-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71724/
-----------------------------------------------------------
(Updated Nov. 8, 2019, 6:12 p.m.)
Review request for ranger, Madhan Neethiraj and Ramesh Mani.
Changes
-------
Updated with Apache JIRA information
Summary (updated)
-----------------
RANGER-2642: Grant/Revoke REST invocations by non-service users should not
specify resource owner
Bugs: RANGER-2642
https://issues.apache.org/jira/browse/RANGER-2642
Repository: ranger
Description (updated)
-------
If the Grant/Revoke REST API is invoked by a user who is not an admin or not
listed in the policy.grantrevoke.auth.users config parameter value, then the
resource being granted permission to should not specify ownership information.
Otherwise, such a user may be able to modify a resource for which it does not
have delegated-admin privilege.
Diffs (updated)
-----
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 3d8a32977
Diff: https://reviews.apache.org/r/71724/diff/3/
Changes: https://reviews.apache.org/r/71724/diff/2-3/
Testing (updated)
-------
Passed all unit tests
Thanks,
Abhay Kulkarni