ranger-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Pradeep Agrawal <pradeep.agra...@freestoneinfotech.com>
Subject Re: Review Request 54623: RANGER-1250 : If non-existing access-permissions are added through curl then permission module shows loading icon.
Date Sat, 17 Dec 2016 10:20:57 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/54623/#review159547
-----------------------------------------------------------




agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
(line 347)
<https://reviews.apache.org/r/54623/#comment230574>

    if a request object contains multiple invalid access types then we need to display all
of them in the error response message.


- Pradeep Agrawal


On Dec. 13, 2016, 9:45 a.m., Pradeep Agrawal wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/54623/
> -----------------------------------------------------------
> 
> (Updated Dec. 13, 2016, 9:45 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Don Bosco Durai, Gautam Borad, Abhay Kulkarni,
Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-1250
>     https://issues.apache.org/jira/browse/RANGER-1250
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> ** Problem Statement : ** If we create a policy with non-existing permissions through
curl then, it gets created successfully but has an impact on UI as permission module goes
in the loading state.
> Example:
> in hive's row-level-filtering there is no 'update' permission in Access. If we create
a policy with 'select' and 'update' in Access then it allows us to create a policy(returns
response code 204) but ranger-ui permission module shows loading icon.
> 
> ** Proposed Solution:** Proposed solution contain changes which shall validate whether
provided access-permissions are allowed or not. If permissions are not allowed/invalid then
create/update request shall fail with response code 400 bad request.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
279489d 
> 
> Diff: https://reviews.apache.org/r/54623/diff/
> 
> 
> Testing
> -------
> 
> **Steps performed(with patch)**
> 1. Installed and started Ranger admin.
> 2. tried to create row level filter policy with 'update' permission using REST : 
> 
> curl -i --header "Accept:application/json" -H "Content-Type:application/json" --user
admin:admin -X POST http://localhost:8080/security-admin-web/service/plugins/policies -d '{"policyType":"2","name":"policy2","isEnabled":true,"isAuditEnabled":true,"description":"","resources":{"database":{"values":["db1"],"isRecursive":"","isExcludes":false},"table":{"values":["table1"],"isRecursive":"",";isExcludes":false}},"rowFilterPolicyItems":[{"users":["hive"],"accesses":[{"type":"update","isAllowed":true}]}],"service":"hivedev"}'
> 
> **Expected Result :** Policy creation should fail with appropriate error message.
> 
> **Actual Result :** Policy creation failed with following response :
> 
> HTTP/1.1 400 Bad Request
> Server: Apache-Coyote/1.1
> Set-Cookie: RANGERADMINSESSIONID=F42CDCA50B714E240D5B17319D6458F0; Path=/security-admin-web/;
HttpOnly
> X-Frame-Options: DENY
> Content-Type: application/json
> Transfer-Encoding: chunked
> Date: Mon, 12 Dec 2016 05:32:07 GMT
> Connection: close
> 
> {"statusCode":1,"msgDesc":"(0) Validation failure: error code[3022], reason[Invalid access
type: access type=[update], valid access types=[[select]]], field[row filter policy item access
type], subfield[null], type[semantically incorrect] "}
> 
> 
> Thanks,
> 
> Pradeep Agrawal
> 
>


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message