-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71724/
-----------------------------------------------------------
(Updated Nov. 9, 2019, 2:42 a.m.)
Review request for ranger, Madhan Neethiraj, Ramesh Mani, and Sailaja
Polavarapu.
Changes
-------
Updated to exclude policies with {OWNER} as user from delegate-admin
policy-engine. Added checks to secure Grant/Revoke REST endpoints.
Bugs: RANGER-2642
https://issues.apache.org/jira/browse/RANGER-2642
Repository: ranger
Description
-------
If Grant/Revoke REST API is invoked by a user which is not a admin or not
listed in policy.grantrevoke.auth.users config parameter value, then resource
being granted permission to should not specify ownership information.
Otherwise, such user may be able to modify a resource for which it does not
have delegated-admin privilege.
Diffs (updated)
-----
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
065120f84
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
3d8a32977
Diff: https://reviews.apache.org/r/71724/diff/4/
Changes: https://reviews.apache.org/r/71724/diff/3-4/
Testing
-------
Passed all unit tests
Thanks,
Abhay Kulkarni
