Re: Review Request 71724: RANGER-2642: Grant/Revoke REST invocations by non-service users should not specify resource owner

Abhay Kulkarni Fri, 15 Nov 2019 07:31:11 -0800

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71724/
-----------------------------------------------------------


(Updated Nov. 15, 2019, 3:30 p.m.)


Review request for ranger, Madhan Neethiraj, Ramesh Mani, and Sailaja 
Polavarapu.


Changes
-------

Fixed PMD violations


Bugs: RANGER-2642
    https://issues.apache.org/jira/browse/RANGER-2642


Repository: ranger


Description
-------

If Grant/Revoke REST API is invoked by a user which is not a admin or not 
listed in policy.grantrevoke.auth.users config parameter value, then resource 
being granted permission to should not specify ownership information. 
Otherwise, such user may be able to modify a resource for which it does not 
have delegated-admin privilege.


Diffs (updated)
-----

  security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java 
6cd8634a5 
  security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 
333672dbc 
  security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 
20849f650 


Diff: https://reviews.apache.org/r/71724/diff/7/

Changes: https://reviews.apache.org/r/71724/diff/6-7/


Testing
-------

Passed all unit tests


Thanks,

Abhay Kulkarni

Re: Review Request 71724: RANGER-2642: Grant/Revoke REST invocations by non-service users should not specify resource owner

Reply via email to