RANGER-4607: Ranger REST API improvements

RANGER-4545: DELETE /assets/resources/{resource_id} API should return proper status code for non admin users RANGER-4546: /assets/ugsyncAudits/{sync_source} API is accessible by user without permission on audit module RANGER-4548: Return proper error message in the response for /tags/tags, /tags/resources and /tags/types API for non admin users RANGER-4547: The reponse metrics (pagination values) for the /assets/ugsyncAudits/{sync_source} API is not proper RANGER-4549: Non admin users cannot access /public/v2/api/roles/names and /public/v2/api/roles/name/{name} API, but can access /public/v2/api/roles API RANGER-4551: No response returned for /assets/policyList/{service_name} API RANGER-4550: API request to /assets/resource/{id} returns no response RANGER-4552: Response metrics for /assets/report is not proper, and pagination does not work RANGER-4553: Response metrics for /xaudit/trx_log not proper RANGER-4554: Response metrics for /assets/resources not proper RANGER-4555: Response metrics for /assets/assets API not proper RANGER-4573: /xaudit/trx_log API not accessible by keyadmin user RANGER-4578: /xuser/groupgroups and /xuser/groupusers APIs allow creation of entities even without groupId / userId fields in the request RANGER-4574: /public/v2/api/service/{service_name}/policy/{policy_name} API returns policies for users without access to the policy RANGER-4575: /plugins/policy/{policy_id}/version/{version_number} API returns policies for users without access to the policy RANGER-4576: User without access to policy is able to fetch policy details using /plugins/policies/{service_type}/for-resource API endpoint RANGER-4577: UI and API behaviour for fetching users not consistent for keyadmin users RANGER-4589: keyadmin user can update the user password via UI but cannot update the user password using /users/{user_id}/passwordchange API RANGER-4588: /xaudit/trx_log/{trx_log_id} is not accessible by keyadmin user RANGER-4591: keyadmin user can access non kms related admin audits using /assets/report/{transaction_id} API RANGER-4594: keyadmin user can mark ROLE_USER users as disabled by setting status to 0 using /users API RANGER-4595: keyadmin user able to view the user permission objects via /users API RANGER-4596: keyadmin can fetch the details of admin and auditor users through /users API endpoint RANGER-4598: ROLE_USER cannot acccess /xusers/groups API but can access /xusers/groups/groupName/{group_name} API RANGER-4586: XUserREST and UserREST API improvement for keyadmin users Change-Id: I1fa52a99049d81e58c40d071211d62b278ff8ef1
apache · Oct 9, 2024 · 9346283 · 9346283
1 parent f06d0e7
commit 9346283
Show file tree

Hide file tree

Showing 23 changed files with 645 additions and 819 deletions.
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java
@@ -19,8 +19,6 @@
 
  package org.apache.ranger.biz;
 
-import java.io.File;
-import java.io.IOException;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Date;
@@ -68,8 +66,6 @@
 import org.apache.ranger.view.*;
 import org.apache.ranger.view.VXTrxLogV2.AttributeChangeInfo;
 import org.apache.ranger.view.VXTrxLogV2.ObjectChangeInfo;
-import com.fasterxml.jackson.core.JsonGenerationException;
-import com.fasterxml.jackson.databind.JsonMappingException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -165,53 +161,6 @@ public void init() {
 		logger.info("<== AssetMgr.init()");
 	}
 
