ranger-dev mailing list archives

From Dineshkumar Yadav <dineshkumar.ya...@outlook.com>
Subject Re: Review Request 72626: RANGER-2881 : Delegate Admin user having role "user" able to create policy which has non-existing users/groups
Date Wed, 01 Jul 2020 17:03:46 GMT


> On July 1, 2020, 1:27 p.m., Pradeep Agrawal wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
> > Lines 1537 (patched)
> > <https://reviews.apache.org/r/72626/diff/1/?file=2235136#file2235136line1537>
> >
> >     There are already several methods to check admin access in this class, not sure it's a good idea to have one more like this.
> >     
> >     If you are going to keep this method then please review existing calls to other check admin methods and see if any of them can be replaced with this.

This method is for the scenario where the user is a Delegate Admin having role as “user” trying to create a Policy with existing user/group/role.
In case the specified policy has a non-existing user/group/role, it will give a specific response, as the existing response is common.


- Dineshkumar


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72626/#review221113
-----------------------------------------------------------


On July 1, 2020, 7:05 a.m., Dineshkumar Yadav wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72626/
> -----------------------------------------------------------
> 
> (Updated July 1, 2020, 7:05 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Gautam Borad, Kishor Gollapalliwar, Abhay Kulkarni, Mehul Parikh, Pradeep Agrawal, and Velmurugan Periasamy.
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Ranger user having role as "user" with delegate admin permission is able to create a policy which has non-existing users/groups/roles in the specified policy.
> Only admin users should be able to create a policy with new users/groups/roles with on-the-fly creation of users/groups/roles.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 9ce481c63
>   security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java 4fb21a094
>   security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java ff8e2ba43 
> 
> 
> Diff: https://reviews.apache.org/r/72626/diff/1/
> 
> 
> Testing
> -------
> 
> Without patch steps
> 	1. Create user with role “user”
> 	2. Give him delegate admin role.
> 	3. Create policy using curl request where specified policy should include non-existing user/group.
> 	4. It will be able to create the policy.
> 
> With patch, the same steps will give error “operation denied user/group specified in policy does not exist in ranger admin.”
> 
> 
> Thanks,
> 
> Dineshkumar Yadav
> 
>
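
The behaviour described in the review request above, as an added example (not code from the Ranger patch or from the thread's participants): a self-contained Java model of policy creation before and after the check. The class, method and principal names are hypothetical, the sample directory is constructed, and the error text is only modelled on the one quoted in the testing notes.

```java
import java.util.*;

// Hypothetical model of the behaviour in the review description; these are not Ranger classes.
public class DelegateAdminPolicyCheck {
    enum Role { ADMIN, USER }

    // Constructed sample: users/groups already known to the admin service.
    final Set<String> principals = new TreeSet<>(List.of("alice", "analysts"));

    // Names referenced by the policy that are not in the directory.
    List<String> unknown(Collection<String> requested) {
        List<String> out = new ArrayList<>();
        for (String name : requested) {
            if (!principals.contains(name)) out.add(name);
        }
        return out;
    }

    // Before: the caller's role is ignored, so any caller allowed to create a
    // policy also causes missing principals to be created on the fly.
    void createPolicyUnpatched(Role caller, Collection<String> requested) {
        principals.addAll(unknown(requested));
    }

    // After: only an admin may introduce principals on the fly; any other
    // caller is denied before anything is written.
    void createPolicyPatched(Role caller, Collection<String> requested) {
        List<String> missing = unknown(requested);
        if (!missing.isEmpty() && caller != Role.ADMIN) {
            throw new SecurityException(
                "operation denied: user/group specified in policy does not exist: " + missing);
        }
        principals.addAll(missing);
    }

    public static void main(String[] args) {
        DelegateAdminPolicyCheck before = new DelegateAdminPolicyCheck();
        before.createPolicyUnpatched(Role.USER, List.of("alice", "ghost-group"));
        System.out.println("unpatched directory: " + before.principals);

        DelegateAdminPolicyCheck after = new DelegateAdminPolicyCheck();
        try {
            after.createPolicyPatched(Role.USER, List.of("alice", "ghost-group"));
        } catch (SecurityException e) {
            System.out.println("patched: " + e.getMessage());
        }
        System.out.println("patched directory: " + after.principals);
        after.createPolicyPatched(Role.ADMIN, List.of("new-team"));
        System.out.println("after admin call: " + after.principals);
    }
}
```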

