ranger-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Pradeep Agrawal (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (RANGER-443) ncorrect http status code for missing ranger portal permission
Date Mon, 23 May 2016 09:19:12 GMT

    [ https://issues.apache.org/jira/browse/RANGER-443?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15296138#comment-15296138
] 

Pradeep Agrawal commented on RANGER-443:
----------------------------------------

Tried below mention things on latest code of master branch:
1. Created user 'testuser1'
2. Provided permission on User-Group Module to user 'testuser1' , row id generated for this
entry in x_user_module_perm table was 27.
3. Removed permission of user 'testuser1'  from UI, which changed the is_allowed column value
from 1 to 0.
4. To remove the permission entry from table call delete REST mention below.
curl -i -u admin:admin  --header "Accept:application/json" -H "Content-Type:application/json"
-X DELETE http://localhost:8080/security-admin-web/service/xusers/permission/user/27
5. Now tried to access the permission id 27 from user having 'User' role and 'Admin' role.
a) Request from user(testuser1) having 'User' role  : curl -i -u testuser1:user1234  --header
"Accept:application/json" -H "Content-Type:application/json" -X GET  http://localhost:8080/security-admin-web/service/xusers/permission/user/27
Response Code received : 403 Forbidden
b) Request from user(admin) having 'Admin' role : curl -i -u admin:admin  --header "Accept:application/json"
-H "Content-Type:application/json" -X GET  http://localhost:8080/security-admin-web/service/xusers/permission/user/27
Response Code received : 404 Not Found

Conclusion : Permission tab module access is restricted to users having 'Admin' role. @PreAuthorize
annotation is executed before processing called REST API. Since permission tab related operation(allowing/removing
any user/group from any module) is restricted to only 'Admin' role; normal user shall always
get response code 403.

> ncorrect http status code for missing ranger portal permission
> --------------------------------------------------------------
>
>                 Key: RANGER-443
>                 URL: https://issues.apache.org/jira/browse/RANGER-443
>             Project: Ranger
>          Issue Type: Bug
>          Components: admin
>    Affects Versions: 0.5.0
>            Reporter: Dilli Arumugam
>            Assignee: Pradeep Agrawal
>            Priority: Minor
>
> Created user module permission.
> Deleted the permission.
> Tried to get the permission.
> curl -i -v -u permtestuser1:permtestuser1 -X GET -H "Accept: application/json" http://localhost:6080/service/xusers/permission/user/200
> About to connect() to localhost port 6080 (#0)
> Trying ::1... connected
> Connected to localhost (::1) port 6080 (#0)
> Server auth using Basic with user 'permtestuser1'
> > GET /service/xusers/permission/user/200 HTTP/1.1
> > Authorization: Basic cGVybXRlc3R1c2VyMTpwZXJtdGVzdHVzZXIx
> > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic
ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> > Host: localhost:6080
> > Accept: application/json
> > 
> < HTTP/1.1 400 Bad Request
> HTTP/1.1 400 Bad Request
> < Server: Apache-Coyote/1.1
> Server: Apache-Coyote/1.1
> < Set-Cookie: JSESSIONID=B33F499239B04ACAD15D6ADD38558AC0; Path=/; HttpOnly
> Set-Cookie: JSESSIONID=B33F499239B04ACAD15D6ADD38558AC0; Path=/; HttpOnly
> < Content-Type: application/json
> Content-Type: application/json
> < Transfer-Encoding: chunked
> Transfer-Encoding: chunked
> < Date: Mon, 27 Apr 2015 19:10:46 GMT
> Date: Mon, 27 Apr 2015 19:10:46 GMT
> < Connection: close
> Connection: close
> <
> Closing connection #0
> Unknown macro: {"statusCode"}
> Please note the status code
> HTTP/1.1 400 Bad Request
> It should return
> HTTP/1.1 404 Not Found



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message