ranger-dev mailing list archives

From Velmurugan Periasamy <vperias...@hortonworks.com>
Subject Re: Review Request 71615: RANGER-2618 : Restrict rolename change when a policy with that role exist
Date Wed, 16 Oct 2019 13:17:58 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71615/#review218226
-----------------------------------------------------------




security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java
Lines 125 (patched)
<https://reviews.apache.org/r/71615/#comment305821>

    To be consistent with validation on https://reviews.apache.org/r/71614/ check if role is part of other roles.


- Velmurugan Periasamy


On Oct. 15, 2019, 1:54 p.m., Nikhil P wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71615/
> -----------------------------------------------------------
> 
> (Updated Oct. 15, 2019, 1:54 p.m.)
> 
> 
> Review request for ranger, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2618
>     https://issues.apache.org/jira/browse/RANGER-2618
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> When we try to delete a role associated with a ranger policy, the operation is not allowed. Likewise, role edit for rolename change also should be restricted.
> Reason:
> Rolename edit is allowed and the ranger policy still exists with old rolename reference. Policy enforcement happens as per old policy. Rolename change is not taken into consideration during policy download.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java dfc5be89d 
> 
> 
> Diff: https://reviews.apache.org/r/71615/diff/2/
> 
> 
> Testing
> -------
> 
> Tested on local vm whether rolename update is restricted if it exists in any policy.
> 
> 
> Thanks,
> 
> Nikhil P
> 
>
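
The rename check discussed in this thread, as an added example that is not code from the review request or from Ranger: an in-memory model in which policies and parent roles refer to a role by name, so a rename is refused while any such reference exists. The class, its methods and the sample role and policy names are hypothetical.

```java
import java.util.*;

// Added illustration: an in-memory model, not Ranger's RoleDBStore.
public class RoleRenameGuard {
    // Hypothetical stores: policy name -> role names it refers to,
    // and role name -> names of the roles nested inside it.
    private final Map<String, Set<String>> policyRoles = new HashMap<>();
    private final Map<String, Set<String>> roleMembers = new HashMap<>();

    void addRole(String name, String... members) { roleMembers.put(name, new HashSet<>(Arrays.asList(members))); }
    void addPolicy(String name, String... roles) { policyRoles.put(name, new HashSet<>(Arrays.asList(roles))); }

    // Every policy or parent role that still refers to roleName by name.
    List<String> referencesTo(String roleName) {
        List<String> refs = new ArrayList<>();
        policyRoles.forEach((p, roles) -> { if (roles.contains(roleName)) refs.add("policy:" + p); });
        roleMembers.forEach((r, members) -> { if (members.contains(roleName)) refs.add("role:" + r); });
        Collections.sort(refs);
        return refs;
    }

    // Rename only when nothing refers to the old name; otherwise the
    // referring policy or role would keep pointing at a name that is gone.
    void renameRole(String oldName, String newName) {
        if (!roleMembers.containsKey(oldName)) throw new NoSuchElementException(oldName);
        if (roleMembers.containsKey(newName)) throw new IllegalStateException("role exists: " + newName);
        List<String> refs = referencesTo(oldName);
        if (!refs.isEmpty()) throw new IllegalStateException("role " + oldName + " is referenced by " + refs);
        roleMembers.put(newName, roleMembers.remove(oldName));
    }

    public static void main(String[] args) {
        RoleRenameGuard store = new RoleRenameGuard();
        store.addRole("analyst");                       // constructed sample data
        store.addRole("auditor");
        store.addRole("staff", "auditor");              // auditor is part of staff
        store.addRole("temp");                          // referenced nowhere
        store.addPolicy("hive-sales-read", "analyst");  // policy refers to analyst
        for (String role : new String[] {"analyst", "auditor", "temp"}) {
            try {
                store.renameRole(role, role + "-v2");
                System.out.println("renamed " + role);
            } catch (IllegalStateException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```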

