ranger-dev mailing list archives

From Dineshkumar Yadav <dineshkumar.ya...@outlook.com>
Subject Re: Review Request 72626: RANGER-2881 : Delegate Admin user having role "user" able to create policy which has non-existing users/groups
Date Wed, 01 Jul 2020 07:05:16 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72626/
-----------------------------------------------------------

(Updated July 1, 2020, 7:05 a.m.)


Review request for ranger, Ankita Sinha, Gautam Borad, Kishor Gollapalliwar, Abhay Kulkarni,
Mehul Parikh, Pradeep Agrawal, and Velmurugan Periasamy.


Repository: ranger


Description
-------

A Ranger user having the role "user" with delegate admin permission is able to create a policy which
has non-existing users/groups/roles in the specified policy.
Only admin users should be able to create a policy with new users/groups/roles, with on-the-fly creation
of users/groups/roles.


Diffs
-----

  security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 9ce481c63 
  security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java 4fb21a094 
  security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java ff8e2ba43 


Diff: https://reviews.apache.org/r/72626/diff/1/


Testing
-------

Without patch, steps:
	1. Create user with role “user”.
	2. Give him delegate admin role.
	3. Create policy using curl request where specified policy should include non-existing user/group.
	4. It will be able to create the policy.

With patch, the same steps will give the error “operation denied user/group specified in policy does
not exist in ranger admin.”


Thanks,

Dineshkumar Yadav
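
A simplified model of the behaviour described in this review request, added here as an illustration; it is not code from the patch or from Ranger, and every class and method name in it is hypothetical. It models users only (groups and roles would follow the same check) and takes the caller's admin status as a flag.

```java
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Hypothetical model of policy principal validation; not Ranger's own classes.
public class PolicyPrincipalCheck {
    // Constructed sample state: users that already exist in the admin store.
    private final Set<String> knownUsers = new HashSet<>(Set.of("alice", "bob"));

    /** Behaviour before the fix: saving a policy creates any missing user as a side effect. */
    public void saveUnchecked(List<String> policyUsers) {
        knownUsers.addAll(policyUsers);
    }

    /** Behaviour after the fix: only an admin caller may introduce users on the fly. */
    public void saveChecked(boolean callerIsAdmin, List<String> policyUsers) {
        // Validate every reference first, so a denied request leaves no partial state.
        for (String user : policyUsers) {
            if (!knownUsers.contains(user) && !callerIsAdmin) {
                throw new SecurityException(
                    "operation denied: user '" + user + "' specified in policy does not exist");
            }
        }
        knownUsers.addAll(policyUsers);
    }

    public boolean exists(String user) {
        return knownUsers.contains(user);
    }

    public static void main(String[] args) {
        List<String> refs = List.of("alice", "ghost"); // "ghost" does not exist yet

        PolicyPrincipalCheck before = new PolicyPrincipalCheck();
        before.saveUnchecked(refs); // delegated admin with role "user", no check
        System.out.println("unchecked, ghost exists: " + before.exists("ghost"));

        PolicyPrincipalCheck after = new PolicyPrincipalCheck();
        try {
            after.saveChecked(false, refs); // same caller, with the check
        } catch (SecurityException e) {
            System.out.println("delegated admin: " + e.getMessage());
        }
        System.out.println("checked, ghost exists after denial: " + after.exists("ghost"));

        after.saveChecked(true, refs); // admin caller may still create on the fly
        System.out.println("checked, ghost exists after admin save: " + after.exists("ghost"));
    }
}
```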

