> On July 29, 2019, 8:07 p.m., Abhay Kulkarni wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
> > Lines 1480 (patched)
> > <https://reviews.apache.org/r/71166/diff/2/?file=2157967#file2157967line1481>
> >
> > Adding creating user as a service-admin will grant the creator a lot
> > more power/capabilities that are not needed for this specific flow.
> > Please review to see if this is necessary.
> >
> > Alternately, as the creator's identity is automatically recorded in the
> > createdBy field (in the BaseMoObject), this can be checked against the
> > identity of user trying to delete the service. If they match, then allow
> > the delete service to go through.

@Abhay: I would like to know what issues can arise from adding the service creator as a service-admin user, and what would be required if we need to handle that. Did you mean that, along with the proposed patch, I should check the added_by_id field value logic as well?

Currently, from the UI only an admin user can create a service, or from the public API a service user can also create a Ranger service via a Kerberos/SPNEGO call. I think via the service admin config it will be easy to track who can delete the service. Also, currently in Ranger I don't think there is any implementation which has the 'added_by_id' approach. I think from an end user's point of view it will be a little different behaviour if we add this implementation. Please let me know how to proceed from here.


- Pradeep


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71166/#review216922
-----------------------------------------------------------


On July 26, 2019, 5:19 a.m., Pradeep Agrawal wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71166/
> -----------------------------------------------------------
>
> (Updated July 26, 2019, 5:19 a.m.)
>
>
> Review request for ranger, Ankita Sinha, bhavik patel, Gautam Borad, Abhay
> Kulkarni, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Ramesh
> Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2518
>     https://issues.apache.org/jira/browse/RANGER-2518
>
>
> Repository: ranger
>
>
> Description
> -------
>
> **Problem Statement:** Current service admin user can not delete the ranger
> service.
>
> **Proposed Solution:**
>
> During service/repo creation, add the creating user as a service admin for
> that service. Improve the deleteService API to allow service admin user to
> delete the service.
>
>
> Diffs
> -----
>
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 77c91ab9d
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 990fc2bba
>   security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java b6f13f47e
>   security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java 34be7e914
>
>
> Diff: https://reviews.apache.org/r/71166/diff/2/
>
>
> Testing
> -------
>
> Built, Installed and started ranger with the patch.
> Login from admin user.
> Create a user 'testuser1' with 'admin' role
> Logout from admin user and login from 'testuser1'
> create hive service 'hivedev'
> opened the service edit page and can see 'testuser1' was added as service admin user.
> Logout from 'testuser1' user and login from 'admin'
> Change the role of 'testuser1' user from 'admin' to 'user'
> Logout from admin user
> execute below curl command
> curl -i --header "Accept:application/json" -H "Content-Type: application/json" -u testuser1:user1234 -X DELETE 'http://172.22.111.117:6080/service/plugins/services/5'
>
>
> **Expected behaviour:**
> service should get deleted and return http response code 204 with no content.
>
> **Actual behaviour:**
> Response received:
>
> HTTP/1.1 204 No Content
> Set-Cookie: RANGERADMINSESSIONID=3F481200366A0823073FFE27FF982A84; Path=/; HttpOnly
> X-Frame-Options: DENY
> X-XSS-Protection: 1; mode=block
> Strict-Transport-Security: max-age=31536000; includeSubDomains
> Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline';font-src 'self'
> Cache-Control: no-cache, no-store, max-age=0, must-revalidate
> Pragma: no-cache
> Expires: 0
> X-Content-Type-Options: nosniff
> Content-Type: application/json
> Date: Thu, 25 Jul 2019 13:50:13 GMT
> Server: Apache Ranger
>
>
> Thanks,
>
> Pradeep Agrawal
>
>
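
The two authorization options discussed in this thread, as an added example that is not part of the original e-mails and is not Ranger code. The `Service` class, the method names, the rule that the admin role may always delete, and the "other service-admin operation" are all hypothetical simplifications; only the names `createdBy`, `testuser1` and the demoted-creator scenario come from the thread.

```java
import java.util.HashSet;
import java.util.Set;

// Added illustration: a simplified model, not Ranger's ServiceDBStore or ServiceREST.
public class DeleteServiceAuthzModel {
    // Hypothetical stand-in for a service record.
    static final class Service {
        final String createdBy;                            // recorded once at creation
        final Set<String> serviceAdmins = new HashSet<>(); // editable service-admin config
        Service(String createdBy) { this.createdBy = createdBy; }
    }

    // Option A (proposed patch): the creator is added as a service admin at creation.
    static Service createWithCreatorAsServiceAdmin(String creator) {
        Service s = new Service(creator);
        s.serviceAdmins.add(creator);
        return s;
    }

    static boolean canDeleteA(Service s, String user, boolean hasAdminRole) {
        return hasAdminRole || s.serviceAdmins.contains(user);
    }

    // Option B (reviewer's alternative): compare the caller with createdBy, grant no role.
    static boolean canDeleteB(Service s, String user, boolean hasAdminRole) {
        return hasAdminRole || (user != null && user.equals(s.createdBy));
    }

    // Hypothetical: any other operation gated on service-admin membership.
    static boolean canDoOtherServiceAdminOp(Service s, String user, boolean hasAdminRole) {
        return hasAdminRole || s.serviceAdmins.contains(user);
    }

    public static void main(String[] args) {
        // Constructed scenario: testuser1 created the service, then lost the admin role.
        Service a = createWithCreatorAsServiceAdmin("testuser1");
        Service b = new Service("testuser1");
        System.out.println("A delete:   " + canDeleteA(a, "testuser1", false));
        System.out.println("B delete:   " + canDeleteB(b, "testuser1", false));
        System.out.println("A other op: " + canDoOtherServiceAdminOp(a, "testuser1", false));
        System.out.println("B other op: " + canDoOtherServiceAdminOp(b, "testuser1", false));
        // An admin later removes testuser1 from the service-admin config.
        a.serviceAdmins.remove("testuser1");
        System.out.println("A delete after removal: " + canDeleteA(a, "testuser1", false));
        System.out.println("B delete after removal: " + canDeleteB(b, "testuser1", false));
    }
}
```

In this model both options let the demoted creator delete the service, but only option A also passes the other service-admin check. After the creator is removed from the service-admin list, option A denies the delete while option B still allows it, because `createdBy` is not part of the editable config.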