This is an automated email from the ASF dual-hosted git repository.
madhan pushed a commit to branch ranger-2.4
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/ranger-2.4 by this push:
new 85f34ecf4 RANGER-4121: fix for NPE in service-zone update
85f34ecf4 is described below
commit 85f34ecf4b2f535bf494787bdfa8d10378c04c97
Author: Madhan Neethiraj <[email protected]>
AuthorDate: Sat Mar 4 01:17:16 2023 -0800
RANGER-4121: fix for NPE in service-zone update
(cherry picked from commit be40c58f73193c09ceab8d8b71111e80055bb4bb)
---
.../java/org/apache/ranger/biz/ServiceMgr.java | 81 ++++++++++------------
.../org/apache/ranger/rest/SecurityZoneREST.java | 22 +++---
2 files changed, 46 insertions(+), 57 deletions(-)
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java
b/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java
index 9ea222401..77f86a0ad 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java
@@ -30,6 +30,7 @@ import java.util.Map;
import java.util.concurrent.Callable;
import java.util.concurrent.TimeUnit;
+import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.security.SecureClientLogin;
import org.apache.ranger.common.PropertiesUtil;
@@ -54,6 +55,8 @@ import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
+import static
org.apache.ranger.plugin.policyengine.RangerPolicyEngine.GROUP_PUBLIC;
+
@Component
public class ServiceMgr {
@@ -207,37 +210,33 @@ public class ServiceMgr {
}
public boolean isZoneAdmin(String zoneName) {
- boolean isZoneAdmin = false;
+ boolean isZoneAdmin = false;
RangerSecurityZone securityZone = null;
+
try {
securityZone =
zoneStore.getSecurityZoneByName(zoneName);
} catch (Exception e) {
- LOG.error(
- "Unexpected error when fetching
security zone with name:["
- + zoneName + "] from
database", e);
+ LOG.error("Unexpected error when fetching security zone
with name:[" + zoneName + "] from database", e);
}
if (securityZone != null) {
String userId = rangerBizUtil.getCurrentUserLoginId();
- List<XXGroupUser> groupUsers = groupUserDao
-
.findByUserId(rangerBizUtil.getXUserId());
- List<String> loggedInUsersGroups = new ArrayList<>();
- for (XXGroupUser groupUser : groupUsers) {
- loggedInUsersGroups.add(groupUser.getName());
- }
- for (String loggedInUsersGroup : loggedInUsersGroups) {
- if (securityZone != null
- &&
securityZone.getAdminUserGroups() != null
- &&
securityZone.getAdminUserGroups().contains(
-
loggedInUsersGroup)) {
- isZoneAdmin = true;
- break;
- }
- }
- if ((securityZone != null &&
securityZone.getAdminUsers() != null && securityZone
- .getAdminUsers().contains(userId))) {
+ if (securityZone.getAdminUsers() != null &&
securityZone.getAdminUsers().contains(userId)) {
isZoneAdmin = true;
+ } else if (securityZone.getAdminUserGroups() != null) {
+ List<XXGroupUser> groupUsers =
groupUserDao.findByUserId(rangerBizUtil.getXUserId());
+ List<String> loggedInUsersGroups = new
ArrayList<>();
+
+ loggedInUsersGroups.add(GROUP_PUBLIC);
+
+ if (groupUsers != null) {
+ for (XXGroupUser groupUser :
groupUsers) {
+
loggedInUsersGroups.add(groupUser.getName());
+ }
+ }
+
+ isZoneAdmin =
CollectionUtils.containsAny(securityZone.getAdminUserGroups(),
loggedInUsersGroups);
}
}
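Review bot: Seeding `loggedInUsersGroups` with `GROUP_PUBLIC` in the new `else if` branch changes who counts as a zone admin, which goes beyond the NPE fix named in the commit title. A zone whose `getAdminUserGroups()` contains that group name now makes `isZoneAdmin` return true for every caller, including one for whom `findByUserId` returns no rows, and the SecurityZoneREST hunk in this commit uses `!serviceMgr.isZoneAdmin(...)` to gate edits to the admin and audit lists. If that is intended, say so at the add, e.g. `// every user is implicitly a member of GROUP_PUBLIC; a zone listing it as an admin group grants zone-admin to all users`, and consider whether zone validation should warn on or reject that group for admin roles. The same applies to `isZoneAuditor` in the next hunk. `isZoneAdmin` ends outside this hunk.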
@@ -245,37 +244,33 @@ public class ServiceMgr {
}
public boolean isZoneAuditor(String zoneName) {
- boolean isZoneAuditor = false;
- RangerSecurityZone securityZone = null;
+ boolean isZoneAuditor = false;
+ RangerSecurityZone securityZone = null;
+
try {
securityZone =
zoneStore.getSecurityZoneByName(zoneName);
} catch (Exception e) {
- LOG.error(
- "Unexpected error when fetching
security zone with name:["
- + zoneName + "] from
database", e);
+ LOG.error("Unexpected error when fetching security zone
with name:[" + zoneName + "] from database", e);
}
if (securityZone != null) {
String userId = rangerBizUtil.getCurrentUserLoginId();
- List<XXGroupUser> groupUsers = groupUserDao
-
.findByUserId(rangerBizUtil.getXUserId());
- List<String> loggedInUsersGroups = new ArrayList<>();
- for (XXGroupUser groupUser : groupUsers) {
- loggedInUsersGroups.add(groupUser.getName());
- }
- for (String loggedInUsersGroup : loggedInUsersGroups) {
- if (securityZone != null
- &&
securityZone.getAuditUserGroups() != null
- &&
securityZone.getAuditUserGroups().contains(
-
loggedInUsersGroup)) {
- isZoneAuditor = true;
- break;
- }
- }
- if ((securityZone != null &&
securityZone.getAuditUsers() != null && securityZone
- .getAuditUsers().contains(userId))) {
+ if (securityZone.getAuditUsers() != null &&
securityZone.getAuditUsers().contains(userId)) {
isZoneAuditor = true;
+ } else if (securityZone.getAuditUserGroups() != null) {
+ List<XXGroupUser> groupUsers =
groupUserDao.findByUserId(rangerBizUtil.getXUserId());
+ List<String> loggedInUsersGroups = new
ArrayList<>();
+
+ loggedInUsersGroups.add(GROUP_PUBLIC);
+
+ if (groupUsers != null) {
+ for (XXGroupUser groupUser :
groupUsers) {
+
loggedInUsersGroups.add(groupUser.getName());
+ }
+ }
+
+ isZoneAuditor =
CollectionUtils.containsAny(securityZone.getAuditUserGroups(),
loggedInUsersGroups);
}
}
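Review bot: The group-membership block added here is a line-for-line copy of the one added to `isZoneAdmin` in the previous hunk, differing only in the getter, and two copies of an authorization check tend to drift apart on later edits. A private helper that takes the zone's group list would keep the `GROUP_PUBLIC` handling and the null check on the `findByUserId` result in one place. The sketch assumes the group getters return `List<String>`, which the hunk does not show. `isZoneAuditor` continues outside this hunk.

```java
// shared by isZoneAdmin() and isZoneAuditor()
private boolean isCurrentUserInAnyGroup(List<String> zoneGroups) {
    if (CollectionUtils.isEmpty(zoneGroups)) {
        return false;
    }

    List<XXGroupUser> groupUsers = groupUserDao.findByUserId(rangerBizUtil.getXUserId());
    List<String>      userGroups = new ArrayList<>();

    userGroups.add(GROUP_PUBLIC);

    if (groupUsers != null) {
        for (XXGroupUser groupUser : groupUsers) {
            userGroups.add(groupUser.getName());
        }
    }

    return CollectionUtils.containsAny(zoneGroups, userGroups);
}

// … unchanged: zone lookup and the getAuditUsers() check in isZoneAuditor() …
            } else {
                isZoneAuditor = isCurrentUserInAnyGroup(securityZone.getAuditUserGroups());
            }
```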
diff --git
a/security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java
b/security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java
index c9ea928a0..e35dc12cc 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java
@@ -25,6 +25,7 @@ import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
+import java.util.Objects;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
@@ -348,31 +349,25 @@ public class SecurityZoneREST {
/* Validation for non service related fields of
security zone */
- if (!securityZone.getName().equals(
-
existingSecurityZone.getName())) {
+ if (!Objects.equals(securityZone.getName(),
existingSecurityZone.getName())) {
throwRestError("User : " + userName
+ " is not allowed to
edit zone name of zone : " + existingSecurityZone.getName());
- } else if
(!securityZone.getDescription().equals(
-
existingSecurityZone.getDescription())) {
+ } else if
(!Objects.equals(securityZone.getDescription(),
existingSecurityZone.getDescription())) {
throwRestError("User : " + userName
+ " is not allowed to
edit zone description of zone : " + existingSecurityZone.getName());
}
if
(!serviceMgr.isZoneAdmin(existingSecurityZone.getName())) {
- if
(!securityZone.getAdminUserGroups().equals(
-
existingSecurityZone.getAdminUserGroups())) {
+ if
(!Objects.equals(securityZone.getAdminUserGroups(),
existingSecurityZone.getAdminUserGroups())) {
throwRestError("User : "
+ userName
+ " is not
allowed to edit zone Admin User Group of zone : " +
existingSecurityZone.getName());
- } else if
(!securityZone.getAdminUsers().equals(
-
existingSecurityZone.getAdminUsers())) {
+ } else if
(!Objects.equals(securityZone.getAdminUsers(),
existingSecurityZone.getAdminUsers())) {
throwRestError("User : " +
userName
+ " is not
allowed to edit zone Admin User of zone : " + existingSecurityZone.getName());
- } else if
(!securityZone.getAuditUsers().equals(
-
existingSecurityZone.getAuditUsers())) {
+ } else if
(!Objects.equals(securityZone.getAuditUsers(),
existingSecurityZone.getAuditUsers())) {
throwRestError("User : " +
userName
+ " is not
allowed to edit zone Audit User of zone : " + existingSecurityZone.getName());
- } else if
(!securityZone.getAuditUserGroups().equals(
-
existingSecurityZone.getAuditUserGroups())) {
+ } else if
(!Objects.equals(securityZone.getAuditUserGroups(),
existingSecurityZone.getAuditUserGroups())) {
throwRestError("User : "
+ userName
+ " is not
allowed to edit zone Audit User Group of zone : " +
existingSecurityZone.getName());
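Review bot: `Objects.equals` on the four admin/audit collections removes the NPE, but it still treats `null` and an empty collection as different values, and if these getters return lists (not visible here) the comparison is order-sensitive as well. A non-admin whose request omits an empty field or reorders entries is then rejected with "is not allowed to edit ..." although nothing changed. That fails closed, so it is a usability problem rather than a bypass. A comment at the first comparison, `// null and empty are treated as different; clients must send the stored lists back unchanged`, would record the contract, or both sides could be normalized before comparing. The enclosing method starts and ends outside this hunk.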
@@ -458,8 +453,7 @@ public class SecurityZoneREST {
.getServices().get(svc);
if (rangerSecurityZnSvcFromUI != null) {
- if
(!rangerSecurityZnSvcFromDB.getResources().equals(
-
rangerSecurityZnSvcFromUI.getResources())) {
+ if
(!Objects.equals(rangerSecurityZnSvcFromDB.getResources(),
rangerSecurityZnSvcFromUI.getResources())) {
if
(!svcStore.isServiceAdminUser(svc, userName)) {
throwRestError("User : "
+ userName