----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/57018/#review167000 -----------------------------------------------------------
Ship it! Ship It! - Velmurugan Periasamy On Feb. 24, 2017, 9:02 a.m., Pradeep Agrawal wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/57018/ > ----------------------------------------------------------- > > (Updated Feb. 24, 2017, 9:02 a.m.) > > > Review request for ranger, Ankita Sinha, Don Bosco Durai, Gautam Borad, Abhay > Kulkarni, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Selvamohan Neethiraj, > Sailaja Polavarapu, and Velmurugan Periasamy. > > > Bugs: RANGER-1409 > https://issues.apache.org/jira/browse/RANGER-1409 > > > Repository: ranger > > > Description > ------- > > **Problem Statement:** User role get deleted from x_portal_user_role table > and login does not work when he tries to update his role to a restricted role > for his profile by using Post method of API /service/users/ . > > **Proposed solution:** User's new requested role should be validated and if > requested role is invalid then server should return error message. > > **Allowed Roles:** > User having role 'ROLE_SYS_ADMIN' can change his role to 'ROLE_USER' > User having role 'ROLE_KEY_ADMIN' can change his role to 'ROLE_USER' > User having role 'ROLE_USER' should not able to change his role to any other > role. > > > Diffs > ----- > > security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 6eabc89 > > Diff: https://reviews.apache.org/r/57018/diff/ > > > Testing > ------- > > **Steps performed on running Ranger admin node without applying the patch :** > *Request :* > curl -i --header "Accept:application/json" -H "Content-Type:application/json" > --user rangerusersync:rangerusersync -X PUT > http://localhost:6080/service/users -d > '{"id":2,"loginId":"rangerusersync","status":1,"firstName":"rangerusersync","lastName":"Admin123","publicScreenName":"rangerusersync > > Admin123","userSource":0,"userRoleList":["ROLE_KEY_ADMIN"],"userPermList":[{"id":6,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":3,"isAllowed":1,"userName":"rangerusersync","moduleName":"Reports"},{"id":7,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":1,"isAllowed":1,"userName":"rangerusersync","moduleName":"Resource > Based > Policies"},{"id":8,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":4,"isAllowed":1,"userName":"rangerusersync","moduleName":"Audit"},{"id":9,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId": 2,"isAllowed":1,"userName":"rangerusersync","moduleName":"Users/Groups"},{"id":10,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":6,"isAllowed":1,"userName":"rangerusersync","moduleName":"Tag Based Policies"}],"groupPermissions":[],"password":"","profileImageGId":"","emailAddress":"","isTestUser":"","isRegistered":"","isInternal":"","gender":"","timeZone":"","oldPassword":"","newPassword":"","reEnterPassword":""}' > > > *Response:* > HTTP/1.1 200 OK > Server: Apache-Coyote/1.1 > Set-Cookie: RANGERADMINSESSIONID=6594B722959628DE9E2BBF6E85E440AB; Path=/; > HttpOnly > X-Frame-Options: DENY > Content-Type: application/json > Transfer-Encoding: chunked > Date: Fri, 24 Feb 2017 06:05:08 GMT > > {"id":2,"createDate":null,"updateDate":null,"loginId":"rangerusersync","status":1,"firstName":"rangerusersync","lastName":"Admin123","publicScreenName":"rangerusersync > > Admin123","userSource":0,"userRoleList":["ROLE_KEY_ADMIN"],"userPermList":[{"id":6,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":3,"isAllowed":1,"userName":"rangerusersync","moduleName":"Reports"},{"id":7,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":1,"isAllowed":1,"userName":"rangerusersync","moduleName":"Resource > Based > Policies"},{"id":8,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":4,"isAllowed":1,"userName":"rangerusersync","moduleName":"Audit"},{"id":9,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":2,"isAllowed":1,"userName":"rangerusersync","moduleName":"Users/Groups"},{"id":10,"createDate":"2017-02-22T09:51:23Z","updateDa te":"2017-02-22T09:51:23Z","userId":2,"moduleId":6,"isAllowed":1,"userName":"rangerusersync","moduleName":"Tag Based Policies"}],"groupPermissions":[]} > > *Observation :* After above request it was observed that 'rangerusersync' > role was deleted from x_portal_user_role and 'rangerusersync' login was not > working. > > **Steps performed with patch :** > > *Request :* > curl -i --header "Accept:application/json" -H "Content-Type:application/json" > --user rangerusersync:rangerusersync -X PUT > http://localhost:6080/service/users -d > '{"id":2,"loginId":"rangerusersync","status":1,"firstName":"rangerusersync","lastName":"Admin123","publicScreenName":"rangerusersync > > Admin123","userSource":0,"userRoleList":["ROLE_KEY_ADMIN"],"userPermList":[{"id":6,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":3,"isAllowed":1,"userName":"rangerusersync","moduleName":"Reports"},{"id":7,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":1,"isAllowed":1,"userName":"rangerusersync","moduleName":"Resource > Based > Policies"},{"id":8,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":4,"isAllowed":1,"userName":"rangerusersync","moduleName":"Audit"},{"id":9,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId": 2,"isAllowed":1,"userName":"rangerusersync","moduleName":"Users/Groups"},{"id":10,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":6,"isAllowed":1,"userName":"rangerusersync","moduleName":"Tag Based Policies"}],"groupPermissions":[],"password":"","profileImageGId":"","emailAddress":"","isTestUser":"","isRegistered":"","isInternal":"","gender":"","timeZone":"","oldPassword":"","newPassword":"","reEnterPassword":" > > > *Response :* > HTTP/1.1 403 Forbidden > Server: Apache-Coyote/1.1 > Set-Cookie: RANGERADMINSESSIONID=5ABE87B1AD4CB9AA9C3D5F1AFFEC96CB; > Path=/security-admin-web/; HttpOnly > X-Frame-Options: DENY > Content-Type: text/html;charset=utf-8 > Content-Language: en > Content-Length: 979 > Date: Fri, 24 Feb 2017 06:00:39 GMT > Connection: close > > <html><head><title>Apache Tomcat/7.0.63 - Error report</title><style><!--H1 > {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} > H2 > {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} > H3 > {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} > BODY > {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B > {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P > {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A > {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> > </head><body><h1>HTTP Status 403 - Forbidden</h1><HR size="1" > noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> > <u>Forbidden</u></p><p><b>description</b> <u>Access to the specified resource > has been forbidden.</u></p><HR size="1" noshade="noshade"><h3>Apache > Tomcat/7.0.63</h3></body></html> > > Observation : After above request it was observed that 'rangerusersync' role > was not updated/deleted from x_portal_user_role and 'rangerusersync' login > was working. > > > Thanks, > > Pradeep Agrawal > >