-	public File getXResourceFile(Long id, String fileType) {
-		VXResource xResource = xResourceService.readResource(id);
-		if (xResource == null) {
-			throw this.restErrorUtil.createRESTException(
-					"serverMsg.datasourceIdEmpty" + "id " + id,
-					MessageEnums.DATA_NOT_FOUND, id, "dataSourceId",
-					"DataSource not found with " + "id " + id);
-		}
-
-		return getXResourceFile(xResource, fileType);
-	}
-
-	public File getXResourceFile(VXResource xResource, String fileType) {
-		File file = null;
-		try {
-			if (fileType != null) {
-				if ("json".equalsIgnoreCase(fileType)) {
-					file = jsonUtil.writeJsonToFile(xResource,
-							xResource.getName());
-				} else {
-					throw restErrorUtil.createRESTException(
-							"Please send the supported filetype.",
-							MessageEnums.INVALID_INPUT_DATA);
-				}
-			} else {
-				throw restErrorUtil
-						.createRESTException(
-								"Please send the file format in which you want to export.",
-								MessageEnums.DATA_NOT_FOUND);
-			}
-		} catch (JsonGenerationException e) {
-			throw this.restErrorUtil.createRESTException(
-					"serverMsg.jsonGeneration" + " : " + e.getMessage(),
-					MessageEnums.ERROR_SYSTEM);
-		} catch (JsonMappingException e) {
-			throw this.restErrorUtil.createRESTException(
-					"serverMsg.jsonMapping" + " : " + e.getMessage(),
-					MessageEnums.ERROR_SYSTEM);
-		} catch (IOException e) {
-			throw this.restErrorUtil.createRESTException(
-					"serverMsg.ioException" + " : " + e.getMessage(),
-					MessageEnums.ERROR_SYSTEM);
-		}
-
-		return file;
-	}
-
 	public String getLatestRepoPolicy(VXAsset xAsset, List<VXResource> xResourceList, Long updatedTime,
 									  X509Certificate[] certchain, boolean httpEnabled, String epoch,
 									  String ipAddress, boolean isSecure, String count, String agentId) {
@@ -1396,6 +1345,9 @@ public VXUgsyncAuditInfoList getUgsyncAudits(SearchCriteria searchCriteria) {
 	}
 
 	public VXUgsyncAuditInfoList getUgsyncAuditsBySyncSource(String syncSource) {
+		if (!msBizUtil.hasModuleAccess(RangerConstants.MODULE_AUDIT)) {
+			throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "User is not having permissions on the "+RangerConstants.MODULE_AUDIT+" module.", true);
+		}
 		if(syncSource!=null && !syncSource.trim().isEmpty()){
 			return xUgsyncAuditInfoService.searchXUgsyncAuditInfoBySyncSource(syncSource);
 		}else{

diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -5067,62 +5067,62 @@ public int compare(RangerPolicy c1, RangerPolicy c2) {
 
 		// fetch policies maintained for the roles and groups belonging to the group
 		String groupName = searchFilter.getParam("group");
-		if (!StringUtils.isEmpty(groupName)) {
-			Set<String> groupNames = daoMgr.getXXGroupGroup().findGroupNamesByGroupName(groupName);
-			groupNames.add(RangerConstants.GROUP_PUBLIC);
-			groupNames.add(groupName);
-			Set<Long> processedSvcIdsForGroup = new HashSet<>();
-			Set<String> processedGroupsName = new HashSet<>();
-			List<XXPolicy> xPolList2;
-			for (String grpName : groupNames) {
-				searchFilter.setParam("group", grpName);
-				xPolList2 = policyService.searchResources(searchFilter, policyService.searchFields, policyService.sortFields, retList);
-				if (!CollectionUtils.isEmpty(xPolList2)) {
-					for (XXPolicy xPol2 : xPolList2) {
-						if(xPol2!=null){
-							if (!processedPolicies.contains(xPol2.getId())) {
-								if (!processedSvcIdsForGroup.contains(xPol2.getService())
-										|| !processedGroupsName.contains(groupName)) {
-									loadRangerPolicies(xPol2.getService(), processedSvcIdsForGroup, policyMap, searchFilter);
-									processedGroupsName.add(groupName);
-								}
-								if (policyMap.containsKey(xPol2.getId())) {
-									policyList.add(policyMap.get(xPol2.getId()));
-									processedPolicies.add(xPol2.getId());
-								}
+		if (StringUtils.isBlank(groupName)) {
+			groupName = RangerConstants.GROUP_PUBLIC;
+		}
+		Set<String> groupNames = daoMgr.getXXGroupGroup().findGroupNamesByGroupName(groupName);
+		groupNames.add(groupName);
+		Set<Long> processedSvcIdsForGroup = new HashSet<>();
+		Set<String> processedGroupsName = new HashSet<>();
+		List<XXPolicy> xPolList2;
+		for (String grpName : groupNames) {
+			searchFilter.setParam("group", grpName);
+			xPolList2 = policyService.searchResources(searchFilter, policyService.searchFields, policyService.sortFields, retList);
+			if (!CollectionUtils.isEmpty(xPolList2)) {
+				for (XXPolicy xPol2 : xPolList2) {
+					if(xPol2!=null){
+						if (!processedPolicies.contains(xPol2.getId())) {
+							if (!processedSvcIdsForGroup.contains(xPol2.getService())
+									|| !processedGroupsName.contains(groupName)) {
+								loadRangerPolicies(xPol2.getService(), processedSvcIdsForGroup, policyMap, searchFilter);
+								processedGroupsName.add(groupName);
+							}
+							if (policyMap.containsKey(xPol2.getId())) {
+								policyList.add(policyMap.get(xPol2.getId()));
+								processedPolicies.add(xPol2.getId());
 							}
 						}
 					}
 				}
 			}
+		}
 
