[
https://issues.apache.org/jira/browse/RANGER-2642?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Velmurugan Periasamy updated RANGER-2642:
-----------------------------------------
Fix Version/s: 2.1.0
> Grant/Revoke REST invocations by non-service users should not specify
> resource owner
> ------------------------------------------------------------------------------------
>
> Key: RANGER-2642
> URL: https://issues.apache.org/jira/browse/RANGER-2642
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Affects Versions: master
> Reporter: Abhay Kulkarni
> Assignee: Abhay Kulkarni
> Priority: Major
> Fix For: master, 2.1.0
>
>
> If the Grant/Revoke REST API is invoked by a user who is not an admin or not
> listed in the policy.grantrevoke.auth.users config parameter value, then the
> resource being granted permission to should not specify ownership information.
> Otherwise, such a user may be able to modify a resource for which it does not
> have delegated-admin privilege.