-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71724/#review218613
-----------------------------------------------------------

Ship it!

Ship It!

- Madhan Neethiraj


On Nov. 9, 2019, 7:10 a.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71724/
> -----------------------------------------------------------
>
> (Updated Nov. 9, 2019, 7:10 a.m.)
>
>
> Review request for ranger, Madhan Neethiraj, Ramesh Mani, and Sailaja
> Polavarapu.
>
>
> Bugs: RANGER-2642
>     https://issues.apache.org/jira/browse/RANGER-2642
>
>
> Repository: ranger
>
>
> Description
> -------
>
> If Grant/Revoke REST API is invoked by a user which is not an admin or not
> listed in policy.grantrevoke.auth.users config parameter value, then resource
> being granted permission to should not specify ownership information.
> Otherwise, such a user may be able to modify a resource for which it does not
> have delegated-admin privilege.
>
>
> Diffs
> -----
>
>   security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java abb1b1013
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 0ab733c65
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 3d8a32977
>
>
> Diff: https://reviews.apache.org/r/71724/diff/6/
>
>
> Testing
> -------
>
> Passed all unit tests
>
>
> Thanks,
>
> Abhay Kulkarni
>
