ranger-dev mailing list archives

From Pradeep Agrawal <pradeepagrawal8...@gmail.com>
Subject Re: Review Request 72626: RANGER-2881 : Delegate Admin user having role "user" able to create policy which has non-existing users/groups
Date Wed, 01 Jul 2020 13:27:22 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72626/#review221113
-----------------------------------------------------------




security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
Lines 1537 (patched)
<https://reviews.apache.org/r/72626/#comment309904>

    There are already several methods to check admin access in this class, not sure it's a good idea to have one more like this.
    
    If you are going to keep this method then please review existing calls to other check admin methods and see if any of them can be replaced with this.



security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
Lines 1543 (patched)
<https://reviews.apache.org/r/72626/#comment309903>

    1) Are you missing something here => "Operation" + " denied. LoggedInUser="
    
    2) Also do you want to print user id or user login id?
    3)


- Pradeep Agrawal


On July 1, 2020, 7:05 a.m., Dineshkumar Yadav wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72626/
> -----------------------------------------------------------
> 
> (Updated July 1, 2020, 7:05 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Gautam Borad, Kishor Gollapalliwar, Abhay Kulkarni, Mehul Parikh, Pradeep Agrawal, and Velmurugan Periasamy.
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Ranger user having role as "user" with delegate admin permission is able to create a policy which has non-existing users/groups/roles in the specified policy.
> Only admin users should be able to create a policy with new users/groups/roles on the fly creation of users/groups/roles.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 9ce481c63
>   security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java 4fb21a094 
>   security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java ff8e2ba43 
> 
> 
> Diff: https://reviews.apache.org/r/72626/diff/1/
> 
> 
> Testing
> -------
> 
> Without patch steps
> 	1. Create user with role “user”
> 	2. Give him delegate admin role.
> 	3. Create policy using curl request where specified policy should include non existing user/group.
> 	4. It will be able to create the policy.
> 
> With patch same steps will give error “operation denied user/group specified in policy does not exist in ranger admin.”
> 
> 
> Thanks,
> 
> Dineshkumar Yadav
> 
>
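
The rule stated in the review request's description, written out as an added example that is not part of the original thread and is not Ranger's code or the patch under review. All class, method and map names are hypothetical, the sample data is constructed, and the check covers only principal existence, not the delegate admin permission itself:

```java
import java.util.*;

// Added illustration; names here are hypothetical and are not Ranger's API.
public class PolicyPrincipalCheck {

    /** Returns the principals a policy references that the admin store does not know,
     *  keyed by kind ("user", "group", "role"). */
    static Map<String, Set<String>> missingPrincipals(Map<String, Set<String>> referenced,
                                                      Map<String, Set<String>> existing) {
        Map<String, Set<String>> missing = new TreeMap<>();
        for (Map.Entry<String, Set<String>> e : referenced.entrySet()) {
            Set<String> unknown = new TreeSet<>(e.getValue());
            unknown.removeAll(existing.getOrDefault(e.getKey(), Collections.emptySet()));
            if (!unknown.isEmpty()) {
                missing.put(e.getKey(), unknown);
            }
        }
        return missing;
    }

    /** Admins may reference new principals (created on the fly); any other caller is denied. */
    static void validate(String loginId, boolean isAdmin,
                         Map<String, Set<String>> referenced,
                         Map<String, Set<String>> existing) {
        Map<String, Set<String>> missing = missingPrincipals(referenced, existing);
        if (!missing.isEmpty() && !isAdmin) {
            // Name both the operation and the caller so the denial is traceable in logs.
            throw new SecurityException("Create policy denied. LoggedInUser=" + loginId
                    + ". Principals not present in the admin store: " + missing);
        }
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Map<String, Set<String>> existing = Map.of(
                "user", Set.of("alice", "bob"), "group", Set.of("analysts"));
        Map<String, Set<String>> referenced = Map.of(
                "user", Set.of("alice", "ghost"), "group", Set.of("analysts"));

        validate("admin1", true, referenced, existing);   // allowed: caller is an admin
        try {
            validate("bob", false, referenced, existing); // role "user" with delegate admin
        } catch (SecurityException ex) {
            System.out.println(ex.getMessage());
        }
    }
}
```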

