----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/57018/ -----------------------------------------------------------
Review request for ranger, Ankita Sinha, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy. Bugs: RANGER-1409 https://issues.apache.org/jira/browse/RANGER-1409 Repository: ranger Description ------- **Problem Statement:** User role get deleted from x_portal_user_role table and login does not work when he tries to update his role to a restricted role for his profile by using Post method of API /service/users/ . **Proposed solution:** User's new requested role should be validated and if requested role is invalid then server should return error message. **Allowed Roles:** User having role 'ROLE_SYS_ADMIN' can change his role to 'ROLE_USER' User having role 'ROLE_KEY_ADMIN' can change his role to 'ROLE_USER' User having role 'ROLE_USER' should not able to change his role to any other role. Diffs ----- security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 6eabc89 Diff: https://reviews.apache.org/r/57018/diff/ Testing ------- **Steps performed on running Ranger admin node without applying the patch :** *Request :* curl -i --header "Accept:application/json" -H "Content-Type:application/json" --user rangerusersync:rangerusersync -X PUT http://localhost:6080/service/users -d '{"id":2,"loginId":"rangerusersync","status":1,"firstName":"rangerusersync","lastName":"Admin123","publicScreenName":"rangerusersync Admin123","userSource":0,"userRoleList":["ROLE_KEY_ADMIN"],"userPermList":[{"id":6,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":3,"isAllowed":1,"userName":"rangerusersync","moduleName":"Reports"},{"id":7,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":1,"isAllowed":1,"userName":"rangerusersync","moduleName":"Resource Based Policies"},{"id":8,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":4,"isAllowed":1,"userName":"rangerusersync","moduleName":"Audit"},{"id":9,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":2, "isAllowed":1,"userName":"rangerusersync","moduleName":"Users/Groups"},{"id":10,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":6,"isAllowed":1,"userName":"rangerusersync","moduleName":"Tag Based Policies"}],"groupPermissions":[],"password":"","profileImageGId":"","emailAddress":"","isTestUser":"","isRegistered":"","isInternal":"","gender":"","timeZone":"","oldPassword":"","newPassword":"","reEnterPassword":""}' *Response:* HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: RANGERADMINSESSIONID=6594B722959628DE9E2BBF6E85E440AB; Path=/; HttpOnly X-Frame-Options: DENY Content-Type: application/json Transfer-Encoding: chunked Date: Fri, 24 Feb 2017 06:05:08 GMT {"id":2,"createDate":null,"updateDate":null,"loginId":"rangerusersync","status":1,"firstName":"rangerusersync","lastName":"Admin123","publicScreenName":"rangerusersync Admin123","userSource":0,"userRoleList":["ROLE_KEY_ADMIN"],"userPermList":[{"id":6,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":3,"isAllowed":1,"userName":"rangerusersync","moduleName":"Reports"},{"id":7,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":1,"isAllowed":1,"userName":"rangerusersync","moduleName":"Resource Based Policies"},{"id":8,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":4,"isAllowed":1,"userName":"rangerusersync","moduleName":"Audit"},{"id":9,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":2,"isAllowed":1,"userName":"rangerusersync","moduleName":"Users/Groups"},{"id":10,"createDate":"2017-02-22T09:51:23Z","updateDate ":"2017-02-22T09:51:23Z","userId":2,"moduleId":6,"isAllowed":1,"userName":"rangerusersync","moduleName":"Tag Based Policies"}],"groupPermissions":[]} *Observation :* After above request it was observed that 'rangerusersync' role was deleted from x_portal_user_role and 'rangerusersync' login was not working. **Steps performed with patch :** *Request :* curl -i --header "Accept:application/json" -H "Content-Type:application/json" --user rangerusersync:rangerusersync -X PUT http://localhost:6080/service/users -d '{"id":2,"loginId":"rangerusersync","status":1,"firstName":"rangerusersync","lastName":"Admin123","publicScreenName":"rangerusersync Admin123","userSource":0,"userRoleList":["ROLE_KEY_ADMIN"],"userPermList":[{"id":6,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":3,"isAllowed":1,"userName":"rangerusersync","moduleName":"Reports"},{"id":7,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":1,"isAllowed":1,"userName":"rangerusersync","moduleName":"Resource Based Policies"},{"id":8,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":4,"isAllowed":1,"userName":"rangerusersync","moduleName":"Audit"},{"id":9,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":2, "isAllowed":1,"userName":"rangerusersync","moduleName":"Users/Groups"},{"id":10,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":6,"isAllowed":1,"userName":"rangerusersync","moduleName":"Tag Based Policies"}],"groupPermissions":[],"password":"","profileImageGId":"","emailAddress":"","isTestUser":"","isRegistered":"","isInternal":"","gender":"","timeZone":"","oldPassword":"","newPassword":"","reEnterPassword":" *Response :* HTTP/1.1 403 Forbidden Server: Apache-Coyote/1.1 Set-Cookie: RANGERADMINSESSIONID=5ABE87B1AD4CB9AA9C3D5F1AFFEC96CB; Path=/security-admin-web/; HttpOnly X-Frame-Options: DENY Content-Type: text/html;charset=utf-8 Content-Language: en Content-Length: 979 Date: Fri, 24 Feb 2017 06:00:39 GMT Connection: close <html><head><title>Apache Tomcat/7.0.63 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 403 - Forbidden</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>Forbidden</u></p><p><b>description</b> <u>Access to the specified resource has been forbidden.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.63</h3></body></html> Observation : After above request it was observed that 'rangerusersync' role was not updated/deleted from x_portal_user_role and 'rangerusersync' login was working. Thanks, Pradeep Agrawal