From 602e6e4147b40cae2b69bcfcebd09da275983cdb Mon Sep 17 00:00:00 2001 From: Abhishek Kumar Date: Mon, 16 Dec 2024 20:32:45 -0800 Subject: [PATCH] RANGER-5064: Incorporating IntelliJ suggestions and refactoring --- .../ugsyncutil/model/UnixSyncSourceInfo.java | 8 +- .../model/UsersGroupRoleAssignments.java | 4 - .../ranger/ugsyncutil/model/XUserInfo.java | 6 +- .../util/UgsyncCommonConstants.java | 1 + .../ldapconfigcheck/AuthenticationCheck.java | 2 +- .../ldapconfigcheck/CommandLineOptions.java | 24 +- .../ranger/ldapconfigcheck/LdapConfig.java | 35 +- .../ldapconfigcheck/LdapConfigCheckMain.java | 3 +- .../ranger/ldapconfigcheck/UserSync.java | 68 +-- .../process/CustomSSLSocketFactory.java | 2 +- .../process/LdapUserGroupBuilder.java | 114 ++--- .../config/UserGroupSyncConfig.java | 435 +++++++++--------- .../process/FileSourceUserGroupBuilder.java | 4 +- .../process/PolicyMgrUserGroupBuilder.java | 72 +-- .../process/UnixUserGroupBuilder.java | 46 +- .../apache/ranger/usergroupsync/RegEx.java | 4 +- .../UserSyncMetricsProducer.java | 1 + .../TestFileSourceUserGroupBuilder.java | 2 +- .../PolicyMgrUserGroupBuilderTest.java | 12 +- .../ranger/usergroupsync/TestRegEx.java | 22 +- .../unix/jaas/PamLoginModule.java | 1 + .../unix/jaas/PamPrincipal.java | 14 +- .../unix/jaas/RemoteUnixLoginModule.java | 38 +- .../unix/jaas/UnixGroupPrincipal.java | 5 +- .../unix/jaas/UnixUserPrincipal.java | 5 +- .../authentication/PasswordValidator.java | 11 +- .../UnixAuthenticationService.java | 88 ++-- 27 files changed, 486 insertions(+), 541 deletions(-) diff --git a/ugsync-util/src/main/java/org/apache/ranger/ugsyncutil/model/UnixSyncSourceInfo.java b/ugsync-util/src/main/java/org/apache/ranger/ugsyncutil/model/UnixSyncSourceInfo.java index e6cb6a630a..dbc2e0500a 100644 --- a/ugsync-util/src/main/java/org/apache/ranger/ugsyncutil/model/UnixSyncSourceInfo.java +++ b/ugsync-util/src/main/java/org/apache/ranger/ugsyncutil/model/UnixSyncSourceInfo.java 
@@ -26,10 +26,10 @@ public class UnixSyncSourceInfo { private String lastModified; private String minUserId; private String minGroupId; - private long totalUsersSynced; - private long totalGroupsSynced; - private long totalUsersDeleted; - private long totalGroupsDeleted; + private long totalUsersSynced; + private long totalGroupsSynced; + private long totalUsersDeleted; + private long totalGroupsDeleted; public String getMinGroupId() { return minGroupId; diff --git a/ugsync-util/src/main/java/org/apache/ranger/ugsyncutil/model/UsersGroupRoleAssignments.java b/ugsync-util/src/main/java/org/apache/ranger/ugsyncutil/model/UsersGroupRoleAssignments.java index 589b5d2a5c..9ee741cc87 100644 --- a/ugsync-util/src/main/java/org/apache/ranger/ugsyncutil/model/UsersGroupRoleAssignments.java +++ b/ugsync-util/src/main/java/org/apache/ranger/ugsyncutil/model/UsersGroupRoleAssignments.java @@ -31,13 +31,9 @@ @JsonIgnoreProperties(ignoreUnknown = true) public class UsersGroupRoleAssignments { List users; - Map groupRoleAssignments; - Map userRoleAssignments; - Map whiteListGroupRoleAssignments; - Map whiteListUserRoleAssignments; boolean isReset; diff --git a/ugsync-util/src/main/java/org/apache/ranger/ugsyncutil/model/XUserInfo.java b/ugsync-util/src/main/java/org/apache/ranger/ugsyncutil/model/XUserInfo.java index fd61ca5465..ff8b85defd 100644 --- a/ugsync-util/src/main/java/org/apache/ranger/ugsyncutil/model/XUserInfo.java +++ b/ugsync-util/src/main/java/org/apache/ranger/ugsyncutil/model/XUserInfo.java 
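Review bot: Dropping the four `Map` fields from `UsersGroupRoleAssignments` changes the JSON contract of a class annotated `@JsonIgnoreProperties(ignoreUnknown = true)`: a peer that still sends `groupRoleAssignments`, `userRoleAssignments`, `whiteListGroupRoleAssignments` or `whiteListUserRoleAssignments` will now have those keys silently discarded instead of mapped, with no error on either side. The diffstat (4 deletions for this file) suggests the fields had no accessors and were dead, but that is inferred from the counts, not visible here. The commit message should state that they were unused, or a one-line comment on the class should record that role assignments are no longer carried in this payload, so a later reader does not take the silent drop for a bug. The class body continues outside the hunk.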
@@ -31,12 +31,12 @@ public class XUserInfo { private String description; private String otherAttributes; private String syncSource; - private Map otherAttrsMap = new HashMap<>(); private String userSource; private String status; private String isVisible; - private List groupNameList = new ArrayList(); - private List userRoleList = new ArrayList(); + private List groupNameList = new ArrayList<>(); + private List userRoleList = new ArrayList<>(); + private Map otherAttrsMap = new HashMap<>(); public String getId() { return id; diff --git a/ugsync-util/src/main/java/org/apache/ranger/ugsyncutil/util/UgsyncCommonConstants.java b/ugsync-util/src/main/java/org/apache/ranger/ugsyncutil/util/UgsyncCommonConstants.java index 704e8c4be2..ca1b82df3d 100644 --- a/ugsync-util/src/main/java/org/apache/ranger/ugsyncutil/util/UgsyncCommonConstants.java +++ b/ugsync-util/src/main/java/org/apache/ranger/ugsyncutil/util/UgsyncCommonConstants.java @@ -26,5 +26,6 @@ public class UgsyncCommonConstants { public static final String LDAP_URL = "ldap_url"; private UgsyncCommonConstants() { + // to block instantiation } } diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/AuthenticationCheck.java b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/AuthenticationCheck.java index 772b1d6b6f..7f6b6fb81c 100644 --- a/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/AuthenticationCheck.java +++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/AuthenticationCheck.java 
@@ -190,7 +190,7 @@ private Authentication getLdapBindAuthentication(String ldapUrl, String bindDn, result = ldapAuthenticationProvider.authenticate(finalAuthentication); } } catch (BadCredentialsException bce) { - logFile.println("ERROR: LDAP Authentication Failed. Please verify values for ranger.admin.auth.sampleuser and ranger.admin.auth.samplepassword\n"); + logFile.println("ERROR: LDAP Authentication Failed. Please verify values for ranger.admin.auth.sampleuser and ranger.admin.auth.samplepassword"); } catch (Exception e) { logFile.println("ERROR: LDAP Authentication Failed: " + e); } diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/CommandLineOptions.java b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/CommandLineOptions.java index a188c8b069..c92e58bea8 100644 --- a/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/CommandLineOptions.java +++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/CommandLineOptions.java 
@@ -32,18 +32,18 @@ public class CommandLineOptions { private final Options options = new Options(); private final String[] args; - private String input; - private String output; - private String discoverProperties; - private String retrieveValues; - private String ldapUrl = ""; - private String bindDn = ""; - private String bindPassword = ""; - private String userSearchBase = ""; - private String userSearchFilter = ""; - private String authUser = ""; - private String authPass = ""; - private boolean isAuthEnabled = true; + private String input; + private String output; + private String discoverProperties; + private String retrieveValues; + private String ldapUrl = ""; + private String bindDn = ""; + private String bindPassword = ""; + private String userSearchBase = ""; + private String userSearchFilter = ""; + private String authUser = ""; + private String authPass = ""; + private boolean isAuthEnabled = true; public CommandLineOptions(String[] args) { this.args = args; diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/LdapConfig.java b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/LdapConfig.java index 1ddd656d1c..5d28914ca0 100644 --- a/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/LdapConfig.java +++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/LdapConfig.java 
@@ -54,28 +54,29 @@ public class LdapConfig { private static final String UGSYNC_GROUPNAME_CASE_CONVERSION_PARAM = "ranger.usersync.ldap.groupname.caseconversion"; private static final String DEFAULT_UGSYNC_USERNAME_CASE_CONVERSION_VALUE = UGSYNC_NONE_CASE_CONVERSION_VALUE; private static final String DEFAULT_UGSYNC_GROUPNAME_CASE_CONVERSION_VALUE = UGSYNC_NONE_CASE_CONVERSION_VALUE; - private static final String LGSYNC_PAGED_RESULTS_ENABLED = "ranger.usersync.pagedresultsenabled"; - private static final String LGSYNC_PAGED_RESULTS_SIZE = "ranger.usersync.pagedresultssize"; - private static final String LGSYNC_GROUP_SEARCH_ENABLED = "ranger.usersync.group.searchenabled"; - private static final String LGSYNC_GROUP_SEARCH_BASE = "ranger.usersync.group.searchbase"; - private static final String LGSYNC_GROUP_SEARCH_SCOPE = "ranger.usersync.group.searchscope"; - private static final String LGSYNC_GROUP_OBJECT_CLASS = "ranger.usersync.group.objectclass"; - private static final String LGSYNC_GROUP_SEARCH_FILTER = "ranger.usersync.group.searchfilter"; - private static final String LGSYNC_GROUP_NAME_ATTRIBUTE = "ranger.usersync.group.nameattribute"; - private static final String LGSYNC_GROUP_MEMBER_ATTRIBUTE_NAME = "ranger.usersync.group.memberattributename"; + private static final String LGSYNC_PAGED_RESULTS_ENABLED = "ranger.usersync.pagedresultsenabled"; + private static final String LGSYNC_PAGED_RESULTS_SIZE = "ranger.usersync.pagedresultssize"; + private static final String LGSYNC_GROUP_SEARCH_ENABLED = "ranger.usersync.group.searchenabled"; + private static final String LGSYNC_GROUP_SEARCH_BASE = "ranger.usersync.group.searchbase"; + private static final String LGSYNC_GROUP_SEARCH_SCOPE = "ranger.usersync.group.searchscope"; + private static final String LGSYNC_GROUP_OBJECT_CLASS = "ranger.usersync.group.objectclass"; + private static final String LGSYNC_GROUP_SEARCH_FILTER = "ranger.usersync.group.searchfilter"; + private static final String 
LGSYNC_GROUP_NAME_ATTRIBUTE = "ranger.usersync.group.nameattribute"; + private static final String LGSYNC_GROUP_MEMBER_ATTRIBUTE_NAME = "ranger.usersync.group.memberattributename"; + private static final int DEFAULT_LGSYNC_PAGED_RESULTS_SIZE = 500; private static final boolean DEFAULT_LGSYNC_PAGED_RESULTS_ENABLED = true; private static final boolean DEFAULT_LGSYNC_GROUP_SEARCH_ENABLED = false; //Authentication related properties - private static final String AUTHENTICATION_METHOD = "ranger.authentication.method"; - private static final String AD_DOMAIN = "ranger.ldap.ad.domain"; - private static final String USER_DN_PATTERN = "ranger.ldap.user.dnpattern"; - private static final String GROUP_ROLE_ATTRIBUTE = "ranger.ldap.group.roleattribute"; - private static final String GROUP_SEARCH_BASE = "ranger.ldap.group.searchbase"; - private static final String GROUP_SEARCH_FILTER = "ranger.ldap.group.searchfilter"; - private static final String AUTH_USERNAME = "ranger.admin.auth.sampleuser"; - private static final String AUTH_PASSWORD = "ranger.admin.auth.samplepassword"; + private static final String AUTHENTICATION_METHOD = "ranger.authentication.method"; + private static final String AD_DOMAIN = "ranger.ldap.ad.domain"; + private static final String USER_DN_PATTERN = "ranger.ldap.user.dnpattern"; + private static final String GROUP_ROLE_ATTRIBUTE = "ranger.ldap.group.roleattribute"; + private static final String GROUP_SEARCH_BASE = "ranger.ldap.group.searchbase"; + private static final String GROUP_SEARCH_FILTER = "ranger.ldap.group.searchfilter"; + private static final String AUTH_USERNAME = "ranger.admin.auth.sampleuser"; + private static final String AUTH_PASSWORD = "ranger.admin.auth.samplepassword"; private final Properties prop = new Properties(); 
diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/LdapConfigCheckMain.java b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/LdapConfigCheckMain.java index 8043ea62e0..9a2a105a07 100644 --- a/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/LdapConfigCheckMain.java +++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/LdapConfigCheckMain.java @@ -52,8 +52,7 @@ public static void main(String[] args) { LdapConfig config = new LdapConfig(inFileName, cli.getBindPassword()); if (cli.getLdapUrl() != null && !cli.getLdapUrl().isEmpty()) { - config.updateInputPropFile(cli.getLdapUrl(), cli.getBindDn(), cli.getBindPassword(), - cli.getUserSearchBase(), cli.getUserSearchFilter(), cli.getAuthUser(), cli.getAuthPass()); + config.updateInputPropFile(cli.getLdapUrl(), cli.getBindDn(), cli.getBindPassword(), cli.getUserSearchBase(), cli.getUserSearchFilter(), cli.getAuthUser(), cli.getAuthPass()); } PrintStream logFile = null; diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/UserSync.java b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/UserSync.java index d0ede31330..2867b11c0e 100644 --- a/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/UserSync.java +++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/UserSync.java 
@@ -58,22 +58,22 @@ public class UserSync { "member", "memberUid" }; - private String userNameAttribute; - private String userObjClassName; - private String userGroupMemberName; - private String groupMemberName; - private String groupNameAttrName; - private String groupObjClassName; - private String groupSearchBase; - private String groupSearchFilter; - private String userSearchBase; - private String userSearchFilter; - private String searchBase; - private String groupName; + private String userNameAttribute; + private String userObjClassName; + private String userGroupMemberName; + private String groupMemberName; + private String groupNameAttrName; + private String groupObjClassName; + private String groupSearchBase; + private String groupSearchFilter; + private String userSearchBase; + private String userSearchFilter; + private String searchBase; + private String groupName; private final PrintStream logFile; private final PrintStream ambariProps; private final PrintStream installProps; - private final LdapConfig config; + private final LdapConfig config; public UserSync(LdapConfig config, PrintStream logFile, PrintStream ambariProps, PrintStream installProps) { this.config = config; @@ -123,14 +123,12 @@ public void findUserProperties(LdapContext ldapContext) throws Throwable { // 1. find basic user properties // 2. find user search base and user search filter by passing basic attributes findBasicUserProperties(ldapContext, true); - findAdvUserProperties(ldapContext, true); } public void getAllUsers(LdapContext ldapContext) throws Throwable { int noOfUsers = 0; Attribute userNameAttr = null; - //String groupName = null; Attribute groupMemberAttr; NamingEnumeration userSearchResultEnum = null; SearchControls userSearchControls = new SearchControls(); 
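Review bot: The comment `// 2. find user search base and user search filter by passing basic attributes` in `findUserProperties` now describes a step the method no longer performs, because the call `findAdvUserProperties(ldapContext, true);` is removed directly below it. Removing a discovery call is a behaviour change rather than an IDE cleanup; if `findBasicUserProperties` already performs that discovery internally (not visible in this hunk), the step-2 comment should be deleted, otherwise the call should be restored. The method signature is in the hunk header only, so the method starts outside the hunk.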
@@ -257,11 +255,7 @@ public void getAllUsers(LdapContext ldapContext) throws Throwable { (config.getGroupNameAttribute() != null && !config.getGroupNameAttribute().isEmpty()) || (config.getUserSearchBase() != null && !config.getUserSearchBase().isEmpty()) || (config.getUserSearchFilter() != null && !config.getUserSearchFilter().isEmpty())) { - throw new Exception("Please verify values for:\n ranger.usersync.ldap.user.nameattribute\n " + - "ranger.usersync.ldap.user.objectclass\n" + - "ranger.usersync.ldap.user.groupnameattribute\n" + - "ranger.usersync.ldap.user.searchbase\n" + - "ranger.usersync.ldap.user.searchfilter\n"); + throw new Exception("Please verify values for:\n ranger.usersync.ldap.user.nameattribute\n " + "ranger.usersync.ldap.user.objectclass\n" + "ranger.usersync.ldap.user.groupnameattribute\n" + "ranger.usersync.ldap.user.searchbase\n" + "ranger.usersync.ldap.user.searchfilter\n"); } else { throw new Exception(msg + ne); } @@ -302,8 +296,7 @@ public void getAllGroups(LdapContext ldapContext) throws Throwable { groupSearchAttributes.add(groupNameAttrName); groupSearchAttributes.add(groupMemberName); groupSearchAttributes.add("distinguishedName"); - groupSearchControls.setReturningAttributes(groupSearchAttributes.toArray( - new String[groupSearchAttributes.size()])); + groupSearchControls.setReturningAttributes(groupSearchAttributes.toArray(new String[groupSearchAttributes.size()])); String extendedGroupSearchFilter = "(objectclass=" + groupObjClassName + ")"; if (groupSearchFilter != null && !groupSearchFilter.trim().isEmpty()) { 
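Review bot: The rebuilt single-line message `throw new Exception("Please verify values for:\n ranger.usersync.ldap.user.nameattribute\n " + "ranger.usersync.ldap.user.objectclass\n" + ...)` keeps an uneven layout that the join makes easy to see: the first two property names are indented by one space and the remaining three are not, and the group variant at @@ -358 in the same file has the same shape. Since both statements are being rewritten anyway, `String.join("\n ", "Please verify values for:", "ranger.usersync.ldap.user.nameattribute", "ranger.usersync.ldap.user.objectclass", ...)` yields a uniform list for the operator reading the log. The neighbouring `throw new Exception(msg + ne);` is context, but it converts the `NamingException` to text and loses the cause; `new Exception(msg + ne, ne)` would keep the stack trace. `getAllUsers` begins and ends outside the hunk.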
@@ -358,11 +351,7 @@ public void getAllGroups(LdapContext ldapContext) throws Throwable { (config.getUserGroupMemberAttributeName() != null && !config.getUserGroupMemberAttributeName().isEmpty()) || (config.getGroupSearchBase() != null && !config.getGroupSearchBase().isEmpty()) || (config.getGroupSearchFilter() != null && !config.getGroupSearchFilter().isEmpty())) { - throw new Exception("Please verify values for:\n ranger.usersync.group.memberattributename\n " + - "ranger.usersync.group.nameattribute\n" + - "ranger.usersync.group.objectclass\n" + - "ranger.usersync.group.searchbase\n" + - "ranger.usersync.group.searchfilter\n"); + throw new Exception("Please verify values for:\n ranger.usersync.group.memberattributename\n " + "ranger.usersync.group.nameattribute\n" + "ranger.usersync.group.objectclass\n" + "ranger.usersync.group.searchbase\n" + "ranger.usersync.group.searchfilter\n"); } else { throw new Exception(msg + ne); } @@ -403,8 +392,7 @@ private void initUserSync() { } } - /* Use the provided bind dn or the user search base and user search filter for sample user and determine the basic user attribute. - */ + // Use the provided bind dn or the user search base and user search filter for sample user and determine the basic user attribute. private void findBasicUserProperties(LdapContext ldapContext, boolean isOutputNeeded) throws Throwable { String bindDn = config.getLdapBindDn(); String userSFilter = config.getUserSearchFilter(); @@ -428,7 +416,6 @@ private void findBasicUserProperties(LdapContext ldapContext, boolean isOutputNe //int dcIndex = bindDn.toLowerCase().indexOf("dc="); userSBase = bindDn.substring(bindDn.indexOf(",") + 1); } - //System.out.println("Derived user search base = " + userSearchBase); } if (userSFilter == null || userSFilter.isEmpty()) { 
@@ -438,7 +425,6 @@ private void findBasicUserProperties(LdapContext ldapContext, boolean isOutputNe int cnEndIndex = bindDn.indexOf(","); userSFilter = bindDn.substring(0, cnEndIndex); } - //System.out.println("Derived user search filter = " + userSearchFilter); } try { @@ -529,12 +515,8 @@ private void findBasicUserProperties(LdapContext ldapContext, boolean isOutputNe noOfUsers++; } } catch (NamingException ne) { - String msg = "Exception occurred while discovering basic user properties:\n" + - "ranger.usersync.ldap.user.nameattribute\n" + - "ranger.usersync.ldap.user.objectclass\n" + - "ranger.usersync.ldap.user.groupnameattribute\n"; - if ((config.getUserSearchBase() != null && !config.getUserSearchBase().isEmpty()) || - (config.getUserSearchFilter() != null && !config.getUserSearchFilter().isEmpty())) { + String msg = "Exception occurred while discovering basic user properties:\n" + "ranger.usersync.ldap.user.nameattribute\n" + "ranger.usersync.ldap.user.objectclass\n" + "ranger.usersync.ldap.user.groupnameattribute\n"; + if ((config.getUserSearchBase() != null && !config.getUserSearchBase().isEmpty()) || (config.getUserSearchFilter() != null && !config.getUserSearchFilter().isEmpty())) { throw new Exception(msg + "Please verify values for ranger.usersync.ldap.user.searchbase and ranger.usersync.ldap.user.searchfilter"); } else { throw new Exception(msg + ne); @@ -620,7 +602,7 @@ private void findAdvUserProperties(LdapContext ldapContext, boolean isOutputNeed dnValue = dnValue.substring(dnValue.indexOf(",") + 1); } } else { - // If distinguishedName is not found, strip off the userName from the long name for OU or sub domain + // If distinguishedName is not found, strip off the userName from the long name for OU or subdomain dnValue = userEntry.getNameInNamespace(); dnValue = dnValue.substring(dnValue.indexOf(",") + 1); } 
@@ -659,15 +641,11 @@ private void findAdvUserProperties(LdapContext ldapContext, boolean isOutputNeed ambariProps.println("ranger.usersync.ldap.user.searchfilter=" + userSearchFilter); } } catch (NamingException ne) { - String msg = "Exception occured while discovering user properties:\n" + - "ranger.usersync.ldap.user.searchbase\n" + - "ranger.usersync.ldap.user.searchfilter\n"; + String msg = "Exception occured while discovering user properties:\n" + "ranger.usersync.ldap.user.searchbase\n" + "ranger.usersync.ldap.user.searchfilter\n"; if ((config.getUserNameAttribute() != null && !config.getUserNameAttribute().isEmpty()) || (config.getUserObjectClass() != null && !config.getUserObjectClass().isEmpty()) || (config.getGroupNameAttribute() != null && !config.getGroupNameAttribute().isEmpty())) { - throw new Exception("Please verify values for ranger.usersync.ldap.user.nameattribute, " + - "ranger.usersync.ldap.user.objectclass, and" + - "ranger.usersync.ldap.user.groupnameattribute"); + throw new Exception("Please verify values for ranger.usersync.ldap.user.nameattribute, ranger.usersync.ldap.user.objectclass, and ranger.usersync.ldap.user.groupnameattribute"); } else { throw new Exception(msg + ne); } @@ -815,7 +793,7 @@ private void findAdvGroupProperties(LdapContext ldapContext) throws Throwable { dnValue = dnValue.substring(dnValue.indexOf(",") + 1); } } else { - // If distinguishedName is not found, strip off the userName from the long name for OU or sub domain + // If distinguishedName is not found, strip off the userName from the long name for OU or subdomain dnValue = groupEntry.getNameInNamespace(); dnValue = dnValue.substring(dnValue.indexOf(",") + 1); } diff --git a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/CustomSSLSocketFactory.java b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/CustomSSLSocketFactory.java index d7f71cb494..cb32756478 100644 
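Review bot: The rewritten line `String msg = "Exception occured while discovering user properties:\n" + ...` carries the misspelling `occured` into the new code; since the string is being rebuilt it should read `"Exception occurred while discovering user properties:\n"`, matching the equivalent message at @@ -529 which already spells it correctly. The adjacent `throw new Exception(msg + ne);` is context, but like its sibling at @@ -529 it flattens the `NamingException` into the message and drops the cause; `new Exception(msg + ne, ne)` preserves the stack trace when the tool fails against a misconfigured directory. `findAdvUserProperties` begins and ends outside the hunk.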
--- a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/CustomSSLSocketFactory.java +++ b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/CustomSSLSocketFactory.java @@ -44,7 +44,7 @@ public class CustomSSLSocketFactory extends SSLSocketFactory { private static final Logger LOG = LoggerFactory.getLogger(CustomSSLSocketFactory.class); - private SSLSocketFactory sockFactory; + private SSLSocketFactory sockFactory; public CustomSSLSocketFactory() { SSLContext sslContext; diff --git a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java index a517ff9d0d..056d289f6e 100644 --- a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java +++ b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java 
@@ -70,26 +70,30 @@ public class LdapUserGroupBuilder implements UserGroupSource { private static final String DATE_FORMAT = "yyyyMMddHHmmss"; private static final String MEMBER_OF_ATTR = "memberof="; private static final String GROUP_NAME_ATTRIBUTE = "cn="; - private static final int PAGE_SIZE = 500; + private static final int PAGE_SIZE = 500; + /* for AD uSNChanged */ - private static long deltaSyncUserTime; - private static long deltaSyncGroupTime; + private static long deltaSyncUserTime; + private static long deltaSyncGroupTime; /* ***************** */ - private boolean pagedResultsEnabled = true; - private boolean groupSearchFirstEnabled = true; - private boolean userSearchEnabled = true; - private boolean groupSearchEnabled = true; - private int pagedResultsSize = PAGE_SIZE; - private int groupHierarchyLevels; - private int deleteCycles; - private int userSearchScope; - private int groupSearchScope; private final UserGroupSyncConfig config = UserGroupSyncConfig.getInstance(); + + private boolean pagedResultsEnabled = true; + private boolean groupSearchFirstEnabled = true; + private boolean userSearchEnabled = true; + private boolean groupSearchEnabled = true; + private int pagedResultsSize = PAGE_SIZE; + private int groupHierarchyLevels; + private int deleteCycles; + private int userSearchScope; + private int groupSearchScope; + /* for OpenLdap modifyTimestamp */ - private String deltaSyncUserTimeStamp; + private String deltaSyncUserTimeStamp; private String deltaSyncGroupTimeStamp; /* ******************************** */ + private String ldapUrl; private String ldapBindDn; private String ldapBindPassword; 
@@ -118,13 +122,16 @@ public class LdapUserGroupBuilder implements UserGroupSource { private LdapContext ldapContext; private SearchControls userSearchControls; private SearchControls groupSearchControls; - private Table groupUserTable; + private Table groupUserTable; + /* { key = user DN, value = map of user attributes {original name, DN, etc.}} */ private Map> sourceUsers; + /* { key = group DN, value = map of group attributes {original name, DN, etc.}} */ private Map> sourceGroups; + /* { key = group DN, value = set of user DNs (members) } */ - private Map> sourceGroupUsers; + private Map> sourceGroupUsers; StartTlsResponse tls; UgsyncAuditInfo ugsyncAuditInfo; @@ -221,7 +228,7 @@ public void updateSink(UserGroupSink sink) throws Throwable { try { sink.addOrUpdateUsersGroups(sourceGroups, sourceUsers, sourceGroupUsers, computeDeletes); DateFormat dateFormat = new SimpleDateFormat(DATE_FORMAT); - LOG.info("deltaSyncUserTime = {} and highestdeltaSyncUserTime = {}", deltaSyncUserTime, highestdeltaSyncUserTime); + LOG.info("deltaSyncUserTime = {} and highestDeltaSyncUserTime = {}", deltaSyncUserTime, highestdeltaSyncUserTime); if (deltaSyncUserTime < highestdeltaSyncUserTime) { // Incrementing highestdeltaSyncUserTime (for AD) in order to avoid search record repetition for next sync cycle. deltaSyncUserTime = highestdeltaSyncUserTime + 1; 
@@ -229,7 +236,7 @@ public void updateSink(UserGroupSink sink) throws Throwable {
 deltaSyncUserTimeStamp = dateFormat.format(new Date(highestdeltaSyncUserTime + 60L));
 }
- LOG.info("deltaSyncGroupTime = {} and highestdeltaSyncGroupTime = {} ", deltaSyncGroupTime, highestdeltaSyncGroupTime);
+ LOG.info("deltaSyncGroupTime = {} and highestDeltaSyncGroupTime = {} ", deltaSyncGroupTime, highestdeltaSyncGroupTime);
 // Update deltaSyncUserTime/deltaSyncUserTimeStamp here so that in case of failures, we get updates in next cycle
 if (deltaSyncGroupTime < highestdeltaSyncGroupTime) {
 // Incrementing highestdeltaSyncGroupTime (for AD) in order to avoid search record repetition for next sync cycle.
@@ -480,13 +487,30 @@ private long getUsers(boolean computeDeletes) throws Throwable {
 // searchResults contains all the user entries
 final SearchResult userEntry = userSearchResultEnum.next();
- if (!isSearchResultValid(userEntry, false)) {
+ if (userEntry == null) {
+ LOG.info("userEntry null, skipping sync for the entry");
 continue;
 }
- Attributes attributes = userEntry.getAttributes();
- String userName = (String) attributes.get(userNameAttribute).get();
- String userFullName = userEntry.getNameInNamespace();
+ Attributes attributes = userEntry.getAttributes();
+ if (attributes == null) {
+ LOG.info("attributes missing for entry {}, skipping sync", userEntry.getNameInNamespace());
+ continue;
+ }
+
+ Attribute userNameAttr = attributes.get(userNameAttribute);
+ if (userNameAttr == null) {
+ LOG.info("{} missing for entry {}, skipping sync", userNameAttribute, userEntry.getNameInNamespace());
+ continue;
+ }
+
+ String userFullName = (userEntry.getNameInNamespace());
+ String userName = (String) userNameAttr.get();
+
+ if (userName == null || userName.trim().isEmpty()) {
+ LOG.info("{} empty for entry {}, skipping sync", userNameAttribute, userEntry.getNameInNamespace());
+ continue;
+ }
 Attribute timeStampAttr = attributes.get("uSNChanged");
 if (timeStampAttr != null) {
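Review bot: The validation inlined into `getUsers` raises the skip diagnostics from the `LOG.debug` used by the deleted `isSearchResultValid` helper to `LOG.info`, and each message includes `userEntry.getNameInNamespace()`, so a directory with many entries lacking `userNameAttribute` will now write one full DN per skipped entry to the INFO log on every sync cycle. Keeping these at `LOG.debug`, or emitting a single aggregate count of skipped entries at INFO after the loop, avoids both the log volume and the routine exposure of directory DNs in operational logs. `String userFullName = (userEntry.getNameInNamespace());` has redundant parentheses. The removed helper also had a group branch (`isGroup == true`), and no hunk in this file updates a group-side caller, so either that branch was unused or group entries are checked elsewhere; worth confirming in the commit message. `getUsers` begins and ends outside the hunk.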
@@ -618,7 +642,7 @@ private long getUsers(boolean computeDeletes) throws Throwable { closeLdapContext(); } - LOG.debug("highestdeltaSyncUserTime = {}", highestdeltaSyncUserTime); + LOG.debug("highestDeltaSyncUserTime = {}", highestdeltaSyncUserTime); return highestdeltaSyncUserTime; } @@ -1172,50 +1196,4 @@ private String getDNForMemberOf(String searchFilter) throws Throwable { return computedSearchFilter; } - - private boolean isSearchResultValid(SearchResult searchResult, boolean isGroup) throws NamingException { - boolean result = true; - if (searchResult == null) { - LOG.debug("searchResult is null!"); - result = false; - } else { - Attributes attributes = searchResult.getAttributes(); - if (attributes == null) { - LOG.debug("Attributes missing for entry {}", searchResult.getNameInNamespace()); - result = false; - } else { - if (!isGroup) { - Attribute userNameAttr = attributes.get(userNameAttribute); - if (userNameAttr == null) { - LOG.debug("{} missing for entry {}", userNameAttribute, searchResult.getNameInNamespace()); - result = false; - } else { - String userName = (String) userNameAttr.get(); - - if (userName == null || userName.trim().isEmpty()) { - LOG.debug("{} empty for entry {}", userNameAttribute, searchResult.getNameInNamespace()); - result = false; - } - } - } else { - Attribute groupNameAttr = attributes.get(groupNameAttribute); - if (groupNameAttr == null) { - LOG.debug("{} missing for entry {}", groupNameAttribute, searchResult.getNameInNamespace()); - result = false; - } else { - String groupName = (String) groupNameAttr.get(); - - if (groupName == null || groupName.trim().isEmpty()) { - LOG.debug("{} empty for entry {}", groupNameAttr, searchResult.getNameInNamespace()); - result = false; - } - } - } - } - } - if (!result) { - LOG.debug("Skipping sync!"); - } - return result; - } } 
diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java index d411a85409..ae39859909 100644 --- a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java +++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java 
@@ -43,165 +43,202 @@ import java.util.StringTokenizer; public class UserGroupSyncConfig { - private static final Logger LOG = LoggerFactory.getLogger(UserGroupSyncConfig.class); - - private static final String CORE_SITE_CONFIG_FILE = "core-site.xml"; - public static final String CONFIG_FILE = "ranger-ugsync-site.xml"; - public static final String DEFAULT_CONFIG_FILE = "ranger-ugsync-default.xml"; - - private static final String UGSYNC_SOURCE_CLASS_PARAM = "ranger.usersync.source.impl.class"; - private static final String UGSYNC_SINK_CLASS_PARAM = "ranger.usersync.sink.impl.class"; - private static final String UGSYNC_SOURCE_CLASS = "org.apache.ranger.unixusersync.process.UnixUserGroupBuilder"; - private static final String UGSYNC_SINK_CLASS = "org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder"; - private static final String LGSYNC_SOURCE_CLASS = "org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder"; - - public static final String UGSYNC_ENABLED_PROP = "ranger.usersync.enabled"; - public static final String UGSYNC_PM_URL_PROP = "ranger.usersync.policymanager.baseURL"; - public static final String UGSYNC_UNIX_PASSWORD_FILE = "ranger.usersync.unix.password.file"; - public static final String DEFAULT_UGSYNC_UNIX_PASSWORD_FILE = "/etc/passwd"; - public static final String UGSYNC_UNIX_GROUP_FILE = "ranger.usersync.unix.group.file"; - public static final String DEFAULT_UGSYNC_UNIX_GROUP_FILE = "/etc/group"; - public static final String UGSYNC_MIN_USERID_PROP = "ranger.usersync.unix.minUserId"; - public static final String UGSYNC_MIN_GROUPID_PROP = "ranger.usersync.unix.minGroupId"; - public static final String DEFAULT_UGSYNC_MIN_GROUPID = "0"; - public static final String UGSYNC_MAX_RECORDS_PER_API_CALL_PROP = "ranger.usersync.policymanager.maxrecordsperapicall"; - public static final String UGSYNC_MOCK_RUN_PROP = "ranger.usersync.policymanager.mockrun"; - public static final String UGSYNC_TEST_RUN_PROP = "ranger.usersync.policymanager.testrun"; - 
public static final String UGSYNC_SOURCE_FILE_PROC = "ranger.usersync.filesource.file"; - public static final String UGSYNC_SOURCE_FILE_DELIMITER = "ranger.usersync.filesource.text.delimiter"; - public static final String UGSYNC_SOURCE_FILE_DELIMITERER = "ranger.usersync.filesource.text.delimiterer"; - public static final String UGSYNC_NONE_CASE_CONVERSION_VALUE = "none"; - public static final String UGSYNC_LOWER_CASE_CONVERSION_VALUE = "lower"; - public static final String UGSYNC_UPPER_CASE_CONVERSION_VALUE = "upper"; - public static final String SYNC_MAPPING_USERNAME = "ranger.usersync.mapping.username.regex"; - public static final String SYNC_MAPPING_GROUPNAME = "ranger.usersync.mapping.groupname.regex"; - public static final String UGSYNC_METRICS_ENABLED_PROP = "ranger.usersync.metrics.enabled"; - public static final String UGSYNC_NAME_VALIDATION_ENABLED = "ranger.usersync.name.validation.enabled"; - public static final String UGSYNC_SERVER_HA_ENABLED_PARAM = "ranger-ugsync.server.ha.enabled"; - public static final String UGSYNC_SYNC_SOURCE_VALIDATION_ENABLED = "ranger.usersync.syncsource.validation.enabled"; - - private static final String SSL_KEYSTORE_FILE_TYPE_PARAM = "ranger.keystore.file.type"; - private static final String SSL_TRUSTSTORE_FILE_TYPE_PARAM = "ranger.truststore.file.type"; - private static final String SSL_KEYSTORE_PATH_PARAM = "ranger.usersync.keystore.file"; - private static final String SSL_KEYSTORE_PATH_PASSWORD_PARAM = "ranger.usersync.keystore.password"; - private static final String SSL_KEYSTORE_PATH_PASSWORD_ALIAS = "usersync.ssl.key.password"; - private static final String SSL_TRUSTSTORE_PATH_PARAM = "ranger.usersync.truststore.file"; - private static final String SSL_TRUSTSTORE_PATH_PASSWORD_PARAM = "ranger.usersync.truststore.password"; - private static final String SSL_TRUSTSTORE_PATH_PASSWORD_ALIAS = "usersync.ssl.truststore.password"; - - private static final String UGSYNC_SLEEP_TIME_IN_MILLIS_BETWEEN_CYCLE_PARAM = 
"ranger.usersync.sleeptimeinmillisbetweensynccycle"; - private static final String UGSYNC_SLEEP_LDAP_FORCE_TIME_IN_MILLIS_BETWEEN_CYCLE_PARAM_ENABLED = "ranger.usersync.ldap.force.sleeptimeinmillisbetweensynccycle.enabled"; - private static final long UGSYNC_SLEEP_TIME_IN_MILLIS_BETWEEN_CYCLE_MIN_VALUE = 60000L; - private static final long UGSYNC_SLEEP_TIME_IN_MILLIS_BETWEEN_CYCLE_UNIX_DEFAULT_VALUE = 60000L; - private static final long UGSYNC_SLEEP_TIME_IN_MILLIS_BETWEEN_CYCLE_LDAP_DEFAULT_VALUE = 3600000L; - - private static final String LGSYNC_LDAP_URL = "ranger.usersync.ldap.url"; - private static final String LGSYNC_LDAP_DELTASYNC_ENABLED = "ranger.usersync.ldap.deltasync"; - private static final boolean DEFAULT_LGSYNC_LDAP_DELTASYNC_ENABLED = false; - private static final String LGSYNC_LDAP_STARTTLS_ENABLED = "ranger.usersync.ldap.starttls"; - private static final boolean DEFAULT_LGSYNC_LDAP_STARTTLS_ENABLED = false; - private static final String LGSYNC_LDAP_BIND_DN = "ranger.usersync.ldap.binddn"; - private static final String LGSYNC_LDAP_BIND_KEYSTORE = "ranger.usersync.credstore.filename"; - private static final String LGSYNC_LDAP_BIND_ALIAS = "ranger.usersync.ldap.bindalias"; - private static final String LGSYNC_LDAP_BIND_PASSWORD = "ranger.usersync.ldap.ldapbindpassword"; - private static final String LGSYNC_LDAP_AUTHENTICATION_MECHANISM = "ranger.usersync.ldap.authentication.mechanism"; - private static final String DEFAULT_AUTHENTICATION_MECHANISM = "simple"; - private static final String LGSYNC_SEARCH_BASE = "ranger.usersync.ldap.searchBase"; - private static final String LGSYNC_USER_SEARCH_BASE = "ranger.usersync.ldap.user.searchbase"; - private static final String LGSYNC_USER_SEARCH_SCOPE = "ranger.usersync.ldap.user.searchscope"; - private static final String LGSYNC_USER_OBJECT_CLASS = "ranger.usersync.ldap.user.objectclass"; - private static final String DEFAULT_USER_OBJECT_CLASS = "person"; - private static final String LGSYNC_GROUPNAMES = 
"ranger.usersync.ldap.groupnames"; - private static final String LGSYNC_USER_SEARCH_FILTER = "ranger.usersync.ldap.user.searchfilter"; - private static final String LGSYNC_USER_NAME_ATTRIBUTE = "ranger.usersync.ldap.user.nameattribute"; - private static final String DEFAULT_USER_NAME_ATTRIBUTE = "cn"; - private static final String LGSYNC_USER_GROUP_NAME_ATTRIBUTE = "ranger.usersync.ldap.user.groupnameattribute"; - private static final String DEFAULT_USER_GROUP_NAME_ATTRIBUTE = "memberof,ismemberof"; - private static final String LGSYNC_USER_CLOUDID_ATTRIBUTE = "ranger.usersync.ldap.user.cloudid.attribute"; - private static final String DEFAULT_USER_CLOUDID_ATTRIBUTE = "objectid"; - private static final String LGSYNC_USER_CLOUDID_ATTRIBUTE_DATATYPE = "ranger.usersync.ldap.user.cloudid.attribute.datatype"; - private static final String DEFAULT_USER_CLOUDID_ATTRIBUTE_DATATYPE = "byte[]"; - private static final String LGSYNC_OTHER_USER_ATTRIBUTES = "ranger.usersync.ldap.user.otherattributes"; - private static final String DEFAULT_OTHER_USER_ATTRIBUTES = "userurincipaluame,"; - private static final String UGSYNC_USERNAME_CASE_CONVERSION_PARAM = "ranger.usersync.ldap.username.caseconversion"; - private static final String DEFAULT_UGSYNC_USERNAME_CASE_CONVERSION_VALUE = UGSYNC_NONE_CASE_CONVERSION_VALUE; - private static final String UGSYNC_GROUPNAME_CASE_CONVERSION_PARAM = "ranger.usersync.ldap.groupname.caseconversion"; - private static final String DEFAULT_UGSYNC_GROUPNAME_CASE_CONVERSION_VALUE = UGSYNC_NONE_CASE_CONVERSION_VALUE; - private static final String DEFAULT_USER_GROUP_TEXTFILE_DELIMITER = ","; - private static final String LGSYNC_PAGED_RESULTS_ENABLED = "ranger.usersync.pagedresultsenabled"; - private static final boolean DEFAULT_LGSYNC_PAGED_RESULTS_ENABLED = true; - private static final String LGSYNC_PAGED_RESULTS_SIZE = "ranger.usersync.pagedresultssize"; - private static final int DEFAULT_LGSYNC_PAGED_RESULTS_SIZE = 500; - private static final String 
LGSYNC_GROUP_SEARCH_ENABLED = "ranger.usersync.group.searchenabled"; - private static final boolean DEFAULT_LGSYNC_GROUP_SEARCH_ENABLED = true; - private static final String LGSYNC_GROUP_SEARCH_FIRST_ENABLED = "ranger.usersync.group.search.first.enabled"; - private static final boolean DEFAULT_LGSYNC_GROUP_SEARCH_FIRST_ENABLED = true; - /** This flag (ranger.usersync.user.searchenabled) is used only when group search first is enabled to get username either - - * from the group member attribute of the group or - * from the additional user search based on the user attribute configuration + private static final Logger LOG = LoggerFactory.getLogger(UserGroupSyncConfig.class); + + private static final String CORE_SITE_CONFIG_FILE = "core-site.xml"; + + public static final String CONFIG_FILE = "ranger-ugsync-site.xml"; + public static final String DEFAULT_CONFIG_FILE = "ranger-ugsync-default.xml"; + public static final String UGSYNC_ENABLED_PROP = "ranger.usersync.enabled"; + + private static final String UGSYNC_SOURCE_CLASS_PARAM = "ranger.usersync.source.impl.class"; + private static final String UGSYNC_SINK_CLASS_PARAM = "ranger.usersync.sink.impl.class"; + private static final String UGSYNC_SOURCE_CLASS = "org.apache.ranger.unixusersync.process.UnixUserGroupBuilder"; + private static final String UGSYNC_SINK_CLASS = "org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder"; + private static final String LGSYNC_SOURCE_CLASS = "org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder"; + + /* LDAP Configs */ + private static final String LGSYNC_LDAP_URL = "ranger.usersync.ldap.url"; + private static final String LGSYNC_LDAP_AUTHENTICATION_MECHANISM = "ranger.usersync.ldap.authentication.mechanism"; + private static final String LGSYNC_REFERRAL = "ranger.usersync.ldap.referral"; + private static final String LGSYNC_LDAP_BIND_DN = "ranger.usersync.ldap.binddn"; + private static final String LGSYNC_LDAP_BIND_ALIAS = "ranger.usersync.ldap.bindalias"; + private 
static final String LGSYNC_LDAP_BIND_PASSWORD = "ranger.usersync.ldap.ldapbindpassword"; + private static final String LGSYNC_SEARCH_BASE = "ranger.usersync.ldap.searchBase"; + private static final String LGSYNC_USER_SEARCH_BASE = "ranger.usersync.ldap.user.searchbase"; + private static final String LGSYNC_USER_SEARCH_SCOPE = "ranger.usersync.ldap.user.searchscope"; + private static final String LGSYNC_USER_OBJECT_CLASS = "ranger.usersync.ldap.user.objectclass"; + private static final String LGSYNC_USER_SEARCH_FILTER = "ranger.usersync.ldap.user.searchfilter"; + private static final String LGSYNC_USER_NAME_ATTRIBUTE = "ranger.usersync.ldap.user.nameattribute"; + private static final String LGSYNC_USER_GROUP_NAME_ATTRIBUTE = "ranger.usersync.ldap.user.groupnameattribute"; + private static final String LGSYNC_OTHER_USER_ATTRIBUTES = "ranger.usersync.ldap.user.otherattributes"; + private static final String LGSYNC_USER_CLOUDID_ATTRIBUTE = "ranger.usersync.ldap.user.cloudid.attribute"; + private static final String LGSYNC_USER_CLOUDID_ATTRIBUTE_DATATYPE = "ranger.usersync.ldap.user.cloudid.attribute.datatype"; + private static final String UGSYNC_USERNAME_CASE_CONVERSION_PARAM = "ranger.usersync.ldap.username.caseconversion"; + /** + * ranger.usersync.user.searchenabled is used only when group search first is enabled to get username from - + * 1. the group member attribute of the group or + * 2. 
the additional user search based on the user attribute configuration */ - private static final String LGSYNC_USER_SEARCH_ENABLED = "ranger.usersync.user.searchenabled"; - private static final boolean DEFAULT_LGSYNC_USER_SEARCH_ENABLED = true; - private static final String LGSYNC_GROUP_SEARCH_BASE = "ranger.usersync.group.searchbase"; - private static final String LGSYNC_GROUP_SEARCH_SCOPE = "ranger.usersync.group.searchscope"; - private static final String LGSYNC_GROUP_OBJECT_CLASS = "ranger.usersync.group.objectclass"; - private static final String DEFAULT_LGSYNC_GROUP_OBJECT_CLASS = "groupofnames"; - private static final String LGSYNC_GROUP_SEARCH_FILTER = "ranger.usersync.group.searchfilter"; - private static final String LGSYNC_GROUP_NAME_ATTRIBUTE = "ranger.usersync.group.nameattribute"; - private static final String DEFAULT_LGSYNC_GROUP_NAME_ATTRIBUTE = "cn"; - private static final String LGSYNC_GROUP_MEMBER_ATTRIBUTE_NAME = "ranger.usersync.group.memberattributename"; - private static final String DEFAULT_LGSYNC_GROUP_MEMBER_ATTRIBUTE_NAME = "member"; - private static final String LGSYNC_GROUP_CLOUDID_ATTRIBUTE = "ranger.usersync.ldap.group.cloudid.attribute"; - private static final String DEFAULT_GROUP_CLOUDID_ATTRIBUTE = "objectid"; - private static final String LGSYNC_GROUP_CLOUDID_ATTRIBUTE_DATATYPE = "ranger.usersync.ldap.group.cloudid.attribute.datatype"; - private static final String DEFAULT_GROUP_CLOUDID_ATTRIBUTE_DATATYPE = "byte[]"; - private static final String LGSYNC_OTHER_GROUP_ATTRIBUTES = "ranger.usersync.ldap.group.otherattributes"; - private static final String DEFAULT_OTHER_GROUP_ATTRIBUTES = "displayname,"; - private static final String LGSYNC_GROUP_HIERARCHY_LEVELS = "ranger.usersync.ldap.grouphierarchylevels"; - private static final int DEFAULT_LGSYNC_GROUP_HIERARCHY_LEVELS = 0; - private static final String UGSYNC_UPDATE_MILLIS_MIN = "ranger.usersync.unix.updatemillismin"; - private static final long DEFAULT_UGSYNC_UPDATE_MILLIS_MIN = 
60_000; // ms - private static final String UGSYNC_UNIX_BACKEND = "ranger.usersync.unix.backend"; - private static final String DEFAULT_UGSYNC_UNIX_BACKEND = "passwd"; - private static final String UGSYNC_GROUP_ENUMERATE_ENABLED = "ranger.usersync.group.enumerate"; - private static final String UGSYNC_GROUP_ENUMERATE_GROUPS = "ranger.usersync.group.enumerategroup"; - private static final String SYNC_POLICY_MGR_KEYSTORE = "ranger.usersync.policymgr.keystore"; - private static final String SYNC_POLICY_MGR_ALIAS = "ranger.usersync.policymgr.alias"; - private static final String SYNC_POLICY_MGR_PASSWORD = "ranger.usersync.policymgr.password"; - private static final String SYNC_POLICY_MGR_USERNAME = "ranger.usersync.policymgr.username"; - private static final String SYNC_POLICY_MGR_MAX_RETRY_ATTEMPTS = "ranger.usersync.policymgr.max.retry.attempts"; - private static final String SYNC_POLICY_MGR_RETRY_INTERVAL_MS = "ranger.usersync.policymgr.retry.interval.ms"; - private static final String DEFAULT_POLICYMGR_USERNAME = "rangerusersync"; - private static final String SYNC_SOURCE = "ranger.usersync.sync.source"; - private static final String LGSYNC_REFERRAL = "ranger.usersync.ldap.referral"; - private static final String DEFAULT_LGSYNC_REFERRAL = "ignore"; - private static final String SYNC_MAPPING_USERNAME_HANDLER = "ranger.usersync.mapping.username.handler"; - private static final String DEFAULT_SYNC_MAPPING_USERNAME_HANDLER = "org.apache.ranger.usergroupsync.RegEx"; - private static final String SYNC_MAPPING_GROUPNAME_HANDLER = "ranger.usersync.mapping.groupname.handler"; - private static final String DEFAULT_SYNC_MAPPING_GROUPNAME_HANDLER = "org.apache.ranger.usergroupsync.RegEx"; - private static final String SYNC_MAPPING_SEPARATOR = "ranger.usersync.mapping.regex.separator"; - private static final String DEFAULT_MAPPING_SEPARATOR = "/"; - private static final String ROLE_ASSIGNMENT_LIST_DELIMITER = "ranger.usersync.role.assignment.list.delimiter"; - private static 
final String USERS_GROUPS_ASSIGNMENT_LIST_DELIMITER = "ranger.usersync.users.groups.assignment.list.delimiter"; - private static final String USERNAME_GROUPNAME_ASSIGNMENT_LIST_DELIMITER = "ranger.usersync.username.groupname.assignment.list.delimiter"; - private static final String GROUP_BASED_ROLE_ASSIGNMENT_RULES = "ranger.usersync.group.based.role.assignment.rules"; - private static final String WHITELIST_USER_ROLE_ASSIGNMENT_RULES = "ranger.usersync.whitelist.users.role.assignment.rules"; - private static final String DEFAULT_WHITELIST_USER_ROLE_ASSIGNMENT_RULES = "&ROLE_SYS_ADMIN:u:admin,rangerusersync,rangertagsync&ROLE_KEY_ADMIN:u:keyadmin"; - private static final String USERSYNC_RANGER_COOKIE_ENABLED_PROP = "ranger.usersync.cookie.enabled"; - private static final String RANGER_ADMIN_COOKIE_NAME_PROPS = "ranger.usersync.dest.ranger.session.cookie.name"; - private static final String UGSYNC_METRICS_FILEPATH = "ranger.usersync.metrics.filepath"; - private static final String DEFAULT_UGSYNC_METRICS_FILEPATH = "/tmp/"; - private static final String UGSYNC_METRICS_FILENAME = "ranger.usersync.metrics.filename"; - private static final String DEFAULT_UGSYNC_METRICS_FILENAME = "ranger_usersync_metric.json"; - private static final String UGSYNC_METRICS_FREQUENCY_TIME_IN_MILLIS_PARAM = "ranger.usersync.metrics.frequencytimeinmillis"; - private static final long DEFAULT_UGSYNC_METRICS_FREQUENCY_TIME_IN_MILLIS = 10000L; - private static final String UGSYNC_DELETES_ENABLED = "ranger.usersync.deletes.enabled"; - private static final boolean DEFAULT_UGSYNC_DELETES_ENABLED = false; - private static final String UGSYNC_DELETES_FREQUENCY = "ranger.usersync.deletes.frequency"; - private static final long DEFAULT_UGSYNC_DELETES_FREQUENCY = 10L; // After every 10 sync cycles - private static final boolean DEFAULT_UGSYNC_NAME_VALIDATION_ENABLED = false; - private static final long UGSYNC_INIT_SLEEP_TIME_IN_MILLIS_BETWEEN_CYCLE_MIN_VALUE_FOR_HA = 5000L; - private static final 
boolean DEFAULT_UGSYNC_SYNC_SOURCE_VALIDATION_ENABLED = true; + private static final String LGSYNC_USER_SEARCH_ENABLED = "ranger.usersync.user.searchenabled"; + + private static final String LGSYNC_GROUP_SEARCH_BASE = "ranger.usersync.group.searchbase"; + private static final String LGSYNC_GROUP_SEARCH_SCOPE = "ranger.usersync.group.searchscope"; + private static final String LGSYNC_GROUP_OBJECT_CLASS = "ranger.usersync.group.objectclass"; + private static final String LGSYNC_GROUP_SEARCH_FILTER = "ranger.usersync.group.searchfilter"; + private static final String LGSYNC_GROUP_NAME_ATTRIBUTE = "ranger.usersync.group.nameattribute"; + private static final String LGSYNC_GROUP_MEMBER_ATTRIBUTE_NAME = "ranger.usersync.group.memberattributename"; + private static final String LGSYNC_GROUP_SEARCH_ENABLED = "ranger.usersync.group.searchenabled"; + private static final String LGSYNC_GROUP_SEARCH_FIRST_ENABLED = "ranger.usersync.group.search.first.enabled"; + private static final String LGSYNC_GROUPNAMES = "ranger.usersync.ldap.groupnames"; + private static final String LGSYNC_OTHER_GROUP_ATTRIBUTES = "ranger.usersync.ldap.group.otherattributes"; + private static final String LGSYNC_GROUP_CLOUDID_ATTRIBUTE = "ranger.usersync.ldap.group.cloudid.attribute"; + private static final String LGSYNC_GROUP_CLOUDID_ATTRIBUTE_DATATYPE = "ranger.usersync.ldap.group.cloudid.attribute.datatype"; + private static final String UGSYNC_GROUPNAME_CASE_CONVERSION_PARAM = "ranger.usersync.ldap.groupname.caseconversion"; + private static final String LGSYNC_GROUP_HIERARCHY_LEVELS = "ranger.usersync.ldap.grouphierarchylevels"; + + private static final String LGSYNC_LDAP_BIND_KEYSTORE = "ranger.usersync.credstore.filename"; + private static final String LGSYNC_LDAP_DELTASYNC_ENABLED = "ranger.usersync.ldap.deltasync"; + private static final String LGSYNC_LDAP_STARTTLS_ENABLED = "ranger.usersync.ldap.starttls"; + private static final String 
UGSYNC_SLEEP_LDAP_FORCE_TIME_IN_MILLIS_BETWEEN_CYCLE_PARAM_ENABLED = "ranger.usersync.ldap.force.sleeptimeinmillisbetweensynccycle.enabled"; + + /* LDAP Defaults */ + public static final String UGSYNC_NONE_CASE_CONVERSION_VALUE = "none"; + public static final String UGSYNC_LOWER_CASE_CONVERSION_VALUE = "lower"; + public static final String UGSYNC_UPPER_CASE_CONVERSION_VALUE = "upper"; + + private static final String DEFAULT_AUTHENTICATION_MECHANISM = "simple"; + private static final String DEFAULT_USER_OBJECT_CLASS = "person"; + private static final String DEFAULT_USER_NAME_ATTRIBUTE = "cn"; + private static final String DEFAULT_USER_GROUP_NAME_ATTRIBUTE = "memberof,ismemberof"; + private static final String DEFAULT_USER_CLOUDID_ATTRIBUTE = "objectid"; + private static final String DEFAULT_USER_CLOUDID_ATTRIBUTE_DATATYPE = "byte[]"; + private static final String DEFAULT_OTHER_USER_ATTRIBUTES = "userurincipaluame,"; + private static final String DEFAULT_UGSYNC_USERNAME_CASE_CONVERSION_VALUE = UGSYNC_NONE_CASE_CONVERSION_VALUE; + + private static final String DEFAULT_LGSYNC_GROUP_OBJECT_CLASS = "groupofnames"; + private static final String DEFAULT_LGSYNC_GROUP_NAME_ATTRIBUTE = "cn"; + private static final String DEFAULT_LGSYNC_GROUP_MEMBER_ATTRIBUTE_NAME = "member"; + private static final String DEFAULT_GROUP_CLOUDID_ATTRIBUTE = "objectid"; + private static final String DEFAULT_GROUP_CLOUDID_ATTRIBUTE_DATATYPE = "byte[]"; + private static final String DEFAULT_OTHER_GROUP_ATTRIBUTES = "displayname,"; + private static final String DEFAULT_UGSYNC_GROUPNAME_CASE_CONVERSION_VALUE = UGSYNC_NONE_CASE_CONVERSION_VALUE; + private static final String DEFAULT_LGSYNC_REFERRAL = "ignore"; + private static final int DEFAULT_LGSYNC_GROUP_HIERARCHY_LEVELS = 0; + private static final int DEFAULT_LGSYNC_PAGED_RESULTS_SIZE = 500; + private static final boolean DEFAULT_LGSYNC_LDAP_DELTASYNC_ENABLED = false; + private static final boolean DEFAULT_LGSYNC_LDAP_STARTTLS_ENABLED = false; + 
private static final boolean DEFAULT_LGSYNC_PAGED_RESULTS_ENABLED = true; + private static final boolean DEFAULT_LGSYNC_GROUP_SEARCH_ENABLED = true; + private static final boolean DEFAULT_LGSYNC_USER_SEARCH_ENABLED = true; + private static final boolean DEFAULT_LGSYNC_GROUP_SEARCH_FIRST_ENABLED = true; + + /* Unix Configs */ + public static final String UGSYNC_MIN_USERID_PROP = "ranger.usersync.unix.minUserId"; + public static final String UGSYNC_MIN_GROUPID_PROP = "ranger.usersync.unix.minGroupId"; + public static final String UGSYNC_UNIX_PASSWORD_FILE = "ranger.usersync.unix.password.file"; + public static final String UGSYNC_UNIX_GROUP_FILE = "ranger.usersync.unix.group.file"; + + private static final String UGSYNC_GROUP_ENUMERATE_ENABLED = "ranger.usersync.group.enumerate"; + private static final String UGSYNC_GROUP_ENUMERATE_GROUPS = "ranger.usersync.group.enumerategroup"; + private static final String UGSYNC_UNIX_BACKEND = "ranger.usersync.unix.backend"; + + /* Unix Defaults */ + public static final String DEFAULT_UGSYNC_UNIX_GROUP_FILE = "/etc/group"; + public static final String DEFAULT_UGSYNC_UNIX_PASSWORD_FILE = "/etc/passwd"; + public static final String DEFAULT_UGSYNC_MIN_GROUPID = "0"; + + private static final String DEFAULT_UGSYNC_UNIX_BACKEND = "passwd"; + private static final String UGSYNC_UPDATE_MILLIS_MIN = "ranger.usersync.unix.updatemillismin"; + + /* File Sync Configs */ + public static final String UGSYNC_SOURCE_FILE_PROC = "ranger.usersync.filesource.file"; + public static final String UGSYNC_SOURCE_FILE_DELIMITER = "ranger.usersync.filesource.text.delimiter"; + public static final String UGSYNC_SOURCE_FILE_DELIMITERER = "ranger.usersync.filesource.text.delimiterer"; + + private static final String DEFAULT_USER_GROUP_TEXTFILE_DELIMITER = ","; + + /* RegEx */ + public static final String SYNC_MAPPING_USERNAME = "ranger.usersync.mapping.username.regex"; + public static final String SYNC_MAPPING_GROUPNAME = 
"ranger.usersync.mapping.groupname.regex"; + + private static final String SYNC_MAPPING_USERNAME_HANDLER = "ranger.usersync.mapping.username.handler"; + private static final String SYNC_MAPPING_GROUPNAME_HANDLER = "ranger.usersync.mapping.groupname.handler"; + private static final String SYNC_MAPPING_SEPARATOR = "ranger.usersync.mapping.regex.separator"; + + private static final String DEFAULT_SYNC_MAPPING_USERNAME_HANDLER = "org.apache.ranger.usergroupsync.RegEx"; + private static final String DEFAULT_SYNC_MAPPING_GROUPNAME_HANDLER = "org.apache.ranger.usergroupsync.RegEx"; + + private static final String DEFAULT_MAPPING_SEPARATOR = "/"; + + /* Role Assignments */ + private static final String ROLE_ASSIGNMENT_LIST_DELIMITER = "ranger.usersync.role.assignment.list.delimiter"; + private static final String USERS_GROUPS_ASSIGNMENT_LIST_DELIMITER = "ranger.usersync.users.groups.assignment.list.delimiter"; + private static final String USERNAME_GROUPNAME_ASSIGNMENT_LIST_DELIMITER = "ranger.usersync.username.groupname.assignment.list.delimiter"; + private static final String GROUP_BASED_ROLE_ASSIGNMENT_RULES = "ranger.usersync.group.based.role.assignment.rules"; + private static final String WHITELIST_USER_ROLE_ASSIGNMENT_RULES = "ranger.usersync.whitelist.users.role.assignment.rules"; + private static final String DEFAULT_WHITELIST_USER_ROLE_ASSIGNMENT_RULES = "&ROLE_SYS_ADMIN:u:admin,rangerusersync,rangertagsync&ROLE_KEY_ADMIN:u:keyadmin"; + + /* Metrics */ + public static final String UGSYNC_METRICS_ENABLED_PROP = "ranger.usersync.metrics.enabled"; + + private static final String UGSYNC_METRICS_FILENAME = "ranger.usersync.metrics.filename"; + private static final String DEFAULT_UGSYNC_METRICS_FILENAME = "ranger_usersync_metric.json"; + private static final String UGSYNC_METRICS_FILEPATH = "ranger.usersync.metrics.filepath"; + private static final String UGSYNC_METRICS_FREQUENCY_TIME_IN_MILLIS_PARAM = "ranger.usersync.metrics.frequencytimeinmillis"; + + private static 
final String DEFAULT_UGSYNC_METRICS_FILEPATH = "/tmp/"; + private static final long DEFAULT_UGSYNC_METRICS_FREQUENCY_TIME_IN_MILLIS = 10_000L; + + /* Policy Manager Configs */ + public static final String UGSYNC_PM_URL_PROP = "ranger.usersync.policymanager.baseURL"; + public static final String UGSYNC_MAX_RECORDS_PER_API_CALL_PROP = "ranger.usersync.policymanager.maxrecordsperapicall"; + public static final String UGSYNC_MOCK_RUN_PROP = "ranger.usersync.policymanager.mockrun"; + public static final String UGSYNC_TEST_RUN_PROP = "ranger.usersync.policymanager.testrun"; + + private static final String SYNC_POLICY_MGR_KEYSTORE = "ranger.usersync.policymgr.keystore"; + private static final String SYNC_POLICY_MGR_ALIAS = "ranger.usersync.policymgr.alias"; + private static final String SYNC_POLICY_MGR_PASSWORD = "ranger.usersync.policymgr.password"; + private static final String SYNC_POLICY_MGR_USERNAME = "ranger.usersync.policymgr.username"; + private static final String SYNC_POLICY_MGR_MAX_RETRY_ATTEMPTS = "ranger.usersync.policymgr.max.retry.attempts"; + private static final String SYNC_POLICY_MGR_RETRY_INTERVAL_MS = "ranger.usersync.policymgr.retry.interval.ms"; + private static final String DEFAULT_POLICYMGR_USERNAME = "rangerusersync"; + + /* Other Configs */ + public static final String UGSYNC_SERVER_HA_ENABLED_PARAM = "ranger-ugsync.server.ha.enabled"; + public static final String UGSYNC_NAME_VALIDATION_ENABLED = "ranger.usersync.name.validation.enabled"; + public static final String UGSYNC_SYNC_SOURCE_VALIDATION_ENABLED = "ranger.usersync.syncsource.validation.enabled"; + private static final String UGSYNC_SLEEP_TIME_IN_MILLIS_BETWEEN_CYCLE_PARAM = "ranger.usersync.sleeptimeinmillisbetweensynccycle"; + + private static final long UGSYNC_SLEEP_TIME_IN_MILLIS_BETWEEN_CYCLE_MIN_VALUE = 60_000L; + private static final long UGSYNC_SLEEP_TIME_IN_MILLIS_BETWEEN_CYCLE_UNIX_DEFAULT_VALUE = 60_000L; + private static final long 
UGSYNC_SLEEP_TIME_IN_MILLIS_BETWEEN_CYCLE_LDAP_DEFAULT_VALUE = 3_600_000L; + private static final long DEFAULT_UGSYNC_UPDATE_MILLIS_MIN = 60_000; + private static final long UGSYNC_INIT_SLEEP_TIME_IN_MILLIS_BETWEEN_CYCLE_MIN_VALUE_FOR_HA = 5_000L; + private static final boolean DEFAULT_UGSYNC_NAME_VALIDATION_ENABLED = false; + private static final boolean DEFAULT_UGSYNC_SYNC_SOURCE_VALIDATION_ENABLED = true; + + private static final String SYNC_SOURCE = "ranger.usersync.sync.source"; + private static final String LGSYNC_PAGED_RESULTS_ENABLED = "ranger.usersync.pagedresultsenabled"; + private static final String LGSYNC_PAGED_RESULTS_SIZE = "ranger.usersync.pagedresultssize"; + private static final String UGSYNC_DELETES_ENABLED = "ranger.usersync.deletes.enabled"; + private static final String UGSYNC_DELETES_FREQUENCY = "ranger.usersync.deletes.frequency"; + private static final String USERSYNC_RANGER_COOKIE_ENABLED_PROP = "ranger.usersync.cookie.enabled"; + private static final String RANGER_ADMIN_COOKIE_NAME_PROPS = "ranger.usersync.dest.ranger.session.cookie.name"; + + private static final boolean DEFAULT_UGSYNC_DELETES_ENABLED = false; + private static final long DEFAULT_UGSYNC_DELETES_FREQUENCY = 10L; // After every 10 sync cycles + + /* SSL Configs */ + private static final String SSL_KEYSTORE_FILE_TYPE_PARAM = "ranger.keystore.file.type"; + private static final String SSL_TRUSTSTORE_FILE_TYPE_PARAM = "ranger.truststore.file.type"; + private static final String SSL_KEYSTORE_PATH_PARAM = "ranger.usersync.keystore.file"; + private static final String SSL_KEYSTORE_PATH_PASSWORD_PARAM = "ranger.usersync.keystore.password"; + private static final String SSL_TRUSTSTORE_PATH_PARAM = "ranger.usersync.truststore.file"; + private static final String SSL_TRUSTSTORE_PATH_PASSWORD_PARAM = "ranger.usersync.truststore.password"; + private static final String SSL_KEYSTORE_PATH_PASSWORD_ALIAS = "usersync.ssl.key.password"; + private static final String 
SSL_TRUSTSTORE_PATH_PASSWORD_ALIAS = "usersync.ssl.truststore.password"; + private static volatile UserGroupSyncConfig me; private final Properties prop = new Properties(); private Configuration userGroupConfig; @@ -342,19 +379,15 @@ public String getSSLKeyStorePath() { } public String getSSLKeyStorePathPassword() { - if (prop == null) { - return null; - } if (prop.containsKey(LGSYNC_LDAP_BIND_KEYSTORE)) { String path = prop.getProperty(LGSYNC_LDAP_BIND_KEYSTORE); - String alias = SSL_KEYSTORE_PATH_PASSWORD_ALIAS; if (path != null) { - if (!path.trim().isEmpty() && !alias.trim().isEmpty()) { + if (!path.trim().isEmpty()) { if ("bcfks".equalsIgnoreCase(getSSLKeyStoreType())) { - String crendentialProviderPrefixBcfks = "bcfks" + "://file"; + String crendentialProviderPrefixBcfks = "bcfks://file"; path = crendentialProviderPrefixBcfks + path; } - String password = CredentialReader.getDecryptedString(path.trim(), alias.trim(), getSSLKeyStoreType()); + String password = CredentialReader.getDecryptedString(path.trim(), SSL_KEYSTORE_PATH_PASSWORD_ALIAS.trim(), getSSLKeyStoreType()); if (password != null && !password.trim().isEmpty() && !"none".equalsIgnoreCase(password.trim()) && !"_".equalsIgnoreCase(password.trim())) { prop.setProperty(SSL_KEYSTORE_PATH_PASSWORD_PARAM, password); } @@ -369,9 +402,6 @@ public String getSSLTrustStorePath() { } public String getSSLTrustStorePathPassword() { - if (prop == null) { - return null; - } if (prop.containsKey(LGSYNC_LDAP_BIND_KEYSTORE)) { String path = prop.getProperty(LGSYNC_LDAP_BIND_KEYSTORE); if (path != null) { @@ -402,7 +432,7 @@ public long getUpdateMillisMin() { public long getInitSleepTimeInMillisBetweenCycle() throws Throwable { long initSleepValue; - Configuration config = getUserGroupConfig(); + Configuration config = getUserGroupConfig(); if (config.getBoolean(UGSYNC_SERVER_HA_ENABLED_PARAM, false)) { initSleepValue = UGSYNC_INIT_SLEEP_TIME_IN_MILLIS_BETWEEN_CYCLE_MIN_VALUE_FOR_HA; } else { 
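Review bot: `DEFAULT_OTHER_USER_ATTRIBUTES = "userurincipaluame,"` is carried into the regrouped `/* LDAP Defaults */` block unchanged, and the value looks like a mangled `userprincipalname`; since `getOtherUserAttributes()` (hunk at -617 below) falls back to this constant whenever the property is blank, the default would ask the directory for an attribute that is unlikely to exist in any schema. Changing the literal alters runtime behaviour, so it probably belongs in its own fix, but a `// TODO: likely typo of "userprincipalname" -- confirm against deployments before changing` beside it would stop it being reshuffled unnoticed again. Two of the new section comments also mislabel their contents: `UGSYNC_UPDATE_MILLIS_MIN` is a property key but sits under `/* Unix Defaults */`, and `LGSYNC_PAGED_RESULTS_ENABLED`/`LGSYNC_PAGED_RESULTS_SIZE` are LDAP paging keys placed under `/* Other Configs */` rather than `/* LDAP Configs */`.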
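Review bot: `SSL_KEYSTORE_PATH_PASSWORD_ALIAS.trim()` on the new `CredentialReader.getDecryptedString(...)` line in `getSSLKeyStorePathPassword()` trims a compile-time constant (`"usersync.ssl.key.password"`) that has no surrounding whitespace; dropping the old `alias` local and its emptiness check was right, but the call should simply pass `SSL_KEYSTORE_PATH_PASSWORD_ALIAS`. The local `crendentialProviderPrefixBcfks`, whose initializer this hunk simplifies, keeps its misspelling; `credentialProviderPrefixBcfks` would match the surrounding naming. The method's remaining branches are outside the hunk.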
@@ -412,7 +442,7 @@ public long getInitSleepTimeInMillisBetweenCycle() throws Throwable {
 }
 
 public long getSleepTimeInMillisBetweenCycle() throws Throwable {
- String val = prop.getProperty(UGSYNC_SLEEP_TIME_IN_MILLIS_BETWEEN_CYCLE_PARAM);
+ String val = prop.getProperty(UGSYNC_SLEEP_TIME_IN_MILLIS_BETWEEN_CYCLE_PARAM);
 boolean isLdapForce = Boolean.parseBoolean(prop.getProperty(UGSYNC_SLEEP_LDAP_FORCE_TIME_IN_MILLIS_BETWEEN_CYCLE_PARAM_ENABLED));
 String className = getUserGroupSource().getClass().getName();
 if (val == null) {
@@ -427,7 +457,7 @@ public long getSleepTimeInMillisBetweenCycle() throws Throwable {
 if (LGSYNC_SOURCE_CLASS.equals(className)) {
 if (isLdapForce && ret < UGSYNC_SLEEP_TIME_IN_MILLIS_BETWEEN_CYCLE_LDAP_DEFAULT_VALUE) {
 minInterval = ret;
- LOG.info("If you force the synchronization time of ldap users to be less than the default of 3600s, this setting [{}] millisec will take effect", minInterval);
+ LOG.info("If you force the synchronization time of ldap users to be less than the default of 3600s, this setting [{}] millisecond will take effect", minInterval);
 } else {
 minInterval = UGSYNC_SLEEP_TIME_IN_MILLIS_BETWEEN_CYCLE_LDAP_DEFAULT_VALUE;
 }
@@ -437,7 +467,7 @@ public long getSleepTimeInMillisBetweenCycle() throws Throwable {
 minInterval = UGSYNC_SLEEP_TIME_IN_MILLIS_BETWEEN_CYCLE_MIN_VALUE;
 }
 if ((!isTestRunEnabled()) && (ret < minInterval)) {
- LOG.info("Sleep Time Between Cycle can not be lower than [{}] millisec. resetting to min value.", minInterval);
+ LOG.info("Sleep Time Between Cycle can not be lower than [{}] milli sec. resetting to min value.", minInterval);
 ret = minInterval;
 }
 return ret;
@@ -482,9 +512,6 @@ public String getLdapBindDn() throws Throwable {
 
 public String getLdapBindPassword() {
 //update credential from keystore
- if (prop == null) {
- return null;
- }
 if (prop.containsKey(LGSYNC_LDAP_BIND_KEYSTORE)) {
 String path = prop.getProperty(LGSYNC_LDAP_BIND_KEYSTORE);
 if (path != null) {
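Review bot: The two log messages changed in the -427 and -437 hunks, both in `getSleepTimeInMillisBetweenCycle`, now spell the unit differently, `millisecond` in one and `milli sec.` in the other, and since `minInterval` is a count the singular form is also off. Use the same plural unit in both, e.g. `"... this setting [{}] milliseconds will take effect"` and `"Sleep Time Between Cycle can not be lower than [{}] milliseconds. resetting to min value."`. The method body continues outside these hunks.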
@@ -603,8 +630,8 @@ public Set getGroupNameSet() {
 }
 
 public Set getUserGroupNameAttributeSet() {
- String uga = getUserGroupNameAttribute();
- StringTokenizer st = new StringTokenizer(uga, ",");
+ String uga = getUserGroupNameAttribute();
+ StringTokenizer st = new StringTokenizer(uga, ",");
 Set userGroupNameAttributeSet = new HashSet<>();
 while (st.hasMoreTokens()) {
 userGroupNameAttributeSet.add(st.nextToken().trim());
@@ -617,7 +644,7 @@ public Set getOtherUserAttributes() {
 if (otherAttributes == null || otherAttributes.trim().isEmpty()) {
 otherAttributes = DEFAULT_OTHER_USER_ATTRIBUTES;
 }
- StringTokenizer st = new StringTokenizer(otherAttributes, ",");
+ StringTokenizer st = new StringTokenizer(otherAttributes, ",");
 Set otherUserAttributes = new HashSet<>();
 while (st.hasMoreTokens()) {
 otherUserAttributes.add(st.nextToken().trim());
@@ -681,7 +708,7 @@ public void setPagedResultsEnabled(boolean pagedResultsEnabled) {
 
 public int getPagedResultsSize() {
 int pagedResultsSize;
- String val = prop.getProperty(LGSYNC_PAGED_RESULTS_SIZE);
+ String val = prop.getProperty(LGSYNC_PAGED_RESULTS_SIZE);
 if (val == null || val.trim().isEmpty()) {
 pagedResultsSize = DEFAULT_LGSYNC_PAGED_RESULTS_SIZE;
 } else {
@@ -843,7 +870,7 @@ public Set getOtherGroupAttributes() {
 if (otherAttributes == null || otherAttributes.trim().isEmpty()) {
 otherAttributes = DEFAULT_OTHER_GROUP_ATTRIBUTES;
 }
- StringTokenizer st = new StringTokenizer(otherAttributes, ",");
+ StringTokenizer st = new StringTokenizer(otherAttributes, ",");
 Set otherGroupAttributes = new HashSet<>();
 while (st.hasMoreTokens()) {
 otherGroupAttributes.add(st.nextToken().trim());
@@ -884,13 +911,13 @@ public String getProperty(String aPropertyName, String aDefaultValue) { public String getPolicyMgrPassword() { //update credential from keystore String password; - if (prop != null && prop.containsKey(SYNC_POLICY_MGR_KEYSTORE)) { + if (prop.containsKey(SYNC_POLICY_MGR_KEYSTORE)) { password = prop.getProperty(SYNC_POLICY_MGR_PASSWORD); if (password != null && !password.isEmpty()) { return password; } } - if (prop != null && prop.containsKey(SYNC_POLICY_MGR_KEYSTORE) && prop.containsKey(SYNC_POLICY_MGR_ALIAS)) { + if (prop.containsKey(SYNC_POLICY_MGR_KEYSTORE) && prop.containsKey(SYNC_POLICY_MGR_ALIAS)) { String path = prop.getProperty(SYNC_POLICY_MGR_KEYSTORE); String alias = prop.getProperty(SYNC_POLICY_MGR_ALIAS, "policymgr.user.password"); if (path != null && alias != null) { @@ -916,7 +943,7 @@ public String getPolicyMgrPassword() { public String getPolicyMgrUserName() { String userName = null; - if (prop != null && prop.containsKey(SYNC_POLICY_MGR_USERNAME)) { + if (prop.containsKey(SYNC_POLICY_MGR_USERNAME)) { userName = prop.getProperty(SYNC_POLICY_MGR_USERNAME); } if (userName == null || userName.isEmpty()) { @@ -935,7 +962,7 @@ public int getPolicyMgrRetryIntervalMs() { public String getSyncSource() { String syncSource = null; - if (prop != null && prop.containsKey(SYNC_SOURCE)) { + if (prop.containsKey(SYNC_SOURCE)) { syncSource = prop.getProperty(SYNC_SOURCE); if (syncSource == null || syncSource.trim().isEmpty()) { syncSource = null; @@ -948,7 +975,7 @@ public String getSyncSource() { public String getContextReferral() { String referral = "ignore"; - if (prop != null && prop.containsKey(LGSYNC_REFERRAL)) { + if (prop.containsKey(LGSYNC_REFERRAL)) { referral = prop.getProperty(LGSYNC_REFERRAL); if (referral == null || referral.trim().isEmpty()) { referral = DEFAULT_LGSYNC_REFERRAL; 
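Review bot: The `//update credential from keystore` comment kept at the top of getPolicyMgrPassword no longer describes the method: the first `if` returns the plaintext `SYNC_POLICY_MGR_PASSWORD` property whenever it is non-empty, and the keystore branch below it is consulted only when that property is absent or blank. Since this determines which credential source wins, replace the comment with one that states the precedence, e.g. `// prefer the plaintext password property when set; fall back to the credential keystore`. The keystore lookup itself continues outside the hunk.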
@@ -961,19 +988,17 @@ public String getContextReferral() { public List getAllRegexPatterns(String baseProperty) { List regexPatterns = new ArrayList<>(); - if (prop != null) { - String baseRegex = prop.getProperty(baseProperty); - if (baseRegex == null) { - return regexPatterns; - } - regexPatterns.add(baseRegex); - int i = 1; - String nextRegex = prop.getProperty(baseProperty + "." + i); - while (nextRegex != null) { - regexPatterns.add(nextRegex); - i++; - nextRegex = prop.getProperty(baseProperty + "." + i); - } + String baseRegex = prop.getProperty(baseProperty); + if (baseRegex == null) { + return regexPatterns; + } + regexPatterns.add(baseRegex); + int i = 1; + String nextRegex = prop.getProperty(baseProperty + "." + i); + while (nextRegex != null) { + regexPatterns.add(nextRegex); + i++; + nextRegex = prop.getProperty(baseProperty + "." + i); } return regexPatterns; } @@ -997,7 +1022,7 @@ public String getUserSyncMappingGroupNameHandler() { } public String getGroupRoleRules() { - if (prop != null && prop.containsKey(GROUP_BASED_ROLE_ASSIGNMENT_RULES)) { + if (prop.containsKey(GROUP_BASED_ROLE_ASSIGNMENT_RULES)) { String groupRoleRules = prop.getProperty(GROUP_BASED_ROLE_ASSIGNMENT_RULES); if (StringUtils.isNotBlank(groupRoleRules)) { return groupRoleRules.trim(); @@ -1007,7 +1032,7 @@ public String getGroupRoleRules() { } public String getWhileListUserRoleRules() { - if (prop != null && prop.containsKey(WHITELIST_USER_ROLE_ASSIGNMENT_RULES)) { + if (prop.containsKey(WHITELIST_USER_ROLE_ASSIGNMENT_RULES)) { String whiteListUserRoleRules = prop.getProperty(WHITELIST_USER_ROLE_ASSIGNMENT_RULES); if (StringUtils.isNotBlank(whiteListUserRoleRules)) { return whiteListUserRoleRules.trim(); 
@@ -1017,7 +1042,7 @@ public String getWhileListUserRoleRules() { } public String getUserGroupDelimiter() { - if (prop != null && prop.containsKey(USERS_GROUPS_ASSIGNMENT_LIST_DELIMITER)) { + if (prop.containsKey(USERS_GROUPS_ASSIGNMENT_LIST_DELIMITER)) { String userGroupDelimiter = prop.getProperty(USERS_GROUPS_ASSIGNMENT_LIST_DELIMITER); if (userGroupDelimiter != null && !userGroupDelimiter.isEmpty()) { return userGroupDelimiter; @@ -1027,7 +1052,7 @@ public String getUserGroupDelimiter() { } public String getUserGroupNameDelimiter() { - if (prop != null && prop.containsKey(USERNAME_GROUPNAME_ASSIGNMENT_LIST_DELIMITER)) { + if (prop.containsKey(USERNAME_GROUPNAME_ASSIGNMENT_LIST_DELIMITER)) { String userGroupNameDelimiter = prop.getProperty(USERNAME_GROUPNAME_ASSIGNMENT_LIST_DELIMITER); if (userGroupNameDelimiter != null && !userGroupNameDelimiter.isEmpty()) { return userGroupNameDelimiter; @@ -1051,7 +1076,7 @@ public String getRangerAdminCookieName() { } public String getRoleDelimiter() { - if (prop != null && prop.containsKey(ROLE_ASSIGNMENT_LIST_DELIMITER)) { + if (prop.containsKey(ROLE_ASSIGNMENT_LIST_DELIMITER)) { String roleDelimiter = prop .getProperty(ROLE_ASSIGNMENT_LIST_DELIMITER); if (roleDelimiter != null && !roleDelimiter.isEmpty()) { @@ -1227,7 +1252,7 @@ public String getRegexSeparator() { public boolean isSyncSourceValidationEnabled() { boolean isSyncSourceValidationEnabled = DEFAULT_UGSYNC_SYNC_SOURCE_VALIDATION_ENABLED; - String val = prop.getProperty(UGSYNC_SYNC_SOURCE_VALIDATION_ENABLED); + String val = prop.getProperty(UGSYNC_SYNC_SOURCE_VALIDATION_ENABLED); if (StringUtils.isNotEmpty(val)) { isSyncSourceValidationEnabled = Boolean.parseBoolean(val); } @@ -1242,7 +1267,7 @@ private void init() { } private String getUserGroupSourceClassName() { - String val = prop.getProperty(UGSYNC_SOURCE_CLASS_PARAM); + String val = prop.getProperty(UGSYNC_SOURCE_CLASS_PARAM); String className; String syncSource; 
diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/FileSourceUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/FileSourceUserGroupBuilder.java index 233c9bf197..c0d2738293 100644 --- a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/FileSourceUserGroupBuilder.java +++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/FileSourceUserGroupBuilder.java @@ -55,8 +55,8 @@ public class FileSourceUserGroupBuilder extends AbstractUserGroupSource implemen private String currentSyncSource; private Map> sourceUsers; // Stores username and attr name & value pairs private Map> sourceGroups; // Stores groupname and attr name & value pairs - private Map> sourceGroupUsers; - private Map> user2GroupListMap = new HashMap<>(); + private Map> sourceGroupUsers; + private Map> user2GroupListMap = new HashMap<>(); private UgsyncAuditInfo ugsyncAuditInfo; private FileSyncSourceInfo fileSyncSourceInfo; private int deleteCycles; diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java index 78bb0883b2..704bac323c 100644 --- a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java +++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java 
@@ -62,12 +62,12 @@ public class PolicyMgrUserGroupBuilder extends AbstractUserGroupSource implement private static final Logger LOG = LoggerFactory.getLogger(PolicyMgrUserGroupBuilder.class); /* ***** POST APIs **** */ - private static final String PM_ADD_USERS_URI = "/service/xusers/ugsync/users"; - private static final String PM_ADD_GROUPS_URI = "/service/xusers/ugsync/groups/"; - private static final String PM_ADD_GROUP_USER_LIST_URI = "/service/xusers/ugsync/groupusers"; - private static final String PM_AUDIT_INFO_URI = "/service/xusers/ugsync/auditinfo/"; - private static final String PM_UPDATE_DELETED_USERS_URI = "/service/xusers/ugsync/users/visibility"; - private static final String PM_UPDATE_DELETED_GROUPS_URI = "/service/xusers/ugsync/groups/visibility"; + private static final String PM_ADD_USERS_URI = "/service/xusers/ugsync/users"; + private static final String PM_ADD_GROUPS_URI = "/service/xusers/ugsync/groups/"; + private static final String PM_ADD_GROUP_USER_LIST_URI = "/service/xusers/ugsync/groupusers"; + private static final String PM_AUDIT_INFO_URI = "/service/xusers/ugsync/auditinfo/"; + private static final String PM_UPDATE_DELETED_USERS_URI = "/service/xusers/ugsync/users/visibility"; + private static final String PM_UPDATE_DELETED_GROUPS_URI = "/service/xusers/ugsync/groups/visibility"; /* ******************* */ /* ***** GET APIs **** */ 
@@ -90,8 +90,10 @@ public class PolicyMgrUserGroupBuilder extends AbstractUserGroupSource implement private static final String ISVISIBLE = "1"; private static final String ISHIDDEN = "0"; private static final Pattern USER_OR_GROUP_NAME_VALIDATION_REGEX = Pattern.compile("^([A-Za-z0-9_]|[\u00C0-\u017F])([a-zA-Z0-9\\s,._\\-+/@= ]|[\u00C0-\u017F])+$", Pattern.CASE_INSENSITIVE); - private static String localHostname = "unknown"; - private static String errMsgForInactiveServer = "This userGroupSync server is not in active state. Cannot commit transaction!"; + + private static String localHostname = "unknown"; + private static String errMsgForInactiveServer = "This userGroupSync server is not in active state. Cannot commit transaction!"; + private volatile RangerUgSyncRESTClient ldapUgSyncClient; /* {key: user name in DB} */ private Map userCache; @@ -103,10 +105,10 @@ public class PolicyMgrUserGroupBuilder extends AbstractUserGroupSource implement private Map groupNameMap; /* {key: userDN, value: user name in DB} */ private Map userNameMap; + private Set computeRolesForUsers; private Map deltaGroups; private Map deltaUsers; private Map> deltaGroupUsers; - private Set computeRolesForUsers; private Map deletedGroups; private Map deletedUsers; private int noOfNewUsers; @@ -411,7 +413,8 @@ protected void setUserSyncNameValidationEnabled(String isNameValidationEnabled) private void buildUserGroupInfo() throws Throwable { if (authenticationType != null && AUTH_KERBEROS.equalsIgnoreCase(authenticationType) && SecureClientLogin.isKerberosCredentialExists(principal, keytab)) { LOG.info(String.format("Using principal: %s and keytab: %s", principal, keytab)); - Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules); + + Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules); Boolean isInitDone = Subject.doAs(sub, new PrivilegedAction() { @Override public Boolean run() { 
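Review bot: `errMsgForInactiveServer` is still a mutable `static String` after the re-alignment; unless something reassigns it (nothing in this hunk does), it should be `private static final String ERR_MSG_FOR_INACTIVE_SERVER = "This userGroupSync server is not in active state. Cannot commit transaction!";`, matching the URI constants above it. `localHostname` starts as `"unknown"` and is presumably overwritten later, so it may need to stay assignable, but as a non-volatile static written at runtime its visibility to other threads is unspecified — confirm it is written only during static initialization or by the thread that reads it, and say so in a comment.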
@@ -427,7 +430,7 @@ public Boolean run() { } }); if (isInitDone.booleanValue() == false) { - String msg = ("Failed to build Users and Groups from Ranger admin"); + String msg = "Failed to build Users and Groups from Ranger admin"; LOG.error(msg); throw new Exception(msg); } @@ -440,6 +443,7 @@ public Boolean run() { private void buildGroupList() throws Throwable { LOG.debug("==> PolicyMgrUserGroupBuilder.buildGroupList()"); + int totalCount = 100; int retrievedCount = 0; @@ -465,9 +469,9 @@ private void buildGroupList() throws Throwable { } } LOG.debug(String.format("REST response from %s : %s", PM_GROUP_LIST_URI, response)); - GetXGroupListResponse groupList = JsonUtils.jsonToObject(response, GetXGroupListResponse.class); - totalCount = groupList.getTotalCount(); + GetXGroupListResponse groupList = JsonUtils.jsonToObject(response, GetXGroupListResponse.class); + totalCount = groupList.getTotalCount(); if (groupList.getXgroupInfoList() != null) { for (XGroupInfo g : groupList.getXgroupInfoList()) { @@ -513,8 +517,9 @@ private void buildUserList() throws Throwable { } LOG.debug(String.format("REST response from %s : %s", PM_USER_LIST_URI, response)); + GetXUserListResponse userList = JsonUtils.jsonToObject(response, GetXUserListResponse.class); - totalCount = userList.getTotalCount(); + totalCount = userList.getTotalCount(); if (userList.getXuserInfoList() != null) { for (XUserInfo u : userList.getXuserInfoList()) { @@ -551,6 +556,7 @@ private void buildGroupUserLinkList() throws Throwable { } } LOG.debug(String.format("REST response from %s : %s", PM_GET_ALL_GROUP_USER_MAP_LIST_URI, response)); + groupUsersCache = JsonUtils.jsonToObject(response, Map.class); if (MapUtils.isEmpty(groupUsersCache)) { groupUsersCache = new HashMap<>(); 
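Review bot: `if (isInitDone.booleanValue() == false)` survives in this hunk's context while the commit is applying IntelliJ suggestions around it; `if (!isInitDone)` is the idiomatic form and behaves the same, since both unbox. The raw `throw new Exception(msg)` on the following line is also what such a pass normally flags; if callers do not depend on the exact type, `IllegalStateException` would let them catch something narrower than `Throwable`. buildUserGroupInfo starts before this hunk.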
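Review bot: `LOG.debug(String.format("REST response from %s : %s", PM_GROUP_LIST_URI, response))` formats the entire response body even when debug logging is disabled; the same pattern appears in the buildUserList and buildGroupUserLinkList hunks on this line, in the updateUsersRoles hunk (`Paged RoleAssignments Request to %s: %s`) and in getDeletedUsers further down. Use the parameterized form this file already uses elsewhere, `LOG.debug("REST response from {} : {}", PM_GROUP_LIST_URI, response);`, so the string is only built when the level is enabled. Note that these statements write the full user and group payloads to the log at debug level; that is existing behavior, but worth a one-line comment so nobody enables debug on a production ugsync without expecting it.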
@@ -925,19 +931,22 @@ public Integer run() { private int getUsers(GetXUserListResponse xUserList) throws Throwable { LOG.debug("==> PolicyMgrUserGroupBuilder.getUsers()"); + int ret = 0; int totalCount = xUserList.getTotalCount(); int uploadedCount = 0; int pageSize = Integer.parseInt(recordsToPullPerCall); + while (uploadedCount < totalCount) { checkStatus(); GetXUserListResponse pagedXUserList = new GetXUserListResponse(); int pagedXUserListLen = uploadedCount + pageSize; - pagedXUserList.setXuserInfoList(xUserList.getXuserInfoList().subList(uploadedCount, - pagedXUserListLen > totalCount ? totalCount : pagedXUserListLen)); + + pagedXUserList.setXuserInfoList(xUserList.getXuserInfoList().subList(uploadedCount, pagedXUserListLen > totalCount ? totalCount : pagedXUserListLen)); pagedXUserList.setTotalCount(pageSize); if (pagedXUserList.getXuserInfoList().isEmpty()) { LOG.info("PolicyMgrUserGroupBuilder.getUsers() done updating users"); + return 1; } @@ -1028,8 +1037,8 @@ private int getGroups(GetXGroupListResponse xGroupList) throws Throwable { checkStatus(); GetXGroupListResponse pagedXGroupList = new GetXGroupListResponse(); int pagedXGroupListLen = uploadedCount + pageSize; - pagedXGroupList.setXgroupInfoList(xGroupList.getXgroupInfoList().subList(uploadedCount, - pagedXGroupListLen > totalCount ? totalCount : pagedXGroupListLen)); + + pagedXGroupList.setXgroupInfoList(xGroupList.getXgroupInfoList().subList(uploadedCount, pagedXGroupListLen > totalCount ? totalCount : pagedXGroupListLen)); pagedXGroupList.setTotalCount(pageSize); String response = getDataFromLdap(PM_ADD_GROUPS_URI, pagedXGroupList); 
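Review bot: The re-joined `subList(uploadedCount, pagedXUserListLen > totalCount ? totalCount : pagedXUserListLen)` is now roughly 170 columns wide and still spells out a minimum by hand; `Math.min(pagedXUserListLen, totalCount)` says the same thing and fits on a normal line. The identical expression is in getGroups (next hunk), getGroupUsers and updateUsersRoles, so a small helper such as `private static int pageEnd(int uploadedCount, int pageSize, int totalCount)` would remove the four copies. `pagedXUserList.setTotalCount(pageSize)` on the next line sets the page's total to the page size rather than to the number of entries actually in the sublist; if that is what the server API expects, a one-line comment would keep the next reader from "fixing" it. The increment of `uploadedCount` that terminates the loop is outside the hunk.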
@@ -1094,10 +1103,10 @@ private int getGroupUsers(List groupUserInfoList) throws Throwabl while (uploadedCount < totalCount) { checkStatus(); - int pagedGroupUserInfoListLen = uploadedCount + pageSize; + int pagedGroupUserInfoListLen = uploadedCount + pageSize; List pagedGroupUserInfoList = groupUserInfoList.subList(uploadedCount, pagedGroupUserInfoListLen > totalCount ? totalCount : pagedGroupUserInfoListLen); + String response = getDataFromLdap(PM_ADD_GROUP_USER_LIST_URI, pagedGroupUserInfoList); - String response = getDataFromLdap(PM_ADD_GROUP_USER_LIST_URI, pagedGroupUserInfoList); if (StringUtils.isNotEmpty(response)) { try { ret = Integer.valueOf(response); 
@@ -1153,20 +1162,22 @@ private String updateUsersRoles(UsersGroupRoleAssignments ugRoleAssignments) { checkStatus(); int pagedUgRoleAssignmentsListLen = uploadedCount + pageSize; UsersGroupRoleAssignments pagedUgRoleAssignmentsList = new UsersGroupRoleAssignments(); - pagedUgRoleAssignmentsList.setUsers(ugRoleAssignments.getUsers().subList(uploadedCount, - pagedUgRoleAssignmentsListLen > totalCount ? totalCount : pagedUgRoleAssignmentsListLen)); + + pagedUgRoleAssignmentsList.setUsers(ugRoleAssignments.getUsers().subList(uploadedCount, pagedUgRoleAssignmentsListLen > totalCount ? totalCount : pagedUgRoleAssignmentsListLen)); pagedUgRoleAssignmentsList.setGroupRoleAssignments(ugRoleAssignments.getGroupRoleAssignments()); pagedUgRoleAssignmentsList.setUserRoleAssignments(ugRoleAssignments.getUserRoleAssignments()); pagedUgRoleAssignmentsList.setWhiteListGroupRoleAssignments(ugRoleAssignments.getWhiteListGroupRoleAssignments()); pagedUgRoleAssignmentsList.setWhiteListUserRoleAssignments(ugRoleAssignments.getWhiteListUserRoleAssignments()); pagedUgRoleAssignmentsList.setReset(ugRoleAssignments.isReset()); + if ((uploadedCount + pageSize) >= totalCount) { // this is the last iteration of the loop pagedUgRoleAssignmentsList.setLastPage(true); } ClientResponse clientRes; - String url = PM_UPDATE_USERS_ROLES_URI; + String url = PM_UPDATE_USERS_ROLES_URI; String jsonString = JsonUtils.objectToJson(pagedUgRoleAssignmentsList); + LOG.debug(String.format("Paged RoleAssignments Request to %s: %s", url, jsonString)); if (isRangerCookieEnabled) { 
@@ -1345,8 +1356,7 @@ private String tryUploadEntityWithCred(Object obj, String apiURL) { } } } - if (clientResp.getStatus() != HttpServletResponse.SC_OK && clientResp.getStatus() != HttpServletResponse.SC_NO_CONTENT - && clientResp.getStatus() != HttpServletResponse.SC_BAD_REQUEST) { + if (clientResp.getStatus() != HttpServletResponse.SC_OK && clientResp.getStatus() != HttpServletResponse.SC_NO_CONTENT && clientResp.getStatus() != HttpServletResponse.SC_BAD_REQUEST) { sessionId = null; isValidRangerCookie = false; } @@ -1387,8 +1397,7 @@ private String tryGetEntityWithCred(String apiURL, int retrievedCount) { } } } - if (clientResp.getStatus() != HttpServletResponse.SC_OK && clientResp.getStatus() != HttpServletResponse.SC_NO_CONTENT - && clientResp.getStatus() != HttpServletResponse.SC_BAD_REQUEST) { + if (clientResp.getStatus() != HttpServletResponse.SC_OK && clientResp.getStatus() != HttpServletResponse.SC_NO_CONTENT && clientResp.getStatus() != HttpServletResponse.SC_BAD_REQUEST) { sessionId = null; isValidRangerCookie = false; } @@ -1451,6 +1460,7 @@ private void getRoleForUserGroups(String userGroupRolesData, Map String roleDelimiter = config.getRoleDelimiter(); String userGroupDelimiter = config.getUserGroupDelimiter(); String userNameDelimiter = config.getUserGroupNameDelimiter(); + roleDelimiter = StringUtils.isEmpty(roleDelimiter) ? "&" : roleDelimiter; userGroupDelimiter = StringUtils.isEmpty(userGroupDelimiter) ? ":" : userGroupDelimiter; userNameDelimiter = StringUtils.isEmpty(userNameDelimiter) ? "," : userNameDelimiter; 
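Review bot: The status check collapsed onto one line here is duplicated verbatim in tryGetEntityWithCred (the next hunk); a helper such as `private static boolean isCookieSessionUsable(int status)` returning true for SC_OK, SC_NO_CONTENT and SC_BAD_REQUEST would keep the two in step and shorten both lines. Treating SC_BAD_REQUEST as evidence that the Ranger cookie session is still valid is existing behavior, but it is not obvious why a 400 should leave `sessionId` and `isValidRangerCookie` untouched, so the helper is the natural place for a comment explaining it. Both enclosing methods start before their hunks.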
@@ -1649,10 +1659,7 @@ private int updateDeletedUsers() throws Throwable { LOG.debug("==> PolicyMgrUserGroupBuilder.updateDeletedUsers({})", deletedUsers); int ret = 0; - if (authenticationType != null - && AUTH_KERBEROS.equalsIgnoreCase(authenticationType) - && SecureClientLogin.isKerberosCredentialExists(principal, - keytab)) { + if (authenticationType != null && AUTH_KERBEROS.equalsIgnoreCase(authenticationType) && SecureClientLogin.isKerberosCredentialExists(principal, keytab)) { try { Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules); ret = Subject.doAs(sub, new PrivilegedAction() { @@ -1679,6 +1686,7 @@ public Integer run() { private int getDeletedUsers() throws Throwable { LOG.debug("==> PolicyMgrUserGroupBuilder.getDeletedUsers()"); + checkStatus(); int ret = 0; String response = null; @@ -1696,7 +1704,9 @@ private int getDeletedUsers() throws Throwable { LOG.error("Failed to get response, Error is : ", t); } } + LOG.debug(String.format("REST response from %s : %s", PM_UPDATE_DELETED_USERS_URI, response)); + if (response != null) { try { ret = Integer.valueOf(response); diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/UnixUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/UnixUserGroupBuilder.java index a29bb5730c..7b28c551c6 100644 --- a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/UnixUserGroupBuilder.java +++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/UnixUserGroupBuilder.java 
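Review bot: The condition joined onto one line here, `authenticationType != null && AUTH_KERBEROS.equalsIgnoreCase(authenticationType) && SecureClientLogin.isKerberosCredentialExists(principal, keytab)`, is the same one used in buildUserGroupInfo earlier in the diff; `AUTH_KERBEROS.equalsIgnoreCase(null)` already returns false, so the null check is redundant and the whole expression is a candidate for `private boolean isKerberosLoginConfigured()`. Each caller then performs a fresh `SecureClientLogin.loginUserFromKeytab` inside a `PrivilegedAction`; that is unchanged by this commit, but a shared helper is also where a comment should say that the Subject is created per call rather than cached, since that affects how often the keytab is read.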
@@ -57,35 +57,30 @@ public class UnixUserGroupBuilder implements UserGroupSource { static final String LINUX_GET_GROUP_CMD = "getent group %s"; // mainly for testing purposes, there might be a better way - static final String MAC_GET_ALL_USERS_CMD = "dscl . -readall /Users UniqueID PrimaryGroupID | " + - "awk 'BEGIN { OFS = \":\"; ORS=\"\\n\"; i=0;}" + - "/RecordName: / {name = $2;i = 0;}/PrimaryGroupID: / {gid = $2;}" + - "/^ / {if (i == 0) { i++; name = $1;}}" + - "/UniqueID: / {uid = $2;print name, \"*\", gid, uid;}'"; - static final String MAC_GET_ALL_GROUPS_CMD = "dscl . -list /Groups PrimaryGroupID | " + - "awk -v OFS=\":\" '{print $1, \"*\", $2, \"\"}'"; - static final String MAC_GET_GROUP_CMD = "dscl . -read /Groups/%1$s | paste -d, -s - | sed -e 's/:/|/g' | " + - "awk -v OFS=\":\" -v ORS=\"\\n\" -F, '{print \"%1$s\",\"*\",$6,$4}' | " + - "sed -e 's/:[^:]*| /:/g' | sed -e 's/ /,/g'"; - static final String BACKEND_PASSWD = "passwd"; + static final String MAC_GET_ALL_USERS_CMD = "dscl . -readall /Users UniqueID PrimaryGroupID | awk 'BEGIN { OFS = \":\"; ORS=\"\\n\"; i=0;}/RecordName: / {name = $2;i = 0;}/PrimaryGroupID: / {gid = $2;}/^ / {if (i == 0) { i++; name = $1;}}/UniqueID: / {uid = $2;print name, \"*\", gid, uid;}'"; + static final String MAC_GET_ALL_GROUPS_CMD = "dscl . -list /Groups PrimaryGroupID | awk -v OFS=\":\" '{print $1, \"*\", $2, \"\"}'"; + static final String MAC_GET_GROUP_CMD = "dscl . 
-read /Groups/%1$s | paste -d, -s - | sed -e 's/:/|/g' | awk -v OFS=\":\" -v ORS=\"\\n\" -F, '{print \"%1$s\",\"*\",$6,$4}' | sed -e 's/:[^:]*| /:/g' | sed -e 's/ /,/g'"; + static final String BACKEND_PASSWD = "passwd"; + + private final boolean enumerateGroupMembers; + private final UserGroupSyncConfig config = UserGroupSyncConfig.getInstance(); + private final int minimumUserId; + private final int minimumGroupId; + private final String unixPasswordFile; + private final String unixGroupFile; + private final long timeout; + Set allGroups = new HashSet<>(); private boolean useNss; - private final boolean enumerateGroupMembers; private boolean isUpdateSinkSucc = true; - private final UserGroupSyncConfig config = UserGroupSyncConfig.getInstance(); - private Map groupId2groupNameMap; + private Map groupId2groupNameMap; private Map> sourceUsers; // Stores username and attr name & value pairs private Map> sourceGroups; // Stores groupname and attr name & value pairs - private Map> sourceGroupUsers; - private Table groupUserTable; // groupname, username, group id - private final String unixPasswordFile; - private final String unixGroupFile; + private Map> sourceGroupUsers; + private Table groupUserTable; // groupname, username, group id private String currentSyncSource; private int deleteCycles; - private final int minimumUserId; - private final int minimumGroupId; private long lastUpdateTime; - private final long timeout; private long passwordFileModifiedAt; private long groupFileModifiedAt; private UgsyncAuditInfo ugsyncAuditInfo; 
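Review bot: Joining MAC_GET_ALL_USERS_CMD and MAC_GET_GROUP_CMD into single literals of roughly 300 columns makes the embedded awk and sed programs harder to review than the concatenated form they replace; if this module targets Java 15 or later, a text block keeps one constant per command without losing the line structure, otherwise the `+` concatenation was the more readable choice. Independently of formatting, MAC_GET_GROUP_CMD and LINUX_GET_GROUP_CMD substitute a group name into a shell pipeline through `%1$s`/`%s`; the code that formats and executes them is outside this hunk, so please confirm that the value is restricted to ordinary group-name characters before it is substituted, and add a comment at the constants stating that requirement so future callers see it.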
@@ -99,13 +94,10 @@ public UnixUserGroupBuilder() { minimumGroupId = Integer.parseInt(config.getMinGroupId()); unixPasswordFile = config.getUnixPasswordFile(); unixGroupFile = config.getUnixGroupFile(); - - if (LOG.isDebugEnabled()) { - LOG.debug("Minimum UserId: {}, minimum GroupId: {}", minimumUserId, minimumGroupId); - } - - timeout = config.getUpdateMillisMin(); + timeout = config.getUpdateMillisMin(); enumerateGroupMembers = config.isGroupEnumerateEnabled(); + + LOG.debug("Minimum UserId: {}, minimum GroupId: {}", minimumUserId, minimumGroupId); } public static void main(String[] args) throws Throwable { diff --git a/ugsync/src/main/java/org/apache/ranger/usergroupsync/RegEx.java b/ugsync/src/main/java/org/apache/ranger/usergroupsync/RegEx.java index d991f856e5..aecb59dcd0 100644 --- a/ugsync/src/main/java/org/apache/ranger/usergroupsync/RegEx.java +++ b/ugsync/src/main/java/org/apache/ranger/usergroupsync/RegEx.java @@ -27,8 +27,8 @@ import java.util.regex.Pattern; public class RegEx extends AbstractMapper { - private UserGroupSyncConfig config = UserGroupSyncConfig.getInstance(); - private LinkedHashMap replacementPattern; + private final UserGroupSyncConfig config = UserGroupSyncConfig.getInstance(); + private LinkedHashMap replacementPattern; public LinkedHashMap getReplacementPattern() { return replacementPattern; diff --git a/ugsync/src/main/java/org/apache/ranger/usergroupsync/UserSyncMetricsProducer.java b/ugsync/src/main/java/org/apache/ranger/usergroupsync/UserSyncMetricsProducer.java index e3af416c6c..8a7f220d54 100644 --- a/ugsync/src/main/java/org/apache/ranger/usergroupsync/UserSyncMetricsProducer.java +++ b/ugsync/src/main/java/org/apache/ranger/usergroupsync/UserSyncMetricsProducer.java @@ -29,6 +29,7 @@ public class UserSyncMetricsProducer implements Runnable { private static final Logger LOG = LoggerFactory.getLogger(UserSyncMetricsProducer.class); + private boolean shutdownFlag; public static void main(String[] args) { 
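Review bot: `shutdownFlag` in the UserSyncMetricsProducer hunk is a plain `boolean` on a `Runnable`; if it is polled by the metrics thread and set from another, which is the usual shape for a shutdown flag but its uses are outside the hunk, it needs to be `volatile` or the polling loop may never observe the write. If it is only touched from one thread, a comment saying so would save the next reader the same question.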
diff --git a/ugsync/src/test/java/org/apache/ranger/unixusersync/process/TestFileSourceUserGroupBuilder.java b/ugsync/src/test/java/org/apache/ranger/unixusersync/process/TestFileSourceUserGroupBuilder.java index dcedbb183d..08466d6881 100644 --- a/ugsync/src/test/java/org/apache/ranger/unixusersync/process/TestFileSourceUserGroupBuilder.java +++ b/ugsync/src/test/java/org/apache/ranger/unixusersync/process/TestFileSourceUserGroupBuilder.java @@ -26,7 +26,7 @@ import static org.junit.Assert.assertTrue; public class TestFileSourceUserGroupBuilder { - private UserGroupSyncConfig config = UserGroupSyncConfig.getInstance(); + private final UserGroupSyncConfig config = UserGroupSyncConfig.getInstance(); @Test public void testUpdateSinkFromCsvFile() throws Throwable { diff --git a/ugsync/src/test/java/org/apache/ranger/usergroupsync/PolicyMgrUserGroupBuilderTest.java b/ugsync/src/test/java/org/apache/ranger/usergroupsync/PolicyMgrUserGroupBuilderTest.java index 7897439050..bbc8374160 100644 --- a/ugsync/src/test/java/org/apache/ranger/usergroupsync/PolicyMgrUserGroupBuilderTest.java +++ b/ugsync/src/test/java/org/apache/ranger/usergroupsync/PolicyMgrUserGroupBuilderTest.java @@ -39,7 +39,7 @@ public PolicyMgrUserGroupBuilderTest() { } @Override - public void init() throws Throwable { + public void init() { allGroups = new HashSet<>(); allUsers = new HashSet<>(); groupUsers = new HashMap<>(); 
@@ -48,16 +48,16 @@ public void init() throws Throwable { } @Override - public void addOrUpdateUsersGroups(Map> sourceGroups, Map> sourceUsers, Map> sourceGroupUsers, boolean computeDeletes) throws Throwable { - for (String userdn : sourceUsers.keySet()) { - String username = userNameTransform(sourceUsers.get(userdn).get("original_name")); + public void addOrUpdateUsersGroups(Map> sourceGroups, Map> sourceUsers, Map> sourceGroupUsers, boolean computeDeletes) { + for (String userDn : sourceUsers.keySet()) { + String username = userNameTransform(sourceUsers.get(userDn).get("original_name")); allUsers.add(username); if (!isValidString(username)) { invalidUsers.add(username); } } - for (String groupdn : sourceGroups.keySet()) { - String groupname = groupNameTransform(sourceGroups.get(groupdn).get("original_name")); + for (String groupDn : sourceGroups.keySet()) { + String groupname = groupNameTransform(sourceGroups.get(groupDn).get("original_name")); allGroups.add(groupname); if (!isValidString(groupname)) { invalidGroups.add(groupname); diff --git a/ugsync/src/test/java/org/apache/ranger/usergroupsync/TestRegEx.java b/ugsync/src/test/java/org/apache/ranger/usergroupsync/TestRegEx.java index 560615a46d..7e9856c3af 100644 --- a/ugsync/src/test/java/org/apache/ranger/usergroupsync/TestRegEx.java +++ b/ugsync/src/test/java/org/apache/ranger/usergroupsync/TestRegEx.java 
@@ -38,22 +38,22 @@ public class TestRegEx { List groupRegexPatterns; @Before - public void setUp() throws Exception { + public void setUp() { userNameRegEx = new RegEx(); groupNameRegEx = new RegEx(); - userRegexPatterns = new ArrayList(); - groupRegexPatterns = new ArrayList(); + userRegexPatterns = new ArrayList<>(); + groupRegexPatterns = new ArrayList<>(); } @Test - public void testUserNameTransform() throws Throwable { + public void testUserNameTransform() { userRegexPatterns.add("s/\\s/_/"); userNameRegEx.populateReplacementPatterns(userNameBaseProperty, userRegexPatterns, mappingSeparator); assertEquals("test_user", userNameRegEx.transform("test user")); } @Test - public void testGroupNameTransform() throws Throwable { + public void testGroupNameTransform() { groupRegexPatterns.add("s/\\s/_/g"); groupRegexPatterns.add("s/_/\\$/g"); groupNameRegEx.populateReplacementPatterns(groupNameBaseProperty, groupRegexPatterns, mappingSeparator); @@ -67,7 +67,7 @@ public void testEmptyTransform() { } @Test - public void testTransform() throws Throwable { + public void testTransform() { userRegexPatterns.add("s/\\s/_/g"); groupRegexPatterns.add("s/\\s/_/g"); userNameRegEx.populateReplacementPatterns(userNameBaseProperty, userRegexPatterns, mappingSeparator); @@ -77,7 +77,7 @@ public void testTransform() throws Throwable { } @Test - public void testTransform1() throws Throwable { + public void testTransform1() { userRegexPatterns.add("s/\\\\/ /g"); userRegexPatterns.add("s//_/g"); userNameRegEx.populateReplacementPatterns(userNameBaseProperty, userRegexPatterns, mappingSeparator); 
@@ -90,10 +90,10 @@ public void testTransform1() throws Throwable { } @Test - public void testTransformWithSeparators() throws Throwable { + public void testTransformWithSeparators() { String[] separators = {"%", "#", "&", "!", "@", "-", "~", "=", ",", " "}; for (String separator : separators) { - userRegexPatterns = new ArrayList(); + userRegexPatterns = new ArrayList<>(); userRegexPatterns.add(String.format("s%sdark%sDE/dark%sg", separator, separator, separator)); userNameRegEx.populateReplacementPatterns(userNameBaseProperty, userRegexPatterns, separator); assertEquals("DE/dark_knight_admin", userNameRegEx.transform("dark_knight_admin")); @@ -101,7 +101,7 @@ public void testTransformWithSeparators() throws Throwable { } @Test - public void testUsernamePrefix() throws Throwable { + public void testUsernamePrefix() { // appends PR/ to the beginning String separator = "#"; userRegexPatterns = Collections.singletonList("s#^(.*)#PR/$1#g"); @@ -113,7 +113,7 @@ public void testUsernamePrefix() throws Throwable { } @Test - public void testUsernameSuffix() throws Throwable { + public void testUsernameSuffix() { // appends _ty to the end String separator = "#"; userRegexPatterns = Collections.singletonList("s#^(.*)#$1_ty#g"); diff --git a/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/PamLoginModule.java b/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/PamLoginModule.java index 7b33823787..84d8a7ff73 100644 --- a/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/PamLoginModule.java +++ b/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/PamLoginModule.java @@ -42,6 +42,7 @@ public class PamLoginModule implements LoginModule { public static final String SERVICE_KEY = "ranger.pam.service"; + private PAM pam; private Subject subject; private CallbackHandler callbackHandler; 
diff --git a/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/PamPrincipal.java b/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/PamPrincipal.java index 969323b035..c6fb51c1a1 100644 --- a/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/PamPrincipal.java +++ b/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/PamPrincipal.java @@ -26,13 +26,13 @@ import java.util.Set; public class PamPrincipal implements Principal { - private String userName; - private String gecos; - private String homeDir; - private String shell; - private int uid; - private int gid; - private Set groups; + private final String userName; + private final String gecos; + private final String homeDir; + private final String shell; + private final Set groups; + private final int uid; + private final int gid; public PamPrincipal(UnixUser user) { super(); diff --git a/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/RemoteUnixLoginModule.java b/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/RemoteUnixLoginModule.java index 57bb32412b..7c3c1f6b0e 100644 --- a/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/RemoteUnixLoginModule.java +++ b/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/RemoteUnixLoginModule.java @@ -46,7 +46,6 @@ import java.net.Socket; import java.security.KeyStore; import java.security.SecureRandom; -import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.util.Arrays; import java.util.Map; 
@@ -64,6 +63,7 @@ public class RemoteUnixLoginModule implements LoginModule { private static final String SERVER_CERT_VALIDATION_PARAM = "ranger.unixauth.server.cert.validation"; private static final String JAAS_ENABLED_PARAM = "ranger.unixauth.remote.login.enabled"; private static final String SSL_ALGORITHM = "TLSv1.2"; + private String userName; private String remoteHostName; private String loginGroups; @@ -194,11 +194,7 @@ public void initParams(Properties options) { } val = (String) options.get(DEBUG_PARAM); - if (val != null && (!val.equalsIgnoreCase("false"))) { - debug = true; - } else { - debug = false; - } + debug = val != null && (!val.equalsIgnoreCase("false")); remoteHostName = (String) options.get(REMOTE_LOGIN_HOST_PARAM); log("RemoteHostName:" + remoteHostName); @@ -284,16 +280,8 @@ private String getLoginReplyFromAuthService(String aUserName, char[] modifiedPas if (keyStorePath != null) { KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); - InputStream in = null; - - in = getFileInputStream(keyStorePath); - - try { + try (InputStream in = getFileInputStream(keyStorePath)) { ks.load(in, keyStorePathPassword.toCharArray()); - } finally { - if (in != null) { - in.close(); - } } KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); 
@@ -306,34 +294,26 @@ private String getLoginReplyFromAuthService(String aUserName, char[] modifiedPas
 TrustManager[] tm = null;
 if (serverCertValidation) {
- KeyStore trustStoreKeyStore = null;
+ KeyStore trustStoreKeyStore;
 if (trustStorePath != null) {
 trustStoreKeyStore = KeyStore.getInstance(KeyStore.getDefaultType());
- InputStream in = null;
-
- in = getFileInputStream(trustStorePath);
-
- try {
+ try (InputStream in = getFileInputStream(trustStorePath)) {
 trustStoreKeyStore.load(in, trustStorePathPassword.toCharArray());
 trustManagerFactory.init(trustStoreKeyStore);
 tm = trustManagerFactory.getTrustManagers();
- } finally {
- if (in != null) {
- in.close();
- }
 }
 }
 } else {
 TrustManager ignoreValidationTM = new X509TrustManager() {
- public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+ public void checkClientTrusted(X509Certificate[] chain, String authType) {
 // Ignore Server Certificate Validation
 }
- public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+ public void checkServerTrusted(X509Certificate[] chain, String authType) {
 // Ignore Server Certificate Validation
 }
@@ -359,7 +339,6 @@ public X509Certificate[] getAcceptedIssuers() {
 OutputStreamWriter writer = new OutputStreamWriter(sslsocket.getOutputStream());
 writer.write(loginData);
- writer.flush();
 BufferedReader reader = new BufferedReader(new InputStreamReader(sslsocket.getInputStream()));
@@ -367,7 +346,6 @@ public X509Certificate[] getAcceptedIssuers() {
 ret = reader.readLine();
 reader.close();
- writer.close();
 } finally {
 if (sslsocket != null) {
@@ -386,7 +364,7 @@ public X509Certificate[] getAcceptedIssuers() {
 }
 private InputStream getFileInputStream(String path) throws FileNotFoundException {
- InputStream ret = null;
+ InputStream ret;
 File f = new File(path);
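Review bot: The re-signed `checkServerTrusted` in the `@@ -306` hunk still accepts any certificate chain whenever `serverCertValidation` is false, so the login data written to the socket (presumably including the password, given the `char[]` parameter) goes to an unauthenticated peer; the commit touches the signatures but leaves that consequence undocumented. Add a comment above `TrustManager ignoreValidationTM` such as `// With server cert validation disabled (presumably ranger.unixauth.server.cert.validation=false) no chain or hostname check is done: the peer is unauthenticated and credentials on this socket can be intercepted. Test setups only.` getLoginReplyFromAuthService starts before this hunk.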
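Review bot: Dropping `writer.flush();` in the `@@ -359` hunk means the login request may never leave the client: `OutputStreamWriter` buffers the encoded bytes internally, and nothing else flushes before `reader.readLine()` blocks waiting for a reply, so the call can hang until a socket timeout (if any is set) fires. The companion removal of `writer.close();` in the `@@ -367` hunk takes away the only other point at which the buffer would have been flushed. Restore the flush, `writer.write(loginData); writer.flush();`, or open the writer in a try-with-resources that is closed before the read; note that closing the writer also closes the socket's output stream, so the flush-before-read ordering must be kept. getLoginReplyFromAuthService starts before these hunks and its finally block continues past them.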
diff --git a/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/UnixGroupPrincipal.java b/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/UnixGroupPrincipal.java
index 129330b11f..19ca032871 100644
--- a/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/UnixGroupPrincipal.java
+++ b/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/UnixGroupPrincipal.java
@@ -23,8 +23,9 @@ import java.security.Principal;
 public class UnixGroupPrincipal implements Principal, Serializable {
- private static final long serialVersionUID = 8137147441841439754L;
- private String groupName;
+ private static final long serialVersionUID = 8137147441841439754L;
+
+ private final String groupName;
 public UnixGroupPrincipal(String groupName) {
 this.groupName = groupName;
diff --git a/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/UnixUserPrincipal.java b/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/UnixUserPrincipal.java
index 49da784619..d280e689b6 100644
--- a/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/UnixUserPrincipal.java
+++ b/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/UnixUserPrincipal.java
@@ -23,8 +23,9 @@ import java.security.Principal;
 public class UnixUserPrincipal implements Principal, Serializable {
- private static final long serialVersionUID = -3568658536591178268L;
- private String userName;
+ private static final long serialVersionUID = -3568658536591178268L;
+
+ private final String userName;
 public UnixUserPrincipal(String userName) {
 this.userName = userName;
diff --git a/unixauthservice/src/main/java/org/apache/ranger/authentication/PasswordValidator.java b/unixauthservice/src/main/java/org/apache/ranger/authentication/PasswordValidator.java
index a6d6dd4d92..0df92cafdf 100644
--- a/unixauthservice/src/main/java/org/apache/ranger/authentication/PasswordValidator.java
+++ b/unixauthservice/src/main/java/org/apache/ranger/authentication/PasswordValidator.java
@@ -33,11 +33,9 @@ public class PasswordValidator implements Runnable {
 private static final Logger LOG = LoggerFactory.getLogger(PasswordValidator.class);
- private static String validatorProgram;
- private static List adminUserList;
- private static String adminRoleNames;
+ private static String validatorProgram;
 private Socket client;
@@ -71,7 +69,7 @@ public static void setAdminRoleNames(String adminRoleNames) {
 @Override
 public void run() {
- BufferedReader reader = null;
+ BufferedReader reader;
 PrintWriter writer = null;
 String userName = null;
@@ -95,15 +93,14 @@ public void run() {
 writer.flush();
 LOG.error("Response [{}] for user: {} as ValidatorProgram is not defined in configuration", res, userName);
 } else {
- BufferedReader pReader = null;
- PrintWriter pWriter = null;
+ BufferedReader pReader;
+ PrintWriter pWriter;
 Process p = null;
 try {
 p = Runtime.getRuntime().exec(validatorProgram);
 pReader = new BufferedReader(new InputStreamReader(p.getInputStream()));
-
 pWriter = new PrintWriter(new OutputStreamWriter(p.getOutputStream()));
 pWriter.println(request);
diff --git a/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java b/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
index 97c07072cd..cc9b2497d0 100644
--- a/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
+++ b/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
@@ -54,6 +54,7 @@ public class UnixAuthenticationService {
 private static final Logger LOG = LoggerFactory.getLogger(UnixAuthenticationService.class);
+ private static final String serviceName = "UnixAuthenticationService";
 private static final String SSL_ALGORITHM = "TLSv1.2";
 private static final String REMOTE_LOGIN_AUTH_SERVICE_PORT_PARAM = "ranger.usersync.port";
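Review bot: `BufferedReader pReader;` and `PrintWriter pWriter;` in the `@@ -95` hunk are now definitely-unassigned locals, so if the finally block below (outside this hunk) still closes them behind a null check it will no longer compile, and if that cleanup was dropped instead, the child process's streams leak whenever `exec` or the read fails. The shape consistent with the try-with-resources rewrites elsewhere in this commit is `try (BufferedReader pReader = new BufferedReader(new InputStreamReader(p.getInputStream())); PrintWriter pWriter = new PrintWriter(new OutputStreamWriter(p.getOutputStream()))) {`, which also removes the need for the null initialisers the commit just deleted. While here, both streams are created without a charset, so the validator protocol depends on the platform default; passing `StandardCharsets.UTF_8` to the reader/writer constructors pins it. run() begins before and continues after this hunk.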
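Review bot: `private static final String serviceName = "UnixAuthenticationService";` in the `@@ -54` hunk is a compile-time constant but is named like an instance field, unlike the neighbouring `SSL_ALGORITHM` and `*_PARAM` constants it sits between; rename it `SERVICE_NAME` (its uses are outside this chunk). If it exists only to label log lines, `UnixAuthenticationService.class.getSimpleName()` avoids duplicating the class name in a literal that silently goes stale on rename.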
@@ -69,17 +70,20 @@ public class UnixAuthenticationService {
 private static final String SSL_ENABLED_PARAM = "ranger.usersync.ssl";
 private static final String CREDSTORE_FILENAME_PARAM = "ranger.usersync.credstore.filename";
 private static final String[] UGSYNC_CONFIG_XML_FILES = {"ranger-ugsync-default.xml", "ranger-ugsync-site.xml"};
+ private static boolean enableUnixAuth;
- private String keyStorePath;
- private String keyStoreType;
- private List enabledProtocolsList;
- private List enabledCipherSuiteList;
- private String keyStorePathPassword;
- private String trustStorePath;
- private String trustStorePathPassword;
- private String trustStoreType;
- private List adminUserList = new ArrayList();
- private String adminRoleNames;
+
+ private final List adminUserList = new ArrayList<>();
+
+ private String adminRoleNames;
+ private String keyStorePath;
+ private String keyStorePathPassword;
+ private String keyStoreType;
+ private String trustStorePath;
+ private String trustStorePathPassword;
+ private String trustStoreType;
+ private List enabledProtocolsList;
+ private List enabledCipherSuiteList;
 private UserSyncHAInitializerImpl userSyncHAInitializerImpl;
 private int portNum;
 private boolean sslEnabled;
@@ -88,7 +92,7 @@ public UnixAuthenticationService() {
 }
 public static void main(String[] args) {
- enableUnixAuth = Arrays.stream(args).anyMatch(arg -> "-enableUnixAuth".equalsIgnoreCase(arg));
+ enableUnixAuth = Arrays.stream(args).anyMatch("-enableUnixAuth"::equalsIgnoreCase);
 UnixAuthenticationService service = new UnixAuthenticationService();
 service.userSyncHAInitializerImpl = UserSyncHAInitializerImpl.getInstance(UserGroupSyncConfig.getInstance().getUserGroupConfig());
 service.run();
@@ -125,19 +129,11 @@ public void startService() throws Throwable {
 if (keyStorePath != null && !keyStorePath.isEmpty()) {
 KeyStore ks = KeyStore.getInstance(keyStoreType);
- InputStream in = null;
-
- in = getFileInputStream(keyStorePath);
-
- try {
+ try (InputStream in = getFileInputStream(keyStorePath)) {
 if (keyStorePathPassword == null) {
 keyStorePathPassword = "";
 }
 ks.load(in, keyStorePathPassword.toCharArray());
- } finally {
- if (in != null) {
- in.close();
- }
 }
 KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
@@ -152,19 +148,11 @@ public void startService() throws Throwable {
 if (trustStorePath != null && !trustStorePath.isEmpty()) {
 trustStoreKeyStore = KeyStore.getInstance(trustStoreType);
- InputStream in = null;
-
- in = getFileInputStream(trustStorePath);
-
- try {
+ try (InputStream in = getFileInputStream(trustStorePath)) {
 if (trustStorePathPassword == null) {
 trustStorePathPassword = "";
 }
 trustStoreKeyStore.load(in, trustStorePathPassword.toCharArray());
- } finally {
- if (in != null) {
- in.close();
- }
 }
 }
@@ -182,7 +170,7 @@ public void startService() throws Throwable {
 if (sslEnabled) {
 SSLServerSocket secureSocket = (SSLServerSocket) socket;
 String[] protocols = secureSocket.getEnabledProtocols();
- Set allowedProtocols = new HashSet();
+ Set allowedProtocols = new HashSet<>();
 for (String ep : protocols) {
 if (enabledProtocolsList.contains(ep.toUpperCase())) {
 LOG.info("Enabling Protocol: [{}]", ep);
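Review bot: `Set allowedProtocols = new HashSet<>();` in the `@@ -182` hunk pairs a raw declared type with the diamond, so inference yields `HashSet<Object>` and the raw-type warning the change was presumably meant to silence is still there; declare it `Set<String> allowedProtocols = new HashSet<>();`. The same applies to `Set allowedCipherSuites = new HashSet<>();` in the `@@ -196` hunk that follows, and the raw `List` fields `enabledProtocolsList`/`enabledCipherSuiteList` these sets are compared against would benefit from `List<String>` as well. startService() begins before and continues after these hunks.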
@@ -196,17 +184,13 @@ public void startService() throws Throwable {
 secureSocket.setEnabledProtocols(allowedProtocols.toArray(new String[0]));
 }
 String[] enabledCipherSuites = secureSocket.getEnabledCipherSuites();
- Set allowedCipherSuites = new HashSet();
+ Set allowedCipherSuites = new HashSet<>();
 for (String enabledCipherSuite : enabledCipherSuites) {
 if (enabledCipherSuiteList.contains(enabledCipherSuite)) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Enabling CipherSuite : [{}]", enabledCipherSuite);
- }
+ LOG.debug("Enabling CipherSuite : [{}]", enabledCipherSuite);
 allowedCipherSuites.add(enabledCipherSuite);
 } else {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Disabling CipherSuite : [{}]", enabledCipherSuite);
- }
+ LOG.debug("Disabling CipherSuite : [{}]", enabledCipherSuite);
 }
 }
 if (!allowedCipherSuites.isEmpty()) {
@@ -214,7 +198,7 @@ public void startService() throws Throwable {
 }
 }
- Socket client = null;
+ Socket client;
 try {
 while ((client = socket.accept()) != null) {
@@ -234,12 +218,15 @@ private void startUnixUserGroupSyncProcess() {
 UserGroupSync syncProc = new UserGroupSync();
 Thread newSyncProcThread = new Thread(syncProc);
 newSyncProcThread.setName("UnixUserSyncThread");
- // If this thread is set as daemon, then the entire process will terminate if enableUnixAuth is false
- // Therefore this is marked as non-daemon thread. Don't change the following line
+
+ /* If this thread is set as daemon, then the entire process will terminate if enableUnixAuth is false
+ Therefore this is marked as non-daemon thread. Don't change the following line
+ */
 newSyncProcThread.setDaemon(false);
 newSyncProcThread.start();
 LOG.info("UnixUserSyncThread started");
 LOG.info("creating UserSyncMetricsProducer thread with default metrics location : {}", System.getProperty("logdir"));
+ //Start the user sync metrics
 boolean isUserSyncMetricsEnabled = UserGroupSyncConfig.getInstance().isUserSyncMetricsEnabled();
 if (isUserSyncMetricsEnabled) {
@@ -255,7 +242,7 @@ private void startUnixUserGroupSyncProcess() {
 }
 //TODO: add more validation code
- private void init() throws Throwable {
+ private void init() {
 Properties prop = new Properties();
 for (String fn : UGSYNC_CONFIG_XML_FILES) {
@@ -263,9 +250,8 @@ private void init() throws Throwable {
 }
 String credStoreFileName = prop.getProperty(CREDSTORE_FILENAME_PARAM);
-
- keyStorePath = prop.getProperty(SSL_KEYSTORE_PATH_PARAM);
-
+ keyStorePath = prop.getProperty(SSL_KEYSTORE_PATH_PARAM);
+ trustStorePath = prop.getProperty(SSL_TRUSTSTORE_PATH_PARAM);
 keyStoreType = prop.getProperty(SSL_KEYSTORE_FILE_TYPE_PARAM, KeyStore.getDefaultType());
 trustStoreType = prop.getProperty(SSL_TRUSTSTORE_FILE_TYPE_PARAM, KeyStore.getDefaultType());
@@ -287,19 +273,19 @@ private void init() throws Throwable {
 String crendentialProviderPrefixBcfks = "bcfks://file";
 credStoreFileName = crendentialProviderPrefixBcfks + credStoreFileName;
 }
+
 keyStorePathPassword = CredentialReader.getDecryptedString(credStoreFileName, SSL_KEYSTORE_PATH_PASSWORD_ALIAS, keyStoreType);
 trustStorePathPassword = CredentialReader.getDecryptedString(credStoreFileName, SSL_TRUSTSTORE_PATH_PASSWORD_ALIAS, trustStoreType);
+ portNum = Integer.parseInt(prop.getProperty(REMOTE_LOGIN_AUTH_SERVICE_PORT_PARAM));
+ String validatorProg = prop.getProperty(CRED_VALIDATOR_PROG);
- trustStorePath = prop.getProperty(SSL_TRUSTSTORE_PATH_PARAM);
- portNum = Integer.parseInt(prop.getProperty(REMOTE_LOGIN_AUTH_SERVICE_PORT_PARAM));
- String validatorProg = prop.getProperty(CRED_VALIDATOR_PROG);
 if (validatorProg != null) {
 PasswordValidator.setValidatorProgram(validatorProg);
 }
 String adminUsers = prop.getProperty(ADMIN_USER_LIST_PARAM);
- if (adminUsers != null && adminUsers.trim().length() > 0) {
+ if (adminUsers != null && !adminUsers.trim().isEmpty()) {
 for (String u : adminUsers.split(",")) {
 LOG.info("Adding Admin User: {}", u.trim());
 adminUserList.add(u.trim());
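Review bot: The moved line `portNum = Integer.parseInt(prop.getProperty(REMOTE_LOGIN_AUTH_SERVICE_PORT_PARAM));` in the `@@ -287` hunk still fails with a bare NumberFormatException that does not name the key when `ranger.usersync.port` is absent from the config files, and the `//TODO: add more validation code` kept above init() in the `@@ -255` hunk suggests the gap is known. A guard such as `String port = prop.getProperty(REMOTE_LOGIN_AUTH_SERVICE_PORT_PARAM); if (port == null || port.trim().isEmpty()) { throw new IllegalStateException(REMOTE_LOGIN_AUTH_SERVICE_PORT_PARAM + " is not configured"); }` before the parse gives an actionable startup error. Since the value is presumably used to bind the server socket, rejecting anything outside 1–65535 here is also cheap. init()'s body continues past the end of this hunk.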
@@ -320,12 +306,12 @@ private void init() throws Throwable {
 String defaultEnabledProtocols = "TLSv1.2";
 String enabledProtocols = prop.getProperty("ranger.usersync.https.ssl.enabled.protocols", defaultEnabledProtocols);
 String enabledCipherSuites = prop.getProperty("ranger.usersync.https.ssl.enabled.cipher.suites", "");
- enabledProtocolsList = new ArrayList(Arrays.asList(enabledProtocols.toUpperCase().trim().split("\\s*,\\s*")));
- enabledCipherSuiteList = new ArrayList(Arrays.asList(enabledCipherSuites.toUpperCase().trim().split("\\s*,\\s*")));
+ enabledProtocolsList = new ArrayList<>(Arrays.asList(enabledProtocols.toUpperCase().trim().split("\\s*,\\s*")));
+ enabledCipherSuiteList = new ArrayList<>(Arrays.asList(enabledCipherSuites.toUpperCase().trim().split("\\s*,\\s*")));
 }
 private InputStream getFileInputStream(String path) throws FileNotFoundException {
- InputStream ret = null;
+ InputStream ret;
 File f = new File(path);