-			searchFilter.removeParam("group");
-			XXGroup xxGroup = daoMgr.getXXGroup().findByGroupName(groupName);
-			if (xxGroup != null) {
-				Set<Long> allContainedRoles = new HashSet<>();
-				List<XXRole> xxRoles = daoMgr.getXXRole().findByGroupId(xxGroup.getId());
-				for (XXRole xxRole : xxRoles) {
-					getContainingRoles(xxRole.getId(), allContainedRoles);
-				}
-				Set<String> roleNames = getRoleNames(allContainedRoles);
-				Set<String> processedRoleName = new HashSet<>();
-				List<XXPolicy> xPolList3;
-				for (String roleName : roleNames) {
-					searchFilter.setParam("role", roleName);
-					xPolList3 = policyService.searchResources(searchFilter, policyService.searchFields, policyService.sortFields, retList);
-					if (!CollectionUtils.isEmpty(xPolList3)) {
-						for (XXPolicy xPol3 : xPolList3) {
-							if (xPol3 != null) {
-								if (!processedPolicies.contains(xPol3.getId())) {
-									if (!processedSvcIdsForRole.contains(xPol3.getService())
-											|| !processedRoleName.contains(roleName)) {
-										loadRangerPolicies(xPol3.getService(), processedSvcIdsForRole, policyMap, searchFilter);
-										processedRoleName.add(roleName);
-									}
-									if (policyMap.containsKey(xPol3.getId())) {
-										policyList.add(policyMap.get(xPol3.getId()));
-										processedPolicies.add(xPol3.getId());
-									}
+		searchFilter.removeParam("group");
+		XXGroup xxGroup = daoMgr.getXXGroup().findByGroupName(groupName);
+		if (xxGroup != null) {
+			Set<Long> allContainedRoles = new HashSet<>();
+			List<XXRole> xxRoles = daoMgr.getXXRole().findByGroupId(xxGroup.getId());
+			for (XXRole xxRole : xxRoles) {
+				getContainingRoles(xxRole.getId(), allContainedRoles);
+			}
+			Set<String> roleNames = getRoleNames(allContainedRoles);
+			Set<String> processedRoleName = new HashSet<>();
+			List<XXPolicy> xPolList3;
+			for (String roleName : roleNames) {
+				searchFilter.setParam("role", roleName);
+				xPolList3 = policyService.searchResources(searchFilter, policyService.searchFields, policyService.sortFields, retList);
+				if (!CollectionUtils.isEmpty(xPolList3)) {
+					for (XXPolicy xPol3 : xPolList3) {
+						if (xPol3 != null) {
+							if (!processedPolicies.contains(xPol3.getId())) {
+								if (!processedSvcIdsForRole.contains(xPol3.getService())
+										|| !processedRoleName.contains(roleName)) {
+									loadRangerPolicies(xPol3.getService(), processedSvcIdsForRole, policyMap, searchFilter);
+									processedRoleName.add(roleName);
+								}
+								if (policyMap.containsKey(xPol3.getId())) {
+									policyList.add(policyMap.get(xPol3.getId()));
+									processedPolicies.add(xPol3.getId());
 								}
 							}
 						}