RANGER-2617 : Provide descriptive error message when role delete not …
…allowed
NikhilPurbhe committed Oct 17, 2019
1 parent 722a660 commit f11d297
Showing 4 changed files with 60 additions and 0 deletions.
Expand Up @@ -152,6 +152,8 @@ public void deleteRole(String roleName) throws Exception {
throw restErrorUtil.createRESTException("Role with name: " + roleName + " does not exist");
}

ensureRoleDeleteAllowed(roleName);

daoMgr.getXXGlobalState().onGlobalAppDataChange(RANGER_ROLE_GLOBAL_STATE_NAME);

RangerRole role = roleService.read(xxRole.getId());
Expand All @@ -166,6 +168,8 @@ public void deleteRole(String roleName) throws Exception {
public void deleteRole(Long roleId) throws Exception {
RangerRole role = roleService.read(roleId);

ensureRoleDeleteAllowed(role.getName());

daoMgr.getXXGlobalState().onGlobalAppDataChange(RANGER_ROLE_GLOBAL_STATE_NAME);

roleRefUpdater.cleanupRefTables(role);
Expand All @@ -174,6 +178,30 @@ public void deleteRole(Long roleId) throws Exception {
bizUtil.createTrxLog(trxLogList);
}

private void ensureRoleDeleteAllowed(String roleName) throws Exception {
boolean roleNotInPolicy = ensureRoleNotInPolicy(roleName);
if(!roleNotInPolicy) {
throw new Exception("Role '"+ roleName +"' can not be deleted as it is referenced in one or more policies");
}

boolean roleNotInOtherRole = ensureRoleNotInRole(roleName);
if(!roleNotInOtherRole) {
throw new Exception("Role '"+ roleName + "' can not be deleted as it is referenced in one or more other roles");
}
}

private boolean ensureRoleNotInPolicy(String roleName) {
Long roleRefPolicyCount = daoMgr.getXXPolicyRefRole().findRoleRefPolicyCount(roleName);

return roleRefPolicyCount < 1;
}

private boolean ensureRoleNotInRole(String roleName) {
Long roleRefRoleCount = daoMgr.getXXRoleRefRole().findRoleRefRoleCount(roleName);

return roleRefRoleCount < 1;
}

@Override
public RangerRole getRole(Long id) throws Exception {
return roleService.read(id);
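Review bot: The new guard fails open: `ensureRoleNotInPolicy` and `ensureRoleNotInRole` accept any count below 1, and the DAO methods added in this same commit return `-1L` when their query throws, so a failed reference lookup is read as "not referenced" and the delete proceeds. Both helpers should treat a null or negative count as an error rather than as permission, for example `if (roleRefPolicyCount == null || roleRefPolicyCount < 0) { throw restErrorUtil.createRESTException("Could not verify policy references for role: " + roleName); }` followed by `return roleRefPolicyCount == 0;`. Separately, `ensureRoleDeleteAllowed` throws a bare `new Exception(...)` while the not-found branch of `deleteRole(String)` a few lines up uses `restErrorUtil.createRESTException(...)`; using the same call here would presumably keep the error shape consistent for REST callers. The two `deleteRole` bodies start and end outside the hunks shown.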
Expand Up @@ -96,5 +96,17 @@ public List<RangerPolicyRetriever.PolicyTextNameMap> findUpdatedRoleNamesByServi
return ret;
}

public Long findRoleRefPolicyCount(String roleName) {
Long ret = -1L;

try {
ret = getEntityManager().createNamedQuery("XXPolicyRefRole.findRoleRefPolicyCount", Long.class)
.setParameter("roleName", roleName).getSingleResult();
} catch (Exception e) {
}

return ret;
}

}
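Review bot: The empty `catch (Exception e) { }` in `findRoleRefPolicyCount` discards every query failure without logging it and hands back the `-1L` default, so the caller cannot tell a broken lookup from a real count; `findRoleRefRoleCount` in the next file section has the identical block. A `count(...)` query returns one row even when nothing matches, so the catch is not needed for the empty case and the method can reduce to `return getEntityManager().createNamedQuery("XXPolicyRefRole.findRoleRefPolicyCount", Long.class).setParameter("roleName", roleName).getSingleResult();`. If the sentinel has to stay for consistency with other DAO methods in this class, at least log the exception inside the catch so a failed integrity check leaves a trace.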

Expand Up @@ -76,6 +76,18 @@ public List<XXRoleRefRole> findBySubRoleName(String subRoleName) {
}
}

public Long findRoleRefRoleCount(String subRoleName) {
Long ret = -1L;

try {
ret = getEntityManager().createNamedQuery("XXRoleRefRole.findRoleRefRoleCount", Long.class)
.setParameter("subRoleName", subRoleName).getSingleResult();
} catch (Exception e) {
}

return ret;
}

public Set<Long> getContainingRoles(Long subRoleId) {
Set<Long> ret;

Expand Up @@ -1546,6 +1546,11 @@
<query>select obj from XXRoleRefRole obj where obj.subRoleName = :subRoleName </query>
</named-query>

<named-query name="XXRoleRefRole.findRoleRefRoleCount">
<query>select count(obj.roleId) from XXRoleRefRole obj where obj.subRoleName = :subRoleName </query>
</named-query>


<!-- XXPolicyRefRole -->
<named-query name="XXPolicyRefRole.findByPolicyId">
<query>select obj from XXPolicyRefRole obj where obj.policyId = :policyId </query>
Expand Down Expand Up @@ -1574,6 +1579,9 @@
</query>
</named-query>

<named-query name="XXPolicyRefRole.findRoleRefPolicyCount">
<query>select count(obj.policyId) from XXPolicyRefRole obj where obj.roleName = :roleName </query>
</named-query>

<!-- XXTagChangeLog -->
<named-query name="XXTagChangeLog.findSinceVersion">