-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/57018/
-----------------------------------------------------------
Review request for ranger, Ankita Sinha, Don Bosco Durai, Gautam Borad, Abhay
Kulkarni, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Selvamohan Neethiraj,
Sailaja Polavarapu, and Velmurugan Periasamy.
Bugs: RANGER-1409
https://issues.apache.org/jira/browse/RANGER-1409
Repository: ranger
Description
-------
**Problem Statement:** A user's role gets deleted from the x_portal_user_role table and
login no longer works when he tries to update his role to a restricted role for
his profile using the Post method of the API /service/users/ .
**Proposed solution:** The user's newly requested role should be validated, and if the
requested role is invalid the server should return an error message.
**Allowed Roles:**
A user having role 'ROLE_SYS_ADMIN' can change his role to 'ROLE_USER'.
A user having role 'ROLE_KEY_ADMIN' can change his role to 'ROLE_USER'.
A user having role 'ROLE_USER' should not be able to change his role to any other
role.
Diffs
-----
security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 6eabc89
Diff: https://reviews.apache.org/r/57018/diff/
Testing
-------
**Steps performed on a running Ranger admin node without applying the patch:**
*Request:*
curl -i --header "Accept:application/json" -H "Content-Type:application/json" \
  --user rangerusersync:rangerusersync -X PUT http://localhost:6080/service/users \
  -d '{"id":2,"loginId":"rangerusersync","status":1,"firstName":"rangerusersync","lastName":"Admin123",
       "publicScreenName":"rangerusersync Admin123","userSource":0,"userRoleList":["ROLE_KEY_ADMIN"],
       "userPermList":[
         {"id":6,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":3,"isAllowed":1,"userName":"rangerusersync","moduleName":"Reports"},
         {"id":7,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":1,"isAllowed":1,"userName":"rangerusersync","moduleName":"Resource Based Policies"},
         {"id":8,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":4,"isAllowed":1,"userName":"rangerusersync","moduleName":"Audit"},
         {"id":9,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":2,"isAllowed":1,"userName":"rangerusersync","moduleName":"Users/Groups"},
         {"id":10,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":6,"isAllowed":1,"userName":"rangerusersync","moduleName":"Tag Based Policies"}
       ],
       "groupPermissions":[],"password":"","profileImageGId":"","emailAddress":"","isTestUser":"","isRegistered":"",
       "isInternal":"","gender":"","timeZone":"","oldPassword":"","newPassword":"","reEnterPassword":""}'
*Response:*
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: RANGERADMINSESSIONID=6594B722959628DE9E2BBF6E85E440AB; Path=/; HttpOnly
X-Frame-Options: DENY
Content-Type: application/json
Transfer-Encoding: chunked
Date: Fri, 24 Feb 2017 06:05:08 GMT

{"id":2,"createDate":null,"updateDate":null,"loginId":"rangerusersync","status":1,"firstName":"rangerusersync","lastName":"Admin123",
 "publicScreenName":"rangerusersync Admin123","userSource":0,"userRoleList":["ROLE_KEY_ADMIN"],
 "userPermList":[
   {"id":6,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":3,"isAllowed":1,"userName":"rangerusersync","moduleName":"Reports"},
   {"id":7,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":1,"isAllowed":1,"userName":"rangerusersync","moduleName":"Resource Based Policies"},
   {"id":8,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":4,"isAllowed":1,"userName":"rangerusersync","moduleName":"Audit"},
   {"id":9,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":2,"isAllowed":1,"userName":"rangerusersync","moduleName":"Users/Groups"},
   {"id":10,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":6,"isAllowed":1,"userName":"rangerusersync","moduleName":"Tag Based Policies"}
 ],
 "groupPermissions":[]}
*Observation:* After the above request it was observed that the 'rangerusersync' role
was deleted from x_portal_user_role and the 'rangerusersync' login no longer worked.
**Steps performed with the patch applied:**
*Request:*
curl -i --header "Accept:application/json" -H "Content-Type:application/json" \
  --user rangerusersync:rangerusersync -X PUT http://localhost:6080/service/users \
  -d '{"id":2,"loginId":"rangerusersync","status":1,"firstName":"rangerusersync","lastName":"Admin123",
       "publicScreenName":"rangerusersync Admin123","userSource":0,"userRoleList":["ROLE_KEY_ADMIN"],
       "userPermList":[
         {"id":6,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":3,"isAllowed":1,"userName":"rangerusersync","moduleName":"Reports"},
         {"id":7,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":1,"isAllowed":1,"userName":"rangerusersync","moduleName":"Resource Based Policies"},
         {"id":8,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":4,"isAllowed":1,"userName":"rangerusersync","moduleName":"Audit"},
         {"id":9,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":2,"isAllowed":1,"userName":"rangerusersync","moduleName":"Users/Groups"},
         {"id":10,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":6,"isAllowed":1,"userName":"rangerusersync","moduleName":"Tag Based Policies"}
       ],
       "groupPermissions":[],"password":"","profileImageGId":"","emailAddress":"","isTestUser":"","isRegistered":"",
       "isInternal":"","gender":"","timeZone":"","oldPassword":"","newPassword":"","reEnterPassword":""}'
*Response:*
HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Set-Cookie: RANGERADMINSESSIONID=5ABE87B1AD4CB9AA9C3D5F1AFFEC96CB; Path=/security-admin-web/; HttpOnly
X-Frame-Options: DENY
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 979
Date: Fri, 24 Feb 2017 06:00:39 GMT
Connection: close

<html><head><title>Apache Tomcat/7.0.63 - Error report</title>
<style><!--
H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;}
B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;}
P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}
A {color : black;}A.name {color : black;}HR {color : #525D76;}
--></style></head>
<body><h1>HTTP Status 403 - Forbidden</h1><HR size="1" noshade="noshade">
<p><b>type</b> Status report</p>
<p><b>message</b> <u>Forbidden</u></p>
<p><b>description</b> <u>Access to the specified resource has been forbidden.</u></p>
<HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.63</h3></body></html>
*Observation:* After the above request it was observed that the 'rangerusersync' role
was not updated/deleted from x_portal_user_role and the 'rangerusersync' login was
working.
Thanks,
Pradeep Agrawal
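The check the description asks for, shown as an added, self-contained illustration written for this page; it is not code from the RANGER-1409 patch, from UserMgr.java, or from any other Ranger class. It keeps an in-memory stand-in for x_portal_user_role and contrasts two update paths: a modelled "unpatched" path that silently drops a role the caller is not allowed to take and persists whatever is left (which, for a single-role user, is nothing, so login fails), and a "patched" path that validates the request against the allowed self-service transitions from the description and rejects it before anything is written. The class and method names, the in-memory table, the login rule (at least one role row), the starting role of the sample user and the user name are all assumptions made for the illustration; the real Ranger code path and its 403 mapping are not reproduced here.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Added illustration, not Ranger's own code. Models a user changing his own role:
 * the "unpatched" path drops disallowed roles and overwrites the role rows (possibly
 * with none), the "patched" path validates first and fails closed.
 */
public final class SelfRoleChangeDemo {

    static final String ROLE_SYS_ADMIN = "ROLE_SYS_ADMIN";
    static final String ROLE_KEY_ADMIN = "ROLE_KEY_ADMIN";
    static final String ROLE_USER = "ROLE_USER";

    /** Thrown when a self-service role change must be refused; a REST layer would map it to 403. */
    static final class ForbiddenException extends RuntimeException {
        ForbiddenException(String msg) { super(msg); }
    }

    /** Allow-list of self-service transitions from the review description; anything else is rejected. */
    static final Map<String, Set<String>> ALLOWED_SELF_CHANGE = new HashMap<>();
    static {
        ALLOWED_SELF_CHANGE.put(ROLE_SYS_ADMIN, Collections.singleton(ROLE_USER));
        ALLOWED_SELF_CHANGE.put(ROLE_KEY_ADMIN, Collections.singleton(ROLE_USER));
        ALLOWED_SELF_CHANGE.put(ROLE_USER, Collections.emptySet());
    }

    /** Assumed stand-in for x_portal_user_role: loginId -> role names. */
    final Map<String, Set<String>> roleTable = new HashMap<>();

    SelfRoleChangeDemo(String loginId, String role) {
        roleTable.put(loginId, new HashSet<>(Collections.singleton(role)));
    }

    /** Assumed login rule: the user needs at least one role row. */
    boolean canLogin(String loginId) {
        Set<String> roles = roleTable.get(loginId);
        return roles != null && !roles.isEmpty();
    }

    /** Modelled unpatched behaviour: keep only roles the user may take, then overwrite the rows. */
    void updateOwnRolesUnpatched(String loginId, List<String> requested) {
        String current = currentRole(loginId);
        List<String> kept = new ArrayList<>();
        for (String r : requested) {
            if (r.equals(current) || ALLOWED_SELF_CHANGE.get(current).contains(r)) {
                kept.add(r);
            }
        }
        roleTable.put(loginId, new HashSet<>(kept)); // may be empty: the user is locked out
    }

    /** Patched behaviour: validate the whole request first; write only when it is allowed. */
    void updateOwnRolesPatched(String loginId, List<String> requested) {
        String current = currentRole(loginId);
        if (requested == null || requested.size() != 1) {
            throw new ForbiddenException("exactly one role expected, got " + requested);
        }
        String target = requested.get(0);
        if (!ALLOWED_SELF_CHANGE.containsKey(target)) {
            throw new ForbiddenException("unknown role " + target);
        }
        if (!target.equals(current) && !ALLOWED_SELF_CHANGE.get(current).contains(target)) {
            throw new ForbiddenException(current + " may not change own role to " + target);
        }
        roleTable.put(loginId, new HashSet<>(Collections.singleton(target)));
    }

    private String currentRole(String loginId) {
        Set<String> roles = roleTable.get(loginId);
        if (roles == null || roles.size() != 1) {
            throw new IllegalStateException("user " + loginId + " does not have exactly one role");
        }
        return roles.iterator().next();
    }

    public static void main(String[] args) {
        // Constructed scenario: a ROLE_SYS_ADMIN user asks for ROLE_KEY_ADMIN, a transition the description does not allow.
        SelfRoleChangeDemo before = new SelfRoleChangeDemo("alice", ROLE_SYS_ADMIN);
        before.updateOwnRolesUnpatched("alice", Arrays.asList(ROLE_KEY_ADMIN));
        System.out.println("unpatched: roles=" + before.roleTable.get("alice") + " canLogin=" + before.canLogin("alice"));

        SelfRoleChangeDemo after = new SelfRoleChangeDemo("alice", ROLE_SYS_ADMIN);
        try {
            after.updateOwnRolesPatched("alice", Arrays.asList(ROLE_KEY_ADMIN));
        } catch (ForbiddenException e) {
            System.out.println("patched: rejected (403): " + e.getMessage());
        }
        System.out.println("patched: roles=" + after.roleTable.get("alice") + " canLogin=" + after.canLogin("alice"));

        // The allowed downgrade still goes through.
        after.updateOwnRolesPatched("alice", Arrays.asList(ROLE_USER));
        System.out.println("patched downgrade: roles=" + after.roleTable.get("alice"));
    }
}
```

The point of the patched path is ordering: the request is checked as a whole (one role, a known role name, a transition in the allow-list) before the existing rows are touched, so a rejected request leaves the user exactly as he was, which is the behaviour the second curl run above shows.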