in security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java [183:479]
public String getLatestRepoPolicy(VXAsset xAsset, List<VXResource> xResourceList, Long updatedTime, X509Certificate[] certchain, boolean httpEnabled, String epoch, String ipAddress, boolean isSecure, String count, String agentId) {
if (xAsset == null) {
logger.error("Requested repository not found");
throw restErrorUtil.createRESTException("No Data Found.", MessageEnums.DATA_NOT_FOUND);
}
if (xResourceList == null) {
logger.error("ResourceList is found");
throw restErrorUtil.createRESTException("No Data Found.", MessageEnums.DATA_NOT_FOUND);
}
if (xAsset.getActiveStatus() == RangerCommonEnums.ACT_STATUS_DISABLED) {
logger.error("Requested repository is disabled");
throw restErrorUtil.createRESTException("Unauthorized access.", MessageEnums.OPER_NO_EXPORT);
}
HashMap<String, Object> updatedRepo = new HashMap<>();
updatedRepo.put("repository_name", xAsset.getName());
XXPolicyExportAudit policyExportAudit = new XXPolicyExportAudit();
policyExportAudit.setRepositoryName(xAsset.getName());
if (agentId != null && !agentId.isEmpty()) {
policyExportAudit.setAgentId(agentId);
}
policyExportAudit.setClientIP(ipAddress);
if (epoch != null && !epoch.trim().isEmpty() && !"null".equalsIgnoreCase(epoch)) {
policyExportAudit.setRequestedEpoch(Long.parseLong(epoch));
} else {
policyExportAudit.setRequestedEpoch(0L);
}
if (!httpEnabled) {
if (!isSecure) {
policyExportAudit.setHttpRetCode(HttpServletResponse.SC_BAD_REQUEST);
createPolicyAudit(policyExportAudit);
throw restErrorUtil.createRESTException("Unauthorized access - only https allowed", MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY);
}
if (certchain == null || certchain.length == 0) {
policyExportAudit.setHttpRetCode(HttpServletResponse.SC_BAD_REQUEST);
createPolicyAudit(policyExportAudit);
throw restErrorUtil.createRESTException("Unauthorized access - unable to get client certificate", MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY);
}
}
Long policyCount = restErrorUtil.parseLong(count, "Invalid value for policyCount", MessageEnums.INVALID_INPUT_DATA, null, "policyCount");
String commonName = null;
if (certchain != null) {
X509Certificate clientCert = certchain[0];
String dn = clientCert.getSubjectX500Principal().getName();
try {
LdapName ln = new LdapName(dn);
for (Rdn rdn : ln.getRdns()) {
if ("CN".equalsIgnoreCase(rdn.getType())) {
commonName = rdn.getValue() + "";
break;
}
}
if (commonName == null) {
policyExportAudit.setHttpRetCode(HttpServletResponse.SC_BAD_REQUEST);
createPolicyAudit(policyExportAudit);
throw restErrorUtil.createRESTException("Unauthorized access - Unable to find Common Name from [" + dn + "]", MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY);
}
} catch (InvalidNameException e) {
policyExportAudit.setHttpRetCode(HttpServletResponse.SC_BAD_REQUEST);
createPolicyAudit(policyExportAudit);
logger.error("Invalid Common Name.", e);
throw restErrorUtil.createRESTException("Unauthorized access - Invalid Common Name", MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY);
}
}
if (policyCount == null) {
policyCount = 0L;
}
if (commonName != null) {
String config = xAsset.getConfig();
Map<String, String> configMap = jsonUtil.jsonToMap(config);
String cnFromConfig = configMap.get("commonNameForCertificate");
if (!commonName.equalsIgnoreCase(cnFromConfig)) {
policyExportAudit.setHttpRetCode(HttpServletResponse.SC_BAD_REQUEST);
createPolicyAudit(policyExportAudit);
throw restErrorUtil.createRESTException("Unauthorized access. expected [" + cnFromConfig + "], found [" + commonName + "]", MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY);
}
}
long epochTime = epoch != null ? Long.parseLong(epoch) : 0;
if (epochTime == updatedTime) {
int resourceListSz = xResourceList.size();
if (policyCount == resourceListSz) {
policyExportAudit.setHttpRetCode(HttpServletResponse.SC_NOT_MODIFIED);
createPolicyAudit(policyExportAudit);
throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_MODIFIED, "No change since last update", false);
}
}
List<HashMap<String, Object>> resourceList = new ArrayList<>();
// HDFS Repository
if (xAsset.getAssetType() == AppConstants.ASSET_HDFS) {
for (VXResource xResource : xResourceList) {
HashMap<String, Object> resourceMap = new HashMap<>();
resourceMap.put("id", xResource.getId());
resourceMap.put("resource", xResource.getName());
resourceMap.put("isRecursive", getBooleanValue(xResource.getIsRecursive()));
resourceMap.put("policyStatus", RangerCommonEnums.getLabelFor_ActiveStatus(xResource.getResourceStatus()));
// resourceMap.put("isEncrypt", AKAConstants.getLabelFor_BooleanValue(xResource.getIsEncrypt()));
populatePermMap(xResource, resourceMap, AppConstants.ASSET_HDFS);
List<VXAuditMap> xAuditMaps = xResource.getAuditList();
if (!xAuditMaps.isEmpty()) {
resourceMap.put("audit", 1);
} else {
resourceMap.put("audit", 0);
}
resourceList.add(resourceMap);
