RANGER-4777: Improve API /public/v2/api/service-headers to filter ser…

…vices depending on user role Signed-off-by: Mugdha Varadkar <[email protected]>
apache · Oct 21, 2024 · d767c78 · d767c78
1 parent 41de6c6
commit d767c78
Show file tree

Hide file tree

Showing 10 changed files with 45 additions and 7 deletions.
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceHeaderInfo.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceHeaderInfo.java
@@ -59,6 +59,16 @@ public RangerServiceHeaderInfo(Long id, String name, String displayName, String
         setIsTagService(EMBEDDED_SERVICEDEF_TAG_NAME.equals(type));
     }
 
+    public RangerServiceHeaderInfo(Long id, String name, String displayName, String type, Boolean isEnabled) {
+        super();
+        setId(id);
+        setName(name);
+        setDisplayName(displayName);
+        setType(type);
+        setIsTagService(EMBEDDED_SERVICEDEF_TAG_NAME.equals(type));
+        setIsEnabled(isEnabled);
+    }
+
     public String getName() {
         return name;
     }

diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
@@ -62,6 +62,7 @@
 import org.apache.ranger.entity.XXUser;
 import org.apache.ranger.plugin.model.RangerBaseModelObject;
 import org.apache.ranger.plugin.model.RangerService;
+import org.apache.ranger.plugin.model.RangerServiceHeaderInfo;
 import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
 import org.apache.ranger.rest.ServiceREST;
 import org.apache.ranger.security.context.RangerAdminOpContext;
@@ -1317,6 +1318,10 @@ public Boolean hasAccess(XXDBBase xxDbBase, RangerBaseModelObject baseModel) {
 		if (xxDbBase != null && xxDbBase instanceof XXService) {
 			return hasAccessToXXService((XXService) xxDbBase, isKeyAdmin, isSysAdmin, isAuditor, isAuditorKeyAdmin, isUser);
 		}
+
+		if (baseModel != null && baseModel instanceof RangerServiceHeaderInfo) {
+			return hasAccessToRangerServiceHeaderInfo((RangerServiceHeaderInfo) baseModel, isKeyAdmin, isSysAdmin, isAuditor, isAuditorKeyAdmin, isUser);
+		}
 		return false;
 	}
 
@@ -1351,6 +1356,16 @@ private Boolean hasAccessToXXService(XXService xxDbBase, boolean isKeyAdmin, boo
 		}
 	}
 
+	private Boolean hasAccessToRangerServiceHeaderInfo(RangerServiceHeaderInfo serviceHeader, boolean isKeyAdmin, boolean isSysAdmin, boolean isAuditor, boolean isAuditorKeyAdmin, boolean isUser) {
+		// TODO: As of now we are allowing SYS_ADMIN to read all the
+		// services including KMS
+		if (isSysAdmin || isAuditor) {
+			return true;
+		}
+
+		return EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_KMS_NAME.equals(serviceHeader.getType()) ? (isKeyAdmin || isAuditorKeyAdmin) : isUser;
+	}
+
 	public void hasAdminPermissions(String objType) {
 
 		UserSessionBase session = ContextUtil.getCurrentUserSession();

diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefServiceDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefServiceDao.java
@@ -97,7 +97,7 @@ public List<RangerServiceHeaderInfo> findServiceHeaderInfosByZoneId(Long zoneId)
             ret = new ArrayList<>(results.size());
 
             for (Object[] result : results) {
-                ret.add(new RangerServiceHeaderInfo((Long) result[0], (String) result[1], (String) result[2], (String) result[3]));
+                ret.add(new RangerServiceHeaderInfo((Long) result[0], (String) result[1], (String) result[2], (String) result[3], (Boolean) result[4]));
             }
         } else {
             ret = Collections.emptyList();

diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefTagServiceDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefTagServiceDao.java
@@ -72,7 +72,7 @@ public List<RangerServiceHeaderInfo> findServiceHeaderInfosByZoneId(Long zoneId)
             ret = new ArrayList<>(results.size());
 
             for (Object[] result : results) {
-                ret.add(new RangerServiceHeaderInfo((Long) result[0], (String) result[1], (String) result[2], (String) result[3]));
+                ret.add(new RangerServiceHeaderInfo((Long) result[0], (String) result[1], (String) result[2], (String) result[3], (Boolean) result[4]));
             }
         } else {
             ret = Collections.emptyList();

diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXServiceDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXServiceDao.java
@@ -173,7 +173,7 @@ public List<RangerServiceHeaderInfo> findServiceHeaders() {
 			ret = new ArrayList<>(results.size());
 
 			for (Object[] result : results) {
-				ret.add(new RangerServiceHeaderInfo((Long) result[0], (String) result[1], (String) result[2], (String) result[3]));
+				ret.add(new RangerServiceHeaderInfo((Long) result[0], (String) result[1], (String) result[2], (String) result[3], (Boolean) result[4]));
 			}
 		} catch (NoResultException excp) {
 			ret = Collections.emptyList();

diff --git a/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java b/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
@@ -41,6 +41,7 @@
 import org.apache.ranger.plugin.util.GrantRevokeRoleRequest;
 import org.apache.ranger.plugin.util.RangerPurgeResult;
 import org.apache.ranger.plugin.util.ServiceTags;
+import org.apache.ranger.security.context.RangerAPIList;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -437,7 +438,7 @@ public List<RangerService> searchServices(@Context HttpServletRequest request) {
 	@GET
 	@Path("/api/service-headers")
 	@Produces({ "application/json" })
-	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPISpnegoAccessible()")
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICE_HEADERS + "\")")
 	public List<RangerServiceHeaderInfo> getServiceHeaders(@Context HttpServletRequest request) {
 		return serviceREST.getServiceHeaders(request);
 	}

diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -1113,6 +1113,8 @@ public List<RangerServiceHeaderInfo> getServiceHeaders(@Context HttpServletReque
 				iter.remove();
 			} else if (filterByType && !StringUtils.equals(serviceHeader.getType(), svcType)) {
 				iter.remove();
+			} else if(!bizUtil.hasAccess(null, serviceHeader)) {
+				iter.remove();
 			}
 		}
 

diff --git a/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIList.java b/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIList.java
@@ -260,4 +260,9 @@ public class RangerAPIList {
 	public static final String REMOVE_DATASET_IN_PROJECT = "GdsREST.removeDatasetInProject";
 	public static final String GET_DATASET_IN_PROJECT    = "GdsREST.getDatasetInProject";
 	public static final String SEARCH_DATASET_IN_PROJECT = "GdsREST.searchDatasetInProject";
+
+	/**
+	 * List of APIs for PublicAPIsv2
+	 */
+	public static final String GET_SERVICE_HEADERS = "PublicAPIsv2.getServiceHeaders";
 }
diff --git a/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIMapping.java b/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIMapping.java
@@ -97,6 +97,7 @@ private void mapReportsWithAPIs() {
 		apiAssociatedWithReports.add(RangerAPIList.GET_SERVICE_DEF_BY_NAME);
 		apiAssociatedWithReports.add(RangerAPIList.GET_SERVICE_DEFS);
 		apiAssociatedWithReports.add(RangerAPIList.GET_SERVICES);
+		apiAssociatedWithReports.add(RangerAPIList.GET_SERVICE_HEADERS);
 		apiAssociatedWithReports.add(RangerAPIList.LOOKUP_RESOURCE);
 
