diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceHeaderInfo.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceHeaderInfo.java
index accf287213..589a279d1e 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceHeaderInfo.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceHeaderInfo.java
@@ -59,6 +59,16 @@ public RangerServiceHeaderInfo(Long id, String name, String displayName, String
 setIsTagService(EMBEDDED_SERVICEDEF_TAG_NAME.equals(type));
 }
+ public RangerServiceHeaderInfo(Long id, String name, String displayName, String type, Boolean isEnabled) {
+ super();
+ setId(id);
+ setName(name);
+ setDisplayName(displayName);
+ setType(type);
+ setIsTagService(EMBEDDED_SERVICEDEF_TAG_NAME.equals(type));
+ setIsEnabled(isEnabled);
+ }
+
 public String getName() {
 return name;
 }
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
index 2ece2e22a9..b98504fd33 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
@@ -62,6 +62,7 @@
 import org.apache.ranger.entity.XXUser;
 import org.apache.ranger.plugin.model.RangerBaseModelObject;
 import org.apache.ranger.plugin.model.RangerService;
+import org.apache.ranger.plugin.model.RangerServiceHeaderInfo;
 import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
 import org.apache.ranger.rest.ServiceREST;
 import org.apache.ranger.security.context.RangerAdminOpContext;
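Review bot: The new five-argument constructor repeats the body of the four-argument one directly above it (the enclosing class continues outside the hunk); delegating keeps the two from drifting, e.g. `this(id, name, displayName, type);` followed by `setIsEnabled(isEnabled);`. Neither constructor has a Javadoc; a one-line `/** Header view of a service; {@code isEnabled} is passed through as read from the service row and may be null. */` would tell callers what the boxed `Boolean` means, since the DAO hunks in this diff pass it straight from an `Object[]` query row.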
@@ -1317,6 +1318,10 @@ public Boolean hasAccess(XXDBBase xxDbBase, RangerBaseModelObject baseModel) {
 if (xxDbBase != null && xxDbBase instanceof XXService) {
 return hasAccessToXXService((XXService) xxDbBase, isKeyAdmin, isSysAdmin, isAuditor, isAuditorKeyAdmin, isUser);
 }
+
+ if (baseModel != null && baseModel instanceof RangerServiceHeaderInfo) {
+ return hasAccessToRangerServiceHeaderInfo((RangerServiceHeaderInfo) baseModel, isKeyAdmin, isSysAdmin, isAuditor, isAuditorKeyAdmin, isUser);
+ }
 return false;
 }
@@ -1351,6 +1356,16 @@ private Boolean hasAccessToXXService(XXService xxDbBase, boolean isKeyAdmin, boo
 }
 }
+ private Boolean hasAccessToRangerServiceHeaderInfo(RangerServiceHeaderInfo serviceHeader, boolean isKeyAdmin, boolean isSysAdmin, boolean isAuditor, boolean isAuditorKeyAdmin, boolean isUser) {
+ // TODO: As of now we are allowing SYS_ADMIN to read all the
+ // services including KMS
+ if (isSysAdmin || isAuditor) {
+ return true;
+ }
+
+ return EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_KMS_NAME.equals(serviceHeader.getType()) ? (isKeyAdmin || isAuditorKeyAdmin) : isUser;
+ }
+
 public void hasAdminPermissions(String objType) {
 UserSessionBase session = ContextUtil.getCurrentUserSession();
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefServiceDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefServiceDao.java
index a7726d780f..00d157e5c0 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefServiceDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefServiceDao.java
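Review bot: `baseModel != null && baseModel instanceof RangerServiceHeaderInfo` carries a redundant null test, since `instanceof` is already false for null; it mirrors the `xxDbBase` branch directly above, so either keep both for symmetry or tidy both to `if (baseModel instanceof RangerServiceHeaderInfo) {`. The part of `hasAccess` where the role flags it passes on appear to be computed lies above the hunk and is not visible here.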
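Review bot: `serviceHeader.getType()` can be null for the rows this commit feeds in, because the header queries in jpa_named_queries.xml use `LEFT OUTER JOIN XXServiceDef` and pass `svcDef.name` through unchanged; `EMBEDDED_SERVICEDEF_KMS_NAME.equals(null)` is false, so a service whose type could not be resolved is treated as a non-KMS service and shown to any caller for whom `isUser` holds. If that is intended it should be stated in a comment; otherwise `if (serviceHeader.getType() == null) { return false; }` before the ternary is the safer default. The TODO about SYS_ADMIN reading KMS services is a deliberate carve-out and is better recorded as a Javadoc `@implNote` on the method so callers of `hasAccess` can see it; the boxed `Boolean` return matches the sibling `hasAccessToXXService` signature shown in the hunk header, so that is consistent.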
@@ -97,7 +97,7 @@ public List findServiceHeaderInfosByZoneId(Long zoneId)
 ret = new ArrayList<>(results.size());
 for (Object[] result : results) {
- ret.add(new RangerServiceHeaderInfo((Long) result[0], (String) result[1], (String) result[2], (String) result[3]));
+ ret.add(new RangerServiceHeaderInfo((Long) result[0], (String) result[1], (String) result[2], (String) result[3], (Boolean) result[4]));
 }
 } else {
 ret = Collections.emptyList();
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefTagServiceDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefTagServiceDao.java
index 9e1fb13efe..9a587891ee 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefTagServiceDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefTagServiceDao.java
@@ -72,7 +72,7 @@ public List findServiceHeaderInfosByZoneId(Long zoneId)
 ret = new ArrayList<>(results.size());
 for (Object[] result : results) {
- ret.add(new RangerServiceHeaderInfo((Long) result[0], (String) result[1], (String) result[2], (String) result[3]));
+ ret.add(new RangerServiceHeaderInfo((Long) result[0], (String) result[1], (String) result[2], (String) result[3], (Boolean) result[4]));
 }
 } else {
 ret = Collections.emptyList();
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXServiceDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXServiceDao.java
index 0a01440942..a1f93b152b 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXServiceDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXServiceDao.java
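Review bot: The new `(Boolean) result[4]` cast couples this DAO positionally to the projection in jpa_named_queries.xml with no guard if the query and the Java side ever diverge; the same line is repeated in XXSecurityZoneRefTagServiceDao and XXServiceDao in this diff, and the three named queries it depends on are changed in the last hunks. A small package-level helper that turns one `Object[]` row into a `RangerServiceHeaderInfo` would give a single place to document the column order (id, name, displayName, svcDef.name, isEnabled) and to check `result.length` before indexing. Whether `obj.isEnabled` is mapped as a `Boolean` on the XXService entity is not visible here; if it is a different wrapper type the cast fails at runtime, so a test over `findServiceHeaderInfosByZoneId` that asserts `getIsEnabled()` on a returned header would pin it.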
@@ -173,7 +173,7 @@ public List findServiceHeaders() {
 ret = new ArrayList<>(results.size());
 for (Object[] result : results) {
- ret.add(new RangerServiceHeaderInfo((Long) result[0], (String) result[1], (String) result[2], (String) result[3]));
+ ret.add(new RangerServiceHeaderInfo((Long) result[0], (String) result[1], (String) result[2], (String) result[3], (Boolean) result[4]));
 }
 } catch (NoResultException excp) {
 ret = Collections.emptyList();
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java b/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
index 3aeda199a4..b93b63f85e 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
@@ -41,6 +41,7 @@
 import org.apache.ranger.plugin.util.GrantRevokeRoleRequest;
 import org.apache.ranger.plugin.util.RangerPurgeResult;
 import org.apache.ranger.plugin.util.ServiceTags;
+import org.apache.ranger.security.context.RangerAPIList;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -437,7 +438,7 @@ public List searchServices(@Context HttpServletRequest request) {
 @GET
 @Path("/api/service-headers")
 @Produces({ "application/json" })
- @PreAuthorize("@rangerPreAuthSecurityHandler.isAPISpnegoAccessible()")
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICE_HEADERS + "\")")
 public List getServiceHeaders(@Context HttpServletRequest request) {
 return serviceREST.getServiceHeaders(request);
 }
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index be56c487fa..6fc6a3c1ce 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
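Review bot: The `@PreAuthorize` change moves `/api/service-headers` from `isAPISpnegoAccessible()` to `isAPIAccessible(GET_SERVICE_HEADERS)`, so who can reach the endpoint now depends on the RangerAPIMapping entries added elsewhere in this commit rather than on the authentication type; that is a behaviour change for existing clients and the endpoint has no Javadoc recording it. A line such as `/** Lists service headers visible to the caller; gated by module permission on RangerAPIList.GET_SERVICE_HEADERS, then filtered per service by RangerBizUtil.hasAccess. */` on `getServiceHeaders` would do. What `isAPIAccessible` decides for callers that previously passed the Spnego check is not visible in this diff, so a test asserting that a user with no mapped module permission is denied here would pin the new gate.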
@@ -1113,6 +1113,8 @@ public List getServiceHeaders(@Context HttpServletReque
 iter.remove();
 } else if (filterByType && !StringUtils.equals(serviceHeader.getType(), svcType)) {
 iter.remove();
+ } else if(!bizUtil.hasAccess(null, serviceHeader)) {
+ iter.remove();
 }
 }
diff --git a/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIList.java b/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIList.java
index 892414d8d8..83a82c86c9 100755
--- a/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIList.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIList.java
@@ -260,4 +260,9 @@ public class RangerAPIList {
 public static final String REMOVE_DATASET_IN_PROJECT = "GdsREST.removeDatasetInProject";
 public static final String GET_DATASET_IN_PROJECT = "GdsREST.getDatasetInProject";
 public static final String SEARCH_DATASET_IN_PROJECT = "GdsREST.searchDatasetInProject";
+
+ /**
+ * List of APIs for PublicAPIsv2
+ */
+ public static final String GET_SERVICE_HEADERS = "PublicAPIsv2.getServiceHeaders";
 }
diff --git a/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIMapping.java b/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIMapping.java
index 59cd2a6dc5..37ccc0785e 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIMapping.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIMapping.java
@@ -97,6 +97,7 @@ private void mapReportsWithAPIs() {
 apiAssociatedWithReports.add(RangerAPIList.GET_SERVICE_DEF_BY_NAME);
 apiAssociatedWithReports.add(RangerAPIList.GET_SERVICE_DEFS);
 apiAssociatedWithReports.add(RangerAPIList.GET_SERVICES);
+ apiAssociatedWithReports.add(RangerAPIList.GET_SERVICE_HEADERS);
 apiAssociatedWithReports.add(RangerAPIList.LOOKUP_RESOURCE);
 apiAssociatedWithReports.add(RangerAPIList.GET_USER_PROFILE_FOR_USER);
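Review bot: The new branch is written `else if(!bizUtil.hasAccess(null, serviceHeader))` while the neighbouring branches use `else if (`; keep the space for consistency with the surrounding code. The loop this sits in starts outside the hunk; the third filter is a per-service authorization check on a list that may hold every service header, and the role flags `hasAccess` consults are computed inside that method (above the RangerBizUtil hunk shown), so its per-element cost is worth confirming. A comment such as `// drop headers the caller is not allowed to see (see RangerBizUtil.hasAccess)` would make the intent clear to readers who do not open RangerBizUtil.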
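Review bot: `GET_SERVICE_HEADERS` is added beside `GET_SERVICES` in mapReportsWithAPIs here and in the tag-based-policy, key-manager, audit and resource-based-policy mappings in the following hunks, but only those five methods are shown; any other `map...WithAPIs` method in this class that lists `GET_SERVICES` (if there is one) would need the same entry, otherwise users of that module lose `/api/service-headers` once the `@PreAuthorize` in PublicAPIsv2 starts consulting this mapping. A short comment on the first new line, e.g. `// service-headers is a read-only projection of GET_SERVICES; keep the two mapped together`, would make the pairing explicit for future additions.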
@@ -162,6 +163,7 @@ private void mapTagBasedPoliciesWithAPIs() {
 apiAssociatedWithTagBasedPolicy.add(RangerAPIList.GET_SERVICE_DEF_BY_NAME);
 apiAssociatedWithTagBasedPolicy.add(RangerAPIList.GET_SERVICE_DEFS);
 apiAssociatedWithTagBasedPolicy.add(RangerAPIList.GET_SERVICES);
+ apiAssociatedWithTagBasedPolicy.add(RangerAPIList.GET_SERVICE_HEADERS);
 apiAssociatedWithTagBasedPolicy.add(RangerAPIList.LOOKUP_RESOURCE);
 apiAssociatedWithTagBasedPolicy.add(RangerAPIList.UPDATE_SERVICE);
 apiAssociatedWithTagBasedPolicy.add(RangerAPIList.UPDATE_SERVICE_DEF);
@@ -246,6 +248,7 @@ private void mapKeyManagerWithAPIs() {
 apiAssociatedWithKeyManager.add(RangerAPIList.GET_SERVICE_DEF_BY_NAME);
 apiAssociatedWithKeyManager.add(RangerAPIList.GET_SERVICE_DEFS);
 apiAssociatedWithKeyManager.add(RangerAPIList.GET_SERVICES);
+ apiAssociatedWithKeyManager.add(RangerAPIList.GET_SERVICE_HEADERS);
 apiAssociatedWithKeyManager.add(RangerAPIList.LOOKUP_RESOURCE);
 apiAssociatedWithKeyManager.add(RangerAPIList.UPDATE_SERVICE);
 apiAssociatedWithKeyManager.add(RangerAPIList.UPDATE_SERVICE_DEF);
@@ -379,6 +382,7 @@ private void mapAuditWithAPIs() {
 apiAssociatedWithAudit.add(RangerAPIList.GET_SERVICE_DEF_BY_NAME);
 apiAssociatedWithAudit.add(RangerAPIList.GET_SERVICE_DEFS);
 apiAssociatedWithAudit.add(RangerAPIList.GET_SERVICES);
+ apiAssociatedWithAudit.add(RangerAPIList.GET_SERVICE_HEADERS);
 apiAssociatedWithAudit.add(RangerAPIList.LOOKUP_RESOURCE);
 apiAssociatedWithAudit.add(RangerAPIList.GET_USER_PROFILE_FOR_USER);
@@ -459,6 +463,7 @@ private void mapResourceBasedPoliciesWithAPIs() {
 apiAssociatedWithRBPolicies.add(RangerAPIList.GET_SERVICE_DEF_BY_NAME);
 apiAssociatedWithRBPolicies.add(RangerAPIList.GET_SERVICE_DEFS);
 apiAssociatedWithRBPolicies.add(RangerAPIList.GET_SERVICES);
+ apiAssociatedWithRBPolicies.add(RangerAPIList.GET_SERVICE_HEADERS);
 apiAssociatedWithRBPolicies.add(RangerAPIList.LOOKUP_RESOURCE);
 apiAssociatedWithRBPolicies.add(RangerAPIList.UPDATE_SERVICE);
 apiAssociatedWithRBPolicies.add(RangerAPIList.UPDATE_SERVICE_DEF);
diff --git a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
index 47bb6e9afd..1a2acd1883 100755
--- a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
+++ b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
@@ -748,7 +748,7 @@
- SELECT obj.id, obj.name, obj.displayName, svcDef.name FROM XXService obj
+ SELECT obj.id, obj.name, obj.displayName, svcDef.name, obj.isEnabled FROM XXService obj
 LEFT OUTER JOIN XXServiceDef svcDef ON obj.type = svcDef.id
@@ -1794,7 +1794,7 @@
- SELECT obj.id, obj.name, obj.displayName, svcDef.name FROM XXService obj
+ SELECT obj.id, obj.name, obj.displayName, svcDef.name, obj.isEnabled FROM XXService obj
 LEFT OUTER JOIN XXServiceDef svcDef ON obj.type = svcDef.id WHERE obj.id IN (SELECT ref.serviceId FROM XXSecurityZoneRefService ref WHERE ref.zoneId = :zoneId)
@@ -1814,7 +1814,7 @@
- SELECT obj.id, obj.name, obj.displayName, svcDef.name FROM XXService obj
+ SELECT obj.id, obj.name, obj.displayName, svcDef.name, obj.isEnabled FROM XXService obj
 LEFT OUTER JOIN XXServiceDef svcDef ON obj.type = svcDef.id WHERE obj.id IN (SELECT ref.tagServiceId FROM XXSecurityZoneRefTagService ref WHERE ref.zoneId = :zoneId)