}
} else if (xAsset.getAssetType() == AppConstants.ASSET_HIVE) {
for (VXResource xResource : xResourceList) {
HashMap<String, Object> resourceMap = new HashMap<>();
resourceMap.put("id", xResource.getId());
resourceMap.put("database_name", xResource.getDatabases());
resourceMap.put("policyStatus", RangerCommonEnums.getLabelFor_ActiveStatus(xResource.getResourceStatus()));
resourceMap.put("tablePolicyType", AppConstants.getLabelFor_PolicyType(xResource.getTableType()));
resourceMap.put("columnPolicyType", AppConstants.getLabelFor_PolicyType(xResource.getColumnType()));
int resourceType = xResource.getResourceType();
if (resourceType == AppConstants.RESOURCE_UDF) {
resourceMap.put("udf_name", xResource.getUdfs());
} else if (resourceType == AppConstants.RESOURCE_COLUMN) {
resourceMap.put("table_name", xResource.getTables());
resourceMap.put("column_name", xResource.getColumns());
} else if (resourceType == AppConstants.RESOURCE_TABLE) {
resourceMap.put("table_name", xResource.getTables());
}
populatePermMap(xResource, resourceMap, AppConstants.ASSET_HIVE);
List<VXAuditMap> xAuditMaps = xResource.getAuditList();
if (!xAuditMaps.isEmpty()) {
resourceMap.put("audit", 1);
} else {
resourceMap.put("audit", 0);
}
resourceList.add(resourceMap);
}
} else if (xAsset.getAssetType() == AppConstants.ASSET_HBASE) {
for (VXResource xResource : xResourceList) {
HashMap<String, Object> resourceMap = new HashMap<>();
resourceMap.put("id", xResource.getId());
resourceMap.put("table_name", xResource.getTables());
resourceMap.put("column_name", xResource.getColumns());
resourceMap.put("column_families", xResource.getColumnFamilies());
resourceMap.put("policyStatus", RangerCommonEnums.getLabelFor_ActiveStatus(xResource.getResourceStatus()));
if (xResource.getIsEncrypt() == 1) {
resourceMap.put("encrypt", 1);
} else {
resourceMap.put("encrypt", 0);
}
// resourceMap.put("isEncrypt", AKAConstants.getLabelFor_BooleanValue(xResource.getIsEncrypt()));
populatePermMap(xResource, resourceMap, AppConstants.ASSET_HBASE);
List<VXAuditMap> xAuditMaps = xResource.getAuditList();
if (!xAuditMaps.isEmpty()) {
resourceMap.put("audit", 1);
} else {
resourceMap.put("audit", 0);
}
resourceList.add(resourceMap);
}
} else if (xAsset.getAssetType() == AppConstants.ASSET_KNOX) {
for (VXResource xResource : xResourceList) {
HashMap<String, Object> resourceMap = new HashMap<>();
resourceMap.put("id", xResource.getId());
resourceMap.put("topology_name", xResource.getTopologies());
resourceMap.put("service_name", xResource.getServices());
resourceMap.put("policyStatus", RangerCommonEnums.getLabelFor_ActiveStatus(xResource.getResourceStatus()));
if (xResource.getIsEncrypt() == 1) {
resourceMap.put("encrypt", 1);
} else {
resourceMap.put("encrypt", 0);
}
// resourceMap.put("isEncrypt", AKAConstants.getLabelFor_BooleanValue(xResource.getIsEncrypt()));
populatePermMap(xResource, resourceMap, AppConstants.ASSET_KNOX);
List<VXAuditMap> xAuditMaps = xResource.getAuditList();
if (!xAuditMaps.isEmpty()) {
resourceMap.put("audit", 1);
} else {
resourceMap.put("audit", 0);
}
resourceList.add(resourceMap);
}
} else if (xAsset.getAssetType() == AppConstants.ASSET_STORM) {
for (VXResource xResource : xResourceList) {
HashMap<String, Object> resourceMap = new HashMap<>();
resourceMap.put("id", xResource.getId());
resourceMap.put("topology_name", xResource.getTopologies());
resourceMap.put("policyStatus", RangerCommonEnums.getLabelFor_ActiveStatus(xResource.getResourceStatus()));
if (xResource.getIsEncrypt() == 1) {
resourceMap.put("encrypt", 1);
} else {
resourceMap.put("encrypt", 0);
}
populatePermMap(xResource, resourceMap, AppConstants.ASSET_STORM);
List<VXAuditMap> xAuditMaps = xResource.getAuditList();
if (!xAuditMaps.isEmpty()) {
resourceMap.put("audit", 1);
} else {
resourceMap.put("audit", 0);
}
resourceList.add(resourceMap);
}
} else {
policyExportAudit.setHttpRetCode(HttpServletResponse.SC_BAD_REQUEST);
createPolicyAudit(policyExportAudit);
throw restErrorUtil.createRESTException("The operation isn't yet supported for the repository", MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY);
}
policyCount = (long) resourceList.size();
updatedRepo.put("last_updated", updatedTime);
updatedRepo.put("policyCount", policyCount);
updatedRepo.put("acl", resourceList);
String updatedPolicyStr = jsonUtil.readMapToString(updatedRepo);
// File file = null;
// try {
// file = jsonUtil.writeMapToFile(updatedRepo, repository);
// } catch (JsonGenerationException e) {
// logger.error("Error exporting policies for repository : {}", repository, e);
// } catch (JsonMappingException e) {
// logger.error("Error exporting policies for repository : {}", repository, e);
// } catch (IOException e) {
// logger.error("Error exporting policies for repository : {}", repository, e);
// }
policyExportAudit.setHttpRetCode(HttpServletResponse.SC_OK);
createPolicyAudit(policyExportAudit);
return updatedPolicyStr;
}