 		apiAssociatedWithReports.add(RangerAPIList.GET_USER_PROFILE_FOR_USER);
@@ -162,6 +163,7 @@ private void mapTagBasedPoliciesWithAPIs() {
 		apiAssociatedWithTagBasedPolicy.add(RangerAPIList.GET_SERVICE_DEF_BY_NAME);
 		apiAssociatedWithTagBasedPolicy.add(RangerAPIList.GET_SERVICE_DEFS);
 		apiAssociatedWithTagBasedPolicy.add(RangerAPIList.GET_SERVICES);
+		apiAssociatedWithTagBasedPolicy.add(RangerAPIList.GET_SERVICE_HEADERS);
 		apiAssociatedWithTagBasedPolicy.add(RangerAPIList.LOOKUP_RESOURCE);
 		apiAssociatedWithTagBasedPolicy.add(RangerAPIList.UPDATE_SERVICE);
 		apiAssociatedWithTagBasedPolicy.add(RangerAPIList.UPDATE_SERVICE_DEF);
@@ -246,6 +248,7 @@ private void mapKeyManagerWithAPIs() {
 		apiAssociatedWithKeyManager.add(RangerAPIList.GET_SERVICE_DEF_BY_NAME);
 		apiAssociatedWithKeyManager.add(RangerAPIList.GET_SERVICE_DEFS);
 		apiAssociatedWithKeyManager.add(RangerAPIList.GET_SERVICES);
+		apiAssociatedWithKeyManager.add(RangerAPIList.GET_SERVICE_HEADERS);
 		apiAssociatedWithKeyManager.add(RangerAPIList.LOOKUP_RESOURCE);
 		apiAssociatedWithKeyManager.add(RangerAPIList.UPDATE_SERVICE);
 		apiAssociatedWithKeyManager.add(RangerAPIList.UPDATE_SERVICE_DEF);
@@ -379,6 +382,7 @@ private void mapAuditWithAPIs() {
 		apiAssociatedWithAudit.add(RangerAPIList.GET_SERVICE_DEF_BY_NAME);
 		apiAssociatedWithAudit.add(RangerAPIList.GET_SERVICE_DEFS);
 		apiAssociatedWithAudit.add(RangerAPIList.GET_SERVICES);
+		apiAssociatedWithAudit.add(RangerAPIList.GET_SERVICE_HEADERS);
 		apiAssociatedWithAudit.add(RangerAPIList.LOOKUP_RESOURCE);
 
 		apiAssociatedWithAudit.add(RangerAPIList.GET_USER_PROFILE_FOR_USER);
@@ -459,6 +463,7 @@ private void mapResourceBasedPoliciesWithAPIs() {
 		apiAssociatedWithRBPolicies.add(RangerAPIList.GET_SERVICE_DEF_BY_NAME);
 		apiAssociatedWithRBPolicies.add(RangerAPIList.GET_SERVICE_DEFS);
 		apiAssociatedWithRBPolicies.add(RangerAPIList.GET_SERVICES);
+		apiAssociatedWithRBPolicies.add(RangerAPIList.GET_SERVICE_HEADERS);
 		apiAssociatedWithRBPolicies.add(RangerAPIList.LOOKUP_RESOURCE);
 		apiAssociatedWithRBPolicies.add(RangerAPIList.UPDATE_SERVICE);
 		apiAssociatedWithRBPolicies.add(RangerAPIList.UPDATE_SERVICE_DEF);

diff --git a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
@@ -748,7 +748,7 @@
 
 	<named-query name="XXService.getAllServiceHeaders">
 		<query>
-			SELECT obj.id, obj.name, obj.displayName, svcDef.name FROM XXService obj
+			SELECT obj.id, obj.name, obj.displayName, svcDef.name, obj.isEnabled FROM XXService obj
 			  LEFT OUTER JOIN XXServiceDef svcDef ON obj.type = svcDef.id
 		</query>
 	</named-query>
@@ -1794,7 +1794,7 @@
 
     <named-query name="XXSecurityZoneRefService.findServiceHeaderInfosByZoneId">
         <query>
-			SELECT obj.id, obj.name, obj.displayName, svcDef.name FROM XXService obj
+			SELECT obj.id, obj.name, obj.displayName, svcDef.name, obj.isEnabled FROM XXService obj
 			  LEFT OUTER JOIN XXServiceDef svcDef ON obj.type = svcDef.id
 			 WHERE obj.id IN (SELECT ref.serviceId FROM XXSecurityZoneRefService ref WHERE ref.zoneId = :zoneId)
         </query>
@@ -1814,7 +1814,7 @@
 
     <named-query name="XXSecurityZoneRefTagService.findServiceHeaderInfosByZoneId">
         <query>
-			SELECT obj.id, obj.name, obj.displayName, svcDef.name FROM XXService obj
+			SELECT obj.id, obj.name, obj.displayName, svcDef.name, obj.isEnabled FROM XXService obj
 			  LEFT OUTER JOIN XXServiceDef svcDef ON obj.type = svcDef.id
 			 WHERE obj.id IN (SELECT ref.tagServiceId FROM XXSecurityZoneRefTagService ref WHERE ref.zoneId = :zoneId)
         </query>