ranger-dev mailing list archives

From Velmurugan Periasamy <vperias...@hortonworks.com>
Subject Re: Review Request 71615: RANGER-2618 : Restrict rolename change when a policy with that role exist
Date Tue, 15 Oct 2019 12:13:30 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71615/#review218214
-----------------------------------------------------------




security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java
Lines 125 (patched)
<https://reviews.apache.org/r/71615/#comment305810>

    Reuse ensureRoleNotInPolicy method introduced in https://reviews.apache.org/r/71614/


- Velmurugan Periasamy


On Oct. 15, 2019, 11:39 a.m., Nikhil P wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71615/
> -----------------------------------------------------------
> 
> (Updated Oct. 15, 2019, 11:39 a.m.)
> 
> 
> Review request for ranger, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2618
>     https://issues.apache.org/jira/browse/RANGER-2618
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> When we try to delete a role associated with a ranger policy, the operation is not allowed. Likewise, role edit for rolename change also should be restricted.
> Reason:
> Rolename edit is allowed and the ranger policy still exists with old rolename reference. Policy enforcement happens as per old policy. Rolename change is not taken into consideration during policy download.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java 9151a7209 
> 
> 
> Diff: https://reviews.apache.org/r/71615/diff/1/
> 
> 
> Testing
> -------
> 
> Tested on local vm whether rolename update is restricted if it exists in any policy.
> 
> 
> Thanks,
> 
> Nikhil P
> 
>
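
The guard this review discusses, as an added example (not code from the review request or from Ranger): one by-name reference check shared by role delete and role rename, so a rename cannot leave a policy pointing at the old name. The class, its maps, the method signatures and the sample role and policy names are assumptions; only the name `ensureRoleNotInPolicy` comes from the review comment.

```java
import java.util.*;
// Hypothetical in-memory model; not Ranger's RoleDBStore or its real signatures.
public class RoleRenameGuard {
    // role id -> current role name
    private final Map<Long, String> roles = new HashMap<>();
    // policy name -> role names it references (policies refer to roles by name)
    private final Map<String, Set<String>> policyRoles = new HashMap<>();
    void addRole(long id, String name) { roles.put(id, name); }
    void addPolicy(String policy, String... roleNames) {
        policyRoles.put(policy, new HashSet<>(Arrays.asList(roleNames)));
    }

    // Shared guard: refuse any change that would orphan a by-name reference.
    void ensureRoleNotInPolicy(String roleName) {
        for (Map.Entry<String, Set<String>> e : policyRoles.entrySet()) {
            if (e.getValue().contains(roleName)) {
                throw new IllegalStateException(
                    "Role '" + roleName + "' is referenced by policy '" + e.getKey() + "'");
            }
        }
    }

    void deleteRole(long id) {
        ensureRoleNotInPolicy(roles.get(id));
        roles.remove(id);
    }

    void updateRole(long id, String newName) {
        String oldName = roles.get(id);
        // Only a name change can orphan a reference; other edits pass through.
        if (!oldName.equals(newName)) {
            ensureRoleNotInPolicy(oldName);
        }
        roles.put(id, newName);
    }

    public static void main(String[] args) {
        RoleRenameGuard store = new RoleRenameGuard();
        store.addRole(1L, "analysts");   // constructed sample data
        store.addRole(2L, "interns");
        store.addPolicy("hive-sales-read", "analysts");
        store.updateRole(2L, "trainees"); // allowed: no policy references "interns"
        try {
            store.updateRole(1L, "data-analysts"); // rejected: policy still names "analysts"
        } catch (IllegalStateException ex) {
            System.out.println("rename blocked: " + ex.getMessage());
        }
    }
}
```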

