(@Context HttpServletRequest request, - @PathParam("userName") String userName) { - return xUserMgr.getXUserByUserName(userName); - } - - @GET - 
@Path("/groups/groupName/{groupName}") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_GROUP_BY_GROUP_NAME + "\")") - public VXGroup getXGroupByGroupName(@Context HttpServletRequest request, - @PathParam("groupName") String groupName) { - VXGroup vXGroup = xGroupService.getGroupByGroupName(groupName); - UserSessionBase userSession = ContextUtil.getCurrentUserSession(); - if (userSession != null && userSession.getLoginId() != null && userSession.getUserRoleList().contains(RangerConstants.ROLE_USER)) { - VXUser loggedInVXUser = xUserService.getXUserByUserName(userSession.getLoginId()); - boolean isMatch = false; - if (loggedInVXUser != null && vXGroup != null) { - List userGroups = xGroupService.getGroupsByUserId(loggedInVXUser.getId()); - for (XXGroup xXGroup: userGroups) { - if (xXGroup != null && StringUtils.equals(xXGroup.getName(), vXGroup.getName())) { - isMatch = true; - break; - } - } - } - if (!isMatch) { - vXGroup = null; - } - } - return vXGroup; - } - - @DELETE - @Path("/users/userName/{userName}") - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - public void deleteXUserByUserName(@PathParam("userName") String userName, - @Context HttpServletRequest request) { - String forceDeleteStr = request.getParameter("forceDelete"); - boolean forceDelete = false; - if(!StringUtils.isEmpty(forceDeleteStr) && forceDeleteStr.equalsIgnoreCase("true")) { - forceDelete = true; - } - VXUser vxUser = xUserService.getXUserByUserName(userName); - xUserMgr.deleteXUser(vxUser.getId(), forceDelete); - } - - - /** - * Proceed with caution: Force deletes users from the ranger db, - * Delete happens one at a time with immediate commit on the transaction. 
- */
- @DELETE
- @Path("/delete/external/users")
- @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
- @Produces({ "application/json" })
- public Response forceDeleteExternalUsers(@Context HttpServletRequest request) {
- SearchCriteria searchCriteria = new SearchCriteria();
- searchUtil.extractString(
- request, searchCriteria, "name", "User name",null);
- searchUtil.extractString(
- request, searchCriteria, "emailAddress", "Email Address", null);
- searchUtil.extractInt(
- request, searchCriteria, "isVisible", "User Visibility");
- searchUtil.extractInt(
- request, searchCriteria, "status", "User Status");
- searchUtil.extractString(
- request, searchCriteria, "syncSource", "Sync Source", null);
- searchUtil.extractRoleString(
- request, searchCriteria, "userRole", "Role", null);
-
- // for invalid params
- if(request.getQueryString() != null && searchCriteria.getParamList().size() == 0){
- return Response.status(Response.Status.BAD_REQUEST).entity("Invalid query params!").build();
- }
-
- // only for external users
- searchCriteria.addParam("userSource", USER_EXTERNAL);
-
- List userIds = xUserService.searchXUsersForIds(searchCriteria);
- long usersDeleted = xUserMgr.forceDeleteExternalUsers(userIds);
- String response = "No users were deleted!";
- if (usersDeleted == 1) {
- response = "1 user deleted successfully.";
- } else if (usersDeleted > 0) {
- response = String.format("%d users deleted successfully.", usersDeleted);
- }
- return Response.ok(response).build();
- }
-
- /**
- * Proceed with caution: Force deletes groups from the ranger db,
- * Delete happens one at a time with immediate commit on the transaction. 
- */
- @DELETE
- @Path("/delete/external/groups")
- @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
- @Produces({ "application/json" })
- public Response forceDeleteExternalGroups(@Context HttpServletRequest request) {
- SearchCriteria searchCriteria = new SearchCriteria();
- searchUtil.extractString(
- request, searchCriteria, "name", "Group Name",null);
- searchUtil.extractInt(
- request, searchCriteria, "isVisible", "Group Visibility");
- searchUtil.extractString(
- request, searchCriteria, "syncSource", "Sync Source", null);
-
- // for invalid params
- if(request.getQueryString() != null && searchCriteria.getParamList().size() == 0){
- return Response.status(Response.Status.BAD_REQUEST).entity("Invalid query params!").build();
- }
-
- // only for external groups
- searchCriteria.addParam("groupSource", GROUP_EXTERNAL);
-
- List groupIds = xGroupService.searchXGroupsForIds(searchCriteria);
- long groupsDeleted = xUserMgr.forceDeleteExternalGroups(groupIds);
- String response = "No groups were deleted!";
- if (groupsDeleted == 1) {
- response = "1 group deleted successfully.";
- } else if (groupsDeleted > 0) {
- response = String.format("%d groups deleted successfully.", groupsDeleted);
- }
- return Response.ok(response).build();
- }
-
- @DELETE
- @Path("/groups/groupName/{groupName}")
- @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
- public void deleteXGroupByGroupName(
- @PathParam("groupName") String groupName,
- @Context HttpServletRequest request) {
- String forceDeleteStr = request.getParameter("forceDelete");
- boolean forceDelete = false;
- if(!StringUtils.isEmpty(forceDeleteStr) && forceDeleteStr.equalsIgnoreCase("true")) {
- forceDelete = true;
- }
- VXGroup vxGroup = xGroupService.getGroupByGroupName(groupName);
- xUserMgr.deleteXGroup(vxGroup.getId(), forceDelete);
- }
-
- @DELETE
- @Path("/group/{groupName}/user/{userName}")
- @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
- public void deleteXGroupAndXUser(@PathParam("groupName") String groupName,
- 
@PathParam("userName") String userName, - @Context HttpServletRequest request) { - xUserMgr.deleteXGroupAndXUser(groupName, userName); - } - - @GET - @Path("/{userId}/groups") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_USER_GROUPS + "\")") - public VXGroupList getXUserGroups(@Context HttpServletRequest request, - @PathParam("userId") Long id){ - return xUserMgr.getXUserGroups(id); - } - - @GET - @Path("/{groupId}/users") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_GROUP_USERS + "\")") - public VXUserList getXGroupUsers(@Context HttpServletRequest request, - @PathParam("groupId") Long id){ - SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( - request, xGroupUserService.sortFields); - searchCriteria.addParam("xGroupId", id); - return xUserMgr.getXGroupUsers(searchCriteria); - } - - @GET - @Path("/authSessions") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_AUTH_SESSIONS + "\")") - public VXAuthSessionList getAuthSessions(@Context HttpServletRequest request){ - SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( - request, AuthSessionService.AUTH_SESSION_SORT_FLDS); - searchUtil.extractLong(request, searchCriteria, "id", "Auth Session Id"); - searchUtil.extractLong(request, searchCriteria, "userId", "User Id"); - searchUtil.extractInt(request, searchCriteria, "authStatus", "Auth Status"); - searchUtil.extractInt(request, searchCriteria, "authType", "Login Type"); - searchUtil.extractInt(request, searchCriteria, "deviceType", "Device Type"); - searchUtil.extractString(request, searchCriteria, "firstName", "User First Name", StringUtil.VALIDATION_NAME); - searchUtil.extractString(request, searchCriteria, "lastName", "User Last Name", StringUtil.VALIDATION_NAME); - searchUtil.extractString(request, 
searchCriteria, "requestUserAgent", "User Agent", StringUtil.VALIDATION_TEXT); - searchUtil.extractString(request, searchCriteria, "requestIP", "Request IP Address", StringUtil.VALIDATION_IP_ADDRESS); - searchUtil.extractString(request, searchCriteria, "loginId", "Login ID", StringUtil.VALIDATION_TEXT); - searchUtil.extractDate(request, searchCriteria, "startDate", "Start Date", null); - searchUtil.extractDate(request, searchCriteria, "endDate", "End Date", null); - return sessionMgr.searchAuthSessions(searchCriteria); - } - - @GET - @Path("/authSessions/info") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_AUTH_SESSION + "\")") - public VXAuthSession getAuthSession(@Context HttpServletRequest request){ - String authSessionId = request.getParameter("extSessionId"); - return sessionMgr.getAuthSessionBySessionId(authSessionId); - } - - // Handle module permissions - @POST - @Path("/permission") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_MODULE_DEF_PERMISSION + "\")") - public VXModuleDef createXModuleDefPermission(VXModuleDef vXModuleDef) { - xUserMgr.checkAdminAccess(); - bizUtil.blockAuditorRoleUser(); - return xUserMgr.createXModuleDefPermission(vXModuleDef); - } - - @GET - @Path("/permission/{id}") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_MODULE_DEF_PERMISSION + "\")") - public VXModuleDef getXModuleDefPermission(@PathParam("id") Long id) { - return xUserMgr.getXModuleDefPermission(id); - } - - @PUT - @Path("/permission/{id}") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_MODULE_DEF_PERMISSION + "\")") - public VXModuleDef updateXModuleDefPermission(VXModuleDef 
vXModuleDef) { - xUserMgr.checkAdminAccess(); - bizUtil.blockAuditorRoleUser(); - return xUserMgr.updateXModuleDefPermission(vXModuleDef); - } - - @DELETE - @Path("/permission/{id}") - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_X_MODULE_DEF_PERMISSION + "\")") - public void deleteXModuleDefPermission(@PathParam("id") Long id, - @Context HttpServletRequest request) { - boolean force = true; - xUserMgr.checkAdminAccess(); - bizUtil.blockAuditorRoleUser(); - xUserMgr.deleteXModuleDefPermission(id, force); - } - - @GET - @Path("/permission") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_MODULE_DEF + "\")") - public VXModuleDefList searchXModuleDef(@Context HttpServletRequest request) { - SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( - request, xModuleDefService.sortFields); - - searchUtil.extractString(request, searchCriteria, "module", - "modulename", null); - - searchUtil.extractString(request, searchCriteria, "moduleDefList", - "id", null); - searchUtil.extractString(request, searchCriteria, "userName", - "userName", null); - searchUtil.extractString(request, searchCriteria, "groupName", - "groupName", null); - - return xUserMgr.searchXModuleDef(searchCriteria); - } - - @GET - @Path("/permissionlist") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_MODULE_DEF + "\")") - public VXModulePermissionList searchXModuleDefList(@Context HttpServletRequest request) { - SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( - request, xModuleDefService.sortFields); - - searchUtil.extractString(request, searchCriteria, "module", - "modulename", null); - - searchUtil.extractString(request, searchCriteria, "moduleDefList", - "id", null); - searchUtil.extractString(request, searchCriteria, "userName", - "userName", null); - 
searchUtil.extractString(request, searchCriteria, "groupName", - "groupName", null); - - return xUserMgr.searchXModuleDefList(searchCriteria); - } - - @GET - @Path("/permission/count") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_MODULE_DEF + "\")") - public VXLong countXModuleDef(@Context HttpServletRequest request) { - SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( - request, xModuleDefService.sortFields); - return xUserMgr.getXModuleDefSearchCount(searchCriteria); - } - - // Handle user permissions - @POST - @Path("/permission/user") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_USER_PERMISSION + "\")") - public VXUserPermission createXUserPermission( - VXUserPermission vXUserPermission) { - xUserMgr.checkAdminAccess(); - bizUtil.blockAuditorRoleUser(); - return xUserMgr.createXUserPermission(vXUserPermission); - } - - @GET - @Path("/permission/user/{id}") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_USER_PERMISSION + "\")") - public VXUserPermission getXUserPermission(@PathParam("id") Long id) { - return xUserMgr.getXUserPermission(id); - } - - @PUT - @Path("/permission/user/{id}") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_USER_PERMISSION + "\")") - public VXUserPermission updateXUserPermission( - VXUserPermission vXUserPermission) { - xUserMgr.checkAdminAccess(); - bizUtil.blockAuditorRoleUser(); - return xUserMgr.updateXUserPermission(vXUserPermission); - } - - @DELETE - @Path("/permission/user/{id}") - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_X_USER_PERMISSION + "\")") - public void 
deleteXUserPermission(@PathParam("id") Long id, - @Context HttpServletRequest request) { - boolean force = true; - xUserMgr.checkAdminAccess(); - xUserMgr.deleteXUserPermission(id, force); - } - - @GET - @Path("/permission/user") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_USER_PERMISSION + "\")") - public VXUserPermissionList searchXUserPermission( - @Context HttpServletRequest request) { - SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( - request, xUserPermissionService.sortFields); - searchUtil.extractString(request, searchCriteria, "id", "id", - StringUtil.VALIDATION_NAME); - - searchUtil.extractString(request, searchCriteria, "userPermissionList", - "userId", StringUtil.VALIDATION_NAME); - return xUserMgr.searchXUserPermission(searchCriteria); - } - - @GET - @Path("/permission/user/count") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_USER_PERMISSION + "\")") - public VXLong countXUserPermission(@Context HttpServletRequest request) { - SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( - request, xUserPermissionService.sortFields); - return xUserMgr.getXUserPermissionSearchCount(searchCriteria); - } - - // Handle group permissions - @POST - @Path("/permission/group") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_GROUP_PERMISSION + "\")") - public VXGroupPermission createXGroupPermission( - VXGroupPermission vXGroupPermission) { - xUserMgr.checkAdminAccess(); - bizUtil.blockAuditorRoleUser(); - return xUserMgr.createXGroupPermission(vXGroupPermission); - } - - @GET - @Path("/permission/group/{id}") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_GROUP_PERMISSION + "\")") - 
public VXGroupPermission getXGroupPermission(@PathParam("id") Long id) { - return xUserMgr.getXGroupPermission(id); - } - - @PUT - @Path("/permission/group/{id}") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_GROUP_PERMISSION + "\")") - public VXGroupPermission updateXGroupPermission(@PathParam("id") Long id, - VXGroupPermission vXGroupPermission) { - // if VXGroupPermission.id is specified, it should be same as the param 'id' - if(vXGroupPermission.getId() == null) { - vXGroupPermission.setId(id); - } else if(!vXGroupPermission.getId().equals(id)) { - throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST , "vXGroupPermission Id mismatch", true); - } - xUserMgr.checkAdminAccess(); - bizUtil.blockAuditorRoleUser(); - return xUserMgr.updateXGroupPermission(vXGroupPermission); - } - - @DELETE - @Path("/permission/group/{id}") - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_X_GROUP_PERMISSION + "\")") - public void deleteXGroupPermission(@PathParam("id") Long id, - @Context HttpServletRequest request) { - boolean force = true; - xUserMgr.checkAdminAccess(); - bizUtil.blockAuditorRoleUser(); - xUserMgr.deleteXGroupPermission(id, force); - } - - @GET - @Path("/permission/group") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_GROUP_PERMISSION + "\")") - public VXGroupPermissionList searchXGroupPermission( - @Context HttpServletRequest request) { - SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( - request, xGroupPermissionService.sortFields); - searchUtil.extractString(request, searchCriteria, "id", "id", - StringUtil.VALIDATION_NAME); - searchUtil.extractString(request, searchCriteria, - "groupPermissionList", "groupId", StringUtil.VALIDATION_NAME); - return 
xUserMgr.searchXGroupPermission(searchCriteria); - } - - @GET - @Path("/permission/group/count") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_GROUP_PERMISSION + "\")") - public VXLong countXGroupPermission(@Context HttpServletRequest request) { - SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( - request, xGroupPermissionService.sortFields); - return xUserMgr.getXGroupPermissionSearchCount(searchCriteria); - } - - @PUT - @Path("/secure/users/activestatus") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.MODIFY_USER_ACTIVE_STATUS + "\")") - public void modifyUserActiveStatus(HashMap statusMap){ - xUserMgr.modifyUserActiveStatus(statusMap); - } - - @PUT - @Path("/secure/users/roles/{userId}") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SET_USER_ROLES_BY_ID + "\")") - public VXStringList setUserRolesByExternalID(@PathParam("userId") Long userId, - VXStringList roleList) { - return xUserMgr.setUserRolesByExternalID(userId, roleList.getVXStrings()); - } - - @PUT - @Path("/secure/users/roles/userName/{userName}") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SET_USER_ROLES_BY_NAME + "\")") - public VXStringList setUserRolesByName(@PathParam("userName") String userName, - VXStringList roleList) { - return xUserMgr.setUserRolesByName(userName, roleList.getVXStrings()); - } - - @GET - @Path("/secure/users/external/{userId}") - @Produces({ "application/json" }) - @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_USER_ROLES_BY_ID + "\")") - public VXStringList getUserRolesByExternalID(@PathParam("userId") Long userId) { - VXStringList vXStringList=new 
VXStringList();
- vXStringList=xUserMgr.getUserRolesByExternalID(userId);
- return vXStringList;
- }
-
- @GET
- @Path("/secure/users/roles/userName/{userName}")
- @Produces({ "application/json" })
- @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_USER_ROLES_BY_NAME + "\")")
- public VXStringList getUserRolesByName(@PathParam("userName") String userName) {
- VXStringList vXStringList=new VXStringList();
- vXStringList=xUserMgr.getUserRolesByName(userName);
- return vXStringList;
- }
-
-
- @DELETE
- @Path("/secure/users/delete")
- @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
- public void deleteUsersByUserName(@Context HttpServletRequest request,VXStringList userList){
- String forceDeleteStr = request.getParameter("forceDelete");
- boolean forceDelete = false;
- if(StringUtils.isNotEmpty(forceDeleteStr) && "true".equalsIgnoreCase(forceDeleteStr)) {
- forceDelete = true;
- }
- if(userList!=null && userList.getList()!=null){
- for(VXString userName:userList.getList()){
- if(StringUtils.isNotEmpty(userName.getValue())){
- VXUser vxUser = xUserService.getXUserByUserName(userName.getValue());
- xUserMgr.deleteXUser(vxUser.getId(), forceDelete);
- }
- }
- }
- }
-
-
- @DELETE
- @Path("/secure/groups/delete")
- @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
- public void deleteGroupsByGroupName(
- @Context HttpServletRequest request,VXStringList groupList) {
- String forceDeleteStr = request.getParameter("forceDelete");
- boolean forceDelete = false;
- if(StringUtils.isNotEmpty(forceDeleteStr) && "true".equalsIgnoreCase(forceDeleteStr)) {
- forceDelete = true;
- }
- if(groupList!=null && groupList.getList()!=null){
- for(VXString groupName:groupList.getList()){
- if(StringUtils.isNotEmpty(groupName.getValue())){
- VXGroup vxGroup = xGroupService.getGroupByGroupName(groupName.getValue());
- xUserMgr.deleteXGroup(vxGroup.getId(), forceDelete);
- }
- }
- }
- }
-
- @DELETE
- @Path("/secure/users/{userName}")
- 
@PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - public void deleteSingleUserByUserName(@Context HttpServletRequest request, @PathParam("userName") String userName) { - String forceDeleteStr = request.getParameter("forceDelete"); - boolean forceDelete = false; - if (StringUtils.isNotEmpty(forceDeleteStr) && "true".equalsIgnoreCase(forceDeleteStr)) { - forceDelete = true; - } + @Autowired + XGroupPermissionService xGroupPermissionService; - if (StringUtils.isNotEmpty(userName)) { - VXUser vxUser = xUserService.getXUserByUserName(userName); - xUserMgr.deleteXUser(vxUser.getId(), forceDelete); - } + @Autowired + XUserService xUserService; + + @Autowired + XGroupUserService xGroupUserService; + + @Autowired + XPermMapService xPermMapService; + + @Autowired + XAuditMapService xAuditMapService; + + @Autowired + RESTErrorUtil restErrorUtil; + + @Autowired + RangerDaoManager rangerDaoManager; + + @Autowired + SessionMgr sessionMgr; + + @Autowired + AuthSessionService authSessionService; + + @Autowired + RangerBizUtil bizUtil; + + @Autowired + XResourceService xResourceService; + + @Autowired + StringUtil stringUtil; + + @Autowired + AssetMgr assetMgr; + + @Autowired + ServiceUtil serviceUtil; + + @Autowired + ServiceDBStore svcStore; + + // Handle XGroup + @GET + @Path("/groups/{id}") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_GROUP + "\")") + public VXGroup getXGroup(@PathParam("id") Long id) { + return xUserMgr.getXGroup(id); + } + + @GET + @Path("/secure/groups/{id}") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SECURE_GET_X_GROUP + "\")") + public VXGroup secureGetXGroup(@PathParam("id") Long id) { + return xUserMgr.getXGroup(id); + } + + @POST + @Path("/groups") + @Consumes("application/json") + @Produces("application/json") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + public VXGroup createXGroup(VXGroup vXGroup) { + return 
xUserMgr.createXGroupWithoutLogin(vXGroup); + } + + @POST + @Path("/groups/groupinfo") + @Consumes("application/json") + @Produces("application/json") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + public VXGroupUserInfo createXGroupUserFromMap(VXGroupUserInfo vXGroupUserInfo) { + return xUserMgr.createXGroupUserFromMap(vXGroupUserInfo); + } + + @POST + @Path("/secure/groups") + @Consumes("application/json") + @Produces("application/json") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + public VXGroup secureCreateXGroup(VXGroup vXGroup) { + return xUserMgr.createXGroup(vXGroup); + } + + @PUT + @Path("/groups") + @Consumes("application/json") + @Produces("application/json") + public VXGroup updateXGroup(VXGroup vXGroup) { + return xUserMgr.updateXGroup(vXGroup); + } + + @PUT + @Path("/secure/groups/{id}") + @Consumes("application/json") + @Produces("application/json") + public VXGroup secureUpdateXGroup(VXGroup vXGroup) { + return xUserMgr.updateXGroup(vXGroup); + } + + @PUT + @Path("/secure/groups/visibility") + @Consumes("application/json") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.MODIFY_GROUPS_VISIBILITY + "\")") + public void modifyGroupsVisibility(HashMap groupVisibilityMap) { + xUserMgr.modifyGroupsVisibility(groupVisibilityMap); + } + + @DELETE + @Path("/groups/{id}") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + @RangerAnnotationClassName(class_name = VXGroup.class) + public void deleteXGroup(@PathParam("id") Long id, @Context HttpServletRequest request) { + String forceDeleteStr = request.getParameter("forceDelete"); + boolean forceDelete = !StringUtils.isEmpty(forceDeleteStr) && "true".equalsIgnoreCase(forceDeleteStr.trim()); + + xUserMgr.deleteXGroup(id, forceDelete); + } + + /** + * Implements the traditional search functionalities for XGroups + * + * @param request + * @return + */ + @GET + @Path("/groups") + @Produces("application/json") + 
@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_GROUPS + "\")") + public VXGroupList searchXGroups(@Context HttpServletRequest request) { + SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(request, xGroupService.sortFields); + + searchUtil.extractString(request, searchCriteria, "name", "group name", null); + searchUtil.extractInt(request, searchCriteria, "isVisible", "Group Visibility"); + searchUtil.extractInt(request, searchCriteria, "groupSource", "group source"); + searchUtil.extractString(request, searchCriteria, "syncSource", "Sync Source", null); + + return xUserMgr.searchXGroups(searchCriteria); + } + + @GET + @Path("/groups/count") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_GROUPS + "\")") + public VXLong countXGroups(@Context HttpServletRequest request) { + SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(request, xGroupService.sortFields); + + return xUserMgr.getXGroupSearchCount(searchCriteria); + } + + // Handle XUser + @GET + @Path("/users/{id}") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_USER + "\")") + public VXUser getXUser(@PathParam("id") Long id) { + return xUserMgr.getXUser(id); + } + + @GET + @Path("/secure/users/{id}") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SECURE_GET_X_USER + "\")") + public VXUser secureGetXUser(@PathParam("id") Long id) { + return xUserMgr.getXUser(id); + } + + @POST + @Path("/users") + @Consumes("application/json") + @Produces("application/json") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + public VXUser createXUser(VXUser vXUser) { + return xUserMgr.createXUserWithOutLogin(vXUser); + } + + @POST + @Path("/users/external") + @Consumes("application/json") + @Produces("application/json") + 
@PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + public VXUser createExternalUser(VXUser vXUser) { + return xUserMgr.createExternalUser(vXUser.getName()); + } + + @POST + @Path("/users/userinfo") + @Consumes("application/json") + @Produces("application/json") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + public VXUserGroupInfo createXUserGroupFromMap(VXUserGroupInfo vXUserGroupInfo) { + return xUserMgr.createXUserGroupFromMap(vXUserGroupInfo); + } + + @POST + @Path("/secure/users") + @Consumes("application/json") + @Produces("application/json") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + public VXUser secureCreateXUser(VXUser vXUser) { + bizUtil.checkUserAccessible(vXUser); + + return xUserMgr.createXUser(vXUser); + } + + @PUT + @Path("/users") + @Consumes("application/json") + @Produces("application/json") + public VXUser updateXUser(VXUser vXUser) { + bizUtil.checkUserAccessible(vXUser); + + return xUserMgr.updateXUser(vXUser); + } + + @PUT + @Path("/secure/users/{id}") + @Consumes("application/json") + @Produces("application/json") + public VXUser secureUpdateXUser(VXUser vXUser) { + bizUtil.checkUserAccessible(vXUser); + + return xUserMgr.updateXUser(vXUser); + } + + @PUT + @Path("/secure/users/visibility") + @Consumes("application/json") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.MODIFY_USER_VISIBILITY + "\")") + public void modifyUserVisibility(HashMap visibilityMap) { + xUserMgr.modifyUserVisibility(visibilityMap); + } + + @DELETE + @Path("/users/{id}") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + @RangerAnnotationClassName(class_name = VXUser.class) + public void deleteXUser(@PathParam("id") Long id, @Context HttpServletRequest request) { + String forceDeleteStr = request.getParameter("forceDelete"); + boolean forceDelete = !StringUtils.isEmpty(forceDeleteStr) && forceDeleteStr.equalsIgnoreCase("true"); + + xUserMgr.deleteXUser(id, forceDelete); + } + + /** + * Implements the 
traditional search functionalities for XUsers + * + * @param request + * @return + */ + @GET + @Path("/users") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_USERS + "\")") + public VXUserList searchXUsers(@Context HttpServletRequest request, @QueryParam("syncSource") String syncSource, @QueryParam("userRole") String userRole) { + String userRoleParamName = RangerConstants.ROLE_USER; + SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(request, xUserService.sortFields); + String userName = null; + + if (request.getUserPrincipal() != null) { + userName = request.getUserPrincipal().getName(); } - @DELETE - @Path("/secure/groups/{groupName}") - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - public void deleteSingleGroupByGroupName(@Context HttpServletRequest request, @PathParam("groupName") String groupName) { - String forceDeleteStr = request.getParameter("forceDelete"); - boolean forceDelete = false; - if (StringUtils.isNotEmpty(forceDeleteStr) && "true".equalsIgnoreCase(forceDeleteStr)) { - forceDelete = true; - } - if (StringUtils.isNotEmpty(groupName)) { - VXGroup vxGroup = xGroupService.getGroupByGroupName(groupName.trim()); - xUserMgr.deleteXGroup(vxGroup.getId(), forceDelete); - } + searchUtil.extractString(request, searchCriteria, "name", "User name", null); + searchUtil.extractString(request, searchCriteria, "emailAddress", "Email Address", null); + searchUtil.extractInt(request, searchCriteria, "userSource", "User Source"); + searchUtil.extractInt(request, searchCriteria, "isVisible", "User Visibility"); + searchUtil.extractInt(request, searchCriteria, "status", "User Status"); + + List userRolesList = searchUtil.extractStringList(request, searchCriteria, "userRoleList", "User Role List", "userRoleList", null, null); + + searchUtil.extractRoleString(request, searchCriteria, "userRole", "Role", null); + searchUtil.extractString(request, searchCriteria, "syncSource", 
"Sync Source", null); + + if (CollectionUtils.isNotEmpty(userRolesList) && CollectionUtils.size(userRolesList) == 1 && userRolesList.get(0).equalsIgnoreCase(userRoleParamName)) { + if (!(searchCriteria.getParamList().containsKey("name"))) { + searchCriteria.addParam("name", userName); + } else if ((searchCriteria.getParamList().containsKey("name")) && userName != null && userName.contains((String) searchCriteria.getParamList().get("name"))) { + searchCriteria.addParam("name", userName); + } } - @DELETE - @Path("/secure/users/id/{userId}") - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - public void deleteSingleUserByUserId(@Context HttpServletRequest request, @PathParam("userId") Long userId) { - String forceDeleteStr = request.getParameter("forceDelete"); - boolean forceDelete = false; - if (StringUtils.isNotEmpty(forceDeleteStr) && "true".equalsIgnoreCase(forceDeleteStr)) { - forceDelete = true; + UserSessionBase userSession = ContextUtil.getCurrentUserSession(); + + if (userSession != null && userSession.getLoginId() != null) { + VXUser loggedInVXUser = xUserService.getXUserByUserName(userSession.getLoginId()); + + if (loggedInVXUser != null && loggedInVXUser.getUserRoleList().size() == 1) { + if (loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_SYS_ADMIN) || loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_ADMIN_AUDITOR)) { + boolean hasRole = false; + + hasRole = !userRolesList.contains(RangerConstants.ROLE_SYS_ADMIN) ? userRolesList.add(RangerConstants.ROLE_SYS_ADMIN) : hasRole; + hasRole = !userRolesList.contains(RangerConstants.ROLE_ADMIN_AUDITOR) ? userRolesList.add(RangerConstants.ROLE_ADMIN_AUDITOR) : hasRole; + hasRole = !userRolesList.contains(RangerConstants.ROLE_USER) ? 
userRolesList.add(RangerConstants.ROLE_USER) : hasRole; + + if (loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_SYS_ADMIN) && "rangerusersync".equalsIgnoreCase(userSession.getLoginId())) { + hasRole = !userRolesList.contains(RangerConstants.ROLE_KEY_ADMIN) ? userRolesList.add(RangerConstants.ROLE_KEY_ADMIN) : hasRole; + hasRole = !userRolesList.contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR) ? userRolesList.add(RangerConstants.ROLE_KEY_ADMIN_AUDITOR) : hasRole; + } + } else if (loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_KEY_ADMIN) || loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR)) { + boolean hasRole = false; + + hasRole = !userRolesList.contains(RangerConstants.ROLE_KEY_ADMIN) ? userRolesList.add(RangerConstants.ROLE_KEY_ADMIN) : hasRole; + hasRole = !userRolesList.contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR) ? userRolesList.add(RangerConstants.ROLE_KEY_ADMIN_AUDITOR) : hasRole; + hasRole = !userRolesList.contains(RangerConstants.ROLE_USER) ? 
userRolesList.add(RangerConstants.ROLE_USER) : hasRole; + } else if (loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_USER)) { + logger.info("Logged-In user having user role will be able to fetch his own user details."); + + if (!searchCriteria.getParamList().containsKey("name")) { + searchCriteria.addParam("name", loggedInVXUser.getName()); + } else if (searchCriteria.getParamList().containsKey("name") && !stringUtil.isEmpty(searchCriteria.getParamValue("name").toString()) && !searchCriteria.getParamValue("name").toString().equalsIgnoreCase(loggedInVXUser.getName())) { + throw restErrorUtil.create403RESTException("Logged-In user is not allowed to access requested user data."); + } } - if (userId != null) { - xUserMgr.deleteXUser(userId, forceDelete); + } + } + + return xUserMgr.searchXUsers(searchCriteria); + } + + @GET + @Path("/lookup/users") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_USERS_LOOKUP + "\")") + public VXStringList getUsersLookup(@Context HttpServletRequest request) { + SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(request, xUserService.sortFields); + VXStringList ret = new VXStringList(); + List vXList = new ArrayList<>(); + + searchUtil.extractString(request, searchCriteria, "name", "User name", null); + searchUtil.extractInt(request, searchCriteria, "isVisible", "User Visibility"); + + try { + VXUserList vXUserList = xUserMgr.lookupXUsers(searchCriteria); + + for (VXUser vxUser : vXUserList.getList()) { + VXString vXString = new VXString(); + + vXString.setValue(vxUser.getName()); + + vXList.add(vXString); + } + + ret.setVXStrings(vXList); + ret.setPageSize(vXUserList.getPageSize()); + ret.setTotalCount(vXUserList.getTotalCount()); + ret.setSortType(vXUserList.getSortType()); + ret.setSortBy(vXUserList.getSortBy()); + } catch (Throwable excp) { + throw restErrorUtil.createRESTException(excp.getMessage()); + } + + return ret; + } + + @GET 
+ @Path("/lookup/groups")
+ @Produces("application/json")
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_GROUPS_LOOKUP + "\")")
+ public VXStringList getGroupsLookup(@Context HttpServletRequest request) {
+ VXStringList ret = new VXStringList();
+ SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(request, xGroupService.sortFields);
+ List vXList = new ArrayList<>();
+
+ searchUtil.extractString(request, searchCriteria, "name", "group name", null);
+ searchUtil.extractInt(request, searchCriteria, "isVisible", "Group Visibility");
+
+ try {
+ VXGroupList vXGroupList = xUserMgr.lookupXGroups(searchCriteria);
+
+ for (VXGroup vxGroup : vXGroupList.getList()) {
+ VXString vXString = new VXString();
+
+ vXString.setValue(vxGroup.getName());
+
+ vXList.add(vXString);
+ }
+
+ ret.setVXStrings(vXList);
+ ret.setPageSize(vXGroupList.getPageSize());
+ ret.setTotalCount(vXGroupList.getTotalCount());
+ ret.setSortType(vXGroupList.getSortType());
+ ret.setSortBy(vXGroupList.getSortBy());
+ } catch (Throwable excp) {
+ throw restErrorUtil.createRESTException(excp.getMessage());
+ }
+
+ return ret;
+ }
+
+ @GET
+ @Path("/lookup/principals")
+ @Produces("application/json")
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_PRINCIPALS_LOOKUP + "\")")
+ public List getPrincipalsLookup(@Context HttpServletRequest request) {
+ SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(request, xGroupService.sortFields);
+
+ searchUtil.extractString(request, searchCriteria, "name", null, null);
+
+ return xUserMgr.getRangerPrincipals(searchCriteria);
+ }
+
+ @GET
+ @Path("/users/count")
+ @Produces("application/json")
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_USERS + "\")")
+ public VXLong countXUsers(@Context HttpServletRequest request) {
+ SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(request, xUserService.sortFields);
+
+ return xUserMgr.getXUserSearchCount(searchCriteria);
+ }
+
+ // Handle XGroupUser
+ @GET
+ @Path("/groupusers/{id}")
+ @Produces("application/json")
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_GROUP_USER + "\")")
+ public VXGroupUser getXGroupUser(@PathParam("id") Long id) {
+ return xUserMgr.getXGroupUser(id);
+ }
+
+ @POST
+ @Path("/groupusers")
+ @Consumes("application/json")
+ @Produces("application/json")
+ @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
+ public VXGroupUser createXGroupUser(VXGroupUser vXGroupUser) {
+ if (vXGroupUser == null || StringUtils.isBlank(vXGroupUser.getName()) || vXGroupUser.getUserId() == null) {
+ throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, "Group name or UserId is empty or null", true);
+ }
+
+ return xUserMgr.createXGroupUser(vXGroupUser);
+ }
+
+ @PUT
+ @Path("/groupusers")
+ @Consumes("application/json")
+ @Produces("application/json")
+ public VXGroupUser updateXGroupUser(VXGroupUser vXGroupUser) {
+ if (vXGroupUser == null || StringUtils.isBlank(vXGroupUser.getName()) || vXGroupUser.getUserId() == null) {
+ throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, "Group name or UserId is empty or null", true);
+ }
+
+ return xUserMgr.updateXGroupUser(vXGroupUser);
+ }
+
+ @DELETE
+ @Path("/groupusers/{id}")
+ @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
+ @RangerAnnotationClassName(class_name = VXGroupUser.class)
+ public void deleteXGroupUser(@PathParam("id") Long id, @Context HttpServletRequest request) {
+ boolean force = true;
+
+ xUserMgr.deleteXGroupUser(id, force);
+ }
+
+ /**
+ * Implements the traditional search functionalities for XGroupUsers
+ *
+ * @param request
+ * @return
+ */
+ @GET
+ @Path("/groupusers")
+ @Produces("application/json")
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_GROUP_USERS + "\")")
+ public VXGroupUserList searchXGroupUsers(@Context HttpServletRequest request) {
+ SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(request, xGroupUserService.sortFields);
+
+ return xUserMgr.searchXGroupUsers(searchCriteria);
+ }
+
+ /**
+ * Implements the traditional search functionalities for XGroupUsers by Group name
+ *
+ * @param request
+ * @return
+ */
+ @GET
+ @Path("/groupusers/groupName/{groupName}")
+ @Produces("application/json")
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_GROUP_USERS_BY_GROUP_NAME + "\")")
+ public VXGroupUserInfo getXGroupUsersByGroupName(@Context HttpServletRequest request, @PathParam("groupName") String groupName) {
+ return xUserMgr.getXGroupUserFromMap(groupName);
+ }
+
+ @GET
+ @Path("/groupusers/count")
+ @Produces("application/json")
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_GROUP_USERS + "\")")
+ public VXLong countXGroupUsers(@Context HttpServletRequest request) {
+ SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(request, xGroupUserService.sortFields);
+
+ return xUserMgr.getXGroupUserSearchCount(searchCriteria);
+ }
+
+ // Handle XPermMap
+ @GET
+ @Path("/permmaps/{id}")
+ @Produces("application/json")
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_PERM_MAP + "\")")
+ public VXPermMap getXPermMap(@PathParam("id") Long id) {
+ VXPermMap permMap = xUserMgr.getXPermMap(id);
+
+ if (permMap != null) {
+ if (xResourceService.readResource(permMap.getResourceId()) == null) {
+ throw restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + permMap.getResourceId(), MessageEnums.INVALID_INPUT_DATA);
+ }
+ }
+
+ return permMap;
+ }
+
+ @POST
+ @Path("/permmaps")
+ @Consumes("application/json")
+ @Produces("application/json")
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_PERM_MAP + "\")")
+ public VXPermMap createXPermMap(VXPermMap vXPermMap) {
+ if (vXPermMap != null) {
+ if (xResourceService.readResource(vXPermMap.getResourceId()) == null) {
+ throw restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + vXPermMap.getResourceId(), MessageEnums.INVALID_INPUT_DATA);
+ }
+ }
+
+ return xUserMgr.createXPermMap(vXPermMap);
+ }
+
+ @PUT
+ @Path("/permmaps")
+ @Consumes("application/json")
+ @Produces("application/json")
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_PERM_MAP + "\")")
+ public VXPermMap updateXPermMap(VXPermMap vXPermMap) {
+ VXPermMap vXPermMapRet = null;
+
+ if (vXPermMap != null) {
+ if (xResourceService.readResource(vXPermMap.getResourceId()) == null) {
+ throw restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + vXPermMap.getResourceId());
+ } else {
+ vXPermMapRet = xUserMgr.updateXPermMap(vXPermMap);
+ }
+ }
+
+ return vXPermMapRet;
+ }
+
+ @DELETE
+ @Path("/permmaps/{id}")
+ @RangerAnnotationClassName(class_name = VXPermMap.class)
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELET_X_PERM_MAP_PLACEHOLDER_CHECK + "\")")
+ } else { + vXAuditMapRet = xUserMgr.updateXAuditMap(vXAuditMap); + } + } + + return vXAuditMapRet; + } + + @DELETE + @Path("/auditmaps/{id}") + @RangerAnnotationClassName(class_name = VXAuditMap.class) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_X_AUDIT_MAP + "\")") + public void deleteXAuditMap(@PathParam("id") Long id, @Context HttpServletRequest request) { + boolean force = false; + + xUserMgr.deleteXAuditMap(id, force); + } + + /** + * Implements the traditional search functionalities for XAuditMaps + * + * @param request + * @return + */ + @GET + @Path("/auditmaps") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_AUDIT_MAPS + "\")") + public VXAuditMapList searchXAuditMaps(@Context HttpServletRequest request) { + SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(request, xAuditMapService.sortFields); + + return xUserMgr.searchXAuditMaps(searchCriteria); + } + + @GET + @Path("/auditmaps/count") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_AUDIT_MAPS + "\")") + public VXLong countXAuditMaps(@Context HttpServletRequest request) { + SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(request, xAuditMapService.sortFields); + + return xUserMgr.getXAuditMapSearchCount(searchCriteria); + } + + // Handle XUser + @GET + @Path("/users/userName/{userName}") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_USER_BY_USER_NAME + "\")") + public VXUser getXUserByUserName(@Context HttpServletRequest request, @PathParam("userName") String userName) { + return xUserMgr.getXUserByUserName(userName); + } + + @GET + @Path("/groups/groupName/{groupName}") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + 
RangerAPIList.GET_X_GROUP_BY_GROUP_NAME + "\")") + public VXGroup getXGroupByGroupName(@Context HttpServletRequest request, @PathParam("groupName") String groupName) { + VXGroup vXGroup = xGroupService.getGroupByGroupName(groupName); + UserSessionBase userSession = ContextUtil.getCurrentUserSession(); + + if (userSession != null && userSession.getLoginId() != null && userSession.getUserRoleList().contains(RangerConstants.ROLE_USER)) { + VXUser loggedInVXUser = xUserService.getXUserByUserName(userSession.getLoginId()); + boolean isMatch = false; + + if (loggedInVXUser != null && vXGroup != null) { + List userGroups = xGroupService.getGroupsByUserId(loggedInVXUser.getId()); + + for (XXGroup xXGroup : userGroups) { + if (xXGroup != null && StringUtils.equals(xXGroup.getName(), vXGroup.getName())) { + isMatch = true; + break; + } } + } + + if (!isMatch) { + vXGroup = null; + } + } + + return vXGroup; + } + + @DELETE + @Path("/users/userName/{userName}") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + public void deleteXUserByUserName(@PathParam("userName") String userName, @Context HttpServletRequest request) { + String forceDeleteStr = request.getParameter("forceDelete"); + boolean forceDelete = !StringUtils.isEmpty(forceDeleteStr) && forceDeleteStr.equalsIgnoreCase("true"); + VXUser vxUser = xUserService.getXUserByUserName(userName); + + xUserMgr.deleteXUser(vxUser.getId(), forceDelete); + } + + /** + * Proceed with caution: Force deletes users from the ranger db, + * Delete happens one at a time with immediate commit on the transaction. 
+ */ + @DELETE + @Path("/delete/external/users") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + @Produces("application/json") + public Response forceDeleteExternalUsers(@Context HttpServletRequest request) { + SearchCriteria searchCriteria = new SearchCriteria(); + + searchUtil.extractString(request, searchCriteria, "name", "User name", null); + searchUtil.extractString(request, searchCriteria, "emailAddress", "Email Address", null); + searchUtil.extractInt(request, searchCriteria, "isVisible", "User Visibility"); + searchUtil.extractInt(request, searchCriteria, "status", "User Status"); + searchUtil.extractString(request, searchCriteria, "syncSource", "Sync Source", null); + searchUtil.extractRoleString(request, searchCriteria, "userRole", "Role", null); + + // for invalid params + if (request.getQueryString() != null && searchCriteria.getParamList().isEmpty()) { + return Response.status(Response.Status.BAD_REQUEST).entity("Invalid query params!").build(); } - @DELETE - @Path("/secure/groups/id/{groupId}") - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - public void deleteSingleGroupByGroupId(@Context HttpServletRequest request, @PathParam("groupId") Long groupId) { - String forceDeleteStr = request.getParameter("forceDelete"); - boolean forceDelete = false; - if (StringUtils.isNotEmpty(forceDeleteStr) && "true".equalsIgnoreCase(forceDeleteStr)) { - forceDelete = true; + // only for external users + searchCriteria.addParam("userSource", USER_EXTERNAL); + + List userIds = xUserService.searchXUsersForIds(searchCriteria); + long usersDeleted = xUserMgr.forceDeleteExternalUsers(userIds); + String response = "No users were deleted!"; + + if (usersDeleted == 1) { + response = "1 user deleted successfully."; + } else if (usersDeleted > 0) { + response = String.format("%d users deleted successfully.", usersDeleted); + } + + return Response.ok(response).build(); + } + + /** + * Proceed with caution: Force deletes groups from the ranger db, + * Delete happens one at a time 
with immediate commit on the transaction. + */ + @DELETE + @Path("/delete/external/groups") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + @Produces("application/json") + public Response forceDeleteExternalGroups(@Context HttpServletRequest request) { + SearchCriteria searchCriteria = new SearchCriteria(); + + searchUtil.extractString(request, searchCriteria, "name", "Group Name", null); + searchUtil.extractInt(request, searchCriteria, "isVisible", "Group Visibility"); + searchUtil.extractString(request, searchCriteria, "syncSource", "Sync Source", null); + + // for invalid params + if (request.getQueryString() != null && searchCriteria.getParamList().isEmpty()) { + return Response.status(Response.Status.BAD_REQUEST).entity("Invalid query params!").build(); + } + + // only for external groups + searchCriteria.addParam("groupSource", GROUP_EXTERNAL); + + List groupIds = xGroupService.searchXGroupsForIds(searchCriteria); + long groupsDeleted = xUserMgr.forceDeleteExternalGroups(groupIds); + String response = "No groups were deleted!"; + + if (groupsDeleted == 1) { + response = "1 group deleted successfully."; + } else if (groupsDeleted > 0) { + response = String.format("%d groups deleted successfully.", groupsDeleted); + } + + return Response.ok(response).build(); + } + + @DELETE + @Path("/groups/groupName/{groupName}") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + public void deleteXGroupByGroupName(@PathParam("groupName") String groupName, @Context HttpServletRequest request) { + String forceDeleteStr = request.getParameter("forceDelete"); + boolean forceDelete = !StringUtils.isEmpty(forceDeleteStr) && forceDeleteStr.equalsIgnoreCase("true"); + VXGroup vxGroup = xGroupService.getGroupByGroupName(groupName); + + xUserMgr.deleteXGroup(vxGroup.getId(), forceDelete); + } + + @DELETE + @Path("/group/{groupName}/user/{userName}") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + public void deleteXGroupAndXUser(@PathParam("groupName") String groupName, 
@PathParam("userName") String userName, @Context HttpServletRequest request) { + xUserMgr.deleteXGroupAndXUser(groupName, userName); + } + + @GET + @Path("/{userId}/groups") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_USER_GROUPS + "\")") + public VXGroupList getXUserGroups(@Context HttpServletRequest request, @PathParam("userId") Long id) { + return xUserMgr.getXUserGroups(id); + } + + @GET + @Path("/{groupId}/users") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_GROUP_USERS + "\")") + public VXUserList getXGroupUsers(@Context HttpServletRequest request, @PathParam("groupId") Long id) { + SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(request, xGroupUserService.sortFields); + + searchCriteria.addParam("xGroupId", id); + + return xUserMgr.getXGroupUsers(searchCriteria); + } + + @GET + @Path("/authSessions") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_AUTH_SESSIONS + "\")") + public VXAuthSessionList getAuthSessions(@Context HttpServletRequest request) { + SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(request, AuthSessionService.AUTH_SESSION_SORT_FLDS); + + searchUtil.extractLong(request, searchCriteria, "id", "Auth Session Id"); + searchUtil.extractLong(request, searchCriteria, "userId", "User Id"); + searchUtil.extractInt(request, searchCriteria, "authStatus", "Auth Status"); + searchUtil.extractInt(request, searchCriteria, "authType", "Login Type"); + searchUtil.extractInt(request, searchCriteria, "deviceType", "Device Type"); + searchUtil.extractString(request, searchCriteria, "firstName", "User First Name", StringUtil.VALIDATION_NAME); + searchUtil.extractString(request, searchCriteria, "lastName", "User Last Name", StringUtil.VALIDATION_NAME); + searchUtil.extractString(request, searchCriteria, 
"requestUserAgent", "User Agent", StringUtil.VALIDATION_TEXT); + searchUtil.extractString(request, searchCriteria, "requestIP", "Request IP Address", StringUtil.VALIDATION_IP_ADDRESS); + searchUtil.extractString(request, searchCriteria, "loginId", "Login ID", StringUtil.VALIDATION_TEXT); + searchUtil.extractDate(request, searchCriteria, "startDate", "Start Date", null); + searchUtil.extractDate(request, searchCriteria, "endDate", "End Date", null); + + return sessionMgr.searchAuthSessions(searchCriteria); + } + + @GET + @Path("/authSessions/info") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_AUTH_SESSION + "\")") + public VXAuthSession getAuthSession(@Context HttpServletRequest request) { + String authSessionId = request.getParameter("extSessionId"); + + return sessionMgr.getAuthSessionBySessionId(authSessionId); + } + + // Handle module permissions + @POST + @Path("/permission") + @Consumes("application/json") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_MODULE_DEF_PERMISSION + "\")") + public VXModuleDef createXModuleDefPermission(VXModuleDef vXModuleDef) { + xUserMgr.checkAdminAccess(); + bizUtil.blockAuditorRoleUser(); + + return xUserMgr.createXModuleDefPermission(vXModuleDef); + } + + @GET + @Path("/permission/{id}") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_MODULE_DEF_PERMISSION + "\")") + public VXModuleDef getXModuleDefPermission(@PathParam("id") Long id) { + return xUserMgr.getXModuleDefPermission(id); + } + + @PUT + @Path("/permission/{id}") + @Consumes("application/json") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_MODULE_DEF_PERMISSION + "\")") + public VXModuleDef updateXModuleDefPermission(VXModuleDef vXModuleDef) { + 
xUserMgr.checkAdminAccess(); + bizUtil.blockAuditorRoleUser(); + + return xUserMgr.updateXModuleDefPermission(vXModuleDef); + } + + @DELETE + @Path("/permission/{id}") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_X_MODULE_DEF_PERMISSION + "\")") + public void deleteXModuleDefPermission(@PathParam("id") Long id, @Context HttpServletRequest request) { + boolean force = true; + + xUserMgr.checkAdminAccess(); + bizUtil.blockAuditorRoleUser(); + xUserMgr.deleteXModuleDefPermission(id, force); + } + + @GET + @Path("/permission") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_MODULE_DEF + "\")") + public VXModuleDefList searchXModuleDef(@Context HttpServletRequest request) { + SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(request, xModuleDefService.sortFields); + + searchUtil.extractString(request, searchCriteria, "module", "modulename", null); + searchUtil.extractString(request, searchCriteria, "moduleDefList", "id", null); + searchUtil.extractString(request, searchCriteria, "userName", "userName", null); + searchUtil.extractString(request, searchCriteria, "groupName", "groupName", null); + + return xUserMgr.searchXModuleDef(searchCriteria); + } + + @GET + @Path("/permissionlist") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_MODULE_DEF + "\")") + public VXModulePermissionList searchXModuleDefList(@Context HttpServletRequest request) { + SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(request, xModuleDefService.sortFields); + + searchUtil.extractString(request, searchCriteria, "module", "modulename", null); + searchUtil.extractString(request, searchCriteria, "moduleDefList", "id", null); + searchUtil.extractString(request, searchCriteria, "userName", "userName", null); + searchUtil.extractString(request, searchCriteria, "groupName", 
"groupName", null); + + return xUserMgr.searchXModuleDefList(searchCriteria); + } + + @GET + @Path("/permission/count") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_MODULE_DEF + "\")") + public VXLong countXModuleDef(@Context HttpServletRequest request) { + SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(request, xModuleDefService.sortFields); + + return xUserMgr.getXModuleDefSearchCount(searchCriteria); + } + + // Handle user permissions + @POST + @Path("/permission/user") + @Consumes("application/json") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_USER_PERMISSION + "\")") + public VXUserPermission createXUserPermission(VXUserPermission vXUserPermission) { + xUserMgr.checkAdminAccess(); + bizUtil.blockAuditorRoleUser(); + + return xUserMgr.createXUserPermission(vXUserPermission); + } + + @GET + @Path("/permission/user/{id}") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_USER_PERMISSION + "\")") + public VXUserPermission getXUserPermission(@PathParam("id") Long id) { + return xUserMgr.getXUserPermission(id); + } + + @PUT + @Path("/permission/user/{id}") + @Consumes("application/json") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_USER_PERMISSION + "\")") + public VXUserPermission updateXUserPermission(VXUserPermission vXUserPermission) { + xUserMgr.checkAdminAccess(); + bizUtil.blockAuditorRoleUser(); + + return xUserMgr.updateXUserPermission(vXUserPermission); + } + + @DELETE + @Path("/permission/user/{id}") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_X_USER_PERMISSION + "\")") + public void deleteXUserPermission(@PathParam("id") Long id, @Context HttpServletRequest request) { + boolean force = 
true; + + xUserMgr.checkAdminAccess(); + xUserMgr.deleteXUserPermission(id, force); + } + + @GET + @Path("/permission/user") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_USER_PERMISSION + "\")") + public VXUserPermissionList searchXUserPermission(@Context HttpServletRequest request) { + SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(request, xUserPermissionService.sortFields); + + searchUtil.extractString(request, searchCriteria, "id", "id", StringUtil.VALIDATION_NAME); + searchUtil.extractString(request, searchCriteria, "userPermissionList", "userId", StringUtil.VALIDATION_NAME); + + return xUserMgr.searchXUserPermission(searchCriteria); + } + + @GET + @Path("/permission/user/count") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_USER_PERMISSION + "\")") + public VXLong countXUserPermission(@Context HttpServletRequest request) { + SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(request, xUserPermissionService.sortFields); + + return xUserMgr.getXUserPermissionSearchCount(searchCriteria); + } + + // Handle group permissions + @POST + @Path("/permission/group") + @Consumes("application/json") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_GROUP_PERMISSION + "\")") + public VXGroupPermission createXGroupPermission(VXGroupPermission vXGroupPermission) { + xUserMgr.checkAdminAccess(); + bizUtil.blockAuditorRoleUser(); + + return xUserMgr.createXGroupPermission(vXGroupPermission); + } + + @GET + @Path("/permission/group/{id}") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_GROUP_PERMISSION + "\")") + public VXGroupPermission getXGroupPermission(@PathParam("id") Long id) { + return xUserMgr.getXGroupPermission(id); + } + + @PUT + 
@Path("/permission/group/{id}") + @Consumes("application/json") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_GROUP_PERMISSION + "\")") + public VXGroupPermission updateXGroupPermission(@PathParam("id") Long id, VXGroupPermission vXGroupPermission) { + // if VXGroupPermission.id is specified, it should be same as the param 'id' + if (vXGroupPermission.getId() == null) { + vXGroupPermission.setId(id); + } else if (!vXGroupPermission.getId().equals(id)) { + throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, "vXGroupPermission Id mismatch", true); + } + + xUserMgr.checkAdminAccess(); + bizUtil.blockAuditorRoleUser(); + + return xUserMgr.updateXGroupPermission(vXGroupPermission); + } + + @DELETE + @Path("/permission/group/{id}") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_X_GROUP_PERMISSION + "\")") + public void deleteXGroupPermission(@PathParam("id") Long id, @Context HttpServletRequest request) { + boolean force = true; + + xUserMgr.checkAdminAccess(); + bizUtil.blockAuditorRoleUser(); + xUserMgr.deleteXGroupPermission(id, force); + } + + @GET + @Path("/permission/group") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_GROUP_PERMISSION + "\")") + public VXGroupPermissionList searchXGroupPermission(@Context HttpServletRequest request) { + SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(request, xGroupPermissionService.sortFields); + + searchUtil.extractString(request, searchCriteria, "id", "id", StringUtil.VALIDATION_NAME); + searchUtil.extractString(request, searchCriteria, "groupPermissionList", "groupId", StringUtil.VALIDATION_NAME); + + return xUserMgr.searchXGroupPermission(searchCriteria); + } + + @GET + @Path("/permission/group/count") + @Produces("application/json") + 
@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_GROUP_PERMISSION + "\")") + public VXLong countXGroupPermission(@Context HttpServletRequest request) { + SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(request, xGroupPermissionService.sortFields); + + return xUserMgr.getXGroupPermissionSearchCount(searchCriteria); + } + + @PUT + @Path("/secure/users/activestatus") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.MODIFY_USER_ACTIVE_STATUS + "\")") + public void modifyUserActiveStatus(HashMap statusMap) { + xUserMgr.modifyUserActiveStatus(statusMap); + } + + @PUT + @Path("/secure/users/roles/{userId}") + @Consumes("application/json") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SET_USER_ROLES_BY_ID + "\")") + public VXStringList setUserRolesByExternalID(@PathParam("userId") Long userId, VXStringList roleList) { + return xUserMgr.setUserRolesByExternalID(userId, roleList.getVXStrings()); + } + + @PUT + @Path("/secure/users/roles/userName/{userName}") + @Consumes("application/json") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SET_USER_ROLES_BY_NAME + "\")") + public VXStringList setUserRolesByName(@PathParam("userName") String userName, VXStringList roleList) { + return xUserMgr.setUserRolesByName(userName, roleList.getVXStrings()); + } + + @GET + @Path("/secure/users/external/{userId}") + @Produces("application/json") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_USER_ROLES_BY_ID + "\")") + public VXStringList getUserRolesByExternalID(@PathParam("userId") Long userId) { + return xUserMgr.getUserRolesByExternalID(userId); + } + + @GET + @Path("/secure/users/roles/userName/{userName}") + @Produces("application/json") + 
@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_USER_ROLES_BY_NAME + "\")") + public VXStringList getUserRolesByName(@PathParam("userName") String userName) { + return xUserMgr.getUserRolesByName(userName); + } + + @DELETE + @Path("/secure/users/delete") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + public void deleteUsersByUserName(@Context HttpServletRequest request, VXStringList userList) { + String forceDeleteStr = request.getParameter("forceDelete"); + boolean forceDelete = StringUtils.isNotEmpty(forceDeleteStr) && "true".equalsIgnoreCase(forceDeleteStr); + + if (userList != null && userList.getList() != null) { + for (VXString userName : userList.getList()) { + if (StringUtils.isNotEmpty(userName.getValue())) { + VXUser vxUser = xUserService.getXUserByUserName(userName.getValue()); + + xUserMgr.deleteXUser(vxUser.getId(), forceDelete); } - if (groupId != null) { - xUserMgr.deleteXGroup(groupId, forceDelete); + } + } + } + + @DELETE + @Path("/secure/groups/delete") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + public void deleteGroupsByGroupName(@Context HttpServletRequest request, VXStringList groupList) { + String forceDeleteStr = request.getParameter("forceDelete"); + boolean forceDelete = StringUtils.isNotEmpty(forceDeleteStr) && "true".equalsIgnoreCase(forceDeleteStr); + + if (groupList != null && groupList.getList() != null) { + for (VXString groupName : groupList.getList()) { + if (StringUtils.isNotEmpty(groupName.getValue())) { + VXGroup vxGroup = xGroupService.getGroupByGroupName(groupName.getValue()); + + xUserMgr.deleteXGroup(vxGroup.getId(), forceDelete); } + } + } + } + + @DELETE + @Path("/secure/users/{userName}") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + public void deleteSingleUserByUserName(@Context HttpServletRequest request, @PathParam("userName") String userName) { + String forceDeleteStr = request.getParameter("forceDelete"); + boolean forceDelete = StringUtils.isNotEmpty(forceDeleteStr) && 
"true".equalsIgnoreCase(forceDeleteStr); + + if (StringUtils.isNotEmpty(userName)) { + VXUser vxUser = xUserService.getXUserByUserName(userName); + + xUserMgr.deleteXUser(vxUser.getId(), forceDelete); } + } + + @DELETE + @Path("/secure/groups/{groupName}") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + public void deleteSingleGroupByGroupName(@Context HttpServletRequest request, @PathParam("groupName") String groupName) { + String forceDeleteStr = request.getParameter("forceDelete"); + boolean forceDelete = StringUtils.isNotEmpty(forceDeleteStr) && "true".equalsIgnoreCase(forceDeleteStr); + + if (StringUtils.isNotEmpty(groupName)) { + VXGroup vxGroup = xGroupService.getGroupByGroupName(groupName.trim()); + + xUserMgr.deleteXGroup(vxGroup.getId(), forceDelete); + } + } + + @DELETE + @Path("/secure/users/id/{userId}") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + public void deleteSingleUserByUserId(@Context HttpServletRequest request, @PathParam("userId") Long userId) { + String forceDeleteStr = request.getParameter("forceDelete"); + boolean forceDelete = StringUtils.isNotEmpty(forceDeleteStr) && "true".equalsIgnoreCase(forceDeleteStr); + + if (userId != null) { + xUserMgr.deleteXUser(userId, forceDelete); + } + } + + @DELETE + @Path("/secure/groups/id/{groupId}") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + public void deleteSingleGroupByGroupId(@Context HttpServletRequest request, @PathParam("groupId") Long groupId) { + String forceDeleteStr = request.getParameter("forceDelete"); + boolean forceDelete = StringUtils.isNotEmpty(forceDeleteStr) && "true".equalsIgnoreCase(forceDeleteStr); + + if (groupId != null) { + xUserMgr.deleteXGroup(groupId, forceDelete); + } + } @GET @Path("/download/{serviceName}") - @Produces({ "application/json" }) - public RangerUserStore getRangerUserStoreIfUpdated(@PathParam("serviceName") String serviceName, - @DefaultValue("-1") @QueryParam("lastKnownUserStoreVersion") Long lastKnownUserStoreVersion, - @DefaultValue("0") 
@QueryParam("lastActivationTime") Long lastActivationTime, - @QueryParam("pluginId") String pluginId, - @DefaultValue("") @QueryParam("clusterName") String clusterName, - @DefaultValue("") @QueryParam(RangerRESTUtils.REST_PARAM_CAPABILITIES) String pluginCapabilities, - @Context HttpServletRequest request) throws Exception { - if (logger.isDebugEnabled()) { - logger.debug("==> XUserREST.getRangerUserStoreIfUpdated(serviceName={}, lastKnownUserStoreVersion={}, lastActivationTime={})", serviceName, lastKnownUserStoreVersion, lastActivationTime); - } + @Produces("application/json") + public RangerUserStore getRangerUserStoreIfUpdated(@PathParam("serviceName") String serviceName, @DefaultValue("-1") @QueryParam("lastKnownUserStoreVersion") Long lastKnownUserStoreVersion, @DefaultValue("0") @QueryParam("lastActivationTime") Long lastActivationTime, @QueryParam("pluginId") String pluginId, @DefaultValue("") @QueryParam("clusterName") String clusterName, @DefaultValue("") @QueryParam(RangerRESTUtils.REST_PARAM_CAPABILITIES) String pluginCapabilities, @Context HttpServletRequest request) { + logger.debug("==> XUserREST.getRangerUserStoreIfUpdated(serviceName={}, lastKnownUserStoreVersion={}, lastActivationTime={})", serviceName, lastKnownUserStoreVersion, lastActivationTime); - RangerUserStore ret = null; - boolean isValid = false; - int httpCode = HttpServletResponse.SC_OK; - String logMsg = null; - Long downloadedVersion = null; + RangerUserStore ret = null; + boolean isValid = false; + int httpCode = HttpServletResponse.SC_OK; + String logMsg = null; + Long downloadedVersion = null; - try { + try { bizUtil.failUnauthenticatedDownloadIfNotAllowed(); isValid = serviceUtil.isValidService(serviceName, request); 
@@ -1429,7 +1401,6 @@ public RangerUserStore getRangerUserStoreIfUpdated(@PathParam("serviceName") Str
 XXService xService = rangerDaoManager.getXXService().findByName(serviceName);
 if (xService != null) {
-
 RangerUserStore rangerUserStore = xUserMgr.getRangerUserStoreIfUpdated(lastKnownUserStoreVersion);
 if (rangerUserStore == null) {
@@ -1439,7 +1410,6 @@ public RangerUserStore getRangerUserStoreIfUpdated(@PathParam("serviceName") Str
 } else {
 downloadedVersion = rangerUserStore.getUserStoreVersion();
 ret = rangerUserStore;
- httpCode = HttpServletResponse.SC_OK;
 logMsg = "Returning RangerUserStore version " + downloadedVersion;
 }
 }
@@ -1459,168 +1429,160 @@ public RangerUserStore getRangerUserStoreIfUpdated(@PathParam("serviceName") Str throw restErrorUtil.createRESTException(httpCode, logMsg, logError); } - if (logger.isDebugEnabled()) { - logger.debug("<== XUserREST.getRangerUserStoreIfUpdated(serviceName={}, lastKnownUserStoreVersion={}, lastActivationTime={}): {}", serviceName, lastKnownUserStoreVersion, lastActivationTime, ret); + logger.debug("<== XUserREST.getRangerUserStoreIfUpdated(serviceName={}, lastKnownUserStoreVersion={}, lastActivationTime={}): {}", serviceName, lastKnownUserStoreVersion, lastActivationTime, ret); + + return ret; + } + + @GET + @Path("/secure/download/{serviceName}") + @Produces("application/json") + public RangerUserStore getSecureRangerUserStoreIfUpdated(@PathParam("serviceName") String serviceName, @DefaultValue("-1") @QueryParam("lastKnownUserStoreVersion") Long lastKnownUserStoreVersion, @DefaultValue("0") @QueryParam("lastActivationTime") Long lastActivationTime, @QueryParam("pluginId") String pluginId, @DefaultValue("") @QueryParam("clusterName") String clusterName, @DefaultValue("") @QueryParam(RangerRESTUtils.REST_PARAM_CAPABILITIES) String pluginCapabilities, @Context HttpServletRequest request) { + logger.debug("==> XUserREST.getSecureRangerUserStoreIfUpdated({}, {}, {})", serviceName, lastKnownUserStoreVersion, lastActivationTime); + + RangerUserStore ret = null; + int httpCode = HttpServletResponse.SC_OK; + String logMsg = null; + boolean isAdmin = bizUtil.isAdmin(); + boolean isKeyAdmin = bizUtil.isKeyAdmin(); + Long downloadedVersion = null; + boolean isValid = false; + boolean isAllowed; + + try { + XXService xService = rangerDaoManager.getXXService().findByName(serviceName); + + if (xService != null) { + isValid = true; + } + + if (isValid) { + XXServiceDef xServiceDef = rangerDaoManager.getXXServiceDef().getById(xService.getType()); + RangerService rangerService = svcStore.getServiceByName(serviceName); + + if 
(StringUtils.equals(xServiceDef.getImplclassname(), EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) { + if (isKeyAdmin) { + isAllowed = true; + } else { + isAllowed = bizUtil.isUserAllowed(rangerService, USERSTORE_DOWNLOAD_USERS); + } + } else { + if (isAdmin) { + isAllowed = true; + } else { + isAllowed = bizUtil.isUserAllowed(rangerService, USERSTORE_DOWNLOAD_USERS); + } + } + + if (isAllowed) { + RangerUserStore rangerUserStore = xUserMgr.getRangerUserStoreIfUpdated(lastKnownUserStoreVersion); + + if (rangerUserStore == null) { + downloadedVersion = lastKnownUserStoreVersion; + httpCode = HttpServletResponse.SC_NOT_MODIFIED; + logMsg = "No change since last update"; + } else { + downloadedVersion = rangerUserStore.getUserStoreVersion(); + ret = rangerUserStore; + logMsg = "Returning RangerUserStore =>" + (ret); + } + } else { + logger.error("getSecureRangerUserStoreIfUpdated({}, {}) failed as User doesn't have permission to download UsersAndGroups", serviceName, lastKnownUserStoreVersion); + + httpCode = HttpServletResponse.SC_FORBIDDEN; // assert user is authenticated. 
+ logMsg = "User doesn't have permission to download UsersAndGroups"; + } + } + } catch (Throwable excp) { + logger.error("getSecureRangerUserStoreIfUpdated({}, {}, {}) failed", serviceName, lastKnownUserStoreVersion, lastActivationTime, excp); + + httpCode = HttpServletResponse.SC_BAD_REQUEST; + logMsg = excp.getMessage(); + } + + assetMgr.createPluginInfo(serviceName, pluginId, request, RangerPluginInfo.ENTITY_TYPE_USERSTORE, downloadedVersion, lastKnownUserStoreVersion, lastActivationTime, httpCode, clusterName, pluginCapabilities); + + if (httpCode != HttpServletResponse.SC_OK) { + boolean logError = httpCode != HttpServletResponse.SC_NOT_MODIFIED; + + throw restErrorUtil.createRESTException(httpCode, logMsg, logError); } + logger.debug("<== XUserREST.getSecureRangerUserStoreIfUpdated({}, {}, {}): {}", serviceName, lastKnownUserStoreVersion, lastActivationTime, ret); + return ret; } - @GET - @Path("/secure/download/{serviceName}") - @Produces({ "application/json" }) - public RangerUserStore getSecureRangerUserStoreIfUpdated(@PathParam("serviceName") String serviceName, - @DefaultValue("-1") @QueryParam("lastKnownUserStoreVersion") Long lastKnownUserStoreVersion, - @DefaultValue("0") @QueryParam("lastActivationTime") Long lastActivationTime, - @QueryParam("pluginId") String pluginId, - @DefaultValue("") @QueryParam("clusterName") String clusterName, - @DefaultValue("") @QueryParam(RangerRESTUtils.REST_PARAM_CAPABILITIES) String pluginCapabilities, - @Context HttpServletRequest request) throws Exception { - if (logger.isDebugEnabled()) { - logger.debug("==> XUserREST.getSecureRangerUserStoreIfUpdated(" - + serviceName + ", " + lastKnownUserStoreVersion + ", " + lastActivationTime + ")"); - } - RangerUserStore ret = null; - int httpCode = HttpServletResponse.SC_OK; - String logMsg = null; - boolean isAllowed = false; - boolean isAdmin = bizUtil.isAdmin(); - boolean isKeyAdmin = bizUtil.isKeyAdmin(); - Long downloadedVersion = null; - - boolean isValid = false; - 
try { - XXService xService = rangerDaoManager.getXXService().findByName(serviceName); - if (xService != null) { - isValid = true; - } - if (isValid) { - XXServiceDef xServiceDef = rangerDaoManager.getXXServiceDef().getById(xService.getType()); - RangerService rangerService = svcStore.getServiceByName(serviceName); - - if (StringUtils.equals(xServiceDef.getImplclassname(), EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) { - if (isKeyAdmin) { - isAllowed = true; - } else { - isAllowed = bizUtil.isUserAllowed(rangerService, USERSTORE_DOWNLOAD_USERS); - } - } else { - if (isAdmin) { - isAllowed = true; - } else { - isAllowed = bizUtil.isUserAllowed(rangerService, USERSTORE_DOWNLOAD_USERS); - } - } - - if (isAllowed) { - RangerUserStore rangerUserStore = xUserMgr.getRangerUserStoreIfUpdated(lastKnownUserStoreVersion); - if (rangerUserStore == null) { - downloadedVersion = lastKnownUserStoreVersion; - httpCode = HttpServletResponse.SC_NOT_MODIFIED; - logMsg = "No change since last update"; - } else { - downloadedVersion = rangerUserStore.getUserStoreVersion(); - ret = rangerUserStore; - httpCode = HttpServletResponse.SC_OK; - logMsg = "Returning RangerUserStore =>" + (ret.toString()); - } - } else { - logger.error("getSecureRangerUserStoreIfUpdated(" + serviceName + ", " + lastKnownUserStoreVersion + ") failed as User doesn't have permission to download UsersAndGroups"); - httpCode = HttpServletResponse.SC_FORBIDDEN; // assert user is authenticated. 
- logMsg = "User doesn't have permission to download UsersAndGroups"; - } - } - - } catch (Throwable excp) { - logger.error("getSecureRangerUserStoreIfUpdated(" + serviceName + ", " + lastKnownUserStoreVersion + ", " + lastActivationTime + ") failed", excp); - httpCode = HttpServletResponse.SC_BAD_REQUEST; - logMsg = excp.getMessage(); - } - - assetMgr.createPluginInfo(serviceName, pluginId, request, RangerPluginInfo.ENTITY_TYPE_USERSTORE, downloadedVersion, lastKnownUserStoreVersion, lastActivationTime, httpCode, clusterName, pluginCapabilities); - - if (httpCode != HttpServletResponse.SC_OK) { - boolean logError = httpCode != HttpServletResponse.SC_NOT_MODIFIED; - throw restErrorUtil.createRESTException(httpCode, logMsg, logError); - } - - if (logger.isDebugEnabled()) { - logger.debug("<== XUserREST.getSecureRangerUserStoreIfUpdated(" + serviceName + ", " + lastKnownUserStoreVersion + ", " + lastActivationTime + ")" + ret); - } - return ret; - } - - @POST - @Path("/ugsync/auditinfo") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - public VXUgsyncAuditInfo postUserGroupAuditInfo(VXUgsyncAuditInfo vxUgsyncAuditInfo) { - - return xUserMgr.postUserGroupAuditInfo(vxUgsyncAuditInfo); - } - - @GET - @Path("/ugsync/groupusers") - @Produces({ "application/json" }) - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - public Map> getAllGroupUsers() { - return rangerDaoManager.getXXGroupUser().findUsersByGroupIds(); - } - - @POST - @Path("/ugsync/users") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - @Transactional(readOnly = false, propagation = Propagation.NOT_SUPPORTED) - public String addOrUpdateUsers(VXUserList users) { - int ret = xUserMgr.createOrUpdateXUsers(users); - return String.valueOf(ret); - } - - @POST - @Path("/ugsync/groups") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - 
@PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - public int addOrUpdateGroups(VXGroupList groups) { - int ret = xUserMgr.createOrUpdateXGroups(groups); - return ret; - } - - @POST - @Path("/ugsync/groupusers") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - public int addOrUpdateGroupUsersList(List groupUserInfoList) { - return xUserMgr.createOrDeleteXGroupUserList(groupUserInfoList); - } - - @POST - @Path("/users/roleassignments") - @Produces({ "application/json" }) - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - public List setXUserRolesByName(UsersGroupRoleAssignments ugRoleAssignments) { - return xUserMgr.updateUserRoleAssignments(ugRoleAssignments); - } - - @POST - @Path("/ugsync/groups/visibility") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - public int updateDeletedGroups(Set deletedGroups){ - return xUserMgr.updateDeletedGroups(deletedGroups); - } - - @POST - @Path("/ugsync/users/visibility") - @Consumes({ "application/json" }) - @Produces({ "application/json" }) - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") - public int updateDeletedUsers(Set deletedUsers){ - return xUserMgr.updateDeletedUsers(deletedUsers); - } + @POST + @Path("/ugsync/auditinfo") + @Consumes("application/json") + @Produces("application/json") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + public VXUgsyncAuditInfo postUserGroupAuditInfo(VXUgsyncAuditInfo vxUgsyncAuditInfo) { + return xUserMgr.postUserGroupAuditInfo(vxUgsyncAuditInfo); + } + + @GET + @Path("/ugsync/groupusers") + @Produces("application/json") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + public Map> getAllGroupUsers() { + return rangerDaoManager.getXXGroupUser().findUsersByGroupIds(); + } + + @POST + @Path("/ugsync/users") + @Consumes("application/json") + @Produces("application/json") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + @Transactional(readOnly = false, propagation = 
Propagation.NOT_SUPPORTED) + public String addOrUpdateUsers(VXUserList users) { + int ret = xUserMgr.createOrUpdateXUsers(users); + + return String.valueOf(ret); + } + + @POST + @Path("/ugsync/groups") + @Consumes("application/json") + @Produces("application/json") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + public int addOrUpdateGroups(VXGroupList groups) { + return xUserMgr.createOrUpdateXGroups(groups); + } + + @POST + @Path("/ugsync/groupusers") + @Consumes("application/json") + @Produces("application/json") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + public int addOrUpdateGroupUsersList(List groupUserInfoList) { + return xUserMgr.createOrDeleteXGroupUserList(groupUserInfoList); + } + + @POST + @Path("/users/roleassignments") + @Produces("application/json") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + public List setXUserRolesByName(UsersGroupRoleAssignments ugRoleAssignments) { + return xUserMgr.updateUserRoleAssignments(ugRoleAssignments); + } + + @POST + @Path("/ugsync/groups/visibility") + @Consumes("application/json") + @Produces("application/json") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + public int updateDeletedGroups(Set deletedGroups) { + return xUserMgr.updateDeletedGroups(deletedGroups); + } + + @POST + @Path("/ugsync/users/visibility") + @Consumes("application/json") + @Produces("application/json") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + public int updateDeletedUsers(Set deletedUsers) { + return xUserMgr.updateDeletedUsers(deletedUsers); + } } diff --git a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java index 3683442be9..3a23d96ceb 100644 --- a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java +++ b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java 
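Review bot: In getSecureRangerUserStoreIfUpdated, when `rangerDaoManager.getXXService().findByName(serviceName)` returns null the `if (isValid)` block is skipped while httpCode is still SC_OK, so an unknown service name records a plugin-info row through createPluginInfo and then returns null to the caller as a success; no line in the hunk sets httpCode or logMsg for that path. Give the validity check an else branch, e.g. `} else { httpCode = HttpServletResponse.SC_BAD_REQUEST; logMsg = "Invalid service name: " + serviceName; }`, so that path reaches the existing `if (httpCode != HttpServletResponse.SC_OK)` throw like the other failure cases. Separately, `logMsg = "Returning RangerUserStore =>" + (ret);` stringifies the entire user store on every successful download although logMsg is only consumed on the error path; the non-secure sibling uses `"Returning RangerUserStore version " + downloadedVersion`, which is both cheaper and consistent. The `catch (Throwable excp)` block also hands `excp.getMessage()` to the client as the SC_BAD_REQUEST body, which surfaces internal exception text in the HTTP response; a fixed message with the detail left in the log entry above it would avoid that.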
@@ -894,7 +894,7 @@ public void test23getServicePoliciesByName() throws Exception {
 HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
 RangerPolicy rangerPolicy = rangerPolicy();
- List ret = Mockito.mock(List.class);
+ List ret = Collections.emptyList();
 SearchFilter filter = new SearchFilter();
 filter.setParam(SearchFilter.POLICY_NAME, "policyName");