> On July 31, 2019, 8:13 a.m., Madhan Neethiraj wrote:
> > security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
> > Lines 805 (patched)
> > <https://reviews.apache.org/r/71166/diff/3/?file=2158473#file2158473line811>
> >
> >     Consider checking if 'session == null' - as most callers of
> >     ContextUtil.getCurrentUserSession() seem to do. Please review and update other
> >     such instances as well - like #827.

Added null checks in a few other methods as well, though they are not related to
this Jira.


- Pradeep


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71166/#review216980
-----------------------------------------------------------


On July 31, 2019, 7:26 a.m., Pradeep Agrawal wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71166/
> -----------------------------------------------------------
> 
> (Updated July 31, 2019, 7:26 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, bhavik patel, Gautam Borad, Abhay 
> Kulkarni, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Ramesh 
> Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2518
>     https://issues.apache.org/jira/browse/RANGER-2518
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> **Problem Statement:** Current service admin user can not delete the ranger 
> service. 
> 
> **Proposed Solution:** 
> 
> As during service/repo creation, the creator reference gets added in the added_by_id
> field of the x_service table, we can compare the logged-in user id and the service
> creator id. If both match, then there is no need to check the admin permissions. This
> will allow the service creator user to delete the service.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java 0ad7df2dd
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 84202335d
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b06273cc5
>   security-admin/src/main/java/org/apache/ranger/service/XResourceService.java 43a855e6d
>   security-admin/src/main/java/org/apache/ranger/service/XUgsyncAuditInfoService.java d613c700a
>   security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java 34be7e914
> 
> 
> Diff: https://reviews.apache.org/r/71166/diff/4/
> 
> 
> Testing
> -------
> 
> Built, Installed and started ranger with the patch.
> Login from admin user.
> Create a user 'testuser1' with 'admin' role
> Logout from admin user and login from 'testuser1'
> create hive service 'hivedev'
> Logout from 'testuser1' user and login from 'admin'
> Change the role of 'testuser1' user from 'admin' to 'user'
> Logout from admin user
> execute below curl command by using 'testuser1' user's credential
> curl -i --header "Accept:application/json" -H "Content-Type: application/json" -u testuser1:user1234 -X DELETE 'http://172.22.111.117:6080/service/plugins/services/5'
> 
> 
> **Expected behaviour:**
> service should get deleted and return http response code 204 with no content.
> 
> **Actual behaviour:**
> Response received:
> 
> HTTP/1.1 204 No Content
> Set-Cookie: RANGERADMINSESSIONID=3F481200366A0823073FFE27FF982A84; Path=/; HttpOnly
> X-Frame-Options: DENY
> X-XSS-Protection: 1; mode=block
> Strict-Transport-Security: max-age=31536000; includeSubDomains
> Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline';font-src 'self'
> Cache-Control: no-cache, no-store, max-age=0, must-revalidate
> Pragma: no-cache
> Expires: 0
> X-Content-Type-Options: nosniff
> Content-Type: application/json
> Date: Thu, 25 Jul 2019 13:50:13 GMT
> Server: Apache Ranger
> 
> 
> Thanks,
> 
> Pradeep Agrawal
> 
>
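
The creator-or-admin check described in the review request, together with the null-session guard raised in the review comment, as an added example that is not part of the original thread and is not Ranger's code. `Session`, `Service` and `canDelete` are hypothetical stand-ins; only the `added_by_id` column name comes from the description, and the sample ids are constructed.

```java
import java.util.Objects;

public class ServiceDeleteAuthz {
    // Hypothetical stand-ins for the user session and an x_service row (not Ranger classes).
    record Session(Long userId, boolean admin) {}
    record Service(long id, Long addedById) {}

    /** Delete is allowed for an admin, or for the user recorded in added_by_id. */
    static boolean canDelete(Session session, Service service) {
        // No authenticated session: deny instead of dereferencing null.
        if (session == null || session.userId() == null) {
            return false;
        }
        if (session.admin()) {
            return true;
        }
        // A row without a recorded creator can only be deleted by an admin.
        if (service.addedById() == null) {
            return false;
        }
        // Compare boxed ids by value; '==' on Long compares references and
        // is only reliable for small cached values.
        return Objects.equals(session.userId(), service.addedById());
    }

    public static void main(String[] args) {
        // Constructed sample data mirroring the test steps in the request.
        Service hivedev = new Service(5L, 1001L);
        Service legacy = new Service(6L, null);              // no creator recorded
        Session demotedCreator = new Session(1001L, false);  // creator, role now 'user'
        Session otherUser = new Session(1002L, false);
        Session admin = new Session(1L, true);

        System.out.println("no session      -> " + canDelete(null, hivedev));
        System.out.println("demoted creator -> " + canDelete(demotedCreator, hivedev));
        System.out.println("other user      -> " + canDelete(otherUser, hivedev));
        System.out.println("admin           -> " + canDelete(admin, hivedev));
        System.out.println("creator, legacy -> " + canDelete(demotedCreator, legacy));
    }
}
```

The `demotedCreator` case corresponds to the test procedure above: the creator keeps delete rights on the service after the role is changed from 'admin' to 'user'.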
