This is an automated email from the ASF dual-hosted git repository. kishor pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git
commit f06c75b3131e1fb98e951e53219d19bf789a2983
Author: Rakesh Gupta <[email protected]>
AuthorDate: Mon Apr 28 20:40:11 2025 +0530
RANGER-5074: keyadmin user is able to get admin user logs
Signed-off-by: Kishor Gollapalliwar <[email protected]>
---
.../ranger/service/RangerServiceServiceBase.java | 14 +++
.../ranger/service/RangerTrxLogV2Service.java | 114 ++++++++++++++++++++-
2 files changed, 127 insertions(+), 1 deletion(-)
diff --git a/security-admin/src/main/java/org/apache/ranger/service/RangerServiceServiceBase.java b/security-admin/src/main/java/org/apache/ranger/service/RangerServiceServiceBase.java
index 98857638e..e8408c163 100755
--- a/security-admin/src/main/java/org/apache/ranger/service/RangerServiceServiceBase.java
+++ b/security-admin/src/main/java/org/apache/ranger/service/RangerServiceServiceBase.java
@@ -97,6 +97,20 @@ public RangerServiceList searchRangerServices(SearchFilter searchFilter) {
 return retList;
 }
+ @Override
+ public String getParentObjectName(V vObj, V oldObj) {
+ String serviceType = vObj != null ? vObj.getType() : null;
+ XXServiceDef xServiceDef = serviceType != null ? daoMgr.getXXServiceDef().findByName(serviceType) : null;
+ return xServiceDef != null ? xServiceDef.getName() : null;
+ }
+
+ @Override
+ public Long getParentObjectId(V vObj, V oldObj) {
+ String serviceType = vObj != null ? vObj.getType() : null;
+ XXServiceDef xServiceDef = serviceType != null ? daoMgr.getXXServiceDef().findByName(serviceType) : null;
+ return xServiceDef != null ? xServiceDef.getId() : null;
+ }
+
 @Override
 protected T mapViewToEntityBean(V vObj, T xObj, int operationContext) {
 String guid = (StringUtils.isEmpty(vObj.getGuid())) ? guidUtil.genGUID() : vObj.getGuid();
diff --git a/security-admin/src/main/java/org/apache/ranger/service/RangerTrxLogV2Service.java b/security-admin/src/main/java/org/apache/ranger/service/RangerTrxLogV2Service.java
index 46c59ef45..46866065f 100644
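Review bot: Neither `getParentObjectName` nor `getParentObjectId` says what "parent" means for a service, and both resolve the same `XXServiceDef` row from `vObj.getType()` while ignoring `oldObj`, so a caller that only has the old view (if the base class ever invokes these that way on delete) gets null from both. A Javadoc line on each would pin the contract: `/** A service's parent object is its service definition, resolved from {@code vObj.getType()}; {@code oldObj} is not consulted. */`. Presumably `xServiceDef.getName()` equals `serviceType` when the lookup succeeds, so the query in `getParentObjectName` only confirms the definition exists; a short comment saying so would stop a later reader from "simplifying" it to `return serviceType` without deciding whether an unknown type should still produce a name. The two bodies are otherwise identical and could share a private `findServiceDef(vObj)` helper.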
--- a/security-admin/src/main/java/org/apache/ranger/service/RangerTrxLogV2Service.java
+++ b/security-admin/src/main/java/org/apache/ranger/service/RangerTrxLogV2Service.java
@@ -21,13 +21,21 @@ import org.apache.commons.lang3.StringUtils;
 import org.apache.ranger.authorization.utils.StringUtil;
+import org.apache.ranger.common.ContextUtil;
+import org.apache.ranger.common.MessageEnums;
+import org.apache.ranger.common.RESTErrorUtil;
+import org.apache.ranger.common.RangerConstants;
 import org.apache.ranger.common.RangerSearchUtil;
 import org.apache.ranger.common.SearchCriteria;
 import org.apache.ranger.common.SearchField;
 import org.apache.ranger.common.SortField;
+import org.apache.ranger.common.UserSessionBase;
 import org.apache.ranger.db.RangerDaoManager;
 import org.apache.ranger.entity.XXPortalUser;
+import org.apache.ranger.entity.XXService;
+import org.apache.ranger.entity.XXServiceDef;
 import org.apache.ranger.entity.XXTrxLogV2;
+import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
 import org.apache.ranger.plugin.store.PList;
 import org.apache.ranger.plugin.util.JsonUtilsV2;
 import org.apache.ranger.view.VXTrxLogV2;
@@ -62,6 +70,9 @@ public class RangerTrxLogV2Service {
 @Autowired
 RangerDaoManager daoManager;
+ @Autowired
+ protected RESTErrorUtil restErrorUtil;
+
 public RangerTrxLogV2Service() {
 searchFields.add(new SearchField("attributeName", "obj.changeInfo", SearchField.DATA_TYPE.STRING, SearchField.SEARCH_TYPE.PARTIAL));
 searchFields.add(new SearchField("action", "obj.action", SearchField.DATA_TYPE.STRING, SearchField.SEARCH_TYPE.PARTIAL));
@@ -71,6 +82,8 @@ public RangerTrxLogV2Service() {
 searchFields.add(new SearchField("owner", "obj.addedByUserId", SearchField.DATA_TYPE.INT_LIST, SearchField.SEARCH_TYPE.FULL));
 searchFields.add(new SearchField("objectClassType", "obj.objectClassType", SearchField.DATA_TYPE.INT_LIST, SearchField.SEARCH_TYPE.FULL));
 searchFields.add(new SearchField("objectId", "obj.objectId", SearchField.DATA_TYPE.INT_LIST, SearchField.SEARCH_TYPE.FULL));
+ searchFields.add(new SearchField("parentObjectId", "obj.parentObjectId", SearchField.DATA_TYPE.INT_LIST, SearchField.SEARCH_TYPE.FULL));
+ searchFields.add(new SearchField("parentObjectName", "obj.parentObjectName", SearchField.DATA_TYPE.STRING, SearchField.SEARCH_TYPE.FULL));
 sortFields.add(new SortField("id", "obj.id", true, SortField.SORT_ORDER.DESC));
 sortFields.add(new SortField("createDate", "obj.createTime", true, SortField.SORT_ORDER.DESC));
@@ -96,8 +109,22 @@ public PList<VXTrxLogV2> searchTrxLogs(SearchCriteria searchCriteria) {
 }
 public long getTrxLogsCount(SearchCriteria searchCriteria) {
+ Map<String, Object> params = new HashMap<>();
+ UserSessionBase session = ContextUtil.getCurrentUserSession();
+
+ if (session != null && (session.isKeyAdmin() || session.isAuditKeyAdmin())) {
+ searchFields.stream().filter(field -> "parentObjectName".equals(field.getClientFieldName())).findFirst()
+ .ifPresent(parentObjNameField -> parentObjNameField.setCustomCondition(applyKeyAdminAccessFilters(params)));
+ searchCriteria.addParam("parentObjectName", "");
+ }
+
 String countQueryStr = "SELECT COUNT(obj) FROM " + XXTrxLogV2.class.getName() + " obj ";
 Query query = createQuery(countQueryStr, null, searchCriteria, searchFields, true);
+
+ if (!params.isEmpty()) {
+ params.forEach(query::setParameter);
+ }
+
 Long count = daoManager.getXXTrxLogV2().executeCountQueryInSecurityContext(XXTrxLogV2.class, query);
 return count == null ? 0 : count;
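Review bot: The keyadmin branch of `getTrxLogsCount` mutates a `SearchField` that appears to belong to the bean-level `searchFields` list (it is populated in the constructor), so `setCustomCondition(...)` sticks for every later request from every session, not just this one; the `searchTrxLogs(SearchCriteria, PList)` hunk further down does the same. Once one key admin has searched, a request from another role that supplies its own `parentObjectName` parameter would presumably pick up the keyadmin OR-clause with `:addedByUserId`/`:parentObjectId` unbound (those are only put into `params` inside the keyadmin branch), and two concurrent requests can race on the same field. Building a per-request field list leaves the shared list untouched; the sketch below, reusable from `searchTrxLogs`, assumes `createQuery` accepts any `List<SearchField>`. The `if (!params.isEmpty())` guard is redundant since `params.forEach(query::setParameter)` is a no-op on an empty map, and `applyKeyAdminAccessFilters` itself runs three DAO queries each time it is called.
```java
public long getTrxLogsCount(SearchCriteria searchCriteria) {
    Map<String, Object> params = new HashMap<>();
    List<SearchField> fields = searchFieldsForCurrentSession(searchCriteria, params);

    String countQueryStr = "SELECT COUNT(obj) FROM " + XXTrxLogV2.class.getName() + " obj ";
    Query query = createQuery(countQueryStr, null, searchCriteria, fields, true);
    params.forEach(query::setParameter);
    // … unchanged: executeCountQueryInSecurityContext and the null-safe return …
}

/**
 * Search fields to use for the current request. Key admins and key-admin auditors get a
 * per-request copy whose parentObjectName field carries the access clause; the shared
 * bean-level list is never modified.
 */
private List<SearchField> searchFieldsForCurrentSession(SearchCriteria searchCriteria, Map<String, Object> params) {
    UserSessionBase session = ContextUtil.getCurrentUserSession();
    if (session == null || !(session.isKeyAdmin() || session.isAuditKeyAdmin())) {
        return searchFields;
    }
    SearchField restricted = new SearchField("parentObjectName", "obj.parentObjectName", SearchField.DATA_TYPE.STRING, SearchField.SEARCH_TYPE.FULL);
    restricted.setCustomCondition(applyKeyAdminAccessFilters(params));
    searchCriteria.addParam("parentObjectName", "");
    return searchFields.stream()
            .map(field -> "parentObjectName".equals(field.getClientFieldName()) ? restricted : field)
            .collect(Collectors.toList());
}
```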
@@ -110,7 +137,12 @@ public List<VXTrxLogV2> findByTransactionId(String transactionId) {
 if (trxLogsV2 != null && !trxLogsV2.isEmpty()) {
 Map<Long, String> uidNameCache = new HashMap<>();
- ret = trxLogsV2.stream().map(xTrxLog -> toViewObject(xTrxLog, uidNameCache)).collect(Collectors.toList());
+ UserSessionBase session = ContextUtil.getCurrentUserSession();
+ if (session != null && (session.isKeyAdmin() || session.isAuditKeyAdmin())) {
+ ret = trxLogsV2.stream().filter(xTrxLog -> getValidTrxLogsForKeyAdminAndAuditor(xTrxLog)).map(xTrxLog -> toViewObject(xTrxLog, uidNameCache)).collect(Collectors.toList());
+ } else {
+ ret = trxLogsV2.stream().map(xTrxLog -> toViewObject(xTrxLog, uidNameCache)).collect(Collectors.toList());
+ }
 } else {
 ret = Collections.emptyList();
 }
@@ -132,6 +164,17 @@ public VXTrxLogV2 readResource(Long id) {
 XXTrxLogV2 dbObj = id != null ? daoManager.getXXTrxLogV2().getById(id) : null;
 VXTrxLogV2 ret = dbObj != null ? toViewObject(dbObj, null) : null;
+ if (ret != null) {
+ UserSessionBase session = ContextUtil.getCurrentUserSession();
+ if (session != null && (session.isKeyAdmin() || session.isAuditKeyAdmin())) {
+ if (!getValidTrxLogsForKeyAdminAndAuditor(dbObj)) {
+ return null;
+ }
+ }
+ } else {
+ throw restErrorUtil.create404RESTException("Object not found", MessageEnums.DATA_NOT_FOUND, id, null, "readResource : No Object found with given id.");
+ }
+
 LOG.debug("readResource({}): ret={}", id, ret);
 return ret;
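Review bot: `filter(xTrxLog -> getValidTrxLogsForKeyAdminAndAuditor(xTrxLog))` in `findByTransactionId` calls `applyKeyAdminAccessFilters` — and with it three DAO lookups — once per log, so a transaction with N entries costs 3N queries just to decide visibility. Resolve the allowed user ids, KMS service ids and service-def name once before the stream and test each `XXTrxLogV2` against those collections, which is what the body of `getValidTrxLogsForKeyAdminAndAuditor` does after the lookup. The role check `session != null && (session.isKeyAdmin() || session.isAuditKeyAdmin())` now appears four times in this file; a private `isKeyAdminOrAuditor(UserSessionBase session)` would keep the copies from drifting. The lambda can also be the method reference `this::getValidTrxLogsForKeyAdminAndAuditor`; the enclosing method starts outside the hunk.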
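Review bot: The two failure paths in `readResource` are distinguishable: an id that does not exist now throws a 404, while an existing log the key admin is not allowed to see returns `null`, so a key admin can tell "exists but not mine" from "does not exist" by the response shape, and callers get two error conventions from one method. Throw the same 404 in both cases, e.g. `if (dbObj == null || (session != null && (session.isKeyAdmin() || session.isAuditKeyAdmin()) && !getValidTrxLogsForKeyAdminAndAuditor(dbObj))) {` followed by the existing `throw restErrorUtil.create404RESTException(...)`, with `session` resolved just before the check; that also turns the nested `if (ret != null) { ... } else { throw ... }` into a guard clause. Note that throwing on a missing id is itself a behaviour change for callers that previously received `null`, so it deserves a `@throws` line in the method's Javadoc. The start of `readResource` is outside the hunk.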
@@ -167,10 +210,23 @@ private List<XXTrxLogV2> searchTrxLogs(SearchCriteria searchCriteria, PList<VXTr
 }
 }
+ Map<String, Object> params = new HashMap<>();
+ UserSessionBase session = ContextUtil.getCurrentUserSession();
+
+ if (session != null && (session.isKeyAdmin() || session.isAuditKeyAdmin())) {
+ searchFields.stream().filter(field -> "parentObjectName".equals(field.getClientFieldName())).findFirst()
+ .ifPresent(parentObjNameField -> parentObjNameField.setCustomCondition(applyKeyAdminAccessFilters(params)));
+ searchCriteria.addParam("parentObjectName", "");
+ }
+
 String sortClause = searchUtil.constructSortClause(searchCriteria, sortFields);
 String queryStr = "SELECT obj FROM " + XXTrxLogV2.class.getName() + " obj ";
 Query query = createQuery(queryStr, sortClause, searchCriteria, searchFields, false);
+ if (!params.isEmpty()) {
+ params.forEach(query::setParameter);
+ }
+
 List<XXTrxLogV2> ret = daoManager.getXXTrxLogV2().executeQueryInSecurityContext(XXTrxLogV2.class, query);
 if (pList != null) {
@@ -283,4 +339,60 @@ private String toUserName(Long userId, Map<Long, String> userIdNameCache) {
 return ret;
 }
+
+ public String applyKeyAdminAccessFilters(Map<String, Object> parameters) {
+ StringBuilder filterClause = new StringBuilder();
+
+ List<XXPortalUser> listXXPortalUser = daoManager.getXXPortalUser().findByRole(RangerConstants.ROLE_KEY_ADMIN);
+ listXXPortalUser.addAll(daoManager.getXXPortalUser().findByRole(RangerConstants.ROLE_KEY_ADMIN_AUDITOR));
+ List<Long> addedByUserId = listXXPortalUser.stream().map(XXPortalUser::getId).collect(Collectors.toList());
+
+ if (!addedByUserId.isEmpty()) {
+ filterClause.append("obj.addedByUserId IN :addedByUserId");
+ parameters.put("addedByUserId", addedByUserId);
+ }
+
+ if (filterClause.length() > 0) {
+ filterClause.append(" OR ");
+ }
+ String parentObjectName = EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_KMS_NAME;
+ filterClause.append("obj.parentObjectName = :parentObjectName");
+ parameters.put("parentObjectName", parentObjectName);
+
+ XXServiceDef xxServiceDef = daoManager.getXXServiceDef().findByName(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_KMS_NAME);
+ if (xxServiceDef != null) {
+ List<Long> parentObjectId = daoManager.getXXService().findByServiceDefId(xxServiceDef.getId()).stream().map(XXService::getId).collect(Collectors.toList());
+
+ if (!parentObjectId.isEmpty()) {
+ if (filterClause.length() > 0) {
+ filterClause.append(" OR ");
+ }
+ filterClause.append("obj.parentObjectId IN :parentObjectId");
+ parameters.put("parentObjectId", parentObjectId);
+ }
+ }
+
+ if (filterClause.length() > 0) {
+ filterClause.insert(0, "(").append(")");
+ }
+ return filterClause.toString();
+ }
+
+ public boolean getValidTrxLogsForKeyAdminAndAuditor(XXTrxLogV2 xXTrxLog) {
+ Map<String, Object> params = new HashMap<>();
+ applyKeyAdminAccessFilters(params);
+
+ List<Long> addedByUserIdList = (List<Long>) params.get("addedByUserId");
+ List<Long> parentObjectIdList = (List<Long>) params.get("parentObjectId");
+ String parentObjectName = (String) params.get("parentObjectName");
+
+ if (addedByUserIdList == null || parentObjectIdList == null || parentObjectName == null) {
+ return false;
+ }
+
+ boolean isValid = addedByUserIdList.contains(xXTrxLog.getAddedByUserId()) || parentObjectIdList.contains(xXTrxLog.getParentObjectId())
+ || parentObjectName.equals(xXTrxLog.getParentObjectName());
+
+ return isValid;
+ }
 }
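Review bot: `getValidTrxLogsForKeyAdminAndAuditor` returns false for every log as soon as `addedByUserId` or `parentObjectId` is missing from `params`, but `applyKeyAdminAccessFilters` only puts those keys when the corresponding list is non-empty, so on an instance with no KMS service yet (or no keyadmin-role users) the single-read and by-transaction paths deny logs that the JPQL path — which still matches on `obj.parentObjectName = :parentObjectName` — returns. A missing key should mean "that OR-branch matches nothing", not deny-all; the rewrite below does that and confines the unchecked casts to one scoped `@SuppressWarnings`. Both new methods are `public` although only this class calls them, and the name describes a predicate on one log as if it returned a list — `private boolean isVisibleToKeyAdmin(XXTrxLogV2)` would read better. `listXXPortalUser.addAll(...)` mutates the list the DAO handed back, which is fine only if `findByRole` returns a fresh mutable list; I cannot confirm that from here.
```java
@SuppressWarnings("unchecked") // values are stored into params by applyKeyAdminAccessFilters with exactly these types
public boolean getValidTrxLogsForKeyAdminAndAuditor(XXTrxLogV2 xXTrxLog) {
    Map<String, Object> params = new HashMap<>();
    applyKeyAdminAccessFilters(params);

    // An absent key means that OR-branch matches nothing, mirroring the JPQL clause built above.
    List<Long> addedByUserIdList = (List<Long>) params.getOrDefault("addedByUserId", Collections.emptyList());
    List<Long> parentObjectIdList = (List<Long>) params.getOrDefault("parentObjectId", Collections.emptyList());
    String parentObjectName = (String) params.get("parentObjectName");

    return addedByUserIdList.contains(xXTrxLog.getAddedByUserId())
            || parentObjectIdList.contains(xXTrxLog.getParentObjectId())
            || (parentObjectName != null && parentObjectName.equals(xXTrxLog.getParentObjectName()));
}
```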
