ranger-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Gautam Borad" <gbo...@gmail.com>
Subject Re: Review Request 39122: RANGER-688 : Handle scenario where ids of XUser and XPortalUser are not in sync
Date Mon, 12 Oct 2015 09:07:01 GMT


> On Oct. 9, 2015, 10:24 p.m., Madhan Neethiraj wrote:
> > Followig two places seem to be inconsistent in assigning to XXUserPermission.userId:
the first one assigns XXUser.id and the second one assigns XXPortalUser.id. Please review.
> > 
> > XUserMgr.java: #272
> >   vXUserPermission.setUserId(xUser.getId());
> > 
> > XUserPermissionServiceBase.java: #53
> >   vObj.setUserId(portalUser.getId());

XUserMgr.java: #272
  vXUserPermission.setUserId(xUser.getId());
>>> From here object is getting created using createResource method of service class,
so as per the implementation while creating object, client/UI/internal code will send xUserId
and at service layer it will be mapped to xPortalUserId.
So this seems correct.

XUserPermissionServiceBase.java: #53
  vObj.setUserId(portalUser.getId());
>>> This is the place where the mapping from xUserId to xPortalUserId happens. As
I mentioned above while creating/updating, UI/client will send xUserId which will be mapped
here to xPortalUserId.


- Gautam


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/39122/#review102121
-----------------------------------------------------------


On Oct. 9, 2015, 9:15 a.m., Gautam Borad wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/39122/
> -----------------------------------------------------------
> 
> (Updated Oct. 9, 2015, 9:15 a.m.)
> 
> 
> Review request for ranger, Alok Lal, Don Bosco Durai, Abhay Kulkarni, Madhan Neethiraj,
Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-688
>     https://issues.apache.org/jira/browse/RANGER-688
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> *Current Implementation:*
> 
> x_user_module_perm.userId refers to x_portal_user.id but while assigning/revoking permissions
using permission model, UI sends userId of x_user table.
> So this is a bug in current implementation because UI sends x_user.id and server assumes
that it's x_portal_user.id and will create permission.
> When IDs of x_user and x_portal_user will not be in sync at that time this may cause
a serious issue.
> 
> *Fix provided in patch:*
> 
> UI will always have x_user/s but on server side x_portal_user/s required. So now we can't
expect UI to send x_portal_user.id in userPermission object so in patch what we have done
is:
> Let UI send x_user.id in userPermission object but on server side it will be mapped to
x_portal_user.id and same when UI is reading permissions, let database return x_portal_user.id
that will be mapped to x_user.id. 
> Due to this UI remains as it is and also, we don't need to change table structure of
x_user_module_perm.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java 5f43bc0 
>   security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java 59e55f3

>   security-admin/src/main/java/org/apache/ranger/db/XXPortalUserDao.java d3467f8 
>   security-admin/src/main/java/org/apache/ranger/db/XXUserDao.java 0887594 
>   security-admin/src/main/java/org/apache/ranger/db/XXUserPermissionDao.java e10dc14

>   security-admin/src/main/java/org/apache/ranger/patch/PatchPersmissionModel_J10003.java
f0aa938 
>   security-admin/src/main/java/org/apache/ranger/service/XUserPermissionService.java
3ff9c8d 
>   security-admin/src/main/java/org/apache/ranger/service/XUserPermissionServiceBase.java
59c082d 
>   security-admin/src/main/resources/META-INF/jpa_named_queries.xml 0370e9a 
> 
> Diff: https://reviews.apache.org/r/39122/diff/
> 
> 
> Testing
> -------
> 
> Tested by creating a XPOrtalUser user using curl command and then for a new user, assigned
permissions to check if permissions are not messed up.
> 
> 
> Thanks,
> 
> Gautam Borad
> 
>


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message